[Owasp-leaders] 2016 Developer Survey Results

johanna curiel curiel johanna.curiel at owasp.org
Wed Mar 23 15:36:50 UTC 2016


>>These were *security people*, at a *security conference*, interested in
what was going on outside of their main area of expertise.

Exactly, they were ready to listen ;-). They went there because they wanted
to know more about security.

What about those who don't want to listen, who couldn't care less about listening,
which I think represents the big majority of developers?

If everyone were ready to listen and learn about security, then the Top 10
would have changed since the beginning of time... ;-P and we would not be
struggling to promote the message.

Just so that people understand what I am trying to communicate here:

   - I support going to dev conferences, but with a clear strategy in mind,
   which leads to:
      - Who are you sending, and will this 'representative' be able to talk
      the same language as devs, engage them about security, or act as an
      ambassador?
      - Are travel costs covered fully for those OWASP leaders willing to
      attend these dev conferences?

I think the community wants clarity on the purpose of attending dev
conferences and on who will be entitled to attend. I think we need to look at
experts like Bill and send him to the Microsoft conference to mingle there, for
example.
These people are knowledgeable, understand perfectly the struggles from a
developer point of view, and can talk about and understand the issues from *a
developer point of view*.

But if you send a *non-developer* to preach security, or someone who has
never programmed in that language or platform, I think this is a very
wrong approach. I have not yet met the developer who has not had a fight
with a pen tester regarding bugs found...

I think it is a waste of money to spend on activities without clear goals and
measurement of their impact in mind.

Why did only 25 people vote in the survey when we claim we have more than
20K people on the mailing lists?

I'll stop spamming this list. I hope my message is clear.


Cheers

Johanna

On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller <mark.miller at owasp.org> wrote:

> Attending, participating and supporting other conferences is a cornerstone
> of community activity, not just to get our message out, but to participate
> in a global ecosystem of DevSecOps.
>
> Regarding participation in other conferences, I can confirm when I
> produced the DevOps track at RSA Conference 2016 three weeks ago, we had
> 600+ people attend the full day of sessions. These were security people, at
> a security conference, interested in what was going on outside of their
> main area of expertise.
>
> Mark
>
> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> >>That's why I think heading out to the large cons is a good start.
>> Yes, I believe so too; however, the strategy must not be just to be there,
>> but:
>>
>>    - Do surveys to research more how to engage these devs
>>    - Just giving a 'talk' does not mean you are really engaging the
>>    developer audience
>>
>> Effective ways to reach this audience.
>>
>> We need to put a developer's helmet on our heads, not just *look* at it
>> from the 'security' perspective.
>>
>> We 'devs' hate security (many I have spoken with, including me). It makes
>> our lives difficult; we only want to focus on and get the work done on the
>> functional part, with all the pressure there is to deliver and produce
>> software. From the business POV, people (aka Sales + Managers) want to deliver
>> software that works, and they also tend to forget 'security' as part of the
>> offer (aka quotation and price).
>>
>> Only when they hear there is a 'pen tester' coming does everyone start
>> biting their nails 😱
>>
>> Or when they hear 'the application has been hacked' 😵 (which also
>> happened to me, so you engage most of the time when it is too late). Then you
>> get paranoid; then you only think about security because of this traumatic
>> experience. So traumatic to me that now I'm into offensive security
>> certification, and all kinds of 'security mixed' things... I have been
>> 'converted' 😁
>>
>> My experience is, developers want easy solutions and not people
>> preaching to us that it is all our fault... Not preaching security to us,
>> especially to those who see this as extra work...
>>
>> What are other developers' experiences with security? I would love to know.
>>
>>
>>
>>
>>
>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:
>>
>>>
>>>
>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>>
>>>>
>>>> It will be interesting to know *how* to properly engage developers
>>>> with zero background in security.
>>>>
>>>>
>>>>
>>> I can't speak for everyone on the initiative team, but this is exactly
>>> why I am interested in this.
>>>
>>> Since 2010 I have made "bridging the gap" a core focus of my community
>>> work. I give developer talks at security cons and security talks at
>>> developer cons. Bringing the official OWASP banner to developer cons and
>>> talking to current devs about what they really need from us has brought me
>>> personally a lot of targeted focus in my content creation.
>>>
>>> That's why I think heading out to the large cons is a good start.
>>>
>>> S
>>>
>>>
>>>>
>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <noreen.whysel at owasp.org
>>>> > wrote:
>>>>
>>>>> I think it is pretty clear. Find out what kinds of developer events
>>>>> people are going to, have a presence at these events, learn how they are
>>>>> reaching, teaching and communicating with the developer community. Then
>>>>> the "design an outreach program" part takes into consideration what we learned.
>>>>> I think the last part is what Johanna is interested in and can be developed
>>>>> at a local chapter level or via virtual trainings. But we want to do a
>>>>> little research first to find out how to engage developers and where our
>>>>> message fits.
>>>>>
>>>>> Noreen Whysel
>>>>> Community Manager
>>>>> OWASP Foundation
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>>  Just "being there" is a great place to start.
>>>>>>
>>>>>> Hi Bill, I believe this already happens. Just being there in the
>>>>>> form of a booth presence does always help. That's actually how I got
>>>>>> involved with OWASP, but this is an 'old' strategy, nothing new, and it only
>>>>>> has an impact on those developers who attend conferences.
>>>>>>
>>>>>> What about all those thousands of devs who cannot pay for these
>>>>>> expensive conferences, living in countries like mine?
>>>>>>
>>>>>> I support Matt's idea, and I just think that it needs to be promoted
>>>>>> so we can design this outreach, not just as visiting conferences.
>>>>>>
>>>>>> cheers
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> We do not reach this community just by attending these
>>>>>>>> conferences.
>>>>>>>>
>>>>>>>>
>>>>>>> I disagree comprehensively with this statement. Through
>>>>>>> participation in developer conferences like CodeMash and Stirtrek, I have
>>>>>>> seen a quantifiable increase in the 'reach' of security. All of the OWASP
>>>>>>> chapters in the area have seen significant increases in growth, there have
>>>>>>> been far more security-focused talks at user groups, and there has been a
>>>>>>> significant increase in requests for security expertise from the area
>>>>>>> consulting firms. Just "being there" is a great place to start.
>>>>>>>
>>>>>>> That said, if something significant is learned while we are just
>>>>>>> being there, and it leads to a larger strategy, so be it.  Personally, I'm
>>>>>>> pleased to see some action on a front of attack, rather than constant
>>>>>>> discussion.  It's a low risk activity with a potentially high reward.
>>>>>>>
>>>>>>> S
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> *Mark Miller, Senior Storyteller*
> *Curator and Founder, Trusted Software Alliance*
>
> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
> *Community Advocate, Sonatype*
>
> *Developers and Application Security: Who is Responsible?*
> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>
>


-- 
Johanna Curiel
OWASP Volunteer