For full Summit coverage and follow-up, check out the OWASP Summit 2011 page.
I'm not even home yet, and already my brain is churning. I left Lisbon this morning, heading for home, and then on to San Francisco for RSA-related "festivities" the next day, but since I'm stuck on a plane for several hours here, I thought it would be a good time to jot down some thoughts. Actually, I started making notes in the car this morning en route to the airport... here how it starts:
As we raced down the highway in excess of 150kph, flying through the lush green hills, kissed by the slowly lifting fog, I couldn't help but let my mind wander freely over this trip and the past couple days. I leave Portugal with a few conclusions:
* OWASP is doing good and important work.
* OWASP is going through a transitional period, in part related to generational ascendence.
* OWASP is strong and filled with wonderfully passionate people.
* OWASP is application security.
Perhaps the writing is a bit over the top, but it's how I feel after what I can only describe as an interesting, yet strangely energizing, event marked by the expression of strong sentiments and passionate drive to make the world a better place. Allow me to expound...
What was the Summit, exactly? Well, it was kind of like a conference, except different. Instead of traditional talking-head lectures, pretty much everything was couched as a hands-on workshop or interactive discussion. It was extremely rare to have a single person at the lead, and in all cases there was a high degree of engagement from participants. Walking between sessions during the day, and even wandering between sessions Wednesday night, it was amazing to see so many openly participating (contributing!) to projects, discussions, and workshops.
Nowhere was passion more readily demonstrated than in the "governance" dynamic session Tuesday evening. People I know and respect got up and voiced their concerns in no uncertain terms. By the end of the night, a clear direction had been laid out, all the while clearing out the bile that had boiling up in some over the course of the year (or more!). Growing mains, miscommunication, and confusion is inevitable as organizations rapidly grow and move; especially an organization that is tackling such a daunting mission of enable application security globally.
Helping drive much of the passion within OWASP is an emerging cadre of younger leaders. There's nothing more thrilling than seeing the next generation begin to assert itself and start taking ownership of projects and leadership roles. It is only through the dedicated efforts of these new leaders that OWASP will continue to grow and succeed.
Another remarkable point was the degree of participation from our European counterparts. This is the first forum where I've truly seen international collaboration on a truly ubiquitous scale. It was awesome to meet so many non-Americans with such a strong passion for OWASP and appsec. I should also note that it's not just the Europeans, either, but also the Brazilians, who are building strong leadership cadres to promote and grow OWASP locally and global.
Room for Improvement
It would be fool-hardy to somehow imply that OWASP was already adequate, as nothing could be further from the truth. As is true of most things, there is ample room for improvement. Specifically, there are some tough issues that are going to need to be addressed aggressively in the coming months and years:
* Process Development/Improvement: By it's own admission, the board is not currently strictly following its defined processes when it should be. Its made a commitment to resolve that matter. But, more than that, there is a general lack of formal processes within the organization, which can lead to confusion, miscommunication, and decisions made without following due process. This area will be one of the largest obstacles to overcome in the near-term as it is exceedingly difficult to introduce more rigorous process within a well-established, mid-sized organizations. At the same time, there is a certain degree of irony in OWASP not having very good processes when so many of us actively promote formalizing SDLs wherever possible. ;)
* Formal, Documented Rules (aka "policies): It's likely that the governing by-laws will need to be amended, at least to a small degree, if for no other reason than to make them better reflect the current status of the organization. However, additional rules need to be established, such as spelling out roles and responsibilities, how authority is delegate, who can become project or committee leads, etc, etc, etc. Everybody is working for the greater good of OWASP, but it's time to put some formal definition around what that means, or what the consensus leadership believes meets the objective of "greater good."
* Improved Communication: Communication is not particularly good within OWASP. There's a lot of confusion, there are a lot of lists, there's no easy way to access most of the information, and so on and so forth. The next point will speak to one of the main obstacles today (the web site), but beyond that there are other improvements to be made. OWASP has mailing lists, twitter, and the web site through which information can be published. For all I know, there might also be a blog. There's no excuse for various announcements not to be heard, and yet that's exactly what is happening today. E.g., external consultants have been retained to help formalize and improve the vision, mission, objectives/goals, and so on. Very few people knew this was going on, despite an assertion that it had been announced. And here the board just figured nobody cared to review what had been proposed... d'oh! My expectation is that leadership will diligently work to greatly improve communication this year. I hope that they formalize rules and processes around this area, too.
* Revamped Web Site: The current OWASP web site rather sucks. It's true! It is nye on impossible to find things on the site. Many people (myself included) use Google instead of the built-in search engine because the site is just that broken. Part of the problem is organization (or lack thereof), part of the problem is too much stale/outdated content that should have been archived years ago, and part of the problem is general maintenance. The underlying code was upgraded recently to improve the basic functionality of the platform, but much more will need to be done. Thankfully, there is a group of interested, passionate people working on developing recommendations as a direct outcome from the Summit.
Willingness to Evolve, Motivated to Serve
Perhaps the most pleasant surprise for me was the openness of the current "old guard" leadership to suggestions for change. Change is necessary and important, especially given how rapidly the organization has grown these past few years. Everybody I spoke with expressed a willingness to do what was right for OWASP, and that translated directly to a willing to change. Never have I seen such a strong balance between outright passion and willing flexibility.
Along these same lines, this group of people we call "members" is really quite remarkable. Smart, motivated, and innovative. It was exceedingly wonderful to see a lack of resistance to innovation, and in fact it was great to see such an interest in evolving practices and the organization. Case-in-point, I led an hour-long "dynamic" session (that is, ad hoc) on formal risk assessment methods that had a full room. Never in my life did I think that I would get a dozen or more interested parties in a room talking about risk assessment, the differences between qualitative and quantitative, the need to define labels/ratings, and so on. It was wonderful! :)
A Promising Future
For as much work as was accomplished this week, I believe that we will historically only see this as a blip on the radar. Though the Summit had been billed as "building OWASP 4.0" I think it really was perhaps more along the lines of v3.5. We do not need a bunch of wholesale changes, but rather a handful of well-considered, targeted changes addressing the issues I've listed above. This is very good news! Going into the Summit I had concerns about the future of the organization, but now I'm reasonably optimistic about things. The next step is to figure out how I can help out more. I hope that you'll join me in formally engaging with OWASP, either as a leader or a volunteer, and always as a member. There are tons of projects that need help, there are committees that need more people, there are events that need volunteers, and there are leaders who need honest feedback and suggestions.