[Owasp-leaders] 2016 Developer Survey Results

Milton Smith milton.smith at owasp.org
Tue Apr 5 18:00:31 UTC 2016


FYI - I didn't get a whole lot of suggestions on the paper.  I thought I 
would write a post to stir some debate around the subject.
http://www.securitycurmudgeon.com/2016/04/fortune-top-100-cisos-not-well-equipped.html

--Milton

On 28 Mar 2016, at 14:28, Milton Smith wrote:

> All,
>
> I created a draft CISO Top 10.  I was not sure on the best way to 
> share/open this for public comment.  For now, you can send me or 
> Johanna your comments.  Anyone with access to the link should have 
> Google Docs "View" permissions.  If you have a lot of suggestions, 
> send me your email and I will update your permissions to the doc so 
> you can add comments/improvements directly to the draft.
>
> https://drive.google.com/file/d/0B2PfsU7XDXnsV3ZEQzF6WE9yUm8/view?usp=sharing
>
> I could spend a week thinking about this but I don't have the time.  I 
> know I have some misspellings, grammar, and I don't feel particularly 
> strong about order of importance of the different qualities at the 
> moment.  Meaning, I feel good about #1 being #1 but I'm less sure as I 
> work down the list.  Also a few of the points may overlap or be best 
> represented and reformulated into single point.  I'm open to your 
> thoughts and suggestions.
>
> I offer the document as a starting point of discussion for building a 
> public resource for selecting new CISO's capable of meeting today's 
> security challenges.  OWASP could use it as the basis of an 
> infographic or other type of communication.  If there is zero interest 
> then I'm ok letting this thread die.  Let us know what you think.
>
> Regards,
> Milton
>
>
> On 25 Mar 2016, at 17:59, johanna curiel curiel wrote:
>
>>>> CISO Top 10.  Everyone loves OWASP 10's. ;o)  Does anyone think this
>>>> would be a good/bad idea/waste of time, or interested in helping if we were
>>>> to do something like this?
>>
>> Milton,
>>
>> We can create an infographic ;-)
>>
>> Just provide the input
>>
>>
>> OWASP top 10 CISO skills:
>>
>>    - Background in Software engineering
>>    - Communication Skills
>>    - ?
>>    - ?
>>
>> I want again to use this opportunity to add a strategy , which is 
>> clearly,
>> not only to target the developers target group but there are other 
>> just as
>> important such as CISO's.
>>
>> Have you been paying attention how commercial vendors are influencing
>> Application Security decision makers (aka CISO's) to go buy the right 
>> set
>> of 'tools' which include SAST , DAST , RAST IAST?
>>
>> https://www.gartner.com/doc/reprints?id=1-2KU6OUB&ct=150806&st=sb
>>
>>>> Organizations listen to OWASP. OWASP should post some guidance 
>>>> [...]
>> Why don't we do the same?
>> OWASP's own Magic Quadrant for Open Source tools?
>>
>> You see this quadrant? Anything missing?
>> ZAP should have been there, but again this is just commercial tools 
>> ;-)
>>
>> Cheers
>>
>> Johanna
>>
>>
>>
>> On Fri, Mar 25, 2016 at 7:57 PM, Milton Smith 
>> <milton.smith at owasp.org>
>> wrote:
>>
>>> We are on the same page Jim.  Your last line is exactly where the 
>>> appsec
>>> leader, assuming there is one, will find its challenge - the 
>>> budget.  A
>>> CISO without hands-on software coding background is the surest way 
>>> to screw
>>> up an appsec program before it even gets off the ground.  We need 
>>> CISO's
>>> that have deep business acumen and can speak to a board of directors 
>>> as
>>> comfortably as whiteboard security architecture with software 
>>> developers.
>>> Software development/coding is not a new skill for today's CISO's to 
>>> master,
>>> it's an entire profession that takes years to master.  I doubt 
>>> software
>>> developers will ever respect a security executive that cannot do 
>>> what they
>>> do and speak their language.  Respect and trust are important when 
>>> asking
>>> development to make improvements impacting delivery schedules.  A 
>>> CISO
>>> should also go to battle with other execs to help development do the 
>>> extra
>>> tasks they need to do to be secure.  A CISO must be a deep partner 
>>> with
>>> those that develop applications.
>>>
>>> Organizations listen to OWASP.  OWASP should post some guidance 
>>> around
>>> what a top CISO candidate looks like and provide some reasons behind 
>>> each
>>> recommendation, CISO top 10.  Everyone loves OWASP 10's. ;o)  Does 
>>> anyone
>>> think this would be a good/bad idea/waste of time, or interested in 
>>> helping
>>> if we were to do something like this?  Wondering if others feel 
>>> strongly
>>> about this.
>>>
>>> --Milton
>>>
>>>
>>> On 25 Mar 2016, at 14:07, Jim Manico wrote:
>>>
>>>> Most CISO's today are IT firewall guys.  Less than 13% of Fortune 
>>>> 100
>>>> CISO's[1] have any kind of background in programming\engineering.
>>>>
>>>> Very well said. I think one of the organizational AppSec challenges 
>>>> is to
>>>> *find the right people* to run AppSec. AppSec should be in the 
>>>> hands of one
>>>> of the *software development leaders*.  Most folks consider their 
>>>> AppSec
>>>> team to be a group of security dudes running scans and pentests. 
>>>> This is
>>>> not the complete AppSec picture, at all. Find software development 
>>>> leaders,
>>>> scrum masters, CTO's from the software side of the house and lead
>>>> developers. Those are the folks who need to get AppSec religion - 
>>>> and if
>>>> they do - you are well on your way.
>>>>
>>>> You need budget from the firewall CISO and the buy-in to do the 
>>>> right
>>>> work, but that's about it.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>> On 3/25/16 4:49 AM, Milton Smith wrote:
>>>>
>>>>> A few years ago I started a full security track at JavaOne, 
>>>>> Oracle's
>>>>> software development conference in San Francisco CA.  In fact, Jim 
>>>>> Manico
>>>>> and Michael Coates helped me get this started.  In a very short 
>>>>> period of
>>>>> time the security track was the 3rd most popular track.
>>>>>
>>>>> It's my opinion most development orgs feel appsec is important but
>>>>> appsec is like brushing your teeth.  If you ask someone if they 
>>>>> want
>>>>> beautiful teeth everyone would say, "Yes".  When you then tell 
>>>>> them they
>>>>> need to brush their teeth twice a day some people won't do it.  
>>>>> Some will
>>>>> floss every other day or once a week. There's a gap in 
>>>>> understanding.  Most
>>>>> technical people don't perceive the same risks we do so they don't
>>>>> prioritize appsec like we know they should.  Developers are also 
>>>>> fighting
>>>>> battles to improve code quality in general.  Many teams I talk 
>>>>> with hardly
>>>>> document anything or even perform peer code review.  These are 
>>>>> areas that
>>>>> most developers feel should be done better but don't invest the 
>>>>> time.
>>>>> Appsec is getting lost in the code quality shuffle.
>>>>>
>>>>> It would be beneficial if OWASP (or another organization) provided
>>>>> security education across roles.  Sure, developers at conferences 
>>>>> but also
>>>>> role appropriate top down appsec education.  Most CISO's today are 
>>>>> IT
>>>>> firewall guys.  Less than 13% of Fortune 100 CISO's[1] have any 
>>>>> kind of
>>>>> background in programming\engineering. They think security is 
>>>>> found in a 1U
>>>>> box.  We can't expect these CISO to think like we do.  We need to 
>>>>> be
>>>>> changing the hearts and minds of IT business leaders.  OWASP 
>>>>> representation
>>>>> at conferences like Gartner's IT Security Summit would be helpful 
>>>>> to reach
>>>>> c-level execs.  Also some representation with policy makers would 
>>>>> be
>>>>> helpful.  Each leader and policy maker we influence makes it 
>>>>> easier for
>>>>> anyone under their purview trying to improve appsec.  Creating a 
>>>>> "culture"
>>>>> of security creates an environment friendlier and more receptive 
>>>>> when you
>>>>> propose your next appsec project.  OWASP is not going to code its 
>>>>> way out
>>>>> of appsec challenges.
>>>>>
>>>>> --Milton
>>>>>
>>>>> [1]
>>>>> https://digitalguardian.com/blog/anatomy-ciso-breakdown-todays-top-security-leaders-infographic
>>>>>
>>>>> On 23 Mar 2016, at 9:48, Daniel Harvey wrote:
>>>>>
>>>>>> In this case we may not be able to reach the developers who just don't want
>>>>>> to listen, but we should have a strategy to reach developers 
>>>>>> before they
>>>>>> get to that point.  Such as get more involved in the places where
>>>>>> developers learn to develop and ingrain secure programming in the 
>>>>>> basic
>>>>>> tutorials on how to develop.
