[Owasp-leaders] The Gap Between OWASP and Developers
andreg at gmail.com
Fri Feb 18 13:51:50 EST 2011
On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
> I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)
> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.
Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
and he put it very eloquently:
"Imagine having CSOs from major eCommerce, financial services,
healthcare, etc. organizations stacking the OWASP board"
I think this is the BEST idea to ever come from Jeremiah, and the only
thing I would add to it would be, "as long as WhiteHat Security
customers are only represented as a minority and not a majority". ;>
If vendors are recommending that their most-faithful of customers
become the leadership instead of the vendors themselves -- we could
end up in a much worse situation than we are already in with regards
to promoting the believability of our appsec expertise (as well as
actually having any real experience or direction to put forward to the
> OWASP Leaders,
> Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors.
> They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.
> In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011, and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
> Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
> Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.