[Owasp-leaders] OWASP Core Values

Rex Booth rex.booth at owasp.org
Mon Jan 17 14:26:12 EST 2011


Bottom-up may work in some organizations where the leadership is able to 
define the culture, but we're not in a position to make such definitions 
in the population we're trying to influence.  Our target population is 
essentially the entire IT world.

As I said below, I agree that a multi-faceted approach is necessary - 
one where each component of our approach is built with a specific 
audience and purpose in mind.

<warning: nested tangents following>

With that in mind, I think our organization of projects, content and 
collateral is too internally-oriented.
One of the elements missing from our project initiation template (as far 
as I can tell) is an "intended audience".  Look at our wiki for a great 
example.  Is the maturity status of a project really what first-time 
visitors are going to care about?  Why don't we instead consider 
organizing according to target audience?  Say something like executive, 
auditor, developer?  Doing so would not only help first-time visitors 
quickly find what's most relevant to them, but also organize ourselves 
along this multi-faceted approach and help us better understand where we 
are focusing our efforts.

This speaks again to my earlier calls for OWASP to become more strategic 
in everything it does.  From distribution of funds, to where to focus 
project efforts, to where to focus geographically, we need to stop 
thinking like some sort of grassroots organization and start focusing 
our efforts where they will have the most impact.

Yes, our volunteers are grassroots, but that doesn't mean our 
organization can't think and orient strategically.  Individual 
contributions and thought leadership are still critical, but the board 
(or some form of leadership) needs to step up and start providing 
strategic guidance by prioritizing our projects, efforts and focus.

OWASP needs to move beyond a collection of projects and conferences, but 
it won't do so without focused leadership.

</tangents>

Rex


On 1/17/2011 11:46 AM, James McGovern wrote:
>
> 1. Bottoms up does actually work in “some” organizations where the 
> impediments of writing secure code have already been addressed through 
> other channels. For example, in my past employer developers were given 
> a certain portion of time where they could fix issues that they felt 
> were important. In shops where everything is managed (in the negative 
> sense) then the challenge of the developer doing the right thing is 
> reduced.
>
> 2. Gary McGraw acknowledged in the interview I did with him on the 
> Cigital podcast that the people adopting BSIMM were all executives who 
> came from a software development background. Sadly and increasingly, 
> more and more people who run IT don’t come from a software development 
> background and therefore other approaches may need to be employed. The 
> work that we do that isn’t developer-focused appeals to those who may 
> be auditors which is a role that won’t get you to the CIO slot. The 
> gap here is one of not being able to think about finances and project 
> management and a few projects that help folks out in this regard may 
> be in order.
>
> 3. I really hate debates on top-down vs. bottoms-up as it only demands 
> someone to argue middle-out. With that being said, the distinction 
> that may be important to noodle is that developers can remediate 
> applications using frameworks but this doesn’t result in a sustainable 
> approach. Likewise, a CIO can use all that audit stuff but only has a 
> short lifespan which also doesn’t result in anything sustainable. The 
> folks with the right agenda who are responsible for sustainability are 
> the folks that do Enterprise Architecture and we have absolutely no 
> offering for them.
>
> James McGovern
> http://twitter.com/McGovernTheory
>
> Virtusa Corporation
>
> From: owasp-leaders-bounces at lists.owasp.org 
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rex Booth
> Sent: Sunday, January 16, 2011 7:06 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Core Values
>
> I respectfully disagree.
>
> I think Mike is right in one respect: "What is the end result from a 
> developer's perspective that you're trying to achieve with something."  
> This is very true, and it's also why working security in through 
> grassroots and bottom-up approaches has failed time and time again - 
> and will continue to fail.
>
> Tools like ESAPI and other developer-oriented projects are necessary 
> and valuable components to our mission.  They clearly make it easier 
> for the developer to incorporate security into their application.  But 
> what happens when the developers simply don't care?  As Mike said, 
> unless it's a functional requirement, it's likely not going to get 
> their attention.
>
> The real driver for the widespread recognition of the need for 
> security is a top-down approach.  Working with the application owners, 
> standards bodies, and auditing organizations is absolutely key to 
> realizing our mission.  Those who dismiss such efforts are missing the 
> bigger picture and clearly don't understand the IT ecosystem outside 
> of the technical lifecycle.
>
> Is there room for improvement?  Absolutely.  But let's be respectful 
> of the wide variety of activities required by OWASP in order for us to 
> effectively pursue our mission - both technical and non-technical.
>
> Rex
>
> _______________________________________________
>
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