>>>>>>
>>>>>> On Wed, Mar 23, 2016 at 11:42 AM, Mark Miller 
>>>>>> <mark.miller at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>>> What about those that don't want to listen, could care less to listen
>>>>>>>
>>>>>>> Then this is not our market. Trying to teach a fish to climb a 
>>>>>>> tree
>>>>>>> just
>>>>>>> gets frustrating for both parties.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>>> These were *security people*, at a *security conference*, interested
>>>>>>>>> in what was going on outside of their main area of expertise.
>>>>>>>>
>>>>>>>> Exactly, they were ready to listen ;-). They went there because 
>>>>>>>> they
>>>>>>>> wanted to know more about security.
>>>>>>>>
>>>>>>>> What about those that don't want to listen, could care less to 
>>>>>>>> listen,
>>>>>>>> which I think represents the big majority of developers?
>>>>>>>>
>>>>>>>> If everyone was ready to listen and know about security then 
>>>>>>>> the Top
>>>>>>>> 10
>>>>>>>> should have changed since the beginning of time...;-P and we 
>>>>>>>> were not
>>>>>>>> struggling to promote the message
>>>>>>>>
>>>>>>>> Just that people understand what I am trying to communicate here:
>>>>>>>>
>>>>>>>>    - I support going to Dev conferences but with a clear 
>>>>>>>> strategy in
>>>>>>>>    mind which leads to:
>>>>>>>>       - Who are you sending and can this 'representative' be 
>>>>>>>> able to
>>>>>>>>       talk the same language as devs, engage them about 
>>>>>>>> security or
>>>>>>>> act as an
>>>>>>>>       ambassador?
>>>>>>>>       - Are travel costs covered fully for those OWASP leaders 
>>>>>>>> willing
>>>>>>>>       to assist to these dev conferences?
>>>>>>>>
>>>>>>>> I think the community wants clarity of the purpose of assisting 
>>>>>>>> to
>>>>>>>> devs
>>>>>>>> conferences and who will be entitled to assist. I think we need 
>>>>>>>> to
>>>>>>>> look at
>>>>>>>> experts like Bill and send him to Microsoft Conference to 
>>>>>>>> mingle
>>>>>>>> there for
>>>>>>>> example.
>>>>>>>> These people are knowledgeable, understand perfectly the 
>>>>>>>> struggles
>>>>>>>> from a
>>>>>>>> developer point of view,  that can talk and understand the 
>>>>>>>> issues
>>>>>>>> from *a
>>>>>>>> developer point of view*.
>>>>>>>>
>>>>>>>> But if you send a *no developer* to preach security, or someone 
>>>>>>>> that
>>>>>>>> has
>>>>>>>> never programmed in that language or platform,  I think this is 
>>>>>>>> a very
>>>>>>>> wrong approach. I have not met yet the developer that has not 
>>>>>>>> had a
>>>>>>>> fight
>>>>>>>> with a pen tester regarding bugs found...
>>>>>>>>
>>>>>>>> I think it is a waste of money on activities without clear goals 
>>>>>>>> and
>>>>>>>> measurement of that impact in mind .
>>>>>>>>
>>>>>>>> Why did only 25 persons vote in the survey when we claim we 
>>>>>>>> have more
>>>>>>>> than 20K people on the mailing lists?
>>>>>>>>
>>>>>>>> I'll stop spamming this list. I hope my message is clear.
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller 
>>>>>>>> <mark.miller at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Attending, participating and supporting other conferences is a
>>>>>>>>> cornerstone of community activity, not just to get our message 
>>>>>>>>> out,
>>>>>>>>> but to
>>>>>>>>> participate in a global ecosystem of DevSecOps.
>>>>>>>>>
>>>>>>>>> Regarding participation in other conferences, I can confirm 
>>>>>>>>> when I
>>>>>>>>> produced the DevOps track at RSA Conference 2016 three weeks 
>>>>>>>>> ago, we
>>>>>>>>> had
>>>>>>>>> 600+ people attend the full day of sessions. These were 
>>>>>>>>> security
>>>>>>>>> people, at
>>>>>>>>> a security conference, interested in what was going on outside 
>>>>>>>>> of
>>>>>>>>> their
>>>>>>>>> main area of expertise.
>>>>>>>>>
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>> That's why I think heading out to the large cons is a good 
>>>>>>>>> start.
