[Owasp-leaders] 2016 Developer Survey Results

Eoin Keary eoin.keary at owasp.org
Mon Mar 28 17:11:12 UTC 2016


I don't think it's a marketing issue but rather defining a way one can easily engage with the knowledge and material available. 

The challenge is how to "inject" some security into someone's day job without too much disruption or affecting productivity in a negative manner (and possibly improving productivity).

"How do I get some engagement which appears as a benefit rather than a hindrance?"


Eoin Keary
OWASP Volunteer
@eoinkeary



> On 23 Mar 2016, at 16:24, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> 
> 
> There's always going to be difference of opinion on how to best approach the problem awareness.  (aka marketing)
> 
> There is no single right answer in the strategy which is to be determined should focus on several different avenues to move the ball forward.  As a member of the board I am pleased to see activity in these areas to drive metrics and educated decisions for recommended investments.  Like you as a paid member I'm also very interested in what the foundation spends money on as it should serve the membership (Builders of Software/Breakers of Software/Defenders of Software) interests proportionally. 
> 
> Note those interests can only be determined with things like discussion email threads and surveys so thumbs up to staff for starting the discussion and with only (25) random people answering a survey that seems a bit small sampling in a community that we claim is 45,000 or even on the leaders list that has over 1200 emails subscribed to it currently per Paul. 
> 
> FWIW The board approved $995,000 for expenditures in 2016 see: https://www.owasp.org/index.php/OWASP_Strategic_Goals the implementation of that strategy and plan(s) are ultimately the decision now of the staff with input from the community.   I call this out to simply state the following creative feedback is helpful destructive feedback is not.
> 
> Want to invest your volunteer cycles into a Strategic doing? SIMPLE:  Create the committee, ask for others to join to work on it and then it becomes the group of volunteers that actually set the agenda and drive it forward HELPING staff in reaching their defined goals. To SIGN UP simple, click here https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus its amazing what you can do with PASSION and a few people in a video conference.
> 
> Finally I like to draw your eyeballs to the reports that are issued monthly
> https://www.owasp.org/index.php/March_16,_2016#Reports_2  any questions can be directed to the writers directly or public comment of members is welcomed monthly at her scheduled and recorded public meetings.
> 
> If you still can't get your point across contact your elected representative on Team OWASP
> https://www.owasp.org/index.php/About_OWASP#2016_Global_Board_Members or throw your hat in the ring for the next election cycle that is coming up shortly stay tuned for the announcement
> 
> "Trying to teach a fish to climb a tree just gets frustrating for"  everyone on the mailing list
> 
> Tom Brennan
> Global Board Member
> 
> 
> 
> 
> 
> 
>> On Wed, Mar 23, 2016 at 11:48 AM, Daniel Harvey <daniel.harvey at owasp.org> wrote:
>> In this case we may not be able to reach the developers who just don't want to listen, but we should have a strategy to reach developers before they get to that point.  Such as get more involved in the places where developers learn to develop and ingrain secure programming in the basic tutorials on how to develop.
>> 
>>> On Wed, Mar 23, 2016 at 11:42 AM, Mark Miller <mark.miller at owasp.org> wrote:
>>> > What about those that don't want to listen, could care less to listen
>>> 
>>> Then this is not our market. Trying to teach a fish to climb a tree just gets frustrating for both parties. 
>>> 
>>> 
>>> 
>>> 
>>>> On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> >>These were security people, at a security conference, interested in what was going on outside of their main area of expertise.
>>>> 
>>>> Exactly, they were ready to listen ;-). They went there because they wanted to know more about security.
>>>> 
>>>> What about those that don't want to listen, could care less to listen, which I think represents the big majority of developers?
>>>> 
>>>> If everyone was ready to listen and know about security then the Top 10 should have changed since the beginning of time...;-P and we were not struggling to promote the message
>>>> 
>>>> Just so that people understand what I am trying to communicate here:
>>>> I support going to Dev conferences but with a clear strategy in mind which leads to:
>>>> Who are you sending and can this 'representative' be able to talk the same language as devs, engage them about security or act as an ambassador?
>>>> Are travel costs covered fully for those OWASP leaders willing to assist to these dev conferences?
>>>> I think the community wants clarity of the purpose of assisting to devs conferences and who will be entitled to assist. I think we need to look at experts like Bill and send him to Microsoft Conference to mingle there for example.
>>>> These people are knowledgeable, understand perfectly the struggles from a developer point of view,  that can talk and understand the issues from a developer point of view.
>>>> 
>>>> But if you send a non-developer to preach security, or someone that has never programmed in that language or platform,  I think this is a very wrong approach. I have not met yet the developer that has not had a fight with a pen tester regarding bugs found...
>>>> 
>>>> I think it is a waste of money on activities without clear goals and measurement of that impact in mind. 
>>>> 
>>>> Why did only 25 people vote in the survey when we claim we have more than 20K people on the mailing lists?
>>>> 
>>>> I'll stop spamming this list. I hope my message is clear.
>>>> 
>>>> 
>>>> Cheers
>>>> 
>>>> Johanna
>>>> 
