Monday, February 21, 2011

A Vision For OWASP

There's been lots of talk over the last few weeks about OWASP. Is OWASP at a tipping point? Where should OWASP go next? Has OWASP lost touch with developers?
These three posts provide very interesting insight about OWASP and some concerns in the community. Some individuals may view these discussions and think that OWASP is in trouble and is crumbling. I think that nothing could be further from the truth. The reality is that OWASP is growing by leaps and bounds. Community involvement is up, membership is up and projects are growing. We just held a fantastic summit that gathered the best security minds in the world. Sure, we have issues to address, but that is a result of our growth and our desire to be better. The fact that people are discussing how to make OWASP better points to the strong desire for OWASP to succeed.

Enough talking without acting; here's how I think OWASP can grow to meet the new demands we are seeing.

  • Greater focus and involvement from key security groups - builders, breakers, defenders
  • Get the right people to the table. We have lots of consultants, let's increase enterprise/industry representation
  • A shift from quantity to quality
  • Use OWASP as a platform for growth and support (as mentioned during the summit)
  • Do away with the notion of the board driving all decisions and direction. The board will assist and support everyone's efforts. But the people are the true drivers.

Here is a model that I think would be successful for OWASP. The focus is on building communities around builders, breakers & defenders (am I missing anyone?). The intent isn't for these groups to operate in isolation; instead the goal is to get the correct stakeholders united to address the key security issues that they are facing. Developers know what developers need and how development works. So let's get security-minded developers together to address the issue. If they need information from the breakers or defenders, then just ask, we're all OWASP. Let's do the same for the breakers community and the defenders community. The intent is to drive security by getting the best people together to solve the right problems in areas where they are experts.
Moreover, within OWASP these groups should be champions of projects within their domain. No more half-baked or abandoned projects. Each community should be able to vouch for the quality of the projects in their area. If it's not up to snuff, then fix it or cut it. Is a key project missing? Then develop a strategy and plan to fill the gap with quality material. If OWASP wants to succeed then we need to focus our efforts in the right areas and create high quality outputs.

One last thought, which is probably the most important: this model is all built on top of the OWASP platform. OWASP has a voice and is a gathering point for security excellence throughout the world. Let's leverage this incredible community and focus our efforts for some truly awesome results.
Don't like this model? Then suggest something better. Talk is cheap; let's get some results.

Here's how to get involved

Want to join the developer/builder community? Email John Wilander (

Want to join the defender community? Email me -

Breakers? We need a leader.

A community for c-level security people? Need a leader here too.

-Michael Coates - @_mwc


  1. "if there is no struggle there is no progress"

    OWASP has evolved and will continue to grow

  2. I like your take on renewing OWASP, Michael. Good to see you take on the Defenders part. I'll try my best to get the Developer Outreach going. It's a big beast but we have to bridge the gap.

    The only thing that I worry a little bit about is how the committees fit in with Builders/Breakers/Defenders? Are they truly cross-cutting? Would that mean e.g. the conferences committee could/should go for a Builders/Breakers/Defenders revamp of the AppSec conferences?

    Anyway – keep up the good work and good luck with defending the web!

  3. I wasn't aware there were any issues with OWASP, I've been reading the site and material and getting totally excited about what's there.

    The OWASP Top 10 is the foundation of my Security testing service offering!

    I'm a breaker, so when Thang Nguyen gets his community stuff set-up I'll be signing up, dragging a few colleagues along with me.


  4. Mark C,

    I wouldn't say there are issues with OWASP. Instead, we're going through the normal pains that an organization faces as it grows. In my opinion this is the exact discussion we need to realign OWASP to best provide awesome resources for the world and to involve top security talent.

  5. Hiya,

    Did Thang Nguyen ever get his Breaker community set-up? Darned if I can find any link on the OWASP site, some hacker I'll make :P


  6. Mark,

    Nope. It's all you now. Here's the link of where you can start:


  7. Michael,
    You left out the "Policy Wonks". Admittedly they are a small subset of OWASP but they do exist and not all of them are C-level execs.

