[Owasp-leaders] Professionalism and the Future of OWASP

Josh Sokol josh.sokol at owasp.org
Fri May 20 15:50:29 UTC 2016

OWASP Board, Staff, and Leaders,

I wanted to take a moment to address the elephant in the room.  When I look
at the front page of owasp.org, I am drawn to a statement that OWASP is
"operating as a community of like-minded professionals".  Unfortunately,
when I look at the reality of OWASP, I feel like we have moved more in the
direction of a clubhouse political debate than an organization of
like-minded professionals.  Don't get me wrong.  I consider differing views
and conversations about change to be a good thing, but frequently these
debates have devolved into profanity and personal attacks.  That is not
professional and completely inappropriate.  The biggest benefit of our
mailing list is that it gives you time to fully think through not only your
words, but also their interpretation, before you "speak" them.  Passion is
great, but at the end of the day we still need to work with each other, so
professionalism needs to trump passion.

OWASP is a 501c3 not-for-profit *CORPORATION*.   Just because our goal is
not to make a profit, doesn't mean that we shouldn't act like a
corporation.  And when you consider the size of our volunteer base, our
revenue, and our global reach, we are a relatively large corporation.  And
like a corporation, we have a Board of Directors, we have policies,
guidelines, and a mission statement.  But if any other corporation acted
the way that we do, they would not be in business for very long.  Can you
imagine a global brand like Dell with every stakeholder doing their own
thing under the same banner?  You'd have 1,000 different laptop models with
different looks, feel, functionality, documentation, and zero consistency.
From the outside looking in, as a consumer, it would be pure madness.  More
than enough to drive your business into the hands of someone else.  Yet,
that is the state of OWASP today.  Fortunately, it doesn't have to be the

I would like to hope that every one of you is here because you believe in
OWASP's mission statement of improving the security of software.  The
challenge is that every one of us has a different opinion on how to
accomplish that.  Each opinion is every bit as valid as the next, but like
any other business, we need to prioritize our limited resources on the
strategic initiatives that will give us the biggest bang for our buck.  In
my opinion, this prioritization process is an area that OWASP has done a
poor job of in the past.  It is the purpose of the OWASP Board of Directors
to align our available resources to accomplish a common goal and, to date,
we have done little more than provide a handful of resources to a handful
of people, in order to accomplish some goals that are tangential to our
business.  The result is not bad, but I do question whether OWASP is living
up to its potential.  And without strategic alignment, it's no wonder why
our stakeholders are in routine conflict.  That's what happens when
everyone has a different idea of how to accomplish a goal.

Nobody wants a problem without a solution.  I mentioned in a separate
thread that I feel like the time has come for OWASP to have a formal CTO
position.  I envision this as a person well qualified and vetted in the
field of Application Security so that they can do a thorough analysis of
the space, talk with our stakeholders, and identify documentation, tools,
etc where OWASP can fill a need.  They would then be responsible for
creating that project's vision and aligning our resources in order to drive
it to completion.  This is not a "Project Manager" role, this is a business
strategy and technical architecture role.  Volunteers would still be free
to follow their passion, but hopefully they could find one of these
strategic projects to align themselves with.  And with a common vision and
goal in mind, hopefully it would reduce contention amongst our impassioned
community.  In my opinion, it's time for OWASP to stop thinking like a club
and start thinking like a business and I feel like this is necessary to get
us there.

I don't see the other projects going away under this model.  OWASP can
still provide a home and limited resources for them under our brand
umbrella.  We would just be making the conscious decision to allocate the
majority of our project resources in order to accomplish some very specific
strategic initiatives.  The volunteer would still be free to choose how to
contribute and how much effort they can put in.

Thoughts on this model for the future of OWASP?  At this point, it's mostly
an idea in my head, not well-socialized, but this is my attempt to try to
put it out there for consumption and feedback.  I'm open to your additional
ideas and suggestions.  Let's just agree to keep it professional.  Thank
