21 December 2018
I ran for the OWASP Global Board in 2014 and started serving in 2015. Board members are term limited to 4 years so my time on the board is coming to a close with the end of 2018.
At the time I joined the board, the current sitting board members included: Michael Coates (Twitter CSO), Tobias Gondrom (Huawei CSO), Fabio Cerullo, Andrew van der Stock, Jim Manico and others. I mean, these were freaking legends … household names in AppSec … and highly accomplished leaders. You can see it all clearly in this picture.
In many ways, I felt that I immediately didn’t belong. I had run on the idea that OWASP could do a lot more to reach developers - which is so commonplace now as to seem silly - but at the time and in the OWASP community that message created a groundswell. Yet I was just the founder of a tiny company focused on that. Although I had spoken at several AppSec conferences, I saw myself as just a random person trying to build bridges. I was still very new to OWASP and the security community in general. I would note that all those folks on the board quickly accepted me and I like to think that over the years I have also done a thing or two to earn their respect.
It has been quite an experience. In this post, I want to reflect on the last 4 years of OWASP, talk a bit about some of our successes and call attention to some of the challenges ahead.
I want to start by calling out and acknowledging the role the staff plays. In my time with the Board, I got to see how things work at OWASP up close.
That included the opportunity to work with a number of folks that deserve a lot more recognition than they typically get for their contributions to OWASP because they are paid staff and not volunteers or leaders. People don’t always realize how much work and community knowledge goes into running the OWASP Foundation. They toil day in and day out to make the Foundation stronger while some folks in the community have very unrealistic expectations about what is possible from a small Foundation. I can clearly say that the OWASP Staff have consistently put in levels of effort that reflect a deep investment in our community and we might do well to step back and note that.
I also want to specifically mention:
I also very much appreciate Dawn Aitken, Harold Blankenship, Lisa Jones, Laura Grau, Tiffany Long and our Virtual support team that often held things together. As a community, we have relied on all of these folks very heavily whether we realize it or not.
No-one could have foreseen our Executive Director Paul Ritchie’s untimely demise, which was tragic for OWASP (and undoubtedly even more so for his family). In that moment and maybe ever since, this presented both the Board and the Foundation itself with innumerable challenges.
I hope that everyone that takes the time to read this blog post about being on the OWASP Board will take a moment to appreciate all of these folks and maybe do something to make their lives easier!
For almost anyone that gets involved with OWASP, the most energizing thing about OWASP is the community. I can go to a meeting in any city I am in and I’m guaranteed to find a group of interested, knowledgeable, friendly folks that are unified around the idea of making the world safer from an application security standpoint. I’ve personally done this in at least New York, Washington DC, Orlando, Chicago, Minneapolis, Austin, Dallas, San Jose, San Francisco, Rome and Amsterdam.
It is important to understand that it is in large part because of its Open values and vendor neutrality that OWASP is able to attract and keep lots of folks in the community engaged in such a positive way. It is the community that builds ZAP, The OWASP Top 10, The ASVS, DevSlop, Defect Dojo, Amass, The Testing Guide, and on and on. People are willing to do all that because the community acknowledges them and supports their efforts.
I submit to you that the community is OWASP’s biggest asset. It is comprised of so many folks with good will that want to help make us great. This is truly a precious resource.
With full appreciation for all that it means, it has been an honor to serve OWASP’s global community.
In reflecting on the time, I think it is interesting to think back to what my take was when the journey started and then contemplate all the things that have transpired since. Consider the board interview video which I prepared exhaustively for and arrived with charts and diagrams about OWASP finances. To see what everyone was saying, you can watch all the videos or look at the interview question responses.
I wanted to:
Many of my initiatives failed.
In addition to the challenge with Paul (The ED that passed away), we had the controversy about the Benchmark project, at least two sitting and two former board members with potential compliance issues and several community related compliance issues. We also had a mishire at the ED position. We had project summits and AppSec events that went far outside of our normal processes. We had regional events that weren’t happy with the central Foundation and a central Foundation that wasn’t happy with the regional events.
But that makes it seem more negative than it should. I’m just trying to be realistic and tell the whole story.
Much of our success over the past few years was in managing to continue to execute on the day to day activities like budgeting, operating, events, taxes, etc. in the context of being understaffed and without an executive director. We also had some very difficult board members. If I had one thing to do differently, it would have been to find someone to take on the role that Paul’s death left open faster.
During those operational years, we held successful global conferences, sustained 250 chapters, brought better order to hundreds of projects and held to our vendor neutral and non-commercial values. We resisted going down the path of certifications several times. From a community perspective, I believe we were able to sustain OWASP through some very challenging times to a point where it is thriving with more momentum than it has ever had before.
Some highlights - during my time on the board we also:
This is not to take away from the absolutely crucial and generous support of security vendors, but tapping into software companies shows that our message is starting to reach more broadly. It also advances the security vendors’ interests - because they want to build relationships with the software companies. I like to think this is a function of a lot of work over a lot of years trying to reach developers. As with many examples, it is also the result of broad collaboration across many people within OWASP.
Serving as Chair of the Board for 2 of the 4 years made it difficult to execute on initiatives beyond the core board functions and then the operational issues that needed to get handled. I’m proud that I was able to step in and help keep OWASP on track.
I am also proud that I was able to stick to OWASP values and not cross the commercial and non-profit streams.
Perhaps the single thing I am the most proud of is that everyone that joined the board meetings while I was Chair knew that their voice was going to be heard and that I was not working to advance my agenda so much as to bring everyone to a fair conclusion based on the different positions represented.
Truthfully, I will take a deep breath. I probably owe my Jemurai team some undivided attention as we navigate the start of 2019.
But soon, I will definitely continue to invest my time in OWASP:
When I joined the Board, I consciously stopped submitting talks for a lot of events because I didn’t think it was fair to put the organizers and selection committees in a position where they might feel conflicted saying no to a Board member’s submission. I may start submitting talks again …
I hope to see lots of OWASP folks for years to come. I will absolutely seek out opportunities to connect people to make great things happen. I invite you to email me: firstname.lastname@example.org. I promise that communications on that channel will stay “open” and non-commercial.
Recently there has been some heated criticism of the OWASP Board from the community. It typically orients around hoarding information or trying to consolidate power and money. My sense is that these criticisms are unfounded. The Board truly is your board (if you are an OWASP Member - if you are not, you should go here and become one) and is probably more afraid of doing the wrong thing than actively working to do anything.(!)
One thing that was reinforced repeatedly during my tenure is that change can be hard. Sometimes our institutions are built to make change hard. That may seem bad but there are good parts to it too. I think we all want OWASP to be deeply rooted in an open community. Our structure supports that and makes it hard to change. It also makes it hard to grow, take better advantage of growing markets, and change structures.
There is always room for growth and improvement and the speed of change may or may not be appropriate for the community. I do think it is a direct function of the structure of the organization and board.
I hope that over the years to come OWASP can find a way to bring even more experienced leaders with deep financial, marketing, and industry experience so that we can continue to be an organization that is seen as a leader. That will take a balance of openness and opportunism that may feel weird. I trust the community to elect the board they need to take OWASP where it should best go.
I don’t know if I succeeded or failed but I can say that I gave it everything I had and did everything I could to do it the right way.
I thank the community for their confidence and support throughout the last four years.