[Owasp-leaders] Instead of OWASP libraries, why don't we ...

Kevin W. Wall kevin.w.wall at gmail.com
Sun Nov 22 00:02:30 UTC 2015

On Sat, Nov 21, 2015 at 6:37 PM, Tim <tim.morgan at owasp.org> wrote:
>> Hi everyone, All sound like good concepts to me. Is it possible to have
>> both, somehow integrated into best of both (or all) worlds, instead of
>> either / or scenarios only? Best wishes, Bev
> It's definitely not an either-or proposition I'm making.  It's just
> that I've come to realize that we're missing a large segment of
> developers entirely.  Not only are we missing them, but no matter how
> hard we try to reach those green developers directly, there will
> always be new developers entering the profession and writing code long
> before they even consider security or hear of OWASP.  That's the
> segment of the developer population I think we need to put more
> resources toward, but other developer groups are perhaps better served
> in other ways.
> Does that help clarify?

Back in the day when I was one of those wet-behind-the-ears greenhorns,
we used to have mentors and Fagan-style code inspections. If we went back
to that, we could improve security. It's like the common adage: "Secure, cheap,
speed...pick 2 out of 3". (And by 'speed' here, I mean time-to-market.) The
other two still trump security at this point and IMO, that's unlikely to change
unless liability laws change to hold companies who knowingly stick their head
in the sand and ignore security issues accountable in some manner. (Maybe
rather than allowing lawsuits, there are fines--that increase for repeat offenders--
that are collected by and put into some industry coalition trust fund and are
earmarked for security training, etc. But that's a whole other thread. I'm okay
discussing that, but if you do, please change the Subject line or start a new

Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
