[Owasp-leaders] 2016 Developer Survey Results

Milton Smith milton.smith at owasp.org
Mon Mar 28 21:28:03 UTC 2016


All,

I created a draft CISO Top 10.  I was not sure on the best way to 
share/open this for public comment.  For now, you can send me or Johanna 
your comments.  Anyone with access to the link should have Google Docs 
"View" permissions.  If you have a lot of suggestions, send me your 
email and I will update your permissions to the doc so you can add 
comments/improvements directly to the draft.

https://drive.google.com/file/d/0B2PfsU7XDXnsV3ZEQzF6WE9yUm8/view?usp=sharing

I could spend a week thinking about this but I don't have the time.  I
know I have some misspellings, grammar, and I don't feel particularly
strongly about the order of importance of the different qualities at the
moment.  Meaning, I feel good about #1 being #1 but I'm less sure as I
work down the list.  Also a few of the points may overlap or be best
represented and reformulated into a single point.  I'm open to your
thoughts and suggestions.

I offer the document as a starting point of discussion for building a
public resource for selecting new CISO's capable of meeting today's
security challenges.  OWASP could use it as the basis of an infographic
or other type of communication.  If there is zero interest then I'm ok
letting this thread die.  Let us know what you think.

Regards,
Milton


On 25 Mar 2016, at 17:59, johanna curiel curiel wrote:

