[Owasp-leaders] 2016 Developer Survey Results

johanna curiel curiel johanna.curiel at owasp.org
Tue Mar 22 21:06:05 UTC 2016


>>That's why I think heading out to the large cons is a good start.
Yes, I believe so too, however the strategy must not be just to be there
but:

   - Do surveys to research more how to engage these devs
   - Just giving a 'talk' does not mean you are really engaging the
   developer audience

Effective ways to reach this audience.

We need to put the helmet of a developer on our heads. Not just *look*
at it from the 'security' perspective.

We 'devs' hate security (many I have spoken with, including me). It makes our
lives difficult, we only want to focus and get the work done at the
functional part with all the pressure there is to deliver and produce
software. From the business POV, people (aka Sales+Managers) want to deliver
software that works and they also tend to forget 'security' as part of the
offer (aka quotation and price).

Only when they hear there is a 'pen tester' coming, everyone starts biting
their nails 😱

Or when they hear 'the application has been hacked' 😵 (which also happened
to me. So you engage most of the time when it is too late). Then you get
paranoid. Then you only think about security about this traumatic
experience. So traumatic to me that now I'm into Offensive Security
certification, and all kinds of 'security mixed' things... I have been
'converted' 😁

My experience is, developers want easy solutions and not people preaching
to us that it is all our blame ... Not preaching to us security, especially to
those that see this as extra work...

What are other developers' experiences with security? I would love to know.





On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:

>
>
> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>>
>>
>> It will be interesting to know *how* to engage properly developers with
>> zero background in security.
>>
>>
>>
> I can't speak for everyone on the initiative team, but this is exactly why
> I am interested in this.
>
> Since 2010 I have made "bridging the gap" a core focus of my community
> work. I give developer talks at security cons and security talks at
> developer cons.  Bringing the official OWASP banner to developer cons and
> talking to current devs about what they really need from us has brought me
> personally a lot of targeted focus in my content creation.
>
> That's why I think heading out to the large cons is a good start.
>
> S
>
>
>>
>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <noreen.whysel at owasp.org>
>> wrote:
>>
>>> I think it is pretty clear. Find out what kinds of developer events
>>> people are going to, have a presence at these events, learn how they are
>>> reaching, teaching and communicating with the developer community. Then the
>>> "design an outreach program" part takes into consideration what we learned.
>>> I think the last part is what Johanna is interested in and can be developed
>>> at a local chapter level or via virtual trainings. But we want to do a
>>> little research first to find out how to engage developers and where our
>>> message fits.
>>>
>>> Noreen Whysel
>>> Community Manager
>>> OWASP Foundation
>>>
>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>>  Just "being there" is a great place to start.
>>>>
>>>> Hi Bill, I believe this already happens. Just being there in the
>>>> form of a booth presence does always help. That's actually how I got
>>>> involved with OWASP, but this is an 'old' strategy, nothing new, and only
>>>> has impact on those developers that attend conferences.
>>>>
>>>> What about all those thousands of devs that cannot pay for these expensive
>>>> conferences, living in countries like mine?
>>>>
>>>> I support Matt's idea and I just think that it needs to be promoted so
>>>> we can design this outreach, not just as visiting conferences
>>>>
>>>> cheers
>>>>
>>>> Johanna
>>>>
>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> We do not reach this community just by attending these conferences.
>>>>>>
>>>>>>
>>>>> I disagree comprehensively with this statement. Through participation
>>>>> in developer conferences like CodeMash and Stir Trek, I have seen a
>>>>> quantifiable increase in the 'reach' of security.  All of the OWASP
>>>>> chapters in the area have seen significant increases in growth, there have
>>>>> been far more security-focused talks at user groups, and there has been a
>>>>> significant increase in requests for security expertise from the area
>>>>> consulting firms.  Just "being there" is a great place to start.
>>>>>
>>>>> That said, if something significant is learned while we are just being
>>>>> there, and it leads to a larger strategy, so be it.  Personally, I'm
>>>>> pleased to see some action on a front of attack, rather than constant
>>>>> discussion.  It's a low risk activity with a potentially high reward.
>>>>>
>>>>> S
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>


-- 
Johanna Curiel
OWASP Volunteer