Summing up the OWASP 2011 Summit, I fear OWASP is becoming more and more paperware and less and less software. On the Summit's fixed schedule we had 15 technical sessions and 27 non-technical sessions (my interpretation). That's almost two-thirds non-tech.
The only guys I saw actually coding at the summit were people we had invited who are not OWASP leaders (PowerPoint slides with code do not qualify as coding). At the same time, OWASP is getting desperate about not reaching developers.
The solution, in my opinion, is to cut down on paperware: PDFs, PowerPoint presentations, guidelines, and policies. Developers want code, not Word documents. I tried to bring this up during the OWASP Secure Coding Practice session but failed to convey my view. Who would have thought a coding guide did not contain code?
If you hand a document to a developer that says "Do canonicalization", you will not get canonicalization in the application. But if you hand a developer code snippets in a relevant language that show a couple of instances of canonicalization problems and how the solution could look, you will get a change.
So, why do we still have all these guidelines and policies that talk about code? I believe the reason is that the authors don't know how to program. Guys writing appsec guidelines typically cannot code themselves, and developers can smell it a mile away.
Do you believe OWASP needs to reach developers?
Are you right now working in a word processor rather than an IDE?
Developers believe in other developers and working code. You want to change how they play? Get in their game.