What I did and tried to get others to do was set up internal training for the network and server teams and also try to spend time with them helping them see a bit of my world. I think that we security guys tend to get so caught up in our own little world that we forget that others don't have our passion and mindset. We spend time "preaching to the choir" when what we need is a good swift kick in the butt by the choir at times.
I also love the concept of OWASP stepping outside the norm to reach more people. If we are too narrowly focused on our audience or topic we miss lots of great opportunities to help others. One thing that I do with my chapter meetings is to bring in speakers who talk about other security disciplines from time to time. That way we are not losing out on great info that can help us as we secure code and apps.
I also trained quite a lot of web developers and gave talks to developers on AppSec, mostly in Switzerland. There, about 80%-90% of all the devs already knew what an XSS and SQLi is, even though they only know the very basics of those topics.
I don't know why my experience is so different from what you described, and I totally agree with you that OWASP still has a lot of work to do. Still, the difference between 10%-20% and 80%-90% is huge and it really makes me wonder what could be the reason for this.
Antonio 'Chouchou' Fontes OWASP Geneva
Philippe 'Neldor' Gamache OWASP Montreal
Since 2010 we have been giving some talks on AppSec and they have been well attended by the developers!
I just submitted two talk proposals for Italy Ruby Day about how to use Ruby in a penetration test and how to use test-driven development to check for the OWASP Top 10 while writing a Ruby app.
I have also been reaching out to the development community. I have really made a point of speaking at mostly development or QA events and fewer security events. As I look at the developers in the communities I have interacted with in the past year, I have noted a couple of points:
1) Developers who tend to visit code camps and regional conferences tend to be the ones who are experimenting with new technologies and are often interested in how they can improve, and security is often actually in that mix. (They know that they don't know and just want to learn)
2) The high number of developers that exist in organizations are really 9-5 developers with no desire to educate themselves outside of those hours. Even the development world is having a hard time reaching these folks.
3) Our content needs to be fresh to engage: not just talk about XSS, but talk about how XSS or SQL injection pertains to the new technologies that are being talked about that day. It needs to be developer relevant, which is something we in the security space often struggle with.
With these things being said, the reception has been fantastic for the security talks I have given; over the last few years the crowds have risen from 6-8 interested people to over 100 interested folks. The good news is that if we engage the development community well, they will come... albeit they will practice what we speak about when it does not affect deadlines, etc., but they are listening.
I would encourage each of our OWASP chapters to reach out to their local code camps, or regional development conferences and become engaged. Maybe offer an event that piggybacks, or at least submit a few presentations. I think there is a lot we can do here to help continue the evangelism.
I gave a talk at a health care technology startup and there was a large percentage of developers that were very new to many of the basic security defenses that we prescribe.
Never underestimate the power of covering the foundation of application security to an eager new group of developers.
As a follow-up to the 'outside the O' thread, I want to let you know the ROOTs Conference in Bergen, Norway, is dedicating a track to (application) security: http://www.rootsconf.no/ Continuously, I am looking for developer conferences and events to speak about application security.
In my experience, developers are more than willing; they (mostly) just did not know, as they are not taught about security.
Anyway, security is getting more important and the need to know about security becomes more and more visual. The last point is most definite, as you see developer events do look for security experts!
I have replied to the CFP for the security track at the ROOTs conference 2012; I hope others might be interested and follow! For me, it will be the third time to be in Bergen. A small conference with high value!
Seems like a good time to announce the theme of this year's AppSec USA Conference: "Bridging the Gap Between Software Developers and Security". Look for an announcement very soon on our keynotes and invited speakers. The CFP should be up by the end of February.