>>> CISO Top 10.  Everyone loves OWASP 10's. ;o)  Does anyone think this
>>> would be a good/bad idea/waste of time, or interested in helping if we
>>> were to do something like this?
>
> Milton,
>
> We can create an infographic ;-)
>
> Just provide the input
>
>
> OWASP top 10 CISO skills:
>
>    - Background in Software engineering
>    - Communication Skills
>    - ?
>    - ?
>
> I want again to use this opportunity to add a strategy, which is clearly,
> not only to target the developers target group but there are others just as
> important such as CISO's.
>
> Have you been paying attention how commercial vendors are influencing
> Application Security decision makers (aka CISO's) to go buy the right set
> of 'tools' which include SAST, DAST, RAST, IAST?
>
> https://www.gartner.com/doc/reprints?id=1-2KU6OUB&ct=150806&st=sb
>
>>> Organizations listen to OWASP. OWASP should post some guidance [...]
> Why don't we do the same?
> OWASP's own Magic Quadrant for Open Source tools?
>
> You see this quadrant? Anything missing?
> ZAP should have been there, but again this is just commercial tools ;-)
>
> Cheers
>
> Johanna
>
>
>
> On Fri, Mar 25, 2016 at 7:57 PM, Milton Smith <milton.smith at owasp.org>
> wrote:
>
>> We are on the same page Jim.  Your last line is exactly where the appsec
>> leader, assuming there is one, will find its challenge - the budget.  A
>> CISO without hands-on software coding background is the surest way to screw
>> up an appsec program before it even gets off the ground.  We need CISO's
>> that have deep business acumen and can speak to a board of directors as
>> comfortably as whiteboard security architecture with software developers.
>> Software development/coding is not a new skill for today's CISO's to master,
>> it's an entire profession that takes years to master.  I doubt software
>> developers will ever respect a security executive that cannot do what they
>> do and speak their language.  Respect and trust are important when asking
>> development to make improvements impacting delivery schedules.  A CISO
>> should also go to battle with other execs to help development do the extra
>> tasks they need to do to be secure.  A CISO must be a deep partner with
>> those that develop applications.
>>
>> Organizations listen to OWASP.  OWASP should post some guidance around
>> what a top CISO candidate looks like and provide some reasons behind each
>> recommendation, CISO top 10.  Everyone loves OWASP 10's. ;o)  Does anyone
>> think this would be a good/bad idea/waste of time, or interested in helping
>> if we were to do something like this?  Wondering if others feel strongly
>> about this.
>>
>> --Milton
>>
>>
>> On 25 Mar 2016, at 14:07, Jim Manico wrote:
>>
>>> Most CISO's today are IT firewall guys.  Less than 13% of Fortune 100
>>> CISO's[1] have any kind of background in programming\engineering.
>>>
>>> Very well said. I think one of the organizational AppSec challenges is to
>>> *find the right people* to run AppSec. AppSec should be in the hands of one
>>> of the *software development leaders*.  Most folks consider their AppSec
>>> team to be a group of security dudes running scans and pentests. This is
>>> not the complete AppSec picture, at all. Find software development leaders,
>>> scrum masters, CTO's from the software side of the house and lead
>>> developers. Those are the folks who need to get AppSec religion - and if
>>> they do - you are well on your way.
>>>
>>> You need budget from the firewall CISO and the buy-in to do the right
>>> work, but that's about it.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>> On 3/25/16 4:49 AM, Milton Smith wrote:
>>>
>>>> A few years ago I started a full security track at JavaOne, Oracle's
>>>> software development conference in San Francisco CA.  In fact, Jim Manico
>>>> and Michael Coates helped me get this started.  In a very short period of
>>>> time the security track was the 3rd most popular track.
>>>>
>>>> It's my opinion most development orgs feel appsec is important but
>>>> appsec is like brushing your teeth.  If you ask someone if they want
>>>> beautiful teeth everyone would say, "Yes".  When you then tell them they
>>>> need to brush their teeth twice a day some people won't do it.  Some will
>>>> floss every other day or once a week. There's a gap in understanding.  Most
>>>> technical people don't perceive the same risks we do so they don't
>>>> prioritize appsec like we know they should.  Developers are also fighting
>>>> battles to improve code quality in general.  Many teams I talk with hardly
>>>> document anything or even perform peer code review.  These are areas that
>>>> most developers feel should be done better but don't invest the time.
>>>> Appsec is getting lost in the code quality shuffle.
>>>>
>>>> It would be beneficial if OWASP (or another organization) provided
>>>> security education across roles.  Sure, developers at conferences but also
>>>> role appropriate top down appsec education.  Most CISO's today are IT
>>>> firewall guys.  Less than 13% of Fortune 100 CISO's[1] have any kind of
>>>> background in programming\engineering. They think security is found in a 1U
>>>> box.  We can't expect these CISO's to think like we do.  We need to be
>>>> changing the hearts and minds of IT business leaders.  OWASP representation
>>>> at conferences like Gartner's IT Security Summit would be helpful to reach
