Thoughts for OWASP Consideration...

Jeremiah Grossman got me thinking about this topic a few weeks ago when he posted his thoughts on OWASP. While I've been a supporter of OWASP for a few years, I only last year (in 2010) became a member and got involved with the local chapter. What I've found has been at times heartening, and at other times saddening. Attending AppSecUS and AppSecDC this year further perplexed me: on the one hand I saw people interested in promoting software assurance, while on the other hand there seems to be a lot of bickering, confusion, and strife over what the "right thing" might be. Since the OWASP Summit is coming up soon, and since the leadership team is asking for feedback, I thought I'd finally take some time to lay out my thoughts and suggestions.

1) What's the mission?

What is the mission of OWASP? I've looked on the OWASP web site and haven't really come up with a good answer. The community is organized around a set of shared Principles, but that's not a mission. The Principles are:

Free & Open
Governed by rough consensus & running code
Abide by a code of ethics (see ethics)
Not driven by commercial interests
Risk based approach

That's all good and fine, and lovely things to strive for, but... what's the goal? The OWASP Foundation needs to set a mission and vision for the organization, which will then translate into a set of actionable tasks. The mission could be as simple as "to provide world-class appsec tools and training to developer communities."

My recommendation: jump to my #2 below, and then come back to mission. The mission should be actionable and achievable, but should require a stretch of sorts (that is, not an automatic "win" that means having to start the vision/mission process all over).

2) What's the vision?

In order to write a mission statement, it's first important to visualize the end goal. What ideal is being sought? Since OWASP is a non-profit organization, I would submit that this vision has nothing to do with a profit motive, whether for itself or for its member sponsors. Instead, the vision should, I think, be along the lines of: "A developer community that has fully integrated and internalized software security/assurance practices to a degree that renders OWASP unnecessary." This is a rule that I apply to myself in almost all situations (especially consulting). I never see myself as the end, but rather as a means. In a perfect future world, we should not need dedicated security professionals, because security will be built in, automatic, and accounted for. QA teams will perform rigorous security testing (whether it be code reviews, threat modeling, or pentesting), and developers will always use the best secure coding practices, helped by numerous tools. This, I think, is a great idealistic vision around which OWASP could then start building a mission.

3) What's the model?

Assume, if you will, that the vision and mission are set along the lines I've described in #2. How, then, do you build your organization to achieve that goal? I submit that there are three essential pieces:

a) Build Stronger Chapters: There's a lot of inconsistency between chapters (from what I've heard). It seems that there's really not a very clear roadmap for what you're supposed to do once you start a chapter. What sort of resources are available? What should a meeting look like? How often should you meet? Etc. Chapters need to become better engaged and to enhance their offerings. I would hope that each chapter could meet at least once a month and provide hands-on training that is geared as much to developers in the community as it is to appsec practitioners. Developers should be the target audience more than the security community. Which is not to say that we shouldn't also spend time ensuring that appsec practitioners are trained up, but it is the developers who most need the training.

b) Renew Focus on Free Resources: Whether it be tools, or guides, or free training opportunities, OWASP should be focused on delivering all of these things. This point combines well with (a) in that the local chapters then become the primary conduits for delivering and developing these resources.

c) Move Away from Conferences in Favor of Tech Summits: Conferences are all good and fine (well, sort of... see my previous piece "What's the Point of Conferences?"), but let's be honest for a minute and realize that we don't really need more conferences. What we need are technical summits where developers and appsec practitioners can go for good, technical, hands-on content. The cost model for the AppSec conferences has been pretty good (read: very affordable), but the content value has been generally lacking. It's too much of the same old same old, with talking heads on platforms delivering rote speeches that offer a diminishing return on investment. Instead, I think it would be far more valuable for OWASP to work with local/regional conferences to take an idea like my "AppSec Guerrilla Camp" on the road as a special hands-on track. RSA, Black Hat, large BSides events, CSI, CanSecWest, etc., etc., etc. All of them could easily have an "AppSec Guerrilla Camp" track that is low-cost (or free!) and that provides a bunch of great technical, hands-on sessions that can be immediately applied by developers and appsec practitioners. And, oh, btw... if you're a vendor, these 2-hour sessions provide a great mechanism to start demonstrating the value you bring to the table, opening the door for follow-on work (just sayin').

