[Owasp-leaders] Are we helping Hackers or helping Application security?

johanna curiel curiel johanna.curiel at owasp.org
Wed May 25 01:19:00 UTC 2016


Forget my silly stupid question

I have decided to support Phineas😁

For those who have not seen the video, it is highly recommended:

https://tune.pk/video/6528544/hack

On Sun, May 22, 2016 at 1:10 PM, Timothy D. Morgan <tim.morgan at owasp.org>
wrote:

> Hi Kevin,
>
> Great points.  A few comments below.
>
>
> > I think *we* can do these things if we stop sniping at each other for
> > mundane things like supporter logos, etc. and stand together. But if we
> > are divided rather than united, I don't think we stand a chance. We've
> > already lost a lot of good people. Let's lay aside our differences and
> > unite to carry out our mission statement. And stop majoring on the
> > minors and focus on the main things in our mission.
>
> Yes.  There's far too much churn about things on the OWASP leaders list
> that are very tangential to the mission.  Let the board and staff make
> some minor decisions now and then and trust that they've had adequate
> discussions amongst themselves.  Elect new board members if you don't
> like the result.
>
>
> > > Why can't we discuss and brainstorm new ways to defend applications?
> > > Bring a balance by spending more energy on this?
> > > How can OWASP motivate this more?
> >
> > I have said for many years that we need to involve *DEVELOPERS* more
> > instead of more or less just targeting the security community.
> >
> > Let's start with your local OWASP chapter meetings? What percentage of
> > attendees consider themselves developers? Take an informal poll sometime.
> > IMO, it should be at least 50%, but I think that it seldom is.
>
> Very true.  It's always a struggle to get large numbers of developers to
> show up for OWASP meetings.  Security groups, by their nature, attract
> security people.
>
>
> > I think we should also "recruit" developers with more intention.
>
> YES!  And "recruit" in more ways than one.
>
> > I've always said that it's easier to teach a good developer appsec
> > skills than it is to teach someone with only appsec skills to be a good
> > developer. (That's how I assembled my AppSec team at my previous
> > employer and I think that they are all now more than proficient at
> > appsec.) Especially on the "defense" side of appsec, it is essential to
> > have strong development skills so I think that recruiting those people
> > from the development community is the right way to go forward.
>
> The thing is, most deeply technical app security folks are not builders
> by their nature.  We like to deconstruct things and understand them.
> Creating new things from whole cloth?  Less of an interest for many of
> us.  Not to mention, we're in high demand and always very busy with the
> next customer fire.
>
> If we want to build technical tools for defenders, we should recruit
> developers who have an interest in security and pay them for their time.
> Convincing pentesters to build mature defensive frameworks on volunteer
> time isn't going to happen.
>
> tim
>



-- 
Johanna Curiel
OWASP Volunteer

