Talk:Summit 2011 Working Sessions/Session072
Historically OWASP (and the Web Application Security space in general) has failed (with some notable exceptions) to create productive relationships with developer teams that achieved measurable and 'shipped' results (note for example the lack of 'Frameworks developers' in the OWASP ecosystem). This session will look at the current problems and propose a number of solutions to bridge the gap with the people who ultimately have the final impact on an application's security, the developers.
John's comment on Jeremiah's "Open Letter to OWASP" blog post : "...I think the foremost reason why OWASP hasn't been able to reach out to the developer community is a fairly ignorant attitude to software development.
In IT security I constantly meet experts who say "I used to code" and claim that they know software craftmanship because of that. If you poke them you quickly understand that "used to code" means non-enterprise, command-line Pascal hacks done in Emacs back in the nineties.
To start with, security is at the bottom of the software food chain. Before security you deal with features & functions, uptime, usability, performance, and maintainability. Then security. So when we meet with developers we need to be humble. They create more business and value for their organizations than we do.
Secondly, security experts need not only meet with developers and business people. We need to learn what they do, how they do it, and why they do it. Mocking developers because you found a bug with your fuzzer won't build trust and produce more secure software in the long run.