The Application Security Podcast

OWASP Board of Directors Debate

Chris Romeo Season 10 Episode 26

The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and vendor neutrality. Topics such as vendor agnosticism, the allocation of profits from global OWASP events, and the importance of community involvement are among the critical issues discussed.

The questions presented by Chris and Robert include:

  1. What experience do you have running an organization like OWASP? Have you been a C-level exec? Have you served on a Board of Directors? What hard decisions about the strategic direction of an organization have you personally made?
  2. What are your priorities as a board member, and what should not be on the board's agenda?
  3. How do you envision maintaining the legacy of OWASP's open-source projects in the future, especially compared to organizations like the Linux Foundation, which has successfully nurtured community engagement and secured funding for project sustainability?
  4. The individual paid memberships are in a steady decline year over year. What is your plan to increase the number of paid members of OWASP?
  5. How do you plan on remaining vendor agnostic and maintaining the open-source character of the org without becoming an incubator for companies?
  6. With the individual events happening around the globe under the OWASP brand, what should happen with the profit from those events? Should it become part of the Global OWASP bank account?


For those interested in the future of OWASP and the perspectives of its potential leaders, this debate offers valuable insights. We want to invite all application security professionals to tune in and listen to the complete discussion to gain a deeper understanding of the candidates' visions and strategies for the advancement of OWASP in the coming years.

Chris concludes with this message: 

"I can't stress enough the importance of your active participation in the upcoming board elections. These elections play a pivotal role, and you, as a valued member of the OWASP community, have the power to shape our organization's future. 

I want to remind you that there's a dedicated candidate page for each contender, complete with videos where they lay out their platforms and provide written answers to various questions. You must be informed. As an OWASP member, I urge you to exercise your right to vote. The voting period for the board of directors will open on October 15 and run until October 30. 

I genuinely believe that voting isn't just a right—it's a responsibility. Your vote will help determine the next generation of leaders who will steer OWASP in the coming years."

Links:

OWASP Global Board Candidates webpage:  https://owasp.org/www-board-candidates/


FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris:

Get ready for a very special episode of The Application Security Podcast. Robert and I had the opportunity to interview and participate in a debate amongst candidates for the 2023 OWASP Board of Directors. So stay tuned for a special episode that's not like anything we've ever done before. And, as it turns out, we think it's the first ever debate that's ever happened amongst OWASP Board of Director candidates. Hey folks, this is Chris Romeo. I am the CEO of Devici and a general partner at Kerr Ventures, joined by my good friend Robert Hurlbut. Hey Robert.

Robert:

Hey, Chris. Yeah. Robert Hurlbut. I'm a principal application security architect and threat modeling lead at Aquia and really excited about what we're doing today for this podcast.

Chris:

It's quite a momentous occasion that we find ourselves involved with here. So we're super excited to introduce most of the candidates that are running for the OWASP Board of Directors here in the election for 2023. Uh, we think this is the first time that we've ever had a candidate debate. And so we are super excited. We've been watching hours of debates on YouTube, trying to figure out what not to do, and I think we've come up with a list of what not to do, but we're going to have some fun. This is a good group of folks that love OWASP and, uh, are stepping up to put their names out on the ballot. And, uh, so we're super appreciative to them for all of that. But with that, I want to jump in. So a couple of quick ground rules, just for those listening at home, so they can understand what's about to happen here. Uh, we've prepared six different questions because we have six candidates that are on the line right now. And for each of these questions, I'm going to read the question. I'm going to direct the question to one of our candidates and that candidate will have 90 seconds to answer the question. Robert is going to be running the timer here and letting people know when they're out of time. After the first candidate has had 90 seconds to answer, I will cycle through the list of the rest of the candidates, giving everybody 60 seconds to provide their thoughts on this particular question. And, uh, just so you know, if we get to the end of the list and the first person has had a lot of things thrown up against their answer, I'll let the first person circle back in and give their perspective as well, just to keep this as fair and balanced as we possibly can. So with that, we're going to jump in and we're going to kick off our debate here with our first question. And the first question is for Paulino. And this question comes to us from Jeff Williams, who's pretty well known in the world and the lore of OWASP.
And Jeff's question to kick this off is, what experience do you have running an organization like OWASP? Have you been a C level exec? Have you served on a board of directors? What hard decisions about the strategic direction of an organization have you personally made? Paulino, your 90 seconds starts now.

Paulino:

Yeah, I'm the co-founder of a cybersecurity company. So, I guess I'm the director of operations in Mexico. And I'm part of a board of directors of the same company that operates in Canada. And as a consultant, I get to deal with the C-level, uh, direction all the time, we help them make decisions, uh, create their AppSec programs, and I guess, I mean, besides that, I run a couple of non-InfoSec businesses, so I'm pretty well transverse on running teams efficiently, and that's what I do.

Chris:

Okay, very good. Steve Springett coming to you next.

Steve:

Right. Um, great question, Jeff. Um, so I, I have previously done the startup life twice. It's a lot of fun. It's a ton of work. Um, I'm in my fifties now, so it's not exactly for me right now, but, um, in my day job, I'm the director of product security at ServiceNow, where I get to set the strategic direction for how we are going to, uh, securely build and deliver software, uh, across 5,000-plus developers that we have. Um, so yeah, a lot of that falls on my lap. Um, I've also been fortunate enough to build, um, what I believe to be the largest OWASP project, which is the CycloneDX project, which has 60-plus repositories. It's basically a community of itself at this point. And as part of that project, I've kind of morphed myself from being a doer to community builder. And I think anybody on the board of directors has to, um... some people call them soft skills, I call them essential skills. It's all about relationships.

Robert:

That's time.

Chris:

Okay, Avi.

Avi:

First of all, I want to point out there are not many other organizations like OWASP out there, putting that aside. Right now I am the founder and CEO of my own consulting agency, small boutique, nothing like OWASP. I'm on the board of advisors of startups and OVC Incubator. I've also gone through a few startups as well, uh, in the past. Um, specifically for OWASP, I have been for the past two years or year and a half on the board of directors of OWASP. Um, currently serving as the vice chair of OWASP. Uh, as a consultant, Very often I work with my clients on building strategies, on building it, planning out a worldly map and planning out how they're going to do that. And for OWASP, we've recently had a board summit planning out a strategic, intentional approach to how we're going to solve a lot of problems.

Chris:

Okay, up next we have Izar. Thank you.

Izar:

So the good thing is that, uh, being a member of this board, you're not, you're not alone. So the individual experience, perhaps, not all of us have to have the same one. I have never been in a, in a C-level thing, but, uh, we can complement each other. And, uh, I'm sure that any of the, the, any four of this set is going to do a great job for OWASP. But, uh, I have been making decisions under pressure, sorry, be it in incident response, be it in the military for a long time. And, uh, you know what, throw me in the fire and I'm... coming out, popping.

Chris:

All right. Very good. So, Sam, coming to you.

Sam:

Yeah, I think very similar to Avi. Um, uh, I have my own startup experience being a founder and running my own boutique consultancy. Um, so that I hope counts. Uh, but obviously, um, my previous experience of, uh, consulting a lot of very large financial services organizations in the City of London. And obviously, these are the organizations which are doing, uh, a lot of things, uh, I would say properly. So there's lots of policies, standards, guidelines, because they are under regulatory pressure. So obviously, uh, this is very different from a startup environment when you're just trying to build an MVP. Uh, if you're working for a proper, you know, bank and, uh, you know, big financial services organization, it's a different culture, it's a different, uh, responsibility. And yeah, that's what I'm hoping to bring into OWASP. And of course, uh, my experience of, uh, leadership of the OWASP London chapter.

Chris:

Okay. Very good. All right. Fred. Thank you.

Fred:

Hey, it's Fred Donovan. I've not been a C level or run a nonprofit. I have been involved in two startup companies, uh, myself, uh, and working with, uh, multinational companies like the one I do now, I have, uh, uh, experience within a task force, task force of, of, uh, executives that, uh, work together across the globe to, um, Implement, uh, uh, security initiatives, uh, processes, training, testing, resources, et cetera. Um, but most importantly, I'm a relationship builder, so... Um, I like to, uh, uh, connect, uh, teams, connect people, and as, as we started out, we're a board, or this would be a board if I'm, uh, part of it. We have to have a group think, so I think we're just not one person, we're many people working together, uh, for the, hopefully for the same goal, and, uh, using our connections, uh, um, and our experience, I think we can do a fantastic process.

Chris:

Okay, very good. Thanks for, uh, everybody for sharing your history and your background perspectives, things like that. That's excellent. Uh, our second question is going to be directed to Steve first, and this is from Adam Shostack. Adam's question is, what are your priorities as a board member, and what do you think should not be on the board's agenda?

Steve:

Another excellent question. Um, number one on my, um, I guess priorities would be fundraising. Um, we are at a serious crossroads, um, in that projects are in dire need of funding. And the processes in order to obtain funding are entirely too complex. So therefore, most projects simply don't ask. Um, I think, uh, marketing will be one of my second priorities. Um, as well as outreach. Uh, we have to start engaging, uh, developer communities that we are no, uh, that we are currently not, uh, engaged with. And when we help those communities, when we, um, make the OWASP name known, if we're growing by membership... That will also positively impact us as well. Um, so fundraising, marketing, and outreach are my three, three main things that I would focus on. The things that I would not focus on as a board member are anything that contributes to continued drama that we've seen for the last couple of years. Um, I would like to, uh, say that yesterday was yesterday, today is today, and let's move forward.

Chris:

Okay, Avi, you're up next on this question.

Avi:

Yeah, um, I would say my three main priorities are protecting, enlarging, and growing. And by that I mean, number one, protecting the brand, the foundation, the community, right? Not letting it be abused by whatever kind of personal corporate interest there might be. Number two is growing this outreach, as Steve said, diversity issues, getting more people involved, getting more people using it. And number three is, uh, enlarging, which is investing, whether it's marketing, uh, fundraising. Putting those funds to use. We have a bunch of funds. Putting those to use for the projects where they need to go and revamping the way we do events and things like that. Those are the three main areas.

Chris:

Okay, Izar, priorities and things you would not focus on.

Izar:

So Stephen and Avi make great points. Uh, I think that one thing that I would like to focus on is identity. We recently changed names. We went from OWASP to OWASP. And, uh, I think that together with that, we have to decide exactly who we are and what we want to do out there. Uh, as was mentioned, there's a lot of, uh, things going on around OWASP and, uh, sprouting out of it and on top of. And, uh, I think that it's very important for us to figure out where do we fit in this whole puzzle. And, uh, the other efforts that were, uh, that were mentioned, uh, I think that they derive from that, right? You're not going to be able to, to bring about more membership if you don't really know how to explain yourself and say this is what I'm, I'm standing for, this is what I want to do. Uh, same thing with, uh, projects. What, what kind of projects should we go for? What projects should we, do we need a hundred plus projects? Can, can we focus on something here? And, uh, uh, I think that Steve made, made a great point in saying that, uh, one of the, the things that should be left out is, is the drama. And, uh, but unfortunately, you know, life is life. You deal with what's in there. But,

Robert:

That's time.

Izar:

sorry.

Sam:

Right. Um, I think, uh, my first priority would be to address the burning issue. And I think this is what we'll hear because we'll recognize that OWASP is in crisis. Right, that's why all the, uh, fantastic AppSec, uh, industry veterans are now applying to the board of directors. And I think we need to tackle the crisis. So the first thing we need to do, we have to address the issues raised in the open letter because, um, I have not seen OWASP addressing this yet. I know Avi is currently on the board, so I know they had some meetings, but again, we haven't seen those meetings being published publicly anywhere yet. Um, so I think, uh, the open letter raised a lot of very serious issues about strategy and the fact that the strategy needs to be changed because the current model is not working. And this is what I'm actually going to be addressing in my manifest as well, because I plan to bring some new fundraising streams into OWASP, and, um, that's a bit of a strategy change, but I hope it will be accepted and supported by other members of the board. Um, uh, and I think that what we shouldn't be focusing on is the, um, bureaucracy and policies, because if you remember, Mark Curphey resigned because he said all that board was talking about is travel policy and whether we pay for business travel.

Robert:

Yeah. And that's time.

Chris:

Okay. And, Fred.

Fred:

Yeah, I think the board should focus exclusively on the things that move the needle in terms of our mission. I do think that also requires us to address the letter that was just mentioned. Some of the things that I want to do with the board is work together to equip standards bodies like, uh, uh, ENISA and NIST with, uh, um, at every iteration, frankly, of policies and frameworks and certification development. That means getting the board involved with them, that means getting our executive director involved with them as well. Um, and I have plans for that that I want to share, uh, more with the, uh, community of the board. And also, fundraising. I think we need to make new fundraising models to, uh, improve how we, uh, attract, uh, an audience in sponsorship, frankly, from non-security companies, non-security corporations. We're missing them, and, uh, I have some ways to do that, and I'd like to be able to engage, uh, OWASP in these, uh, uh, non-security corporate, uh, communities, in a way that benefits their employees as well.

Robert:

Yep. Time.

Chris:

Excellent. You got a lot of, a lot of head nods. Uh, on that answer, Fred. Um, Paulino coming back around. I'm going to you here for your thoughts on board priorities and things that the board should not focus on.

Paulino:

Yeah, for me it will be to make it a globally inclusive community, take the AppSec events to other regions of the world. Another thing I think is very important to revise all the projects that we have. If some of them are not, you know, making the cut, it is better to free those resources and to focus and give the resources that they need to the flagship projects so they can actually make an impact. And when we take the AppSec events to other regions of the world, we can... Get closer to government bodies, as I mentioned, other organizations that haven't really made those connections yet and help them bring memberships at the end. We need to improve what we're getting our members in exchange of their, of being a member. And I wouldn't, I wouldn't hold people up.

Chris:

You still got a few more seconds.

Robert:

Yeah. Few more.

Paulino:

I wouldn't focus on, on, on the drama, as everyone said, and day to day operational things. I think we should appoint committees that have very specific goals, and they can take care of that. The board should be focusing on the strategic overall for a whole community.

Chris:

Okay. So our third question, Avi is going to be the first person to answer this one. This is a combination of a few questions that we received from Sean Finley and Chris Hughes. And the combination of these questions is how do you envision maintaining the legacy of OWASP's open source projects in the future, especially compared to organizations like the Linux Foundation, which has successfully nurtured community engagement and secured funding for project sustainability? Avi, please answer first.

Avi:

So there's a couple parts to that and I'll start with the end, right? You mentioned funding right there at the end and that's a big part of that. It's both getting funding and, you know, Sam mentioned previously the change to strategy. We didn't have any kind of intentional strategy till now. The board just recently at the recent board summit actually for the first time actually worked out a specific strategy with explicit tactics and approaches, with a multi-pronged approach to increasing funding and for channeling those funds to the various projects and other initiatives that need those. So we definitely need to get more money and get more of those resources to the projects that need that. We are going to be more intentional about which projects we have and which ones we're going to focus on. Izar mentioned there's a lot of projects that we don't need to be focusing our energy on, which will free us up to spend a lot more on the ones that we do want to be spending it on. We call these production-level projects or flagship projects and so on, this type of thing.

Chris:

Okay, so Izar, you're, uh, first responder.

Izar:

Right, so, again, it's about cleanup, right? 100 plus projects and not all of them on the same level. Uh, then I think that there needs to be a very, uh, strong work with the projects committee. To understand exactly what's the timeline of a project, as a project maintainer myself, sometimes that's a bit murky. And I think that's all, any kind of question in this area already adds friction that doesn't need to be there. and makes the project harder to maintain. And based on that, on that timeline, on that life cycle, understand what are the needs for funding for each project. Not every project has the same needs for funding, and sometimes we confuse the needs of a project with need for funding. If they need help with marketing, if they need help with development. Two completely different asks, right? So, we have to make it clear what is it that OWASP is going to provide to each one of these projects. And based on that, rethink the funding. And, uh, what was the other part of it?

Robert:

That's time.

Chris:

Okay, so up next we have Sam.

Sam:

Yeah, I think, uh, this question had another part to it, right? Because basically there was a question, another, the part introduced by Chris Hughes about the, uh, comparison with Linux Foundation, right? And I think, um, we need to understand that, um, we do not have anywhere near as much funding as Linux Foundation, right? So we have to make do with the funds that we can raise. And, uh, this makes things a little bit difficult. So obviously, colleagues already mentioned that we need to look at the projects. But I think one thing which is missing, and Izar touched upon that, and I think what we need to address is the actual governance of these projects. And the project benefits, what do projects get currently from OWASP, apart from the OWASP name and the OWASP GitHub repo, right, and ability to ask for a grant, uh, that's something that we need to define, and also we need to define the longevity and sustainability of the projects, because we have the situations, for example, when the projects left, right? So we had two projects, ZAP and SKF, which moved to Linux Foundation. So we need to address the situation, uh, of the trademark and brand protection and how do we keep OWASP projects inside OWASP and make sure that they, their life keeps living under the house of OWASP.

Robert:

That's time.

Fred:

Nice. I like that. Um, well, generally we need to see what projects are being used, frankly. And then, um, if there's any legacy projects with receiving funding intention, well, then we're going to know about it. And we can, I mean, ideally we're going to, um, identify what's a useful project, and I can identify several in my mind which are really useful right now, but there are some outdated, and potentially we can use funds, and perhaps we need to restart some things. For instance, I personally think we need to restart the Developer Guide, uh, in a way that, uh, includes, uh, ASVS. ASVS is so major to so many people and certainly to my firm. Um, so, I think that, uh, we have a, a, uh, fiduciary responsibility, though, to get more money and make sure that, uh, we can nurture the right projects.

Robert:

Okay,

Chris:

All right, Paulino.

Paulino:

Um, I think this could be a good opportunity to get the vendors involved. Like, keeping in mind the, uh, need to be neutral, keeping in mind OWASP values, but still get them involved with the community so we can reassess all the projects and see what the community actually needs. What should we focus on? And, um, I guess for newer projects, because I experienced that myself, if we can establish, like, mentorship programs where we guide them through the OWASP ecosystem, that will be really helpful. And for the more established ones, we should definitely be looking for grants, different options, uh, to fund them. Uh, we know we can get funds, uh, in several ways. It's just a matter of reaching out and doing stuff that the community or the industry actually needs, while keeping things neutral, because we don't want to steer things to a vendor path. We obviously want to keep things neutral, but it is a good opportunity to

Robert:

that's time.

Paulino:

promote.

Chris:

Okay, so Steve, you have the final word on this question.

Steve:

You know, Chris framed the question in context with Linux Foundation, and I think it's important to know that OWASP is not the Linux Foundation and will never be the Linux Foundation. Um, and this is a good thing. Right? In my opinion, this is a brilliant thing because the beauty of OWASP is that anyone has an equal seat at the table. Doesn't matter if you are a single individual or you contribute billions of dollars to OWASP, right? Everyone has an equal say, which is not true at the Linux Foundation. Go to any Linux Foundation project and you will see firsthand for yourself how that works. Um, as a result, the projects that are funded over there, um, have a very narrow scope of the world, have a very narrow view of reality, and yes, they're funded. But, you know, the value of those projects can be questionable at some times. So I think there's a way to dramatically increase our fundraising without losing our soul. Right? Without selling ourselves out to the highest bidder. And one way to do that is a grant writer. Projects are in need of this. There's hundreds of grants available every single year. I think a CTO also can set the strategic direction for projects going forward as well.

Robert:

that's time. Yep.

Chris:

Okay, let's move to our fourth question here. This question will be sent to Izar first. Um, the individual paid memberships are in a steady decline year over year. What is your plan to increase the number of paid members of OWASP? And just so folks know, I found that data in the public, uh, Andrew van der Stock, executive director, posts a monthly set of statistics with the board packages that are all public and on the OWASP website for anyone to peruse. And what I saw was a pretty big dip in the number of individual memberships. And so Izar, first for you, what's your plan to increase the number of paid members of OWASP?

Izar:

So, I think that first of all, it has to be made clear to the membership that, as Steve so well put it, Uh, OWASP is made by its members. Sometimes I think that we lose a bit of the focus and it appears that OWASP is a collection of chapters. And that separates the individual membership from the rest of OWASP. What I would like to see is membership understanding what's the good thing about OWASP. Not in addition to, for example, the free training that we have access to and a lot of members don't know about. But things like, for example, having OWASP mediate a mentorship program, as Paulino mentioned mentorship, between members. So that members with less experience can be exposed to members with more experience. Trade that experience and there's a market in there that they can find each other and grow together. Uh, more services for members, more, uh, transparency for members. Understanding that, for example, when I had an idea and I came to the board, Avi and Grant were awesome in giving me support in that idea, but most members don't know that they can approach the board with that. So that kind of transparency, making sure that, uh, OWASP is here for you as well. We don't just want your check once a month, once a year.

Chris:

Okay,

Izar:

And, uh, uh, at the end, for example, making every member a champion of OWASP in their workplace. You don't have to go to the local chapter to have all those, those meetings and everything, but you could empower members to, in the workplace itself, extend the word and the, and the work of, uh, OWASP. And with that, perhaps help bring that workplace into OWASP, which will help, help the funding down the road.

Robert:

Okay. Time.

Chris:

Sam, you have the first response on this issue.

Sam:

Right. So my plan is we need to increase member benefits, because when you tell people, why don't you become an OWASP member? They're saying, what's in it for me, right? And if you look at the amount of member benefits that we had in the past three years, you will see that list collapsing into just one. And this was a very sad thing to see. And a lot of fantastic member benefits that we had was free training or complimentary training for OWASP members. And I think that's what we need to bring back, because people say, why should I become an OWASP member? Because that means they will have access to training, which otherwise costs a lot of money. Um, and of course, not just, uh, training, but I think training is most important. For example, for developers, the very good reason to become an OWASP member is that they can get secure coding, secure development, threat modeling training, uh, which otherwise would have cost them lots of money. So, uh, I think that is the main thing, cause we need to make sure benefits are there and they are clearly communicated, um, to everyone.

Robert:

Okay.

Chris:

Okay, Fred.

Fred:

Yeah, I think it's a, it's about funding, right? So, uh, we need to find ways to increase funding, and I think part of that is definitely, um, uh, having things that entice people to become members, but also to have people become members, we, we have a way, have opportunities to entice their companies. And so, um, I think that there are ways to change and, uh, just, uh, modify funding models, uh, to, uh, um, allow corporations, any corporation, uh, a more of a desire to. Provide funding. For instance, if I was providing, if I was a non security company and I wanted to have a sponsorship, um, part of that sponsorship could be, uh, could go directly to a flagship product of their choice or more, maybe, maybe 25%. 25 percent of that could go to employee membership. So they have direct employee participation. And we're going to create communities within these corporations that have OWASP people able to work together. And we're going to increase our funding. So I think there are ways to do that because we're still going to get money for the Global Foundation. So I think it's expanding our current outreach. Thank you.

Chris:

Paulino. Okay.

Paulino:

It boils down to increasing the benefits. Um, I think not a lot of people know that they do get free training and that's something that we can tackle. Even making it more social, even simple stuff like badges. You know how on GitHub they display badges every time you contribute to a major project, things like that? So it's more seen out there. And another idea that I love is actually reaching out to the organizations and, instead of just giving them training, giving them an assessment tool. So, if they have budget for training that year, instead of hiring a local company that gives them like a diploma with no value, they can go to OWASP, access this assessment tool, and keep it in their assessment every year. Keep it every year, and that will incentivize to get more members, and someone will definitely take on from there.

Chris:

Steve, let me just restate the question since we're kind of in the middle of it. The individual paid memberships are in steady decline year over year. What's your plan to increase the number of paid members of OWASP?

Steve:

Um, yeah, first of all, I think I would reduce the, um, the, uh, the, the impact of, of having that individual membership be so important to OWASP in, in the first place, but, uh, to increase membership, first of all, I would invest in community managers. This is something that the OWASP CycloneDX project and Dependency-Track project have asked for. It was part of what we wanted to put in the open letter. Um, community managers help with a lot of different things. They actually help the individual projects in which they serve. But more importantly, they actually engage with the development communities, which we're trying to reach. And when we reach these communities, it's kind of a land-and-expand model, right? You land in those developer communities. You start providing OWASP resources and name recognition and guess what? Your membership will increase as you are expanding your outreach to those various communities. Fred mentioned vendor benefits. Completely agree. There should be very specific member benefits for, uh, contributions as well as bringing their developers over to, uh, individual memberships as well.

Chris:

Okay, and Avi, you have the final word on this particular issue.

Avi:

So the first thing I want to address is the data in your question. It's not accurate. Year over year we're still in growth. We've at, we are currently in month over month decline. I think the high point was June of this year. We are still at a higher point than August of last year, number one. Number two, uh, I want to address the intention of this question. And I think Steve touched on this. The individual paid memberships are not, or should not, be about funding. They're about growing the community, getting people to be more involved with the community, and feeling that sense of ownership. Monetization is from vendors. And I only have a few seconds left, so I just want to address, yes, we need to do a better job on having more member benefits, but we need to do a better job of communicating the benefits we already have, with them, in marketing speak. Lastly, extrinsic versus intrinsic motivation, right? Too many benefits, too much focus on benefits reduces the actual intrinsic motivation in the first place. Again, marketing, WIIFM, doing a better job of that.

Chris:

Okay, all right, so that takes us to our fifth question here. Um, and this question will first be sent to Sam, and this is from Spyros Gasteratos. How do you plan on remaining vendor agnostic and maintaining the open source character of the organization without becoming an incubator for companies? Thank

Sam:

Yeah, I think, first of all, we need to state that, uh, OWASP's vendor neutrality is its biggest strength. The fact that we are not biased by any particular vendor is what makes us the trustworthy, the providers of trustworthy content and, uh, I think that's what people should recognize. And of course, another, uh, important thing is, uh, that we are a community. So there's a community feedback and the transparency. So as long as we provide full transparency on all our projects, on all our toolings, and the contribution of all the companies, uh, company sponsors, whoever they are, it's all transparent. That's what should provide that ongoing, uh, uh, transparency for us. And of course, uh, another thing is branding, right? Uh, cause we need to understand what does it truly mean to be an OWASP standard, an OWASP guideline, an OWASP project, and that the fact that it's open to everyone and all the contributions are always in the open, always transparent and they're not there. So we do not sell board seats to companies, and similarly, we do not sell any project management seats to companies. Uh, it's all fully open, uh, to the community. In terms of the, I think, the incubator for the companies, I think the, you know, the, uh, question is that a lot of companies just grab an OWASP project, for example, OWASP ZAP, and then use it behind the commercial tooling. And again, the problem here is that there is no clear relationship defined, how they should be giving back and, uh, how that relationship should work in the open source world, and I think that's something that we need to address.

Chris:

Okay, Fred, you're the first responder on this issue. Thank you.

Fred:

Okay. Um, well, we, uh, promote the awareness of AppSec at a, at a high level and, uh, and a low level, and we, we can promote security, technology, new technology, important areas in technology or in security without making any endorsements to a particular company. And, uh, some OWASP projects, uh, I think definitely will evolve into, uh, commercial enterprises. And, and in fact, I, I think we are already doing some incubation like Defect Dojo, but, uh, that's a needle, frankly, that needs to be threaded carefully, but we as a board can give direction to improve these things for, uh, our community.

Chris:

Okay, Paulino.

Paulino:

Yeah, um, I think it's definitely... We, we need to keep in mind that it has to be neutral. Uh, we do appreciate their support, but, um, this, as far as that, um, they can maybe make a specific request and the project will decide, or the community will decide if it'll get done or not. But, uh, keeping it neutral, being transparent about what the project plans are, are, are the keys to this. And I don't think we can fight the fact that a project becomes so useful that it might be considered, you know, turning into an incubator. As Fred said, we need to plan ahead and see how we're going to take this instead of preventing it. If the project is that useful, I don't think I'm against letting it evolve, basically.

Chris:

Steve?

Steve:

Finding my mute button here. Um, yeah. The, um, you know, vendor neutrality is a great ideal. Uh, we try to do that in the CycloneDX project, for example. Um, I'll just kind of give everyone kind of a frame of reference. Uh, we've got... over 200 tools that support the CycloneDX standard today. Um, lots of open source projects support it. Many, many commercial projects, uh, companies support it. And vendor neutrality doesn't mean no vendors. It just means that we treat everyone the same. Um, the, the question was framed in terms of an incubator for companies. Um, I might actually disagree with this. I get the intent. However, companies also innovate. And if you treat everyone successfully... the fairly, the same, then you can actually, um, create an environment in which you are an incubator for innovation, where multiple companies are innovating together, working on OWASP projects. That's where we need to be.

Robert:

Okay,

Chris:

You next.

Avi:

I'm really glad a lot of the points were already raised. You know, Sam mentioned vendor dependence and neutrality, of course. Fred and Steve both mentioned the fact that this idea of an incubator for companies is actually a good thing. And this is actually one of the models that can work and has been proven by DefectDojo, as Fred said. On the other hand, we have seen instances where it didn't work as well. There are other models for funding the companies, whether it's via grants or asking it, or external companies funding it. The idea that we need to do is put better guidelines in place for any one of these packages. Being able to have kind of project funding model as a package. Better guidelines, better licensing requirements, better funding requirements for those situations where somebody just takes a project and starts monetizing it, which is a good thing. We just needed better guidelines around that, and these can all work well.

Chris:

Okay, Izar, you have the final word on this issue.

Izar:

And that's the good point here, right? Okay, we touched on vendor neutrality and great points were made, but what's so bad about incubation? Incubation means that you gave that project a nest, something to grow out of, and if tomorrow Steve takes CycloneDX and makes a billion dollar empire out of it, it's just fair that OWASP gets a million or two, right? And if OWASP is seen as an incubator, we keep saying, uh, we are going to go to companies that use OWASP projects and ask them to participate in the funding. What's the problem of inverting that and having OWASP projects get so good that somebody splits, makes a startup, and OWASP gets a piece of that pie, right? It's not the first time, it's a model that exists, has been tried many times, and it's funding. We're talking about where do we get funding. Let's have great, high quality projects that incubate in OWASP, go out, make the world a more secure place, and let's rake the money

Robert:

That's,

Chris:

Okay. Well that brings us to our sixth and final question here. And this question will be for Fred to answer first. With the individual events happening around the globe under the OWASP brand, what should happen with the profit from those events? Should it become part of the global OWASP bank account?

Fred:

Okay. Well, that's a good question. Um, and, uh, I've been to many events around the world and I'm hoping, I've always hoped, frankly, that, uh, they could use that money to increase, uh, uh, the, the OWASP brand in those locations, but, uh, there's certainly the GLOWASP, the global OWASP, um, organization should have some of that profit, uh, too, but perhaps we can do some type of a survey, um, on the most... Well, let's see, I mean, basically money needs to be used to, to, uh, maximize and further OWASP's mission. We're going to do that locally. So they need to keep some funds locally. We're going to do that globally. So we need to do that globally. And as a board, we need to talk about and negotiate how we're going to do that better without people guessing, without people saying, why have you taken the money out of my bank account? I know that we don't have as many meetings as, say, a larger chapter, but why did that happen? I think there are, there are, there are... situations where, um, we can, we can have opportunities like, for instance, sponsoring OWASP training for OWASP members. We can do certain things that, uh, help to, uh, increase our funding and provide that funding to these localities that really deserve to have it from their individual events. We have a lot of great localities that have grown from fledgling to something very, uh, profitable and very important, frankly, for our brand.

Chris:

Okay, first responder on this particular issue is Paulino.

Paulino:

As an organizer of the OWASP LATAM tour, I've seen first hand how a lot of countries in South America struggle with the, with exactly this. I, I agree that the profits go back to the OWASP, uh, bank account, but they do, they do the split. I don't remember if it's 70/30 or 50/50, but at the beginning, the smaller chart chapters are struggling just to put together the event. So for those chapters, I will definitely advocate that they do get the funding that they need to get the event up and running. And then 100 percent I agree that the profits do go back to the community so they can keep doing this all over the world. And, um, they also tried to put every Latin American country in the same bucket and it wasn't fair for all of them. So the sponsorship packages were defined by OWASP in the U.S., who has not exactly, you know, it wasn't, it wasn't adjusted properly across the whole spectrum. So one of my main objectives is... bring an AppSec event either to Mexico or Panama, which are, you know, booming in terms of the events that they're hosting and, uh, see how this works out.

Robert:

Okay, that's time.

Steve:

Yeah, um, you know, I'm certainly in favor of some kind of revenue sharing model. Um, I don't know where the breakdown is. Um, I believe that the, uh, foundation at a global level needs to provide a lot of assistance, a lot of support for both regional and chapter things. Um, make it easier for chapters to actually hold events. I live in the third largest city in the United States. We've got millions of people here in Chicago and yet our chapter is defunct, right? It's... It's no longer a thing, which is truly unfortunate. And, um, you know, if I had to ask around, it would probably be that it takes a lot of work. I'm sure Sam can probably agree with that statement. Um, we need to make it easier for the chapters to be successful. We need to, to encourage revenue sharing. And I believe we need to investigate, um, hybrid models, uh, similar to what IETF does. Because I personally haven't attended a conference in years since before COVID. Um, and it's been a beautiful thing. I don't want to travel anymore, and we need to adjust our funding model for that reality.

Chris:

we?

Avi:

I just want to point out one technical detail here. Right now, there is literally no other option than the funds going into the OWASP bank account. Local chapters, local events are not allowed to take funding at all. Everything has to go through the OWASP bank account. Now, um, if you're all talking about, um, you know, revenue splitting and revenue sharing and things like that, I assume, I hope we're talking, I hope, we're talking about with the local chapter and the local event and not with the leader's pockets because we've had issues like that in the past as well. Now the issue around revenue sharing with the local chapter is that it's no longer relevant. If you're trying to kickstart a new event, a new chapter, you will get that support regardless. You don't need that revenue. You did a great event. You made a huge amount of profit. Great. Next year, make it bigger. Fantastic. You'll get that support. You lost a bunch of money next year. You're going to probably make it smaller, but you'll still get that support anyway. So the revenue sharing is not really a relevant issue regardless.

Chris:

Okay, Izar.

Izar:

So I don't quite have a lot of visibility right now into the existing model, but the thoughts in my head are that as a global organization, it doesn't seem fair to me that 100 in this country and 100 in that country are completely different things, and they all go into a central fund and have to be disbursed in some different way. Thank you. I think that we've been talking about membership, we've been talking about local chapters, and we have to find a way to, to, to have these be able to, uh, uh, better themselves, to make themselves bigger and, and, and more prominent using the funds that they themselves bring in. At the same time, looking at whatever money they have to give to OWASP as a tax is wrong. It should be, it should be looked at as an investment. The moment that they make OWASP stronger, they make themselves stronger, because then OWASP is able to give more back to the local chapters and the members. So that's where I would invest time into making it less of a tax, more of an investment, and having the local chapters have a clear understanding and a clear way to make their contributions in a way that makes sense locally to them. And it's not everybody, just give me 50 percent of whatever you get, or 70 percent or whatever, and we're going to disburse the funds as we think is right.

Chris:

Okay,

Sam:

Yeah. Well, I think, uh, mainly I'm just going to repeat what Avi said about the currently the way how the funding model goes is that all the revenue still goes into the OWASP global bank account. That's how OWASP operates. It's also very important to stress that running three global conferences per year, one in USA, one in Asia, and one in Europe is still the main funding source for OWASP. And what a lot of financial troubles that people are seeing us being in is because for three years of the pandemic, OWASP did not have any in person conferences. We only had virtual ones, which didn't bring any money at all. Right. So I think the, the model of running global events, it needs to be expanded. We need to have as many events as possible. We're now talking about bringing, for example, European events in Eastern European cities, which never had the OWASP event before, that will put these cities on the map. And also, of course, to bring the awareness of what OWASP is, what application security is, and, of course, our standards and projects to the new communities. And I think that's, that's very important. In terms of revenue sharing, that's, of course, a different thing. Uh, my point is for the local team, which is helping rather instead of revenue, is to, again, to pay back in benefits.

Chris:

Okay, all right, well, that now concludes our question, our six questions that we cycled through here and heard from each of our candidates. And so we're going to transition now into our closing remarks. And so we will, uh, put two minutes on the clock for each candidate and we're going to go back to our original order. And so we'll start with Paulino and, uh, we'll go down the list from there, giving each candidate two minutes to provide us with their closing remarks. With that, Paulino, I turn the floor over to you.

Paulino:

Well, thank you for having me. I think, uh... If I get elected, just believe that I'll focus on revising and improving the quality of the projects that we have. I truly believe that the potential of the community is invaluable. So we... By creating roadmaps and mentorships and programs around these flagship projects, and not even all, just flagship projects, around all the projects that are groundbreaking, we do have a better opportunity of making OWASP reach more places. I also intend to bring AppSec to Latin America, like, you know, you have it in the States, you have it in Europe, why not Panama or Mexico? These two countries have been amazing at hosting events. And with that, just with that, I think we are going to increase memberships and definitely creating a community to look for grants for these high quality projects will definitely put us in green numbers or better green numbers, uh, for the future. So thank you.

Chris:

Okay, thank you Paulino, Steve, you're up next.

Steve:

Yeah. So, um, I would, uh, you know. The current situation with the open letter, it's certainly an issue. Um, I would dramatically expand the fundraising opportunities that the OWASP Foundation would have without sacrificing any kind of vendor neutrality. I, uh, am part of the, uh, project committee. I run two flagship OWASP projects. It's a ton of work. Um, it is like a second full time job or third full time job. Um, the open letter was a cry for help. We're still waiting for the board of directors to formally, uh, respond to that. Um, but I have a lot of ideas for how we can help because I run two flagship projects. I know what... We need, um, how we get it done, um, that's, that's a matter of why I'm running for the board. Um, yeah, so, you know, if you, if you are running a project, if you, if you think about fundraising and you care about fundraising, um, and you also care about not selling our soul, not becoming, uh, Linux Foundation, for example, um, then, then I, I would be in your corner for that.

Chris:

Okay. Thank you, Steve. Avi, you're up next.

Avi:

Thanks. Um, so the main things I want to continue doing and I've already started doing on my current tenure on the board. First of all is to continue to protect our independence, to continue to fight off incidences of whether it's brand abuse or, you know, threats to the community or, um, whether it's corporate or personal interests, and you know, a few people have mentioned some instances of drama recently, and from the outside, I absolutely agree. But knowing what's going on, most of those cases are dealing with those issues, whether it's taking OWASP funds or trying to abuse the OWASP brand or working against the interests of the community from the inside. I'm going to continue to do that, continue to work on increasing our diversity and inclusion. I think it's not gone unnoticed that all of us here are pretty much, uh, white, white males with a heavy tipping towards U.S.-based. Nothing wrong with that, but there is a heavy core of that as well. Um, so we do need to work better on that. I'm going to, I'm starting to reboot the diversity committee, which kind of died, uh, recently. I'm going to continue to invest as Steve said, uh, funding, fundraising, getting those funds to the projects. Already started working with the projects committee to empower them and enable them to get those resources to the projects that need them based on our prioritization of which projects need the most. Not enough. We're doing more. And again, as I mentioned in the board summit, we mapped out a strategy to increase the overall pie and have more slices going there. Getting more resources, growing the community outreach towards CISOs and developers and DevOps and so on. And basically that's what we started working on the recent months once we got past the drama, and that's what we're going to continue working on.

