[Owasp-leaders] 2016 Developer Survey Results

Kevin W. Wall kevin.w.wall at gmail.com
Sat Mar 26 03:40:01 UTC 2016

On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller <mark.miller at owasp.org> wrote:
> >>These were security people, at a security conference, interested in what was
> >>going on outside of their main area of expertise.
> Exactly, they were ready to listen ;-). They went there because they wanted to
> know more about security.
> What about those that don't want to listen, could care less to listen, which I
> think represents the big majority of developers?

Okay, see this is the very thing that I was mentioning in my previous post
and I completely disagree with this. If I were a regular non-appsec developer
type reading this, I would view this as a spiteful put-down. And Johanna, I most
certainly am NOT trying to make an example of you; I have the utmost respect
for you and all that you've done for OWASP. And God knows that I have done the
same thing _many_ times, but I have come to realize that I was wrong and have
tried to watch myself. So, if you catch me being disrespectful, you have the
right to smack me upside the head, fair enough?

Do you *REALLY* think that the "big majority of developers" feel this
way, or are you equating their _ignorance_ of security with apathy?
Sure, many of them--perhaps even a majority--are ignorant of many security
related things--especially compared to those of us in appsec. But don't
confuse that with apathy. As I mentioned in my previous email, developers
are under a lot of other pressures besides security: performance issues,
tight schedules, even "getting the eye candy to look right" to make some
marketing person who's funding the project happy. As goes the adage:

    When you're up to your ass in alligators, it's hard to remember that
    your first objective was to drain the swamp!

It has NOT been my experience that most developers find appsec uninteresting
and try to avoid it. If anything, I have found the opposite. I have found
quite a few developers who have taught themselves security. In particular,
the number of developers also interested in appsec has drastically increased
in the last 5 years or so as they start to realize that having these skills
gives them a competitive advantage over their colleagues.

> If everyone was ready to listen and know about security then the Top 10 should
> have changed since the beginning of time...;-P

Or, there could be another reason. For instance, that the complexity of
software has been increasing much faster than people's ability to comprehend it.

Otherwise, how can you explain the fact that the software defect density
has not significantly improved (overall) over the past 10 or 15 years? Do you
also think that, as a general rule, programmers are not interested in the
quality of their code? Probably not.

Software development is full of engineering trade-offs. Zooko's Triangle,
which applies to naming in networking protocols, has a more mundane, but more
general, application to software development in general; e.g.,

    secure, convenient, cheap
    secure, fast, cheap

etc. Pick 2 out of 3, but it's hard to get them all.

IMO, a major reason that we've not seen significant improvements in
software security is related to the reason that we still see little improvement
in software quality overall. (That is my intuition based on personal
observations over a 35+ year career; I don't have any hard data points
backing that up. YMMV.)

I think another major reason is that until the Sony hack (which was a major
wakeup call to many) almost a year and a half ago, a lot more companies
placed more importance on features over security. Their approach was
"features sell, but security is boring" and so they found it hard to justify
prioritizing making things more secure over adding more features. But
Sony had an interesting effect. Since then, I have spoken to 2 security
folks in 2 different companies (as well as seeing the effect in my present
company) and both told me that their security budget substantially increased
in 2015--in one case, I was told it was a 50% increase! My conclusion: no
company wants to be the next Sony. Now probably most of that $$ is spent
on fancy new security toys^H^H^H^Hdevices, but at least in one case, I
know that some of it went to training developers in application security.

So perhaps eventually, something good will come out of something bad.

> and we were not struggling to promote the message
> Just that people understand what I'm trying to communicate here:
> I support going to Dev conferences but with a clear strategy in mind which
> leads to:
> Who are you sending and can this 'representative' be able to talk the same
> language as devs, engage them about security or act as an ambassador?
> Are travel costs covered fully for those OWASP leaders willing to assist at
> these dev conferences?

That's essential. And not just for builders and defenders, but also for
breakers as well. I used to work with pen testers who had never programmed
and they were put in charge of running IBM AppScan against Internet facing
web applications. Unfortunately, because they did not fully understand HTTP
or HTML or JavaScript, they were at a disadvantage when they had to enter
into dialogues with developers.

Code is the lingua franca of the development community. If you do not speak
it, you best not be marching into their realms to tell them that they are
doing things wrong.

> I think the community wants clarity of the purpose of assisting to devs
> conferences and who will be entitled to assist. I think we need to look at
> experts like Bill and send him to Microsoft Conference to mingle there for
> example.
> These people are knowledgeable, understand perfectly the struggles from a
> developer point of view, and can talk and understand the issues from a
> developer point of view.
> But if you send a non-developer to preach security, or someone that has never
> programmed in that language or platform, I think this is a very wrong
> approach. I have not yet met the developer that has not had a fight with a pen
> tester regarding bugs found....

A lot of that is because pen testers often don't understand what they are
testing or layer 7 traffic. In my experience, quite a lot of them are just
former network security people with no background at all in programming
or other software related activities.

As I've said in my previous email, I don't think attending developer
conferences is likely to have as much impact as people seem to hope. But it
is one step in the right direction.

Best regards,
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.