4) Who should set the agenda?

One thing that concerns me greatly is that OWASP seems to have come to be dominated by a handful of vendors who are forever at odds with each other. I'd never before seen vendor cliques until I attended AppSecUS, and I found the whole thing a bit surreal and unsettling. There is a LOT of business to be had out there, and there's no reason whatsoever to be killing each other as if we're fighting for the last scraps. As such, I think we need to be extremely cautious not to let vendor desires unduly influence OWASP's direction. Yes, we rely on sponsors and need those relationships, but the danger is that OWASP becomes somewhat irrelevant (kind of like the ICSA Labs AV cert.). If the vendors run the show and set the mission with the express unwritten objective of driving more business for themselves, then we run the risk of falling apart. Failure should not be an allowable option at this point, which means putting aside (or redressing) vendor objectives and first settling on a reasonable vision and mission. Once those things are clear, then and only then should vendors start looking at how they can a) support the strategy, and b) (re)align so as to also profit from supporting the strategy.

5) OWASP != BSides

Both organizations (OWASP and Security B-Sides) are non-profit entities (BSides is in concept, though the paperwork is lacking). Both organizations seek to provide value at the lowest price point possible (oftentimes free). And yet, despite these similarities, they are two very different organizations with very different goals. I think that OWASP would be far better served partnering with BSides on conferences than continuing to run its own (with, perhaps, the exception of the AppSecUS and AppSec International events).

At BSides Austin we're actually working with this premise in mind (though unofficially thus far from the OWASP perspective). BSides Austin is being held as an unsanctioned event during SXSW Interactive, which is a major developer conference. I've specifically initiated efforts to launch the "AppSec Guerrilla Camp" at this event in order to provide free, hands-on training for developers and appsec practitioners. The opportunity here is that I view this track as something OWASP can and should be providing and promoting. At the same time, it's a little outside the sweet spot of BSides (which puts on great shows with great speakers in great venues).

My hope is that, assuming all paperwork issues get clarified and resolved (*ahem*BSides), OWASP and BSides will investigate partnering going forward, with BSides providing the event coordination efforts, and OWASP helping provide excellent technical content.


In brief summary, I hope that the OWASP Summit 2011 will result in a clarified vision and mission that will immediately translate into a better strategy and renewed energy. OWASP is an awesome organization with wonderful cross-industry support. The opportunity is here to make it even better. But it has to happen by energizing and engaging the user base through local chapters. It can be further enhanced by refining the resources utilized and delivered, with the good amplified through some key partnerships, like with Security B-Sides. It will be interesting to see what the future holds, and I'm hopeful that by mid-February we will hear good news that will help propel OWASP through this new decade.

Comments (2)

Core Values
http://www.owasp.org/index.php/Core_Values_and_Definitions (RFC still open btw)

Core Principles
Be the thriving global community that drives visibility and evolution in the safety and security of the world’s critical software applications and infrastructure.

The rest will be talked about at: http://www.owasp.org/index.php/Summit_2011



Thanks, Tom. That's interesting about the Core Values, though again, that's neither a vision nor a mission. So, now you have Principles, a Code of Ethics, AND Core Values? Too many lists, not enough value.

Unfortunately, the Summit is scheduled for, I think, about the worst possible time imaginable, being the week directly before RSA. I personally can't make it, as I have to be in San Francisco at the end of the week of the Summit (official duties for pre-RSA meetings). I would very much have liked to have been at the Summit. I know I'm not the only person affected by this scheduling, either.

This page contains a single entry from the blog posted on January 24, 2011 12:15 PM.
This weblog is licensed under a Creative Commons License.