[Owasp-leaders] The Gap Between OWASP and Developers

John Steven John.Steven at owasp.org
Wed Feb 23 07:31:47 EST 2011


Prior to the first OWASP summit, I suggested to Dinis we needed to
make a change like Jeremiah describes. He agreed and suggested he'd
help fund anyone who I could convince to come. I actively lobbied my
clients to no avail. Since the first summit, we've all heard several
well-respected members of the OWASP community--who are not
vendors--lament how difficult it is for them to contribute. The
situation faced remains what it was and is simply:

There is no formal conduit through which commercial entities and
their employees can feel comfortable contributing while protecting
their organization's privacy, intellectual property, and employment.

Some organizations and their employees can participate without such a
formal conduit, and that's great. Others will not be able to. I
imagine we want to actively include those who are currently precluded,
even in a first such attempt at outreach for greater involvement.
Something Joe, Tom, and other representatives from commercial entities
and I have talked about is establishing some 'ground rules' for
working with these reluctant organizations. Ground rules would need to
address the issues I described in the breakout above.

Failing to make progress on this issue is likely going to cause the
same deja vu feeling in the broader leader's list that it's doing for
me now. I think this is a 'non-starter' situation.

If someone from the Industry committee is willing to take lead on this
effort and produce a draft, I'd be happy to push it to my contacts in
industry and act as intermediary so that they could anonymously
improve it for our use.


On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org> wrote:
> That is the plan of the industry committee, for those that missed that mission and goal - Joe's got the ball and is running with that with the team of the global industry committee.
> The board nominations can take place as soon as April, with the election 3 months after the candidates are locked in. As we did in 2009, the candidates need to have a "why me" document write-up so that member voters can elect a volunteer leader.
> So if you are reading this and you are an OWASP member and leader/committee member, you are eligible to be nominated as a candidate; then the election will happen and the 2-year term will start in January.
> I will be leading this effort with the assistance of Dan Cornell and the rest of the Global Membership Committee like we did in 2009
> Brennan
> 9732020122
> Tom Brennan
> OWASP Foundation
> 973-202-0122
> -----Original Message-----
> From: Andre Gironda <andreg at gmail.com>
> Sender: owasp-leaders-bounces at lists.owasp.org
> Date: Fri, 18 Feb 2011 11:51:50
> To: <owasp-leaders at lists.owasp.org>
> Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)
>> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.
>> Aloha,
>> Jim
> Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
> and he put it very eloquently:
> "Imagine having CSOs from major eCommerce, financial services,
> healthcare, etc. organizations stacking the OWASP board"
> I think this is the BEST idea to ever come from Jeremiah, and the only
> thing I would add to it would be, "as long as WhiteHat Security
> customers are only represented as a minority and not a majority". ;>
> If vendors are recommending that their most-faithful of customers
> become the leadership instead of the vendors themselves -- we could
> end up in a much worse situation than we are already in with regards
> to promoting the believability of our appsec expertise (as well as
> actually having any real experience or direction to put forward to the
> industry).
> -Andre
>> ****
>> OWASP Leaders,
>> Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors.
>> They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.
>> In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011, and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
>> Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
>> Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
>> Regards,
>> Jeremiah Grossman
>> Chief Technology Officer
>> WhiteHat Security, Inc.
>> http://www.whitehatsec.com/
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
