[WEB SECURITY] Great article outlining a core issue with many in the security community

John Wilander john.wilander at owasp.org
Tue Feb 22 09:06:38 EST 2011


Hi Robert and WebSecurity!

Thanks for all the comments on the Security People vs Developers article.
I've read a lot of interesting perspectives on this list and the blog post
got 1200+ readers. Now we have to move forward.

Therefore we have started up the Developer Outreach Initiative. You can read
about my two proposed outreach projects here (and please comment!):
http://appsandsecurity.blogspot.com/2011/02/developer-outreach-initiative.html

Abbreviated:

*Proposed Solution – Security Itches*
My first proposition is this: Instead of pushing coding guidelines and
security tools onto developers I think we should start by asking them "What
are your security itches?". Whatever we get back will be our starting point.
Maybe we'll pick ten itches and publish good solutions.
   What if they have the *wrong* itches? Well, the goal of the outreach is
1) to find out what developers think, and 2) address their itches to build
some well-needed credibility. Before we have credibility we cannot push
coding guidelines. And if developers think SSL certs are their primary
problem that *is* important.

*Proposed Solution – Open Test Data*
Security people tell developers to "do input validation". Input validation
is no news to developers. The problem is defining the data model and testing
the input validation. We can do something important here – building
opentestdata.org. I own the domain and dream about the following beautiful
community effort:
   You go to the site and can either "submit test data" or "download test
data". On the submission page you can anonymously enter, e.g., a Portuguese
postal address, an Indian human name, a Swedish postal/zip code ... or 100
SQL injection strings. The effort is almost zero.
   On the download page you choose your format and download in context. "We
have European customers so we want European human names, postal addresses,
and phone numbers". Developers will love it. And that's where we can start
promoting security testing!

   Kind regards, John Wilander


2011/2/14 <robert at webappsec.org>

> I saw this posted via twitter and thought it was worth mentioning here.
> While the example specifies owasp, I am not posting this link to slam
> them in particular. I think that the point applies to MANY folks in the
> security industry.
>
> Security Vs Developers
>
> http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html
>

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee