[Owasp-leaders] The Gap Between OWASP and Developers

Tom Brennan tomb at owasp.org
Fri Feb 18 14:08:51 EST 2011

That is the plan of the industry committee, for those that missed that mission and goal - Joe's got the ball and is running with that with the team of the global industry committee.

The board nominations can take place as soon as April, with the election 3 months after the candidates are locked in. As we did in 2009, the candidates need to have a "why me" document write-up so that member voters can elect a volunteer leader.

So if you are reading this and you are an OWASP member and leader/committee member, you are eligible to be nominated as a candidate; then the election will happen and the 2 year term will start in January.

I will be leading this effort with the assistance of Dan Cornell and the rest of the Global Membership Committee, like we did in 2009.


Tom Brennan
OWASP Foundation

-----Original Message-----
From: Andre Gironda <andreg at gmail.com>
Sender: owasp-leaders-bounces at lists.owasp.org
Date: Fri, 18 Feb 2011 11:51:50 
To: <owasp-leaders at lists.owasp.org>
Reply-To: "Feel free to browse the archives." <owasp-leaders at lists.owasp.org>
Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers

On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
> I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)
> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.
> Aloha,
> Jim

Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
and he put it very eloquently:

"Imagine having CSOs from major eCommerce, financial services,
healthcare, etc. organizations stacking the OWASP board"

I think this is the BEST idea to ever come from Jeremiah, and the only
thing I would add to it would be, "as long as WhiteHat Security
customers are only represented as a minority and not a majority". ;>

If vendors are recommending that their most-faithful of customers
become the leadership instead of the vendors themselves -- we could
end up in a much worse situation than we are already in with regards
to promoting the believability of our appsec expertise (as well as
actually having any real experience or direction to put forward to the


> ****
> OWASP Leaders,
> Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors.
> They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.
> In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011 and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
> Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
> Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
> Regards,
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders