Vandana Verma Sehgal

About Me


Hi, I am Vandana Verma, an Indian OWASP member. I am a seasoned information security professional with 16+ years of experience covering a 360-degree view of information security, from technical work to management. I am reapplying for an OWASP Board position after serving on the Board for the last 2 years, during which I have held the Treasurer as well as the Vice-Chair position. I am also a chapter lead for OWASP Bangalore and the supporting Board member for our diversity initiative, Women in AppSec / Diversity in AppSec.

Professionally, I have been a speaker/trainer at almost all the major security events across the globe, from Black Hat to OWASP AppSec to BSides to RSA. I am passionate about diversity, spreading awareness, and working towards bringing diversity into the information security industry; to that end I run various diversity initiatives of my own, InfosecGirls and InfosecKids, and also collaborate with other similar initiatives such as WoSec.

I am also one of the organizers of BSides Delhi and a review board member for Black Hat Asia, Grace Hopper India and more.

Social Media Handles:
https://twitter.com/InfosecVandana
https://www.linkedin.com/in/vandana-verma/

Q1 OWASP has great resources for different people and different roles: CISOs, AppSec Managers, Pentesters, Analysts, Developers, DevOps, QA, and even users. Currently, most of them are either not aware of OWASP, or consider OWASP as shorthand for the “OWASP Top 10”. What practical steps should OWASP take to change that?

A very valid and topical question. This is a known problem; there are multiple efforts already underway, and I have a few ideas which I am working on. We need to understand that human behaviour has changed over the past many years, and organizations need to adapt to it.

As of now, OWASP is doing the following activities:

OWASP Developer Outreach Program: As part of the Outreach Program, we ran a Developer Outreach Summit in July 2021, which was joined by over 700 people from around the globe. We need to create more focused programs/initiatives to be able to reach out to the developer community and provide them the resources they need to write secure software. We already have a lot of great resources, and we can participate in developer conferences and communities and organize developer-specific events to talk about those initiatives.

Spotlight Series: I have started this series to provide a short and quick overview of the benefits of various OWASP projects, directly from the project leaders. We also cover how to use those projects.

OWASP Integration Standards: The goal of the Integration Standards project is to facilitate technical interaction between software security initiatives inside OWASP and outside: links between documents and exchange between tools.

Areas which I intend to champion in the next 2 years:

Ambassador Program:

I would like to revitalize the OWASP Ambassador program. The focus of the program is on building connections and evangelists within the developer and security communities. These evangelists would champion the OWASP cause in their own circles of influence and bring much-needed new energy into the community. It will be a program to bring the community closer to OWASP, drawing people from different support groups and levels to support it.

OWASP is a global organisation, and with so much work being done in OWASP, an ambassador program is something that can be quite useful in evangelizing and promoting the OWASP work.

We can look at tapping the existing network of active chapters and/or use other means to establish a robust program of Application Security Ambassadors who can spread awareness and help organisations and communities adopt OWASP resources and best practices.

OWASP Developer Outreach Program: I would also like to focus on the Developer Outreach program to engage more developers with OWASP projects, and especially to involve them in speaking about security across different platforms and languages. We hosted the Developer Security Summit in July 2021 to engage people from around the world. We will have a lot more engagement going forward.

Diversity and Inclusion: We have had a Women in AppSec (WIA) community working for over 5 years, and they have taken some good initiatives. However, we can make a change in the direction of making it more inclusive as it moves forward to become Diversity in AppSec (DIA), by involving diverse people in the sessions hosted as well as representing DIA at global events.


Q2 Sometimes local chapters disband before anyone knows they exist and there does not seem to be a strong mechanism to regrow them. How will you enable members to grow OWASP in their localities?

Communication between chapters and the OWASP Foundation has been a challenge for a very long time, and it is a known fact in the OWASP community. Over the last 2 years we have worked to smooth out the process as well as involve more community volunteers in managing the Chapter Committee to drive the initiative. This has improved the situation and will help going forward. What is missing, in my opinion, is more focus on awareness that such a vehicle exists and can be used to help the chapters. This would be one of my focus areas, as I am already the sponsor of the Chapter Committee within the OWASP Board.

In the last year, we realized we needed a strong initiative to support the chapters, and we set up a Chapter Committee to help the chapters and their leaders. The Chapter Committee came into existence with the help of the community and the leaders, and they are trying to help set up and grow the chapters. Local chapters got disbanded because there was little activity in them, and some chapters were not active at all. The Chapter Committee and staff have been trying to connect with the inactive leaders, and when there is no response from the respective leaders, the Chapter Committee must take a call. The Chapter Committee is here to help. I think we should be empowering the Chapter Committee and providing it the resources it needs to be able to work with chapters globally and assist them in the best possible manner.

All the chapters are listed on the chapters page (https://owasp.org/chapters/). In the past year, I have seen a huge shift in the number of chapters getting reactivated and created with the help of the Chapter Committee. OWASP leaders, the Board and staff are spreading the word about new chapters at many events and forums, and people are very interested in contributing.

If you wish to contribute, you can request to be a chapter leader by clicking on “Start a Chapter”: https://owasporg.atlassian.net/servicedesk/customer/portal/7/user/login?destination=portal%2F7%2Fcreate%2F73


Q3 What experience do you bring serving in a board or executive committee of a large international organization or project?

I have been part of the OWASP Board for the last two years, serving as Treasurer in the first year and currently serving as Vice-Chair.

