Thursday, April 10, 2014

OWASP.next

 
As Chairman of the OWASP global board I’ve striven to bring a scalable structure to OWASP that allows us to continue growing and tackling application security. Over the past 3 years we’ve dramatically increased participation around the world, increased our funding which allows greater opportunities, built a full-time operations team to support our events and appointed an executive director for the foundation. Behind the scenes we’ve also focused heavily on maturing OWASP’s entity for legal and tax compliance, established annual budgeting and tracking, and created annual goals for the foundation that impact operational focus and growth. All of these efforts set up OWASP to continue rapid growth around the world.

Today we have over 42,000 participants around the world who collaborate with OWASP through local chapter meetings (we have over 200 chapters in over 100 countries), events, projects, free trainings and more. OWASP was even recognized with an SC Magazine editor’s choice award this year.

All of these efforts are the result of the hard work and dedication of our community, operations team and all volunteers. As chairman I’ve tried to build systems and relationships to foster our open community and allow it to grow to meet these challenges. 


.next

Now it’s time for OWASP to make another turn. The need for, and importance of, application security could never be greater. Every week there is a new breach announced impacting thousands of people. Every quarter we hear about a devastating flaw that has widespread security ramifications. OWASP needs to stand up to the challenge of tackling application security.

To rise to the growing challenges we face, OWASP must shift course and focus on what makes us successful.


(1) OWASP is a group of doers 

We must reward and recognize those that see a problem and tackle it.  A list of to-do’s is interesting, but we can all talk about what we want to accomplish. The real power is a list of “have-dones” or more specifically, a list of items we have accomplished. Two quotes I’ve recently heard capture this well: “ideas are cheap, implementation is what matters” and "You know what's easy? Yelling on the internet. You know what's hard? Working with people to build things that last." -Christie Koehler

We all must identify the doers and reward them. Also, the correct response to someone suggesting “hey, why don’t you do x?” is to say “great idea, please come and help us get that started” or, of course, you could hear that idea, be the doer, and add yet another item to your completed-items list.


(2) OWASP must take the fight to the enemy

Sitting on a hill and watching a battle does not make you a victor. We must take the fight to the enemy. The application security enemy has many faces: lack of security knowledge or tools to enable fast and secure development, insufficient tools and techniques to defend against attackers, and also popular libraries and frameworks with lingering vulnerabilities that cripple trust in the Internet when they are uncovered.

Over the next weeks I will personally be reaching out to groups developing critical elements of the web to offer our assistance in securing their open source products. In addition I’ll be working directly with different industry verticals so OWASP can integrate into their communities and bring security to medical, manufacturing, critical infrastructure and more. This is not a one-person effort – we’ll figure out how OWASP can foster effective relationships that scale and last in this area. 


(3) The OWASP community is our driving force 

The power of OWASP is in our diverse and talented community that brings together a wealth of skills and expertise. We must break down any walls that prevent participation. We need discussion methods that can support thousands of active contributors. Our community should be so easy to engage that an individual who attends their first OWASP chapter meeting can go home and join our online discussion area to engage in projects, the wiki, and interact with our amazing community.

Further, our community must be inclusive and supportive. We must recognize that there are different approaches and seek to first understand before judging. We must seek to help those that are struggling and recognize that the ends don’t necessarily justify the means. There are many approaches to tackling a problem and the way we choose to interact with others reflects on our leadership and the value we bring to the OWASP community.

(4) OWASP must put our best foot forward and also be able to experiment, fail quickly, learn and try again

OWASP supports experimentation and research - we always have and always will. Just like a research group or a nimble company, we must be prepared to experiment, fail quickly, learn and try a new approach. Those that do so should be celebrated even if they are in the stages of experimenting, failing and repeating.

However, companies and professionals around the world also look to OWASP for solid guidance on application security. We must ensure that we identify our ideas, projects, and tools that are top notch and ready to be used by others. These ideas will have stood the test of time and have been carefully analyzed by our community. These premier or flagship projects must be well polished, maintained, and serve as a true testament of which the OWASP community can be proud.

We may not be in that position today, but I believe by leveraging the combined power of our community and effectively using our available resources we can quickly move into this scenario.


Getting to OWASP.next

OWASP is bigger than you or me, a single project or voice - OWASP represents the vision of a future where applications can provide amazing services and features to the world while also being secure. This security extends to protect the application's users, data, critical components for application functionality and more. It is time for OWASP to ask how we can grow to meet these challenges, build the next 100,000 contributors to OWASP and scale our efforts to meet the obstacles before us.

You’ll see more material coming over the weeks to support the above items. I encourage all of you to ask and discuss how we can make OWASP the organization that is needed to tackle the growing threats to application security.




--

Michael Coates
Chairman & Fellow OWASP'er
@_mwc



5 comments:

Dinis Cruz said...

As I mention in “On the unrealistic expectations on OWASP board members, and the ‘myth of the OWASP Board member’”, there are still a number of operational issues that need to be addressed.

Andrew van der Stock said...

Michael,

This is an awesome laundry list, and I for one, will be supportive of any initiatives that take us back to completing our mission, and being focussed on it.

We are no longer a few people here and there, we are a professional body, and we should be able to work with our sponsors and corporate supporters to build out our full range of projects by enabling and supporting our "doers". You know my opinion on this.

One caveat, projects are not our enemy! We must work with frameworks (Spring, Zend, Symfony, RoR, etc) and in my personal experience, they are very interested in help if you can be sustained, consistent and add value. They are NOT our enemy at all.

We cannot afford to sit back and be stuck in the same old, same old mindset, so I look forward to working with you and the board on re-shaping OWASP to support our mission.

Sastry Tumuluri said...

This is great. This (.next) is very much needed. To my mind, the two most important points are:

- Getting the world to want security, not in an abstract way - but in a meaningful enough way that means "I'll demand secure products and am ready to pay for them". In a way, this has been the mission of OWASP and will continue to be.

- Getting enough doers into the system to ensure that the world has the resources they need to secure themselves.

Going by the second problem first -- a centralized motive force will be limited in its scalability. Perhaps better, is to depend on the Chapters to become more active in both the aspects mentioned above.

For this, some effort would be needed to rejuvenate dormant Chapters and increase active (nay, contributing) members (doers) in each Chapter.

I'm all for it. In Chandigarh, we've started off on the first point with a mission statement "Secure Chandigarh". In that sense, we are adding doers to the first aspect (of spreading the message).

It is too early to make any claims or predictions, but we are open to course corrections. Hopefully, before long, we will also pick up the second point (of adding doers to OWASP projects).

Tom Brennan said...

Committees 2.0

http://owasp.blogspot.com/2014/05/committees-20.html