>>>> c-level execs.  Also some representation with policy makers would be
>>>> helpful.  Each leader and policy maker we influence makes it easier for
>>>> anyone under their purview trying to improve appsec.  Creating a "culture"
>>>> of security creates an environment friendlier and more receptive when you
>>>> propose your next appsec project.  OWASP is not going to code its way out
>>>> of appsec challenges.
>>>>
>>>> --Milton
>>>>
>>>> [1]
>>>> https://digitalguardian.com/blog/anatomy-ciso-breakdown-todays-top-security-leaders-infographic
>>>>
>>>> On 23 Mar 2016, at 9:48, Daniel Harvey wrote:
>>>>
>>>>> In this case we may not be able to reach the developers who just don't
>>>>> want to listen, but we should have a strategy to reach developers before
>>>>> they get to that point.  Such as get more involved in the places where
>>>>> developers learn to develop and ingrain secure programming in the basic
>>>>> tutorials on how to develop.
>>>>>
>>>>> On Wed, Mar 23, 2016 at 11:42 AM, Mark Miller 
>>>>> <mark.miller at owasp.org>
>>>>> wrote:
>>>>>
>>>>>>> What about those that don't want to listen, could care less to listen
>>>>>>
>>>>>> Then this is not our market. Trying to teach a fish to climb a tree just
>>>>>> gets frustrating for both parties.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 23, 2016 at 11:36 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>>> These were *security people*, at a *security conference*, interested
>>>>>>>> in what was going on outside of their main area of expertise.
>>>>>>>
>>>>>>> Exactly, they were ready to listen ;-). They went there because they
>>>>>>> wanted to know more about security.
>>>>>>>
>>>>>>> What about those that don't want to listen, could care less to listen,
>>>>>>> which I think represents the big majority of developers?
>>>>>>>
>>>>>>> If everyone was ready to listen and know about security then the Top 10
>>>>>>> should have changed since the beginning of time...;-P and we were not
>>>>>>> struggling to promote the message
>>>>>>>
>>>>>>> Just that people understand what I am trying to communicate here:
>>>>>>>
>>>>>>>    - I support going to Dev conferences but with a clear strategy in
>>>>>>>    mind which leads to:
>>>>>>>       - Who are you sending and can this 'representative' be able to
>>>>>>>       talk the same language as devs, engage them about security or
>>>>>>>       act as an ambassador?
>>>>>>>       - Are travel costs covered fully for those OWASP leaders willing
>>>>>>>       to assist to these dev conferences?
>>>>>>>
>>>>>>> I think the community wants clarity of the purpose of assisting to devs
>>>>>>> conferences and who will be entitled to assist. I think we need to look
>>>>>>> at experts like Bill and send him to Microsoft Conference to mingle
>>>>>>> there for example.
>>>>>>> These people are knowledgeable, understand perfectly the struggles from
>>>>>>> a developer point of view, that can talk and understand the issues
>>>>>>> from *a developer point of view*.
>>>>>>>
>>>>>>> But if you send a *no developer* to preach security, or someone that has
>>>>>>> never programmed in that language or platform, I think this is a very
>>>>>>> wrong approach. I have not met yet the developer that has not had a
>>>>>>> fight with a pen tester regarding bugs found...
>>>>>>>
>>>>>>> I think it is a waste of money on activities without clear goals and
>>>>>>> measurement of that impact in mind.
>>>>>>>
>>>>>>> Why did only 25 persons vote in the survey when we claim we have more
>>>>>>> than 20K people on the mailing lists?
>>>>>>>
>>>>>>> I'll stop spamming this list. I hope my message is clear.
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Wed, Mar 23, 2016 at 10:55 AM, Mark Miller 
>>>>>>> <mark.miller at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Attending, participating and supporting other conferences is a
>>>>>>>> cornerstone of community activity, not just to get our message out,
>>>>>>>> but to participate in a global ecosystem of DevSecOps.
>>>>>>>>
>>>>>>>> Regarding participation in other conferences, I can confirm when I
>>>>>>>> produced the DevOps track at RSA Conference 2016 three weeks ago, we
>>>>>>>> had 600+ people attend the full day of sessions. These were security
>>>>>>>> people, at a security conference, interested in what was going on
>>>>>>>> outside of their main area of expertise.
>>>>>>>>
>>>>>>>> Mark
>>>>>>>>
>>>>>>>> On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>>> That's why I think heading out to the large cons is a good start.
>>>>>>>>>
>>>>>>>>> Yes, I believe so too, however the strategy must not be just to be
>>>>>>>>> there but:
>>>>>>>>>
>>>>>>>>>    - Do surveys to research more how to engage these devs
>>>>>>>>>    - Just giving a 'talk' does not mean you are really engaging the
>>>>>>>>>    developer audience
>>>>>>>>>
>>>>>>>>> Effective ways to reach this audience.
>>>>>>>>>
>>>>>>>>> We need to put the helmet of a developer in our heads. Not just
>>>>>>>>> *look* at it from the 'security' perspective
>>>>>>>>>
>>>>>>>>> We 'devs' hate security (many I have spoken with, including me). It
>>>>>>>>> makes our lives difficult, we only want to focus and get the work done
>>>>>>>>> at the functional part with all the pressure there is to deliver and
>>>>>>>>> produce software. From the business pov people (aka Sales+Managers)
>>>>>>>>> want to deliver software that works and they also tend to forget
