[Owasp-leaders] Are we helping Hackers or helping Application security?

Timothy D. Morgan tim.morgan at owasp.org
Sun May 22 17:10:53 UTC 2016

Hi Kevin,

Great points.  A few comments below.

> I think *we* can do these things if we stop sniping at each other for mundane
> things like supporter logos, etc. and stand together. But if we are divided
> rather than united, I don't think we stand a chance. We've already lost a
> lot of good people. Let's lay aside our differences and unite to carry out
> our mission statement. And stop majoring on the minors and focus on the
> main things in our mission.

Yes.  There's far too much churn about things on the OWASP leaders list that are
very tangential to the mission.  Let the board and staff make some
minor decisions now and then and trust that they've had adequate discussions
amongst themselves.  Elect new board members if you don't like the result.

> > Why can't we discuss and brainstorm new ways to defend applications? Bring a
> > balance by spending more energy on this?
> > How can OWASP motivate this more?  
> I have said for many years that we need to involve *DEVELOPERS* more instead
> of more or less just targeting the security community.
> Let's start with your local OWASP chapter meetings? What percentage of
> attendees consider themselves developers? Take an informal poll sometime.
> IMO, it should be at least 50%, but I think that it seldom is.

Very true.  It's always a struggle to get large numbers of developers to show
up for OWASP meetings.  Security groups, by their nature, attract security

> I think we should also "recruit" developers with more intention. 

YES!  And "recruit" in more ways than one.

> I've always
> said that it's easier to teach a good developer appsec skills than it is
> to teach someone with only appsec skills to be a good developer. (That's how
> I assembled my AppSec team at my previous employer and I think that they are
> all now more than proficient at appsec.) Especially on the "defense" side
> of appsec, it is essential to have strong development skills so I think
> that recruiting those people from the development community is the right
> way to go forward.

The thing is, most deeply technical app security folks are not builders by
their nature.  We like to deconstruct things and understand them.  Creating new
things from whole cloth?  Less of an interest for many of us.  Not to mention,
we're in high demand and always very busy with the next customer fire.

If we want to build technical tools for defenders, we should recruit developers
who have an interest in security and pay them for their time.  Convincing
pentesters to build mature defensive frameworks on volunteer time isn't going
to happen.

