Avi Douglen

About Me

AviD

Hi! I am Avi Douglen.

I am the founder and CEO of Bounce Security, a boutique software security consulting agency. We work primarily with software teams, helping them level up their product security in the most efficient way by making them want to do more for security, but never fighting them into it.

I started attending OWASP chapter meetings way back in 2006, and started volunteering shortly after. After supporting my chapter’s board for a few years, I was asked to lead it as Chapter Chairman. During my stint as Chairman, I helped grow the OWASP Israel chapter into a thriving community with one of the largest appsec conferences around, with close to 1000 people attending the last AppSecIL we were able to hold in person.

Since passing on that title, I continue to support the current chapter leadership on the chapter board, and have recently rebooted one of our documentation projects. I also serve on the Chapters Committee as Vice-Chair, helping to drive the Chapter Policy update and leading the Regional Chapters model, amongst other activities.

Professionally, I’ve worked in QA, as a professional developer, as team lead, research director, startup CTO, and most often as a software security consultant. I am an advisor to several startups, and I am on the Board of Advisors for a VC incubator. I also co-authored the Threat Modeling Manifesto, volunteered as a high school mentor, and I am also a community moderator on Security.StackExchange.com.


For years, I’ve been volunteering and contributing for OWASP - for other organizations as well, but the OWASP community has always had a special place in my heart. We’ve had some rough patches in the past, but I feel that now we are on a very healthy path. I might not agree with every decision made - heck, I’m often the first to argue about it! But even when I don’t love the conclusion, we reach it together, in a very healthy manner, with consideration for most viewpoints and overall transparency.

I would like to support this trend, and push to consider even more viewpoints, to be even more transparent, to ensure a healthy, non-toxic environment at all levels. I feel that the leaders of the community, and the Board of Directors in particular, should be there with the sole intention of serving the community, and our mission. It should not be for the purpose of enhancing one’s resume, corporate marketing, or for personal gain, fame, or game (except for rhyming, that should be allowed).

I would like to be on the Board of Directors of OWASP to push back - hard - against any misuse for personal interests, against narrow-sighted or narrow-minded decisions, and for healthy dialogue in a vibrant community, and for no less than emphatically ethical efforts (alliteration should also be approved).


Avi Douglen’s introduction


OWASP has great resources for different people and different roles: CISOs, AppSec Managers, Pentesters, Analysts, Developers, DevOps, QA, and even users. Currently, most of them are either not aware of OWASP, or consider OWASP as a short for the “OWASP Top 10”. What practical steps should OWASP take to change that?

Outreach is key.  

We've been doing quite a bit of outreach, especially lately - joining developer conferences, hosting a table at Black Hat, and especially the Outreach and Education committees. Of course, there is always more to do, and there are a lot of productive directions to take. 

I would continue to encourage and grow this outreach, and leverage our extensive community of experts to participate in events outside our typical bubble, such as developer conferences, hacker meetups, CISO events, and more. Moreover, taking leadership positions at these events and in other community organizations will have incredible impact, and I will move to support these efforts and increase investment in our presence in other communities.

Sometimes local chapters disband before anyone knows they exist and there does not seem to be a strong mechanism to regrow them. How will you enable members to grow OWASP in their localities?

Since the creation of the Chapters Committee, we've moved to reverse this trend. We've put roadblocks in the disbanding process (as part of the refreshed Chapters Policy), to ensure we can get involved and reinforce struggling communities. We've continued to support all chapters to avoid getting to that situation in the first place, and helped other chapters continue to grow and thrive.

I've also introduced a new model for [Regional Chapters](https://groups.google.com/a/owasp.org/g/leaders/c/jw60vATKKpU/m/Al8K6ph8BwAJ), which is currently in process leading up to official Board approval. This new addendum to the Chapters Policy is designed for non-typical City Chapters, and allows wider regional communities to host a collective chapter. In particular, this model also defines Chapter Branches, which will be a great solution for smaller, remote locations that cannot host a full Chapter but still want to have some local OWASP activity.

What experience do you bring serving in a board or executive committee of a large international organization or project?

I do not have any particular experience serving on the board of a large international organization.  

However, I do have experience serving on OWASP's Chapters Committee, as the Vice Chair. I've also been involved in organizing multiple global conferences, spending months working with the rest of the team and recruiting volunteers. I am also on the Board of Advisors for a couple of international companies, including a startup incubator. I have volunteered for over a decade as a moderator on StackExchange's Security site, growing it into a vibrant, productive community that has become a vital resource for thousands of professionals.  

I do also have quite a bit of professional experience working with global teams, and their leadership, aligning incentives and getting everyone moving in the same direction, building strategy, and designing financial plans to support organizational objectives. 

COVID-19 has had a major impact on OWASP’s major earning sources which were conference tickets / training tickets. What will you do to ensure more balanced funding sources in the future?

IMO this is a hard question. To be fair, our earning sources had been faltering even before COVID-19; I had conversations years ago with staff about revising how we host our conferences. Of course, with the pandemic stopping (almost) all in-person events for the foreseeable future, we are forced to consider other options.

While we've had some pretty successful virtual / remote events, as well as trainings, it is clear this is not enough to sustain the organization as a whole. We need to ramp up our corporate supporters, as well as find new sources of income. In order to achieve this, we will need to study our options, consider what we can offer companies (without violating our core principles such as vendor independence, of course), and get creative. We absolutely can find these creative solutions, but it won't be simple.

What are the three main things you’d focus on changing/improving for OWASP as an organization, and why?

Overall I think OWASP is already changing in good directions. In particular, I do think the following issues need to be improved:

1. Diversity and inclusion - we have a great WIA committee, and they already do a lot. However, IMO we are still nowhere near where we need to be, and not just _women_ in appsec. We need to increase our efforts in this area, including both recruiting more diverse community members, and retaining more of them over time. We especially need to continue to grow their presence, so that OWASP leadership is even more representative of all people in our industry. 
2. Independence and vendor agnosticism - as a core OWASP value, it is incredibly important that we are perceived as an independent source of the best way to do appsec, and not influenced or poisoned by commercial interests. Both at a corporate level, and a personal level - and this applies to events, projects, chapter activities, and more.
3. Corporate funding - I believe the majority of OWASP funding should come from the corporate vendors that participate in OWASP, and the companies that benefit from the projects we create. Volunteers should not be reaching into their own pockets to initiate or sustain OWASP activity; we need to increasingly look towards our corporate supporters to fund as much of our ongoing activities as possible.

Automation and now AI have been good for AppSec in that it has increased the speed of releases, improved detection of coding flaws and reduced overall operating costs. At the same time, jobs in AppSec are moving from analyst positions to lower paid engineering positions. What do you see as being OWASP’s role in the industry in ten years and how would you begin to position OWASP to get there?

To be perfectly honest, I have no idea what our industry will look like in 10 years; no one does (except maybe futurists).

Clearly, the bifurcation of appsec jobs will continue, with high-end analyst and strategic positions moving even higher upstream, and the majority of the "lower" engineering positions specializing even more on a wider range of niche topics and tasks. 

However, I do have ideas of what we should be doing towards supporting whatever that future is. We do need to be involved in defining proper software development, whatever that will look like in the future. We need to be providing relevant, modern tools to secure whatever form our development environment, technologies, and pipelines will take. And we need to be supporting all of the roles in AppSec (as well as adjacent jobs), no matter what tasks they will be required to be doing.