[Owasp-board] Questions regarding Developer outreach program

Matt Konda matt.konda at owasp.org
Mon Nov 23 23:47:44 UTC 2015


It is totally fair that the proposal is not well fleshed out.  I put it out
in that early state with the hope that folks would collaborate in putting
detail into it and we would come up with an awesome way forward working

To be clear though, it was never intended that a major portion of it would
be funding travel to developer conferences.  I for one have already been
doing that for years, as have many others, on our own dime.  So I think we
all agree that's not what we want to do here.

What it is about is:

   - Participating in DHS and IEEE standards efforts.  These organizations
   are moving forward with or without us and if we don't participate I think
   we risk losing our place as the de facto standard for application security.
   - Making an investment in DevOps.  This includes conference and summit
   activities.  This is an area we have mixed results at so far but we have
   some active work happening that we can either leverage or let fall to the
   - Building a data collection and metrics focused initiative so that we
   have something behind us when we say that X,Y,Z are the most important
   things going on and A,B,C work.
   - Building training content and capabilities.

I look forward to your input.


On Mon, Nov 23, 2015 at 5:33 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I agree with your concern, Johanna. Going to developer conferences feels
> good but is largely ineffective and does not really scale. Most of OWASP's
> efforts are on conferences in general, and I think we can do more in
> service of our mission. (By the same token I'm really proud of our staff
> and the work they do to put on amazing conferences).
> I'd much rather spend these funds funding and working with popular
> software frameworks to provide additional automatic security controls where
> we can. This is how you change the AppSec world for the better, but it's a
> huge leap from what we do today and most folks I've talked to in leadership
> are opposed to that kind of funding.
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
> On Nov 23, 2015, at 8:06 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> Hi Board
> I do have some questions regarding this program
> So far I have not seen concrete plans but a quite vaguely defined plan
> with a budget for 50K for 'engagement costs' for leaders (who are also not
> clear) to conferences
> I do not see clear actions into this initiative.
> $50K for work to help OWASP *actively engage* with developer
> communities.==>
>    - Which concrete actions and steps will be done in order to *engage*
>    the developer communities?
>    - Where is the proposal explaining this?
>    - How will be the selection procedure of Project leaders to go to these
>    'conferences'? Will it only be the board members or elected members, and how
>    will this be done?
> Example, I don't see how someone that has no developer experience using
> certain programming language or that framework can engage a Developer
> community, so the action plan is quite important in order to justify this
> 'engagement' with chances to get results
> regards
> Johanna
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board