>>>>>>>>> 'security' as part of the offer (aka quotation and price).
>>>>>>>>>
>>>>>>>>> Only when they hear there is a 'pen tester' coming, everyone starts
>>>>>>>>> biting their nails 😱
>>>>>>>>>
>>>>>>>>> Or when they hear 'the application has been hacked' 😵 (which also
>>>>>>>>> happened to me. So you engage most of the time when it is too late)
>>>>>>>>> Then you get paranoid. Then you only think about security about this
>>>>>>>>> traumatic experience. So traumatic to me that now I'm into Offensive
>>>>>>>>> security certification, and all kinds of 'security mixed' things...I
>>>>>>>>> have been 'converted' 😁
>>>>>>>>>
>>>>>>>>> My experience is, developers want easy solutions and not people
>>>>>>>>> preaching to us that is all our blame ... Not preaching to us security
>>>>>>>>> especially to those that see this as extra work...
>>>>>>>>>
>>>>>>>>> What are other developers' experience with security? I would love to
>>>>>>>>> know
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf 
>>>>>>>>> <bill at pointweb.net>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It will be interesting to know *how* to engage properly developers
>>>>>>>>>>> with zero background in security.
>>>>>>>>>>
>>>>>>>>>> I can't speak for everyone on the initiative team, but this is exactly
>>>>>>>>>> why I am interested in this.
>>>>>>>>>>
>>>>>>>>>> Since 2010 I have made "bridging the gap" a core focus of my community
>>>>>>>>>> work. I give developer talks at security cons and security talks at
>>>>>>>>>> developer cons.  Bringing the official OWASP banner to developer cons
>>>>>>>>>> and talking to current devs about what they really need from us has
>>>>>>>>>> brought me personally a lot of targeted focus in my content creation.
>>>>>>>>>>
>>>>>>>>>> That's why I think heading out to the large cons is a good start.
>>>>>>>>>>
>>>>>>>>>> S
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <
>>>>>>>>>>> noreen.whysel at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I think it is pretty clear. Find out what kinds of developer events
>>>>>>>>>>>> people are going to, have a presence at these events, learn how they
>>>>>>>>>>>> are reaching, teaching and communicating with the developer
>>>>>>>>>>>> community, Then "design an outreach program" part takes into
>>>>>>>>>>>> consideration what we learned.
>>>>>>>>>>>> I think the last part is what Johanna is interested in and can be
>>>>>>>>>>>> developed at a local chapter level or via virtual trainings. But we
>>>>>>>>>>>> want to do a little research first to find out how to engage
>>>>>>>>>>>> developers and where our message fits.
>>>>>>>>>>>>
>>>>>>>>>>>> Noreen Whysel
>>>>>>>>>>>> Community Manager
>>>>>>>>>>>> OWASP Foundation
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> Just "being there" is a great place to start.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Bill, I believe this already happens. With just being there in a
>>>>>>>>>>>>> form of a booth presence does always help. That's actually how I got
>>>>>>>>>>>>> involved with OWASP, but this is an 'old' strategy, nothing new and
>>>>>>>>>>>>> only has impact on those developers that assist to conferences.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What about all those thousands of devs that cannot pay these
>>>>>>>>>>>>> expensive conferences, living in countries like me?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I support Matt's idea and I just think that it needs to be promoted
>>>>>>>>>>>>> so we can design this outreach, not just as visiting conferences
>>>>>>>>>>>>>
>>>>>>>>>>>>> cheers
>>>>>>>>>>>>>
>>>>>>>>>>>>> Johanna
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf 
>>>>>>>>>>>>> <bill at pointweb.net>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We do not reach this community just by assisting to these
>>>>>>>>>>>>>>> conferences.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I disagree comprehensively with this statement. Through
>>>>>>>>>>>>>> participation in developer conferences like CodeMash and Stirtrek,
>>>>>>>>>>>>>> I have seen quantifiable increase in the 'reach' of security.  All
>>>>>>>>>>>>>> of the OWASP chapters in the area have seen significant increases
>>>>>>>>>>>>>> in growth, there have been far more security-focused talks at user
>>>>>>>>>>>>>> groups, and there has been a significant increase in requests for
>>>>>>>>>>>>>> security expertise from the area consulting firms.  Just "being
>>>>>>>>>>>>>> there" is a great place to start.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That said, if something significant is learned while we are just
>>>>>>>>>>>>>> being there, and it leads to a larger strategy, so be it.
>>>>>>>>>>>>>> Personally, I'm pleased to see some action on a front of attack,
>>>>>>>>>>>>>> rather than constant discussion.  It's a low risk activity with a
>>>>>>>>>>>>>> potentially high reward.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> S
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Johanna Curiel
>>>>>>>>>>>>> OWASP Volunteer
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>> --
>>>>>>>> *Mark Miller, Senior Storyteller*
>>>>>>>> *Curator and Founder, Trusted Software Alliance*
>>>>>>>>
>>>>>>>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>>>>>>>> *Community Advocate, Sonatype*
>>>>>>>>
>>>>>>>> *Developers and Application Security: Who is Responsible?*
>>>>>>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>

