Nov 21, 2010

AppSec Manifesto

To start this blog off I want to publish my personal AppSec Manifesto.

AppSec Manifesto
  • Developers are not lazy, rather quality oriented ⇒ Insecure applications do not stem from laziness.
  • Features and functions are always more important than security ⇒ Security should enable more features and functions.
  • Responsible disclosure is a good way of achieving more secure applications ⇒ Hackers are needed.
  • Technology is a crucial part of security ⇒ Therefore I keep coding.

This manifesto will most probably evolve along with my future insights.


  1. Developers, like the rest of us, come in all shapes and sizes... Insecure applications tend to stem from poor requirements elicitation and a lack of risk perspective.

    So, in the odd case of a developer actually being lazy, he (or she) should be guided by a solid framework of non-functional requirements, proactive testing and assurance.

    Nice blog design, btw! I'll be checking back...

  2. Hi John,

    Completely agree with your manifesto.
    Developers worry about functionality, performance, scalability, maintainability. Usability if you're lucky ;) Security comes way down the list, and they're not really measured on it because functional testers don't understand security either!

    One approach I take is to teach basic pen testing techniques to developers.
    I've found that the vast majority of them see pen testing as a 'black art' and when they find out how easy it can be to find basic security vulnerabilities in their products then they take security much more seriously.
    To this end I've released the OWASP Zed Attack Proxy ( and maintain the Pen Testing for Developers blog: