[Owasp-leaders] The Gap Between OWASP and Developers

Jim Manico jim.manico at owasp.org
Fri Feb 18 13:29:17 EST 2011


Hello all,

I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)

I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.

Aloha,
Jim

****

OWASP Leaders,
 
Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors. 
 
They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.

In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011, and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
 
Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
 
Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
 
Regards,
 
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
 