[Owasp-leaders] Are we helping Hackers or helping Application security?
johanna curiel curiel
johanna.curiel at owasp.org
Wed May 25 01:19:00 UTC 2016
Forget my silly stupid question
I have decided to support Phineas😁
For those who have not seen the video, highly recommended
On Sun, May 22, 2016 at 1:10 PM, Timothy D. Morgan <tim.morgan at owasp.org>
> Hi Kevin,
> Great points. A few comments below.
> > I think *we* can do these things if we stop sniping at each other for
> > things like supporter logos, etc. and stand together. But if we are
> > rather than united, I don't think we stand a chance. We've already lost a
> > lot of good people. Let's lay outside our differences and unite to carry
> > our mission statement. And stop majoring on the minors and focus on the
> > main things in our mission.
> Yes. There's far too much churn about things on the OWASP leaders list
> that are very tangential to the mission. Let the board and staff make some
> minor decisions now and then and trust that they've had adequate
> amongst themselves. Elect new board members if you don't like the result.
> > > Why can't we discuss and brainstorm new ways to defend applications?
> > > Bring a balance by spending more energy on this?
> > > How can OWASP motivate this more?
> > I have said for many years that we need to involve *DEVELOPERS* more
> > of more or less just targeting the security community.
> > Let's start with your local OWASP chapter meetings? What percentage of
> > attendees consider themselves developers? Take an informal poll sometime.
> > IMO, it should be at least 50%, but I think that it seldom is.
> Very true. It's always a struggle to get large numbers of developers to
> up for OWASP meetings. Security groups, by their nature, attract security
> > I think we should also "recruit" developers with more intention.
> YES! And "recruit" in more ways than one.
> > I've always
> > said that it's easier to teach a good developer appsec skills than it is
> > to teach someone with only appsec skills to be a good developer. (That's
> > I assembled my AppSec team at my previous employer and I think that they
> > all now more than proficient at appsec.) Especially on the "defense" side
> > of appsec, it is essential to have strong development skills so I think
> > that recruiting those people from the development community is the right
> > way to go forward.
> The thing is, most deeply technical app security folks are not builders by
> their nature. We like to deconstruct things and understand them.
> Creating new things from whole cloth? Less of an interest for many of us. Not to
> we're in high demand and always very busy with the next customer fire.
> If we want to build technical tools for defenders, we should recruit
> who have an interest in security and pay them for their time. Convincing
> pentesters to build mature defensive frameworks on volunteer time isn't
> to happen.