[Owasp-leaders] 2016 Developer Survey Results

Azeddine Islam Mennouchi azeddine.mennouchi at owasp.org
Wed Mar 23 16:33:23 UTC 2016


I really get frustrated by this kind of discussion on the list.
I think there are a lot of factors that need to be taken into
consideration in the strategy, a lot of considerations that need to be
validated, and there is just one way to validate those points: by trying.
I also worked as a developer for some period and engaged with a lot of them;
almost all the talks that I did in Algeria and the region were for a dev
audience with very few security people, and to a certain point I came up
with conclusions:
1- Security needs to be taught with the basics of programming. It is always
hard to train devs in secure programming after they have picked up a lot of insecure
habits; it is like trying to teach someone to write with his left hand when
all his life he has been using his right hand.
2- Security is a choice. Some people know about it but they tend to ignore
it, and in this situation I'm with Mark: we cannot teach a fish to climb a
tree.

Now, for me, what I think needs to be done is to build a clear statistical
model, not 25 answers, and attending dev confs would be a great way to
build that statistical model.

Regards, Islam
On Mar 23, 2016 4:45 PM, "Mark Miller" <mark.miller at owasp.org> wrote:

> > What about those that don't want to listen, could care less to listen
>
> Then this is not our market. Trying to teach a fish to climb a tree just
> gets frustrating for both parties.
>
>
>
>
> On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> >>These were *security people*, at a *security conference*, interested
>> in what was going on outside of their main area of expertise.
>>
>> Exactly, they were ready to listen ;-). They went there because they
>> wanted to know more about security.
>>
>> What about those that don't want to listen, could care less to listen,
>> which I think represents the big majority of developers?
>>
>> If everyone was ready to listen and know about security, then the Top 10
>> should have changed since the beginning of time...;-P and we would not be
>> struggling to promote the message.
>>
>> Just so people understand what I am trying to communicate here:
>>
>>    - I support going to Dev conferences, but with a clear strategy in
>>    mind, which leads to:
>>       - Who are you sending, and is this 'representative' able to
>>       talk the same language as devs, engage them about security or act as an
>>       ambassador?
>>       - Are travel costs covered fully for those OWASP leaders willing
>>       to attend these dev conferences?
>>
>> I think the community wants clarity on the purpose of attending dev
>> conferences and who will be entitled to attend. I think we need to look at
>> experts like Bill and send him to the Microsoft Conference to mingle there, for
>> example.
>> These people are knowledgeable, understand perfectly the struggles from a
>> developer point of view, and can talk about and understand the issues from *a
>> developer point of view*.
>>
>> But if you send a *non-developer* to preach security, or someone that has
>> never programmed in that language or platform, I think this is a very
>> wrong approach. I have not yet met the developer that has not had a fight
>> with a pen tester regarding bugs found...
>>
>> I think it is a waste of money on activities without clear goals and
>> measurement of that impact in mind.
>>
>> Why did only 25 people vote in the survey when we claim we have more
>> than 20K people on the mailing lists?
>>
>> I'll stop spamming this list. I hope my message is clear.
>>
>>
>> Cheers
>>
>> Johanna
>>
>> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller <mark.miller at owasp.org>
>> wrote:
>>
>>> Attending, participating and supporting other conferences is a
>>> cornerstone of community activity, not just to get our message out, but to
>>> participate in a global ecosystem of DevSecOps.
>>>
>>> Regarding participation in other conferences, I can confirm when I
>>> produced the DevOps track at RSA Conference 2016 three weeks ago, we had
>>> 600+ people attend the full day of sessions. These were security people, at
>>> a security conference, interested in what was going on outside of their
>>> main area of expertise.
>>>
>>> Mark
>>>
>>> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >>That's why I think heading out to the large cons is a good start.
>>>> Yes, I believe so too; however, the strategy must not be just to be
>>>> there but:
>>>>
>>>>    - Do surveys to research more how to engage these devs
>>>>    - Just giving a 'talk' does not mean you are really engaging the
>>>>    developer audience
>>>>
>>>> Effective ways to reach this audience.
>>>>
>>>> We need to put the helmet of a developer on our heads. Not just
>>>> *look* at it from the 'security' perspective.
>>>>
>>>> We 'devs' hate security (many I have spoken with, including me). It makes
>>>> our lives difficult; we only want to focus on and get the work done on the
>>>> functional part, with all the pressure there is to deliver and produce
