RSnake and I were talking about this the other day as one of the problems in the webappsec industry. Over the years I’ve spoken at well over 100 events including ISSA, ISACA, Black Hat, AppSec, InfoSec, SANS, CSI, and probably more OWASP chapters than anyone. Saying 10% of infosec conference audiences are developers would be a generous estimate. The vast majority is part of IT Security in one form or another. For some reason, though, IT Security people expect developers to come to us and be shown the light; perhaps it should be the other way around. In fact, I’m sure of it.
Back in May Joe Walker and I co-presented at JavaOne (as we did the year before at the Ajax Experience). He plays the part of the well-known developer bringing in the well-known infosec guy. Over 1,000 people maxed out the ballroom, so clearly “security” is a draw at developer conferences. We covered XSS, CSRF, SQL Injection, and offered some live demos. We showed what an attacker could do to their beloved code should some basic precautions not be taken and discussed the value of security inside the SDLC. Judging from the feedback, they loved it. Demos rule, no question. I think I reached more developers and made a more positive impact on that group that day than in all the shows since the Ajax Experience.
Here’s what I’ve learned: tailor your subject matter and talking points to your audience. OK, you already knew that. From my experience IT Security is most interested in learning about the latest and greatest threats, statistical trends, and what their peers did to solve a particular problem. So that's what I focus on during those events. Preaching security in the SDLC is just “OK”, but not terribly sexy to this audience. This is why you hardly see any code security talks at the infosec conferences, much to the dismay of Andrew van der Stock. Developers and developer conferences are much more interested in “application security”, but it has to be presented in the proper context to keep it interesting. Getting a handle on the right flow, format, and level of sophistication is the hard part. It seems they want to cover more browser extension and Google Gears related stuff now.