>>>>>>>>>>>>
>>>>>>>>>>> Yes, I believe so too, however the strategy must not be just 
>>>>>>>>>>> to be
>>>>>>>>>> there but :
>>>>>>>>>>
>>>>>>>>>>    - Do surveys to research more how to engage these devs
>>>>>>>>>>    - Just giving a 'talk' does not mean you are really 
>>>>>>>>>> engaging the
>>>>>>>>>>    developer audience
>>>>>>>>>>
>>>>>>>>>> Effective ways to reach these audience.
>>>>>>>>>>
>>>>>>>>>> We need to put the helmet of a developers in our heads. Not 
>>>>>>>>>> just
>>>>>>>>>> *look* from it from the 'security' perspective
>>>>>>>>>>
>>>>>>>>>> We 'devs' hate security (many I have spoken with, including me). 
>>>>>>>>>> It
>>>>>>>>>> makes
>>>>>>>>>> our lives difficult, we only want to focus and get the work 
>>>>>>>>>> done at
>>>>>>>>>> the
>>>>>>>>>> functional part with all the pressure there is  to deliver 
>>>>>>>>>> and
>>>>>>>>>> produce
>>>>>>>>>> software. From the business pov people(aka Sales+Managers) 
>>>>>>>>>> want to
>>>>>>>>>> deliver
>>>>>>>>>> software that works and they also tend to forget 'security' 
>>>>>>>>>> as part
>>>>>>>>>> of the
>>>>>>>>>> offer (aka quotation and price).
>>>>>>>>>>
>>>>>>>>>> Only when they hear there is a 'pen tester' coming, everyone 
>>>>>>>>>> starts
>>>>>>>>>> biting their nails 😱
>>>>>>>>>>
>>>>>>>>>> Or when they hear ' the application has been hacked'😵 
>>>>>>>>>> (which also
>>>>>>>>>> happened to me. So you engage most of the time when it is too 
>>>>>>>>>> late)
>>>>>>>>>> Then you
>>>>>>>>>> get paranoid. Then you only think about security about this
>>>>>>>>>> traumatic
>>>>>>>>>> experience. So traumatic to me that now I'm into Offensive 
>>>>>>>>>> security
>>>>>>>>>> certification, and all kinds of 'security mixed' things...I 
>>>>>>>>>> have
>>>>>>>>>> been
>>>>>>>>>> 'converted' 😁
>>>>>>>>>>
>>>>>>>>>> My experience is , developers want easy solutions and not 
>>>>>>>>>> people
>>>>>>>>>> preaching to us that is all our blame ... Not preaching to us
>>>>>>>>>> security
>>>>>>>>>> especially to those that see this as extra work...
>>>>>>>>>>
>>>>>>>>>> What are other developers experience with security? I would 
>>>>>>>>>> love to
>>>>>>>>>> know
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf 
>>>>>>>>>> <bill at pointweb.net>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> It will be interesting to know *how* to engage properly 
>>>>>>>>>>>> developers
>>>>>>>>>>>> with zero background in security.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I can't speak for everyone on the initiative team, but this 
>>>>>>>>>>>> is
>>>>>>>>>>> exactly
>>>>>>>>>>> why  I am interested in this.
>>>>>>>>>>>
>>>>>>>>>>> Since 2010 I have made "bridging the gap" a core focus of my
>>>>>>>>>>> community
>>>>>>>>>>> work. I give developer talks at security cons and security 
>>>>>>>>>>> talks at
>>>>>>>>>>> developer cons.  Bringing the official OWASP banner to 
>>>>>>>>>>> developer
>>>>>>>>>>> cons and
>>>>>>>>>>> talking to current devs about what they really need from us 
>>>>>>>>>>> has
>>>>>>>>>>> brought me
>>>>>>>>>>> personally a lot of targeted focus in my content creation.
>>>>>>>>>>>
>>>>>>>>>>> That's why I think heading out to the large cons is a good 
>>>>>>>>>>> start.
>>>>>>>>>>>
>>>>>>>>>>> S
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <
>>>>>>>>>>>> noreen.whysel at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I think it is pretty clear. Find out what kinds of 
>>>>>>>>>>>> developer
>>>>>>>>>>>>> events
>>>>>>>>>>>>> people are going to, have a presence at these events, 
>>>>>>>>>>>>> learn how
>>>>>>>>>>>>> they are
>>>>>>>>>>>>> reaching, teaching and communicating with the developer
>>>>>>>>>>>>> community, Then
>>>>>>>>>>>>> "design an outreach program" part takes into consideration 
>>>>>>>>>>>>> what
>>>>>>>>>>>>> we learned.
