Ask HN: Can't figure out the next step – any advice for building an audience? - sarciszewski

I'm kind of in a weird rut (possibly related to the paradox of choice) in my efforts to build an audience within the PHP developer community. To clarify, it's not one of those feeling-of-helplessness situations, more like a lack of any solid ideas.

In the past few months, I have:

* Posted a lot of blog posts explaining application security and cryptography for PHP developers. (These happen to be two areas that I specialize in.) https://paragonie.com/blog

* Authored a bunch of MIT licensed open source tools and libraries: https://paragonie.com/projects

* Responsibly disclosed several security vulnerabilities in moderately popular open source projects, with patches (the most recent one hasn't been resolved, but has a CVE assigned).

* Identified a lot of bad security advice in popular/accepted StackOverflow answers, and subsequently edited/added answers to offer safer advice where I could. I think this was probably the most significant thing I could have done to make developers adopt secure habits by default, but only time will tell if this actually has any significant impact.

* Opened an invitation for the PHP community to ask me if a given StackOverflow answer is secure: https://twitter.com/voodooKobra/status/621107117219561472

* Participated in the discussion on the PHP internals mailing list seeking to improve the state of cryptography in PHP 7.1 through the use of a simple API that supports multiple back-ends (libsodium, openssl, etc.) and offers secure defaults (i.e. only authenticated symmetric key encryption).

* Most recently, I tried to tackle the misleading or outright incorrect information on w3schools, but that was a total non-starter.

(continued)
======
czbond
Hey, wow - where to start.

So the gist of what I believe you're trying to accomplish is a) increase
awareness of security + php b) provide yourself as a consultant for those that
need more help. Would that be it in a nutshell?

My experience, having both sold security services, tools, and software
projects in the past (along with actually doing the implementation, etc) - is
that only a small subset of developers actually really truthfully care about
the deep and dirty aspects of security. A security team doing vulnerability
assessments does, security managers do, and Fortune companies at risk do.
Systems engineers often do, but mainly developers (tend) to care more about
new programming technologies or technology tools. That's where I could see a
disconnect.

I would say the methods you're mentioning below (blogs, guest blogs,
assessments, tool patches, seminars) are all FANTASTIC for building your
credibility and brand in the business, which is more important in the long
run. You could also get great traction by networking at PHP groups. You
could even map a few in metros near you (eg: if you're in Texas... Austin,
Dallas, Houston, Denver), etc. This could give you an endless collection of
work.

~~~
sarciszewski
> So the gist of what I believe you're trying to accomplish is a) increase
> awareness of security + php b) provide yourself as a consultant for those
> that need more help. Would that be it in a nutshell?

Yes, precisely what you said here, but also: I'd eventually like to build a
team so we can tackle more diverse projects.

It sounds like you think I'm on the right track here. :)

We're currently based in Orlando, but so far our clients have been a mix of
both local and international.

------
sarciszewski
(continued from top)

I'm mostly interested in building a relationship with the community, so that
we can continue to raise awareness of security concerns and help people
understand their consequences by providing easily digestible information
through various mediums. One of which is our blog posts.

I've noticed that, for the most part, all of the new visitors to the Paragon
Initiative website/blog come from the same sources, which tells me that I'm
not succeeding. When the subject of expanding or diversifying our audience
comes up, I draw a blank. Actually finding networking opportunities in the
haystack of semi-interested people? I'm totally lost.

Some ideas I've seen suggested online:

* Guest blogging - but I don't know which blogs would be worth approaching or whose audience or primary author is interested in application security topics

* Social media - I tend to err on the side of silence; am I making a mistake?

* Seminars/webinars - I haven't ruled this out.

* Give away a free eBook - Started a book on PHP 7 development. I haven't finished much more than the table of contents and introduction.

Questions for HN:

1. Is PHP and web application security too niche for guest blogging
opportunities?

2. What are some blogs or websites that would be a good place to start?

3. Should I be doing something else instead?

4. Does anyone think I'm completely wasting my time?

------
Delmania
Who's your target audience?

You've done a lot of things right here. You've designated a specialization,
done work to prove your credentials. Social media will help, and ebooks,
speaking, and online courses are all a part of the passive income model.

The only thing you didn't do was identify who your audience is. You think it's
PHP developers, but as czbond pointed out, most developers don't care about
those topics. You didn't validate your product against the target. Either you
need to come up with another product, or pivot to a different market.

~~~
sarciszewski
Thanks for your perspective and valuable insight.

> as czbond pointed out, most developers don't care about those topics

Unfortunately, not caring about security isn't the same as not needing it.
They can not care about it all they want, but if their app is insecure in a
way that an attacker knows about, their users will suffer for it. This is a
huge problem.

To complicate matters, I don't know of anyone that cares about security as
part of their job, who isn't also currently being serviced by hundreds of
vendors pushing marginally-superior-to-snake-oil solutions for $X00,000 to
$X,000,000 per year. And even if I manage to find this audience, how do I
speak to them and their interests? This isn't something I've been able to find
valuable insight into from a Google search.

My background is not in business or marketing and although I've attempted to
learn as much as I can about the subject, it isn't something I understand
intuitively. Maybe there are obvious answers to these complications that I
just don't see. Or maybe I'm just asking the wrong questions, for that matter.