[Owasp-leaders] Instead of OWASP libraries, why don't we ...

Bev Corwin bev.corwin at owasp.org
Sun Nov 22 01:10:05 UTC 2015


Thanks for clarifications Tim, Best wishes, Bev

On Sat, Nov 21, 2015 at 7:02 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> On Sat, Nov 21, 2015 at 6:37 PM, Tim <tim.morgan at owasp.org> wrote:
> >
> >
> >> Hi everyone, All sound like good concepts to me. Is it possible to have
> >> both, somehow integrated into best of both (or all) worlds, instead of
> >> either / or scenarios only? Best wishes, Bev
> >
> > It's definitely not an either-or proposition I'm making.  It's just
> > that I've come to realize that we're missing a large segment of
> > developers entirely.  Not only are we missing them, but no matter how
> > hard we try to reach those green developers directly, there will
> > always be new developers entering the profession and writing code long
> > before they even consider security or hear of OWASP.  That's the
> > segment of the developer population I think we need to put more
> > resources toward, but other developer groups are perhaps better served
> > in other ways.
> >
> > Does that help clarify?
>
> Back in the day when I was one of those wet-behind-the-ears greenhorns,
> we used to have mentors and Fagan-style code inspections. If we went back
> to that, we could improve security. It's like the common adage: "Secure,
> cheap, speed... pick 2 out of 3". (And by 'speed' here, I mean time-to-market.)
> The other two still trump security at this point and IMO, that's unlikely to
> change unless liability laws change to hold companies who knowingly stick
> their head in the sand and ignore security issues accountable in some manner.
> (Maybe rather than allowing lawsuits, there are fines--that increase for
> repeat offenders--that are collected by and put into some industry coalition
> trust fund and are earmarked for security training, etc. But that's a whole
> other thread. I'm okay discussing that, but if you do, please change the
> Subject line or start a new discussion.)
>
> Regards,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your crypto bit are belong to us.
>