>>>>> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller <mark.miller at owasp.org> wrote:
>>>>> Attending, participating and supporting other conferences is a cornerstone of community activity, not just to get our message out, but to participate in a global ecosystem of DevSecOps.
>>>>> 
>>>>> Regarding participation in other conferences, I can confirm when I produced the DevOps track at RSA Conference 2016 three weeks ago, we had 600+ people attend the full day of sessions. These were security people, at a security conference, interested in what was going on outside of their main area of expertise.
>>>>> 
>>>>> Mark
>>>>> 
>>>>>> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>> >>That's why I think heading out to the large cons is a good start.
>>>>>> Yes, I believe so too, however the strategy must not be just to be there but :
>>>>>> Do surveys to research more how to engage these devs
>>>>>> Just giving a 'talk' does not mean you are really engaging the developer audience
>>>>>> Effective ways to reach these audience.
>>>>>> 
>>>>>> We need to put the helmet of a developer on our heads. Not just look at it from the 'security' perspective
>>>>>> 
>>>>>> We 'devs' hate security (many I have spoken with, including me). It makes our lives difficult, we only want to focus and get the work done at the functional part with all the pressure there is to deliver and produce software. From the business pov people (aka Sales+Managers) want to deliver software that works and they also tend to forget 'security' as part of the offer (aka quotation and price). 
>>>>>> 
>>>>>> Only when they hear there is a 'pen tester' coming, everyone starts biting their nails 😱
>>>>>> 
>>>>>> Or when they hear 'the application has been hacked' 😵 (which also happened to me. So you engage most of the time when it is too late) Then you get paranoid. Then you only think about security because of this traumatic experience. So traumatic to me that now I'm into Offensive security certification, and all kinds of 'security mixed' things...I have been 'converted' 😁
>>>>>> 
>>>>>> My experience is, developers want easy solutions and not people preaching to us that it is all our blame ... Not preaching security to us, especially to those that see this as extra work...
>>>>>> 
>>>>>> What are other developers experience with security? I would love to know
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> It will be interesting to know how to engage properly developers with zero background in security.
>>>>>>> 
>>>>>>> I can't speak for everyone on the initiative team, but this is exactly why  I am interested in this.
>>>>>>> 
>>>>>>> Since 2010 I have made "bridging the gap" a core focus of my community work. I give developer talks at security cons and security talks at developer cons.  Bringing the official OWASP banner to developer cons and talking to current devs about what they really need from us has brought me personally a lot of targeted focus in my content creation.
>>>>>>> 
>>>>>>> That's why I think heading out to the large cons is a good start.
>>>>>>> 
>>>>>>> S
>>>>>>>  
>>>>>>>> 
>>>>>>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
>>>>>>>>> I think it is pretty clear. Find out what kinds of developer events people are going to, have a presence at these events, learn how they are reaching, teaching and communicating with the developer community. Then the "design an outreach program" part takes into consideration what we learned. I think the last part is what Johanna is interested in and can be developed at a local chapter level or via virtual trainings. But we want to do a little research first to find out how to engage developers and where our message fits.
>>>>>>>>> 
>>>>>>>>> Noreen Whysel
>>>>>>>>> Community Manager
>>>>>>>>> OWASP Foundation
>>>>>>>>> 
>>>>>>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>>>>  Just "being there" is a great place to start.
>>>>>>>>>> 
>>>>>>>>>> Hi Bill, I believe this already happens. With just being there in the form of a booth presence does always help. That's actually how I got involved with owasp, but this is an 'old' strategy, nothing new and only has impact on those developers that attend conferences. 
>>>>>>>>>> 
>>>>>>>>>> What about all those thousands of devs that cannot pay these expensive conferences, living in countries like me?
>>>>>>>>>> 
>>>>>>>>>> I support Matt's idea and I just think that it needs to be promoted so we can design this outreach, not just as visiting conferences
>>>>>>>>>> 
>>>>>>>>>> cheers
>>>>>>>>>> 
>>>>>>>>>> Johanna
>>>>>>>>>> 
>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> We do not reach this community just by assisting to these conferences.
>>>>>>>>>>> 
>>>>>>>>>>> I disagree comprehensively with this statement. Through participation in developer conferences like CodeMash and Stirtrek, I have seen quantifiable increase in the 'reach' of security.  All of the OWASP chapters in the area have seen significant increases in growth, there have been far more security-focused talks at user groups, and there has been a significant increase in requests for security expertise from the area consulting firms.  Just "being there" is a great place to start.
>>>>>>>>>>> 
>>>>>>>>>>> That said, if something significant is learned while we are just being there, and it leads to a larger strategy, so be it.  Personally, I'm pleased to see some action on a front of attack, rather than constant discussion.  It's a low risk activity with a potentially high reward.
>>>>>>>>>>> 
>>>>>>>>>>> S
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> -- 
>>>>>>>>>> Johanna Curiel 
>>>>>>>>>> OWASP Volunteer
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Mark Miller, Senior Storyteller
>>>>> Curator and Founder, Trusted Software Alliance
>>>>> Host and Executive Producer, OWASP 24/7 Podcast Channel
>>>>> Community Advocate, Sonatype
>>>>> 
>>>>> Developers and Application Security: Who is Responsible?
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 