[Owasp-board] [Owasp-leaders] The myth of the OWASP board

Eoin eoin.keary at owasp.org
Fri Feb 18 12:22:13 UTC 2011

Indeed OWASP has "Grown up" and now needs to "Grow out"

As I keep saying/ranting, the power of OWASP is in the committees, power to
the people!!

The board (my humble view):

The board has some focus on budget and to apply some "glue" to the overall
ecosystem but glue simply is to serve a purpose, to assist and serve, to
listen and to arbitrate and to help be fair and impartial. The board is also
to protect OWASP from vested interests, protect the brand and to manage the
limited funds such that all committees have an equal say in how we can
leverage the cash we have. Our core values and purpose need to be adhered to
also which is a board responsibility I believe.

To echo Jim Manico, the board needs to focus on fund raising so we can fund
and "productize" our tools, projects and guides etc.
To do this we need potential sponsors/corporate members to understand why
they should give OWASP some of their dollars.

Relevance of OWASP:

It seems to be easy to get consultancy/solution vendors to be corporate
members of OWASP as it is nice to say "OWASP corporate member" when
developing proposals and winning work, which I don't see an issue with and
actually condone it as it helps our message.

It is currently more difficult to get non-industry players (Banks, Energy,
Health care, Gov) to donate/join as they still ask "What can OWASP do for
me?" - We need to listen to people with real application security issues
resulting in financial/regulatory/personal impact.

We need release quality product (maybe with limited support and a paid
support model also?) to enable adoption by industry. (Industry: groups with
actual issues relating to application security, real problems which need to
be solved.)
Solving such problems WILL change the face of the Internet or "raise the

Key to OWASP survival and growth is to become relevant to industry, address
common issues faced by Internet users rather than looking inward. Enable
real quality tools to assess these issues but the only way to fix the plague
of web application insecurity is to address the root cause and look at
preventative medicine - Education, Secure SDL, Secure code, Awareness,
Relevance of our work to real issues, Address the symptoms but also
eradicate the spread of the disease.

(I needed to get this off my chest)


On 17 February 2011 22:20, Jeff Williams <jeff.williams at owasp.org> wrote:

> Hi everyone,
> Before the Summit, Dinis and I had a long conversation where we both agreed
> that OWASP was ready for some new leadership. My understanding with him was
> that we were going to wait for the upcoming election to announce, but he (as
> usual) couldn’t wait :)
> So, for those of you I haven’t told already, I won’t be running again for
> the board.  I’m still just as passionate about OWASP as ever, but I feel
> democratic leadership is really important for OWASP. I’ve thoroughly enjoyed
> serving on the board and I can’t wait to get back to doing more technical
> projects.
> For those of you that don’t really care about OWASP governance – good for
> you! Stop reading here. Thanks for all your hard work and I’m looking
> forward to working with you in the future.
> ------
> For the rest, I’ve read all the email, and I **strongly** urge you to
> focus on making OWASP a great platform for anything related to application
> security, and not worry too much about establishing a “top-down” board to
> set objectives and direction.  To me, the board should have extremely
> limited power that is centered around improving and protecting the platform
> (independence, brand, core values, ethics, finances, etc…)  The idea that we
> need a board to direct OWASP is a myth and a mistake.
> The Summit is a great example of what can happen when we let things
> self-organize on top of a great platform, where we keep things free and
> open, and protected from commercial influence. Please, think hard about how
> OWASP works. How can we actually drive change with an army of volunteers?
>  What can a top-down board really get people to do?  Who should set the
> priorities? Also note that we **could** raise a lot of money, but what
> message we would send in the process?
> A community-driven OWASP ecosystem **can** effect broad change in the
> software market. We’re only just starting to scratch the surface of what we
> can accomplish if we follow the platform strategy.  For a little background
> on this way of thinking, I’ve attached an article that will be coming out in
> the next issue of Crosstalk. The article touches on the issues in creating
> ecosystems that produce security.  I’m looking forward to your thoughts,
> --Jeff

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier