[Owasp-leaders] Are we helping Hackers or helping Application security?

Kevin W. Wall kevin.w.wall at gmail.com
Sun May 22 03:46:25 UTC 2016

On Sat, May 21, 2016 at 9:50 PM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> On Sat, May 21, 2016 at 8:21 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> >>I am not surprised by that at all. Being on the "breaker" side of things is
> >>"sexy"; being on the defender side, not so much.
> Innovation is about thinking out of the box solutions and this is what we are
> not doing enough.
> Sure not within OWASP. Sure not in Defender projects. Except some, like
> SeraphimDroid using Machine learning to stop malware.
> So we accept our loss blaming it to the fact that is easier, sexier to hack
> than protect and create defense?

I was "blaming" this on anyone, simply stating a common perception.
I personally find defense much more stimulating and personally satisfying
than being on the "offense", which to me, is almost like shooting fish
in a barrel. But I *do* think this explains why we have trouble attracting
people to the "defensive" side of AppSec.

I also don't think that we have to "accept" it, but I do think we need to
acknowledge it and step up our game on the defensive side to make it look
cool in the same way that pen testing, etc. is viewed as cool. Of course,
we are fighting the media, and in particular Hollywood, in doing so. When
was the last time you saw a movie around someone DEFENDING a web site
or whatever? That's exactly my point.

> Thats is a quite sad scenario and fate to accept...sure for a bunch or
> 'security experts' in this community.

It's hard to find Hollywood and fiction writers. The only way that we
can change this perception is by F1000 companies starting to put a premiums
on salaries of those playing AppSec defense. But they aren't going to do
that until we convince them of the value of those positions...keeping in
mind that their HR people also are fans of Hollywood.

> I might be in the wrong community.

That depends if you're up for a challenge or not. No one said this would be
easy. Defense in AppSec has always been the harder part; let's show them
that it's the more challenging and fun part.

> I'm looking to create solutions , innovate and solve problems and don't keep
> on thinking the same old pattern. I though that was one of our core values:
> "INNOVATION: OWASP encourages and supports innovation and experiments for
> solutions to software security challenges"
> Projects like Rust are trying to do that.

I think *we* can do these things if we stop sniping at each other for mundane
things like supporter logos, etc. and stand together. But if we are divided
rather than united, I don't think we stand a chance. We've already lost a
lot of good people. Let's lay outside our differences and unite to carry out
our mission statement. And stop majoring on the minors on focus on the
main things in our mission.

> Why can't we discuss and brainstorm new ways to defend applications? Bring a
> balance by spending more energy on this?
> How can OWASP motivate this more?

I have said for many years that we need to involve *DEVELOPERS* more instead
of more or less just targeting the security community.

Let's start with your local OWASP chapter meetings? What percentage of
attendees consider themselves developers? Take an informal poll sometime.
IMO, it should be at least 50%, but I think that it seldom is.

So what can we do? Well, we can start "preaching" to the development
community instead of preaching to the choir. If that means they they
won't attend our meetings, then we should attend theirs. If they won't
come to our conferences, then we should go to theirs (even if we don't go
there to speak). We could also entice DEVELOPERS to come to OWASP conferences
by giving them steeply discounted rates (I'm thinking of something like the
student discount rate, or in that ballpark).

I think we should also "recruit" developers with more intention. I've always
said that it's easier to teach a good developer appsec skills than it is
to teach someone with only appsec skills to be a good developer. (That's how
I assembled my AppSec team at my previous employer and I think that they are
all now more than proficient at appsec.) Especially on the "defense" side
of appsec, it is essential to have strong development skills so I think
that recruiting those people from the development community is the right
way to go forward.

> Only answer I get here is that we are doomed and that hackers have the
> advantage.

Well, I apologize if you got that impression from me. Microsoft did a
pretty decent job at turning their company around and they used to be
everyone's laughingstock wrt security failures. No, they still have
not yet arrived, but they changed their CULTURE and that's something
that is very difficult to do.

I don't believe we are doomed. (We only need to survive long enough until
our AI overlords take over the world. Once Skynet is in place, we'll be
happy for all the shitty vulnerable software we've produced as that will
be our only way to fight back. :)

Seriously, keep the faith.
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

More information about the OWASP-Leaders mailing list