[Owasp-leaders] 2016 Developer Survey Results

Jeremy Long jeremy.long at owasp.org
Fri Mar 25 22:29:12 UTC 2016


I haven't been following this thread at all - but 100% agree, you can't
scan and scold your way secure. There is so much more to building secure
applications that falls into the requirements, design, and implementation.
You need to clearly articulate the security requirements up-front, teams
need to do threat modeling to direct development efforts, select and use
secure frameworks/libraries during design/development, use SAST tools early
in the dev cycle (way before QA testing), etc.

--Jeremy

On Fri, Mar 25, 2016 at 6:13 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

> Oh geez, I'm gonna have a hard time sleeping tonight after reading this.
> Worse than a horror movie. So sad, can this be true? Alas!
>
> Bev
>
> On Fri, Mar 25, 2016 at 4:07 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > Most CISO's today are IT firewall guys.  Less than 13% of Fortune 100
>> CISO's[1] have any kind of background in programming\engineering.
>>
>> Very well said. I think one of the organizational AppSec challenges is to
>> *find the right people* to run AppSec. AppSec should be in the hands of one
>> of the *software development leaders*.  Most folks consider their AppSec
>> team to be a group of security dudes running scans and pentests. This is
>> not the complete AppSec picture, at all.
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160325/d095ef86/attachment.html>


More information about the OWASP-Leaders mailing list