[Owasp-leaders] Professionalism and the Future of OWASP

Milton Smith milton.smith at owasp.org
Fri May 20 17:49:49 UTC 2016

Well said, Josh.  I would also go so far as to say OWASP does not have 
to please all members all the time.  After all, we voted for "You".  We 
expect all our OWASP leaders will keep our desires in mind when making 
decisions.  I'm a believer in the Meritocratic approach but voting on 
every issue is too noisy and distracting.  We voted on the leaders and 
that should be good enough.  If you said you were going to do X,Y,Z when 
you were elected, and you were elected, then your budget is 
retroactively approved to spend the money and get it done!  We should 
also begin to take OWASP governance very seriously.  It could be the 
full-time job of a person or two.  A small example, OWASP logo bitching 
and complaining is ridiculous and there are many others.  I have 
actually been told to pull Oracle's logo off my slides before a session 
I was presenting on Java (a free and open source project).  Establish 
documented rules and documented consequences.  If a detestable action 
occurs which there is no rule then let that person/organization do it.  
Let it be a learning experience then establish future policies that 
prohibit the action.  Establish policies for resolving member grievances 
with board decisions.  Members should be able to override board 
decisions in a formal way.  Complaining on public email lists should not 
be allowed or at least discouraged.

I said it last year and I am saying it this year, OWASP cannot code its 
way out of security challenges.  We need to grow up as an organization.  
We need to start working security from the top down.  In case nobody has 
noticed, while members debate over the nuances of which cipher suite to 
use governments are passing completely horrible security policies that 
make the world a worse place for everyone.  We can't shut a "back door" 
with better security APIs.  I know this stuff is boring to members but 
working with government security policy makers is essential.  I'm not 
suggesting we should invest ourselves in the privacy debates between 
governments and citizens.  Still, there are many opportunities where we can 
influence information security policy by providing our expertise.  For 
example, there is a bill proposed, Cyber Security Disclosure Act of 
2015 (SB.2410) that directs companies to appoint a security expert 
(CISO/CSO) to the board.  I recently returned from a cyber insurance 
forum at Stanford University and let me say industry does not feel 
responsible for security.  The state Insurance Commissioner for 
California considers exploitation of information systems in many ways 
like a fire, flood, or other acts of God.  This is completely 
ridiculous, code is written by developers and vulnerabilities are 
entirely man made.  Many at the forum expressed a sentiment that no 
matter how hard organizations try, vulnerabilities are unavoidable.  
This mentality is like suggesting diet and exercise is worthless since 
we are all going to die anyway.  There were many other equally 
ridiculous ideas presented.  The people at this forum are significant 
and influential leaders.  They are bright people but they don't 
understand application security like we do.  Perhaps perfect security is 
unattainable but acceptable or reasonable security is within our grasp.  
Application security can be far better than it is today.  We need to be 
positively influencing opinion on security, software developer's coders, 
policy makers, general public, new appsec professionals, CISO/CSO, etc. 
Changing hearts and minds on security can have a powerful impact.  
Thoughtfully influencing the minds and hearts can have a powerful 
positive impact.

I like Josh's idea for the formal CTO position, maybe a Chief Policy 
Officer (CPO), and others as well.  Some leadership roles should focus on 
running the organization, member needs, while new positions set and 
pursue a vision.  Let's figure out where we want to influence and invest 
in those areas.  Let's improve ourselves, our governance, let's set the 
bar high and make some changes.  OWASP has a voice.  Let's use it!

--Milton Smith

On 20 May 2016, at 8:50, Josh Sokol wrote:

> OWASP Board, Staff, and Leaders,
>
> I wanted to take a moment to address the elephant in the room.  When I
> look at the front page of owasp.org, I am drawn to a statement that OWASP
> is "operating as a community of like-minded professionals".
> Unfortunately, when I look at the reality of OWASP, I feel like we have
> moved more in the direction of a clubhouse political debate than an
> organization of like-minded professionals.  Don't get me wrong.  I
> consider differing views and conversations about change to be a good
> thing, but frequently these debates have devolved into profanity and
> personal attacks.  That is not professional and completely inappropriate.
> The biggest benefit of our mailing list is that it gives you time to
> fully think through not only your words, but also their interpretation,
> before you "speak" them.  Passion is great, but at the end of the day we
> still need to work with each other, so professionalism needs to trump
> passion.
>
> OWASP is a 501c3 not-for-profit *CORPORATION*.  Just because our goal is
> not to make a profit, doesn't mean that we shouldn't act like a
> corporation.  And when you consider the size of our volunteer base, our
> revenue, and our global reach, we are a relatively large corporation.
> And like a corporation, we have a Board of Directors, we have policies,
> guidelines, and a mission statement.  But if any other corporation acted
> the way that we do, they would not be in business for very long.  Can you
> imagine a global brand like Dell with every stakeholder doing their own
> thing under the same banner?  You'd have 1,000 different laptop models
> with different looks, feel, functionality, documentation, and zero
> consistency.  From the outside looking in, as a consumer, it would be
> pure madness.  More than enough to drive your business into the hands of
> someone else.  Yet, that is the state of OWASP today.  Fortunately, it
> doesn't have to be the future.
>
> I would like to hope that every one of you is here because you believe in
> OWASP's mission statement of improving the security of software.  The
> challenge is that every one of us has a different opinion on how to
> accomplish that.  Each opinion is every bit as valid as the next, but
> like any other business, we need to prioritize our limited resources on
> the strategic initiatives that will give us the biggest bang for our
> buck.  In my opinion, this prioritization process is an area that OWASP
> has done a poor job of in the past.  It is the purpose of the OWASP Board
> of Directors to align our available resources to accomplish a common goal
> and, to date, we have done little more than provide a handful of
> resources to a handful of people, in order to accomplish some goals that
> are tangential to our business.  The result is not bad, but I do question
> whether OWASP is living up to its potential.  And without strategic
> alignment, it's no wonder why our stakeholders are in routine conflict.
> That's what happens when everyone has a different idea of how to
> accomplish a goal.
>
> Nobody wants a problem without a solution.  I mentioned in a separate
> thread that I feel like the time has come for OWASP to have a formal
> position.  I envision this as a person well qualified and vetted in the
> field of Application Security so that they can do a thorough analysis of
> the space, talk with our stakeholders, and identify documentation, tools,
> etc where OWASP can fill a need.  They would then be responsible for
> creating that project's vision and aligning our resources in order to
> drive it to completion.  This is not a "Project Manager" role, this is a
> business strategy and technical architecture role.  Volunteers would
> still be free to follow their passion, but hopefully they could find one
> of these strategic projects to align themselves with.  And with a common
> vision and goal in mind, hopefully it would reduce contention amongst our
> impassioned community.  In my opinion, it's time for OWASP to stop
> thinking like a club and start thinking like a business and I feel like
> this is necessary to get us there.
>
> I don't see the other projects going away under this model.  OWASP can
> still provide a home and limited resources for them under our brand
> umbrella.  We would just be making the conscious decision to allocate the
> majority of our project resources in order to accomplish some very
> specific strategic initiatives.  The volunteer would still be free to
> choose how to contribute and how much effort they can put in.
>
> Thoughts on this model for the future of OWASP?  At this point, it's
> mostly an idea in my head, not well-socialized, but this is my attempt to
> try to put it out there for consumption and feedback.  I'm open to your
> additional ideas and suggestions.  Let's just agree to keep it
> professional.  Thank you.
>
> ~josh