>>>> software. From the business POV, people (aka Sales+Managers) want to deliver
>>>> software that works, and they also tend to forget 'security' as part of the
>>>> offer (aka quotation and price).
>>>>
>>>> Only when they hear there is a 'pen tester' coming does everyone start
>>>> biting their nails 😱
>>>>
>>>> Or when they hear 'the application has been hacked' 😵 (which also
>>>> happened to me. So you engage most of the time when it is too late.) Then you
>>>> get paranoid; then you only think about security because of this traumatic
>>>> experience. So traumatic to me that now I'm into Offensive Security
>>>> certification, and all kinds of 'security mixed' things... I have been
>>>> 'converted' 😁
>>>>
>>>> My experience is, developers want easy solutions and not people
>>>> preaching to us that it is all our blame ... Not preaching security to us,
>>>> especially to those that see this as extra work...
>>>>
>>>> What are other developers' experiences with security? I would love to know.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> It will be interesting to know *how* to properly engage developers
>>>>>> with zero background in security.
>>>>>>
>>>>>>
>>>>>>
>>>>> I can't speak for everyone on the initiative team, but this is exactly
>>>>> why I am interested in this.
>>>>>
>>>>> Since 2010 I have made "bridging the gap" a core focus of my community
>>>>> work. I give developer talks at security cons and security talks at
>>>>> developer cons. Bringing the official OWASP banner to developer cons and
>>>>> talking to current devs about what they really need from us has brought me
>>>>> personally a lot of targeted focus in my content creation.
>>>>>
>>>>> That's why I think heading out to the large cons is a good start.
>>>>>
>>>>> S
>>>>>
>>>>>
>>>>>>
>>>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <
>>>>>> noreen.whysel at owasp.org> wrote:
>>>>>>
>>>>>>> I think it is pretty clear. Find out what kinds of developer events
>>>>>>> people are going to, have a presence at these events, learn how they are
>>>>>>> reaching, teaching and communicating with the developer community. Then
>>>>>>> the "design an outreach program" part takes into consideration what we learned.
>>>>>>> I think the last part is what Johanna is interested in, and it can be developed
>>>>>>> at a local chapter level or via virtual trainings. But we want to do a
>>>>>>> little research first to find out how to engage developers and where our
>>>>>>> message fits.
>>>>>>>
>>>>>>> Noreen Whysel
>>>>>>> Community Manager
>>>>>>> OWASP Foundation
>>>>>>>
>>>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>>  Just "being there" is a great place to start.
>>>>>>>>
>>>>>>>> Hi Bill, I believe this already happens. Just being there in the
>>>>>>>> form of a booth presence does always help. That's actually how I got
>>>>>>>> involved with OWASP, but this is an 'old' strategy, nothing new, and it only
>>>>>>>> has impact on those developers that attend conferences.
>>>>>>>>
>>>>>>>> What about all those thousands of devs that cannot pay for these
>>>>>>>> expensive conferences, living in countries like mine?
>>>>>>>>
>>>>>>>> I support Matt's idea and I just think that it needs to be promoted
>>>>>>>> so we can design this outreach, not just as visiting conferences.
>>>>>>>>
>>>>>>>> cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> We do not reach this community just by attending these
>>>>>>>>>> conferences.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I disagree comprehensively with this statement. Through
>>>>>>>>> participation in developer conferences like CodeMash and Stirtrek, I have
>>>>>>>>> seen a quantifiable increase in the 'reach' of security. All of the OWASP
>>>>>>>>> chapters in the area have seen significant increases in growth, there have
>>>>>>>>> been far more security-focused talks at user groups, and there has been a
>>>>>>>>> significant increase in requests for security expertise from the area
>>>>>>>>> consulting firms. Just "being there" is a great place to start.
>>>>>>>>>
>>>>>>>>> That said, if something significant is learned while we are just
>>>>>>>>> being there, and it leads to a larger strategy, so be it.  Personally, I'm
>>>>>>>>> pleased to see some action on a front of attack, rather than constant
>>>>>>>>> discussion.  It's a low risk activity with a potentially high reward.
>>>>>>>>>
>>>>>>>>> S
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Johanna Curiel
>>>>>>>> OWASP Volunteer
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> *Mark Miller, Senior Storyteller*
>>> *Curator and Founder, Trusted Software Alliance*
>>>
>>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>>> *Community Advocate, Sonatype*
>>>
>>> *Developers and Application Security: Who is Responsible?*
>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>
>
> --
> *Mark Miller, Senior Storyteller*
> *Curator and Founder, Trusted Software Alliance*
>
> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
> *Community Advocate, Sonatype*
>
> *Developers and Application Security: Who is Responsible?*
> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>
>
>
>