Monday, February 21, 2011

A Vision For OWASP

There's been lots of talk over the last few weeks about OWASP. Is OWASP at a tipping point? Where should OWASP go next? Has OWASP lost touch with developers?
These three posts provide very interesting insight about OWASP and some concerns in the community. Some individuals may view these discussions and think that OWASP is in trouble and is crumbling. I think that nothing could be further from the truth. The reality is that OWASP is growing by leaps and bounds. Community involvement is up, membership is up and projects are growing. We just held a fantastic summit that gathered the best security minds in the world. Sure, we have issues to address, but that is a result of our growth and our desire to be better. The fact that people are discussing how to make OWASP better points to the strong desire for OWASP to succeed.

Enough talking without acting; here's how I think OWASP can grow to meet the new demands we are seeing.

  • Greater focus and involvement from key security groups - builders, breakers, defenders
  • Get the right people to the table. We have lots of consultants, let's increase enterprise/industry representation
  • A shift from quantity to quality
  • Use OWASP as a platform for growth and support (as mentioned during the summit)
  • Do away with the notion of the board driving all decisions and direction. The board will assist and support everyone's efforts. But the people are the true drivers.

Here is a model that I think would be successful for OWASP. The focus is on building communities around builders, breakers & defenders (am I missing anyone?). The intent isn't for these groups to operate in isolation; instead the goal is to get the correct stakeholders united to address the key security issues that they are facing. Developers know what developers need and how development works. So let's get security-minded developers together to address the issue. If they need information from the breakers or defenders, then just ask, we're all OWASP. Let's do the same for the breakers community and the defenders community. The intent is to drive security by getting the best people together to solve the right problems in areas where they are experts.
Moreover, within OWASP these groups should be champions of projects within their domain. No more half-baked or abandoned projects. Each community should be able to vouch for the quality of the projects in their area. If it's not up to snuff, then fix it or cut it. Is a key project missing? Then develop a strategy and plan to fill the gap with quality material. If OWASP wants to succeed then we need to focus our efforts in the right areas and create high quality outputs.

One last thought, which is probably the most important: this model is all built on top of the OWASP platform. OWASP has a voice and is a gathering point for security excellence throughout the world. Let's leverage this incredible community and focus our efforts for some truly awesome results.
Don't like this model? Then suggest something better. Talk is cheap; let's get some results.

Here's how to get involved

Want to join the developer/builder community? Email John Wilander (

Want to join the defender community? Email me -

Breakers? We need a leader.

A community for c-level security people? Need a leader here too.

-Michael Coates - @_mwc