[Owasp-leaders] 2016 Developer Survey Results

Mark Miller mark.miller at owasp.org
Wed Mar 23 15:42:36 UTC 2016


> What about those that don't want to listen, could care less to listen

Then this is not our market. Trying to teach a fish to climb a tree just
gets frustrating for both parties.




On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>These were *security people*, at a *security conference*, interested in
> what was going on outside of their main area of expertise.
>
> Exactly, they were ready to listen ;-). They went there because they
> wanted to know more about security.
>
> What about those that don't want to listen, could care less to listen,
> which I think represents the big majority of developers?
>
> If everyone was ready to listen and know about security, then the Top 10
> should have changed since the beginning of time...;-P and we would not be
> struggling to promote the message.
>
> Just so people understand what I am trying to communicate here:
>
>    - I support going to Dev conferences but with a clear strategy in mind
>    which leads to:
>       - Who are you sending, and is this 'representative' able to talk
>       the same language as devs, engage them about security or act as an
>       ambassador?
>       - Are travel costs covered fully for those OWASP leaders willing to
>       attend these dev conferences?
>
> I think the community wants clarity on the purpose of attending dev
> conferences and who will be entitled to attend. I think we need to look at
> experts like Bill and send him to the Microsoft Conference to mingle there, for
> example.
> These people are knowledgeable, understand perfectly the struggles from a
> developer point of view, and can talk about and understand the issues from *a
> developer point of view*.
>
> But if you send a *non-developer* to preach security, or someone that has
> never programmed in that language or platform, I think this is a very
> wrong approach. I have not yet met the developer that has not had a fight
> with a pen tester regarding bugs found...
>
> I think it is a waste of money on activities without clear goals and
> measurement of that impact in mind.
>
> Why did only 25 people vote in the survey when we claim we have more
> than 20K people on the mailing lists?
>
> I'll stop spamming this list. I hope my message is clear.
>
>
> Cheers
>
> Johanna
>
> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller <mark.miller at owasp.org>
> wrote:
>
>> Attending, participating and supporting other conferences is a
>> cornerstone of community activity, not just to get our message out, but to
>> participate in a global ecosystem of DevSecOps.
>>
>> Regarding participation in other conferences, I can confirm when I
>> produced the DevOps track at RSA Conference 2016 three weeks ago, we had
>> 600+ people attend the full day of sessions. These were security people, at
>> a security conference, interested in what was going on outside of their
>> main area of expertise.
>>
>> Mark
>>
>> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>That's why I think heading out to the large cons is a good start.
>>> Yes, I believe so too; however, the strategy must not be just to be there
>>> but:
>>>
>>>    - Do surveys to research more how to engage these devs
>>>    - Just giving a 'talk' does not mean you are really engaging the
>>>    developer audience
>>>
>>> Effective ways to reach this audience.
>>>
>>> We need to put the helmet of a developer on our heads, not just *look*
>>> at it from the 'security' perspective.
>>>
>>> We 'devs' hate security (many I have spoken with, including me). It makes
>>> our lives difficult; we only want to focus and get the work done on the
>>> functional part, with all the pressure there is to deliver and produce
>>> software. From the business POV, people (aka Sales+Managers) want to deliver
>>> software that works, and they also tend to forget 'security' as part of the
>>> offer (aka quotation and price).
>>>
>>> Only when they hear there is a 'pen tester' coming, everyone starts
>>> biting their nails 😱
>>>
>>> Or when they hear 'the application has been hacked' 😵 (which also
>>> happened to me. So you engage most of the time when it is too late.) Then you
>>> get paranoid. Then you only think about security after this traumatic
>>> experience. So traumatic to me that now I'm into Offensive Security
>>> certification, and all kinds of 'security mixed' things... I have been
>>> 'converted' 😁
>>>
>>> My experience is, developers want easy solutions and not people
>>> preaching to us that it is all our blame... Not preaching security to us,
>>> especially to those that see this as extra work...
>>>
>>> What are other developers' experiences with security? I would love to know.
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>>
>>>>>
>>>>> It will be interesting to know *how* to properly engage developers
>>>>> with zero background in security.
>>>>>
>>>>>
>>>>>
>>>> I can't speak for everyone on the initiative team, but this is exactly
>>>> why I am interested in this.
>>>>
>>>> Since 2010 I have made "bridging the gap" a core focus of my community
>>>> work. I give developer talks at security cons and security talks at
>>>> developer cons. Bringing the official OWASP banner to developer cons and
>>>> talking to current devs about what they really need from us has brought me
>>>> personally a lot of targeted focus in my content creation.
>>>>
>>>> That's why I think heading out to the large cons is a good start.
>>>>
>>>> S
>>>>
>>>>
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <
>>>>> noreen.whysel at owasp.org> wrote:
>>>>>
>>>>>> I think it is pretty clear. Find out what kinds of developer events
>>>>>> people are going to, have a presence at these events, learn how they are
>>>>>> reaching, teaching and communicating with the developer community. Then the
>>>>>> "design an outreach program" part takes into consideration what we learned.
>>>>>> I think the last part is what Johanna is interested in and can be developed
>>>>>> at a local chapter level or via virtual trainings. But we want to do a
>>>>>> little research first to find out how to engage developers and where our
>>>>>> message fits.
>>>>>>
>>>>>> Noreen Whysel
>>>>>> Community Manager
>>>>>> OWASP Foundation
>>>>>>
>>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>>  Just "being there" is a great place to start.
>>>>>>>
>>>>>>> Hi Bill, I believe this already happens. Just being there in the
>>>>>>> form of a booth presence does always help. That's actually how I got
>>>>>>> involved with OWASP, but this is an 'old' strategy, nothing new, and only
>>>>>>> has impact on those developers that attend conferences.
>>>>>>>
>>>>>>> What about all those thousands of devs that cannot pay for these
>>>>>>> expensive conferences, living in countries like mine?
>>>>>>>
>>>>>>> I support Matt's idea, and I just think that it needs to be promoted
>>>>>>> so we can design this outreach, not just as visiting conferences.
>>>>>>>
>>>>>>> cheers
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We do not reach this community just by attending these
>>>>>>>>> conferences.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I disagree comprehensively with this statement. Through
>>>>>>>> participation in developer conferences like CodeMash and Stirtrek, I have
>>>>>>>> seen a quantifiable increase in the 'reach' of security. All of the OWASP
>>>>>>>> chapters in the area have seen significant increases in growth, there have
>>>>>>>> been far more security-focused talks at user groups, and there has been a
>>>>>>>> significant increase in requests for security expertise from the area
>>>>>>>> consulting firms. Just "being there" is a great place to start.
>>>>>>>>
>>>>>>>> That said, if something significant is learned while we are just
>>>>>>>> being there, and it leads to a larger strategy, so be it. Personally, I'm
>>>>>>>> pleased to see some action on a front of attack, rather than constant
>>>>>>>> discussion. It's a low-risk activity with a potentially high reward.
>>>>>>>>
>>>>>>>> S
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>> OWASP Volunteer
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> *Mark Miller, Senior Storyteller*
>> *Curator and Founder, Trusted Software Alliance*
>>
>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>> *Community Advocate, Sonatype*
>>
>> *Developers and Application Security: Who is Responsible?*
>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>



-- 
*Mark Miller, Senior Storyteller*
*Curator and Founder, Trusted Software Alliance*

*Host and Executive Producer, OWASP 24/7 Podcast Channel*
*Community Advocate, Sonatype*

*Developers and Application Security: Who is Responsible?*
<https://www.surveymonkey.com/s/Developers_and_AppSec>