Feb 13, 2011

Another OWASP Paperware Project, Anyone?

Summing up the OWASP 2011 Summit, I fear OWASP is becoming more and more paperware and less and less software. On the Summit's fixed schedule we had 15 technical sessions and 27 non-technical sessions (my interpretation). That's almost two thirds non-tech.

The only guys I saw actually coding at the summit were people we had invited who are not OWASP leaders (Powerpoint slides with code do not qualify as coding). At the same time OWASP is getting desperate about not reaching developers.

The solution, in my opinion, is to cut down on paperware, pdfs, Powerpoint presentations, guidelines, and policies. Developers want code, not Word documents. I tried to bring this up during the OWASP Secure Coding Practice session but failed to convey my view. Who would have thought a coding guide would not contain code?

If you hand a document to a developer that says "Do canonicalization", you will not get canonicalization in the application. But if you hand a developer code snippets in a relevant language that show a couple of instances of canonicalization problems and how the solution could look, you will get a change.
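As an added illustration of the kind of snippet this paragraph asks for (not code from the original post): two typical canonicalization mistakes in a file-path check, next to a version that canonicalizes before comparing. `BASE_DIR` and the function names are assumptions, and a POSIX filesystem is assumed.

```python
import os
from urllib.parse import unquote

# Assumed application base directory (constructed for this example).
BASE_DIR = os.path.realpath("/srv/app/uploads")


def is_allowed_naive(user_path: str) -> bool:
    """Problem 1: prefix check on the raw join, with no canonicalization.

    "../../etc/passwd" joins to "/srv/app/uploads/../../etc/passwd", which
    starts with BASE_DIR as a string, so the check passes.
    """
    candidate = os.path.join(BASE_DIR, user_path)
    return candidate.startswith(BASE_DIR)


def is_allowed_filtered(user_path: str) -> bool:
    """Problem 2: a ".." filter applied before decoding.

    "%2e%2e/%2e%2e/etc/passwd" contains no ".." until it is URL-decoded,
    so the filter is checked against a different string than the one used.
    """
    if ".." in user_path:
        return False
    decoded = unquote(user_path)
    candidate = os.path.join(BASE_DIR, decoded)
    return candidate.startswith(BASE_DIR)


def is_allowed(user_path: str) -> bool:
    """Solution: decode once, canonicalize, then compare canonical forms.

    realpath() collapses ".", ".." and symlinks. The comparison is on path
    components, not a bare string prefix, so "/srv/app/uploads_old/x" does
    not pass just because it begins with "/srv/app/uploads".
    """
    decoded = unquote(user_path)
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    return candidate == BASE_DIR or candidate.startswith(BASE_DIR + os.sep)
```

The same decode-then-canonicalize-then-compare order applies to any input that has an encoded form and a canonical form, not only file paths.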

So, why do we still have all these guidelines and policies that talk about code? I believe the reason is that the authors don't know how to program. Guys writing appsec guidelines typically cannot code themselves, and developers can smell it a mile away.

Do you believe OWASP needs to reach developers?
Are you right now working in a word processor rather than an IDE?

Developers believe in other developers and working code. You want to change how they play? Get in their game.


  1. "Do you believe OWASP needs to reach developers?"
    Of course. But, we also need to reach other major players in the software lifecycle.

    "The solution is in my opinion to cut down on paperware, pdfs, Powerpoint presentations, guidelines, and policies."
    Sure, for projects that target developers. But not all of our projects do, or should, target developers.

    I think absolute statements that we should cut out these types of projects are the wrong direction. We should realize that we need to target many different levels and, as you point out, create materials that are correct for that type of person.


  2. @Michael: I know you want to prove your point but I did not write "cut out", I wrote "cut down". I too realize we need to target many levels. But the question at hand was – is 15 technical and 27 non-technical sessions a good balance for OWASP? I don't think so. Thus – cut down on paperware. Or increase tech :).

  3. I'm with Michael. I think you are being a bit harsh. OWASP has to strike the right balance and target the development "ecosystem".

    PS: the command line, vi or notepad are the only IDEs. All the rest are entertainment.