I have been working on many initiatives as part of the Board and would like to keep contributing to these initiatives. I would also love to start and drive new initiatives.

As a Board member:

  • I organised Chapters All Day, a 24-hour event, to bring chapters closer to each other.

I am running 2 important projects with OWASP:

  • Project Spotlight Series, to bring the spotlight to the projects. The idea is to bring awareness of OWASP projects in the industry.
  • OWASP Developer Outreach Program, to bring developers closer to OWASP.

Some of the initiatives I have contributed to in the last few years:

  • Built OWASP Women in AppSec (WIA) since its inception.
  • Driven many free trainings for diversity candidates at every OWASP Global Conference.
  • Been on the OWASP Bangalore Board since 2017.
  • Helped in setting up the Chapter Committee to help chapters.

I am also currently part of the CFP review board of Black Hat Asia and of BSides conferences in India.


Q4 COVID-19 has had a major impact on OWASP’s major earning sources which were conference tickets / training tickets. What will you do to ensure more balanced funding sources in the future?

When we speak about the majority of OWASP's funding at the moment, it comes from conferences and training; that is the main source of income for OWASP. However, due to the pandemic, we have seen almost every conference going virtual, and as a result we have seen revenue going down.

In my first year on the Board (2020), I became Treasurer, at a time when we were fighting to survive the pandemic and stay strong as an organization. I experienced first hand how to decide the budget for an open source organisation, which was a huge learning experience.

From all the learnings of last year, we came up with a lot of new ideas to source funding.

Memberships: Memberships have not been considered a huge source of income. However, in the past year, we have seen the number of memberships going up drastically by having membership drives at our events. We should be adding more attractions for individuals to join OWASP as paid members. We have already added benefits like access to SecureFlag training, We Hack Purple's foundation training, etc., and we need to keep working to provide the best value to members. OWASP has reach among the masses, and if the masses start opting for paid membership, it can solve a lot of funding challenges for good.

Recently, we started with YouTube donations as part of the 20th Anniversary, and we will soon start the GitHub donation project, as we have a huge GitHub base. We will take it to the next level.

Corporate sponsorship is another big thing that we are targeting, and it can help OWASP in a big way. Running corporate sponsorship drives at our own events and at external events can help reach the broader community and bring in sponsorship for OWASP.

Through more initiatives, we should bring projects to the forefront. If we are able to evangelize projects in a way that organizations use them and find value in them, we will find more organizations supporting OWASP as corporate members.


Q5 What are the three main things you’d focus on changing/improving for OWASP as an organization, and why?

There are a few things that I would for sure concentrate on in the upcoming tenure:

Maturing Projects: Projects need special attention, as they represent the true identity of OWASP. We need to be working with more projects to help them mature and to provide them the necessary tools and resources to grow. My personal objective is to help existing projects grow and mature within OWASP, and this will be a top priority.

Committees: We have seen some positive results with the Chapter Committee, and I would love to replicate the committee model in other areas. I think it serves the purpose of OWASP being a global community, empowers the community to bring change, and gives individuals a way to contribute.

Increasing the number of members: We should be adding more attractions for individuals to join OWASP as paid members. We have already added benefits like access to SecureFlag training, We Hack Purple's foundation training, etc., and we need to keep working to provide the best value to members. OWASP has reach among the masses, and if the masses start opting for paid membership, it can solve a lot of funding challenges for good.

Diversity Initiatives: I will be helping DIA grow globally with many new initiatives, including bringing in new speakers, hosting CTFs, and participating in round tables at global conferences and events. Another perspective on this would be to have diverse participation in different chapters around the world.


Q6 Automation and now AI have been good for AppSec in that they have increased the speed of releases, improved detection of coding flaws and reduced overall operating costs. At the same time, jobs in AppSec are moving from analyst positions to lower paid engineering positions. What do you see as being OWASP’s role in the industry in ten years, and how would you begin to position OWASP to get there?

Currently, AI is used to ‘guess’ which vulnerabilities are real and which are false positives, drastically lowering the time required to manually determine which vulnerabilities are real.

Looking ahead, expert monitoring of AI-driven findings can help ensure that tools are targeting the right circumstances at the right time for the right reasons, just as human action (or inaction) can cause problems. This ability is helped by tools that can provide curation, context, and stateful solutions, allowing human-led information security teams to gain an advantage over threat actors. We would aim to make the initiatives relevant so that they might collaborate and serve the larger community.

Also, when it comes to cloud and cloud native application security, appropriate application posture management is critical. We currently use SAMM, but we would like to understand how automation may be achieved with maturity models and posture management solutions.

Although ten years is a long period and the industry is continuously evolving, the foundation of the business has remained relatively the same. One of my goals for OWASP is for it to continue to play a leading role in guiding the industry through the complexities of application security.

Software is eating the planet, and the quantity of software we will have in ten years will be multiples of what we have now.

The way software is written and delivered will continue to evolve, but the requirement for software security will remain constant. We must adapt to current technologies and trends, such as the use of AI and machine learning in software and DevOps, as well as lead the industry through them.

We should be distributing our attention into two parts. One is the core of application security and the whole shift-left movement: create and share best practices, guidelines, documents and tools for writing secure code, threat modeling, and embedding security in the SDLC overall. The other part of the initiatives should be on futuristic developments: how modern frameworks and languages are addressing some of the legacy problems and how we can encourage the world to use them more; building projects around application security automation; how the use of AI and ML in software helps and where it is needed; and what threats are associated with them.