Chris:

Okay. Thanks, Avi. Izar, you're up next.

Izar:

So I'm leaving this debate, as I leave most OWASP events that I participate in, uh, excited. There's been a lot of great ideas in here. It's a bunch of smart, committed, willing to work hard people. And, uh, I think that if we raised a lot of points in this debate that looked like, uh, challenges, I think that most of us in here do look at them as opportunities. We have an opportunity to perhaps redefine the identity of OWASP, we have an opportunity to refresh the membership, we have an opportunity to refresh the projects, to look for new ways of funding, and, uh, independent of the result of the, uh, of the election, I think that OWASP is going to be in good hands because the people who are here want to work hard and make better. So I'm looking forward to what comes next.

Chris:

Okay, thanks Izar, Sam, up to you.

Sam:

Yeah, I think, um, open letter is, again, the topic we're going to go back to. So it needs to be addressed, because it's still out there and one of the things that I plan to in terms of the strategic new thing for OWASP is to introduce an OWASP certification. So many people have asked us to have an OWASP certified developers. So I think we should introduce a new certification. We're going to call it, well, that's what I propose. We'll propose to the board to have an OCSD or OWASP Certified Secure Developers. Cause that's what companies are asking us. Every single company I talk to, they say, how can we get assurance that the developers we hire understand secure coding? And this is what we're about. What's our mission of OWASP is about is to make sure that, um, developers understand software security. Um, I think, uh, the certification fees that will come with it with the exam are the ones which will, uh, help us out in funding significantly. I have a plan how we can introduce this. It's not that difficult because we already have, uh, training. And obviously the next plan is to increase OWASP training. At the moment, the only way for people to be officially OWASP trained is to send their developers or their employees, whoever they are, pen testers, security engineers, to send the people to global AppSec conferences. So that's three days per global AppSec conference. That means only nine days per year, uh, developers can be officially trained by OWASP trainers in person. This is not enough. Nine days is nothing. So we need to address the training model and make sure that the companies can send their developers on official paid OWASP training if they want. And of course, we need to have the free training available. And at the end of the training, at the moment, nothing happens, right? So the developers do not get certification. And obviously if we introduce the exam, which will validate the developer's knowledge in secure coding, uh, understanding of security principles, threat modeling, that's what's going to help us. The third thing that I want to introduce is, it's time. Yeah, but you can read my manifesto. Thank you.

Chris:

Okay. Thanks, Sam. Fred.

Fred:

Yeah, hi. So, what I see is OWASP, OWASP has, has a really global, fosters a really globally, uh, successful outreach. For me, in 2005 was my first step into OWASP, and frankly, as a first generationer, I learned how to be a builder, breaker, and defender. And I want to see more people learn how to be a builder, breaker, and defender as well. Um, I work in the community of international business, but that doesn't just mean I've got businesses. I'm, I'm actively monthly traveling to, to, uh, uh, different countries to, to talk to their developers and work on AppSec architecture. And so I have a really good experience with the, uh, uh, diversity, uh, part that I think is kind of missing in OWASP and I, and Avi mentioned that and I'm glad to hear that because I want to be part of it. But we need to find ways to increase our funding and I have some ideas which you can read, uh, and or listen to in my video, but I think there are better ways to get funding in corporations and also have individuals become part of the OWASP community within those corporations. In the way that some other organizations do, and I'll do, I just won't mention those organizations, but, uh, by increasing our sponsorships and improving them in ways that, uh, uh, companies can focus their attention on the flagship products that they actually use, focus part of their funding, their corporate sponsorship there, and also sponsorships to their individual employees, then these employees become members of the community. They can use these free resources that paying members get and actively participate. We're going to grow, we would have an opportunity to grow our brand within these corporations and their communities of developers and QAs and just business stakeholders, um, that operate in the application, uh, security community. And so, I really want to be on it.

Chris:

So, uh, I want to thank each of our candidates who took the time to be a part of this conversation today. And as a lifetime member of OWASP, Robert's a lifetime member as well, like I'm excited about the future. I'm excited about what's going to happen here in the next, uh, the next few years with OWASP and this group of candidates, this is, this is just really exciting for me. So a couple of reminders for folks listening. The first reminder is there is a candidate page for each of these candidates and we'll put a link in the show notes so you can find that. On that candidate page, you can find a video from each of these candidates, uh, where they're highlighting their platform as well as answers, written answers to a number of different questions that were asked of each of them. So, that's a place you can go study for additional information and context about the candidates. And then, finally, voting for the board of directors opens on October 15th, and voting will be open for, this is for OWASP members only, uh, October 15th until October 30th. That's the window that, uh, the, the voting and the election is occurring. And so ensure that if you're an OWASP member, get out and vote. Uh, this is something that we all need to be a part of. And it's, it's part of us as being members, being parts of the community. This is our responsibility to help choose the next generation of leaders that take OWASP, uh, through the next number of years. And, uh, yeah, so, uh, with that, we'll wrap up our time here today. Once again, thanks, candidates. Good luck to all of you, and, uh, hope to see you around the OWASP universe somewhere.

Fred:

Thank you everyone.

Avi:

Thanks everyone, and thanks Chris and Robert for hosting this.

Robert:

Thank you.