>>>>>>>>>>>>> I think the last part is what Johanna is interested in and 
>>>>>>>>>>>>> can
>>>>>>>>>>>>> be developed
>>>>>>>>>>>>> at a local chapter level or via virtual trainings. But we 
>>>>>>>>>>>>> want
>>>>>>>>>>>>> to do a
>>>>>>>>>>>>> little research first to find out how to engage developers 
>>>>>>>>>>>>> and
>>>>>>>>>>>>> where our
>>>>>>>>>>>>> message fits.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Noreen Whysel
>>>>>>>>>>>>> Community Manager
>>>>>>>>>>>>> OWASP Foundation
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>  Just "being there" is a great place to start.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Bill, I believe this already happens. With just being 
>>>>>>>>>>>>>> there
>>>>>>>>>>>>>> in a
>>>>>>>>>>>>>> form of a booth presence does always help. That's actually 
>>>>>>>>>>>>>> how I
>>>>>>>>>>>>>> got
>>>>>>>>>>>>>> involved with owasp, but this is an 'old' strategy, 
>>>>>>>>>>>>>> nothing new
>>>>>>>>>>>>>> and only
>>>>>>>>>>>>>> has impact on those developers that assist to 
>>>>>>>>>>>>>> conferences.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What about all those thousands of devs that cannot pay 
>>>>>>>>>>>>>> these
>>>>>>>>>>>>>> expensive conferences, living in countries like me?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I support Matt's idea and I just think that it needs to 
>>>>>>>>>>>>>> be
>>>>>>>>>>>>>> promoted
>>>>>>>>>>>>>> so we can design this outreach, not just as visiting 
>>>>>>>>>>>>>> conferences
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> cheers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Johanna
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf 
>>>>>>>>>>>>>> <bill at pointweb.net>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> We do not reach this community just by assisting to 
>>>>>>>>>>>>>>>> these
>>>>>>>>>>>>>>>> conferences.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I disagree comprehensively with this statement. Through
>>>>>>>>>>>>>>> participation in developer conferences like CodeMash and
>>>>>>>>>>>>>>> Stirtrek, I have
>>>>>>>>>>>>>>> seen quantifiable increase in the 'reach' of security.  
>>>>>>>>>>>>>>> All of
>>>>>>>>>>>>>>> the OWASP
>>>>>>>>>>>>>>> chapters in the area have seen significant increases in
>>>>>>>>>>>>>>> growth, there have
>>>>>>>>>>>>>>> been far more security-focused talks at user groups, 
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> there has been a
>>>>>>>>>>>>>>> significant increase in requests for security expertise 
>>>>>>>>>>>>>>> from
>>>>>>>>>>>>>>> the area
>>>>>>>>>>>>>>> consulting firms.  Just "being there" is a great place 
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> start.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> That said, if something significant is learned while we 
>>>>>>>>>>>>>>> are
>>>>>>>>>>>>>>> just
>>>>>>>>>>>>>>> being there, and it leads to a larger strategy, so be 
>>>>>>>>>>>>>>> it.
>>>>>>>>>>>>>>> Personally, I'm
>>>>>>>>>>>>>>> pleased to see some action on a front of attack, rather 
>>>>>>>>>>>>>>> than
>>>>>>>>>>>>>>> constant
>>>>>>>>>>>>>>> discussion.  It's a low risk activity with a potentially 
>>>>>>>>>>>>>>> high
>>>>>>>>>>>>>>> reward.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> S
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Johanna Curiel
>>>>>>>>>>>>>> OWASP Volunteer
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Johanna Curiel
>>>>>>>>>>>> OWASP Volunteer
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Johanna Curiel
>>>>>>>>>> OWASP Volunteer
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Mark Miller, Senior Storyteller*
>>>>>>>>> *Curator and Founder, Trusted Software Alliance*
>>>>>>>>>
>>>>>>>>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>>>>>>>>> *Community Advocate, Sonatype*
>>>>>>>>>
>>>>>>>>> *Developers and Application Security: Who is Responsible?*
>>>>>>>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Johanna Curiel
>>>>>>>> OWASP Volunteer
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Mark Miller, Senior Storyteller*
>>>>>>> *Curator and Founder, Trusted Software Alliance*
>>>>>>>
>>>>>>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>>>>>>> *Community Advocate, Sonatype*
>>>>>>>
>>>>>>> *Developers and Application Security: Who is Responsible?*
>>>>>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>>>>>>
>>>>>>>
>>>
>>
>>
>>
>> -- 
>> Johanna Curiel
>> OWASP Volunteer

