[Owasp-leaders] OWASP board foundation

Matt Tesauro mtesauro at gmail.com
Wed Nov 18 12:01:25 EST 2009

Sorry for the delayed response, I'm still catching up the non-OWASP
parts of my life after AppSec Brazil and AppSec US.

Current Employer:  Texas Education Agency - the state agency which
handles K-12 public education in Texas.  Since Texas has a ton of
schools (1200+ Independent School Districts) and we collect a ton of
data, we have many web applications for interacting with our
constituency.  At TEA, I am the "App Sec Guy" and have just
launched a 2 year program to create a unified, coherent App Sec program
(which I've based on Open SAMM).  

Philosophies:  I've pretty well listed those out on my nomination page:

The fly over summary is:
* Increase the size of the OWASP community by reaching out beyond the
App Sec community to developers, auditors, industry, education, etc.
* More focus needs to be placed on education - this is where we invest
for the long term (get them young).  Also, I'd really like to see an
OWASP CBT and during AppSec DC, an OWASPer approached me and several
members of the Education committee about starting that project.
* Industry participation is also very important.  I want to make sure
that OWASP is moving in a direction that works with industry.  The
industry advisory panel which was discussed at the Summit is one such
example of engaging industry.

Some short term goals are:
* Set up an OWASP archive so that there is an official place where OWASP
project releases can live.  Currently these are scattered across the
Internet and there is the real risk some of these could go AWOL.
* Sub-domaining owasp.org for projects.  This allows projects with needs
beyond what the Wiki will allow to still be part of the 'OWASP family'.
Projects like ASVS, ESAPI and the Live CD are projects which could
benefit from this.
* Re-think starting up some OWASP Forums and other community outreach
technologies such as having a planet.owasp.org which could aggregate the
communities blogs.

Builder vs Breaker:  While I did create the OWASP Live CD which is
pretty much a breaker toolkit currently, I actually started my career as
a developer.  The next release of the Live CD is focused on adding
builder tools.
I am also currently on the inside so I work very closely with
developers, PM, architects in my day job.  I really think you need both.
Sometimes the only way to motivate change is to break a few apps - to
demonstrate the reality of the problem.  Once you've got the
stakeholders' attention, that's when the building work starts.  The ROI
on building is _so much more_ than the ROI on breaking.

Hope that helps!


-- Matt Tesauro
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On Tue, 2009-11-17 at 16:03 -0500, McGovern, James F. (eBusiness) wrote:
> Could the candidates describe other characteristics about themselves
> such as:
> - Current employer: I have a thing for enterprisey types :-)
> - Philosophies on things like marketing of OWASP, industry evangelism,
> other demographics such as Business Analysts, Project Managers, CIOs and
> the value they should receive from OWASP, etc
> - More Builder or More Breaker
> etc
