As Chairman of the OWASP global board I’ve strove to bring a scalable structure to OWASP that allows us to continue growing and tackling application security. Over the past 3 years we’ve dramatically increased participation around the world, increased our funding which allows greater opportunities, built a full-time operations team to support our events and appointed an executive director for the foundation. Behind the scenes we’ve also focused heavily on maturing OWASP’s entity for legal and tax compliance, established annual budgeting and tracking, and created annual goals for the foundation that impacts operational focus and growth. All of these efforts setup OWASP to continue rapid growth around the world.
Today we have over 42,000 participants around the world who collaborate with OWASP through local chapter meetings (we have over 200 chapters in over 100 countries), events, projects, free trainings and more. OWASP was even recognized with an SC Magazine editor’s choice award this year.
All of these efforts are the result of the hard work and dedication of our community, operations team and all volunteers. As chairman I’ve tried to build systems and relationships to foster our open community and allow it to grow to meet these challenges.
Now it’s time for OWASP to make another turn. The need and importance for application security could never be greater. Every week there is a new breach announced impacting thousands of people. Every quarter we hear about a devastating flaw that has widespread security ramifications. OWASP needs to stand up to the challenge of tackling application security.
To rise to the growing challenges we face OWASP must shift course and focus on what makes us successful.
(1) OWASP is a group of doers
We must reward and recognize those that see a problem and tackle it. A list of to-do’s is interesting, but we can all talk about what we want to accomplish. The real power is a list of “have-dones” or more specifically, a list of items we have accomplished. Two quotes I’ve recently heard capture this well: “ideas are cheap, implementation is what matters” and "You know what's easy? Yelling on the internet. You know what's hard? Working with people to build things that last." -Christie Koehler
We all must identify the doers and reward them. Also, the correct response to someone suggesting “hey, why don’t you do x?” Is to say “great idea, please come and help us get that started” or, of course, you could hear that idea, be the doer, and add yet another item to your competed-items list.
(2) OWASP must take the fight to the enemy
Sitting on a hill and watching a battle does not make you a victor. We must take the fight to the enemy. The application security enemy has many faces: lack of security knowledge or tools to enable fast and secure development, insufficient tools and techniques to defend against attackers, and also popular libraries and frameworks with lingering vulnerabilities that cripple trust in the Internet when they are uncovered.
Over the next weeks I will personally be reaching out to groups developing critical elements of the web to offer our assistance in securing their open source products. In addition I’ll be working directly with different industry verticals so OWASP can integrate into their communities and bring security to medical, manufacturing, critical infrastructure and more. This is not a one-person effort – we’ll figure out how OWASP can foster effective relationships that scale and last in this area.
(3) The OWASP community is our driving force
The power of OWASP is in our diverse and talented community that brings together a wealth of skills and expertise. We must break down any walls that prevent participation. We need discussion methods that can support thousands of active contributors. Our community should be so easy to engage that an individual who attends their first OWASP chapter meeting in can go home and join our online discussion area to engage in projects, the wiki, and interact with our amazing community.
Further, our community must be inclusive and supportive. We must recognize that there are different approaches and seek to first understand before judging. We must seek to help those that are struggling and recognize that the ends don’t necessarily justify the means. There are many approaches to tackling a problem and the way we choose to interact with others reflects on our leadership and the value we bring to the OWASP community.
(4) OWASP must put our best foot forward and also be able to experiment, fail quickly, learn and try again
OWASP supports experimentation and research - we always have and always will. Just like a research group or a nimble company, we must be prepared to experiment, fail quickly, learn and try a new approach. Those that do so should be celebrated even if they are in the stages of experimenting, failing and repeating.
However, companies and professionals around the world also look to OWASP for solid guidance on application security. We must ensure that we identify our ideas, projects, and tools that are top notch and ready to be used by others. These ideas will have stood the test of time and have been carefully analyzed by our community. These premier or flagship projects must be well polished, maintained and a serve a true testament that the OWASP community can be proud of.
We may not be in that position today, but I believe by leveraging the combined power of our community and effectively using our available resources we can quickly move into this scenario.
Getting to OWASP.next
OWASP is bigger than you or me, a single project or voice - OWASP represents the vision of a future where applications can provide amazing services and features to the world while also being secure. This security extends to protect the application's users, data, critical components for application functionality and more. It is time for OWASP to ask how we can grow to meet these challenges, build the next 100,000 contributors to OWASP and scale our efforts to meet the obstacles before us.
You’ll see more material coming over the weeks to support the above items. I encourage all of you to ask and discuss how we can make OWASP the organization that is needed to tackle the growing threats to application security.
Chairman & Fellow OWASP'er