
Open letter to OWASP

The OWASP Summit 2011 in Portugal is coming up soon! This is an opportunity for the community's leaders and influencers to discuss the future of the organization and that of the application security industry. The working sessions are creative, diverse and forward-thinking, designed to direct standards, establish roadmaps, and improve organizational governance. Unfortunately I have a conflict in my schedule and am unable to attend, but I am excited to be presenting at IT-Defense in Germany. Fortunately for me, Jeff Williams (OWASP Chairman) put a call out for feedback on the Summit's. Since I can't be physically present, I've taken this as an opportunity to share my thoughts for organizers and attendees to consider.

Before getting to the list, I'd like to remind everyone that I was personally present many years ago at the beginnings of OWASP. Since then I've contributed to many different projects where I prefer to spend my time. I've visited over a dozen local OWASP chapters, including several international conferences to present, where I met new people and shared ideas. I've written blog posts and articles directing people to OWASP materials. Through sponsorship dollars from WhiteHat Security, we've financially supported the good work the organization does. So with this in mind, please take the following as purely constructive, with a desire for OWASP and the industry at large to flourish.

1) Hold a Board of Directors Vote
To my knowledge, and I'm open to correction, OWASP has never had an official Board of Directors vote. At least not one where membership could participate. Is this covered in the by-laws? It should be. Update: Indeed I have been corrected. See Dan Cornell's comment below that nicely details a 2009 membership vote that resulted in the addition of two new BoD seats. Embarrassing that I missed this. I'm told (via twitter) that after the summit there will be a plan laid out where half the current seats will go out for a vote. Progress!

OWASP is a community of volunteers, and like any community it should be managed openly and democratically. I love the fact that the budget itself has been made transparent. Holding a BoD vote would increase confidence in the organization and establish personal ownership and accountability in OWASP's future. A future where someone's individual contribution, commitment, and merit may be rewarded with a position of greater influence and responsibility.

I do not make this recommendation lightly, as I know most of the current board members personally, whom I respect, who have given so much of themselves over the many years, and deserve our appreciation. They've done a remarkable job and this in no way should be considered an indictment. I'm saying that for OWASP to continue to thrive, room must be made at the topmost levels for new participants with fresh ideas.

2) It is time for an OWASP Chief Executive Officer
OWASP would be well-served by the creation of a President / CEO position, just like Mozilla and other highly successful non-profits. A full-time person responsible for the day-to-day operational affairs and for growing the organization. A go-to person for global committee members, project leaders, members, sponsors, press, etc. who has the authority to make decisions and get stuff done expeditiously. OWASP generates enough revenue, with sufficient growth, and has enough stuff to easily justify such a position. No doubt others besides myself have experienced much internal confusion and disorganization within that stifles and frustrates those seeking to contribute. The right person could help clean all that up and make things much more efficient and productive.

Second, this person also must serve as an industry cheerleader. It is vital that someone representing OWASP is constantly out there raising awareness and sharing why it's a good idea for every developer, security professional, and software-generating organization to be involved. Someone who can meet personally with CEOs, CIOs, CTOs, and CSOs of organizations large and small to gain their support. Obviously this can't happen on a part-time basis with people employed by for-profit "vendors."

3) Less preaching to the choir, engage more with the outsiders
Everyone in the community recognizes the echo chamber issue. We know that the vast majority of those we need to reach are the ones who do not voluntarily come to us, the application security industry. So of course they have no way of knowing why the work we do is important, how it affects the safety and privacy in their lives, and the viability of online business. Without addressing this issue, the summit runs the risk of perpetuating the problem. I've been as guilty as anyone. Therefore, instead of continuing to expect people to come to us, over the last several years I've been transitioning to going to where they are, and with much success! OWASP should do the same to spread the word and take itself to the next level.

For example, OWASP representatives could attend, sponsor, and present at every possible non-security conference such as JavaOne, F8, Google I/O, any O'Reilly event, Star East/Web and so on, where thousands of developers gather. In my experience at these events, when in their own element, developers are eager to learn about the state-of-the-art in application security, especially when presented in a way where they can derive value immediately when they get back to work. These attendees also represent a segment of developers who really care about their software. OWASP should proactively reach out to conference organizers with a menu of official, up-to-date topics and facilitate the CFP process on behalf of qualified representatives. Or, better still, offer to establish and manage an entire security track! Done right, with a call to action, this alone would drive much-needed membership.

4) Investment justification
Mountains of documentation on what organizations "should be doing" are already available. Information security professionals are desperate for resources on how to justify to the business why an investment in application security is crucial. Effective application security programs aren't easy or cheap to build. They require real organizational change and budget dollars to involve people, process, technology, and services. The justification cannot be because it's "the right thing to do," "PCI-DSS said so," or "the APTs will get us!" That's unconvincing and mind-numbingly old. OWASP can help everyone do better.

One way is by capturing success stories from the OWASP corporate and individual membership. Real people, real companies, who are named, documented, and publicly highlighted. Ask them to share how much OWASP materials helped them. What they did exactly and how it positively impacted the organization. Ask them to quantify some metrics on how much they are investing and how they are budgeting, all of which creates a watermark for others. These stories are key proof points their peers can use to follow the paths paved by early adopters.

5) Directly get involved with the PCI-DSS
PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Top Ten is not something e-commerce merchants necessarily want to do, but they are forced to, and no one likes to be forced to do "security." As has been said privately to me, "What is OWASP except a bunch of crap I have to deal with for PCI?" This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed bad. Of course PCI-DSS's usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.

Perhaps I'm not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must be made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there's time to rekindle the effort, as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise.

There you have it, my thoughts. I have more ideas, but I think that's enough to chew on for now. :)
