Avi Douglen

About Me

AviD

Hi! I am Avi Douglen.

I am the founder and CEO of Bounce Security, a boutique software security consulting agency. We work primarily with software teams, helping them level up their product security in the most efficient way by making them want to do more for security, but never fighting or shaming them into it. This is the same approach I take with me into OWASP activity.

I started attending OWASP chapter meetings way back in 2006, and started volunteering shortly after. After supporting my chapter’s board for a few years, I was asked to lead it as Chapter Chair. During my stint as Chair, I helped grow the OWASP Israel chapter into a thriving community and one of the largest chapters. I also created the incredibly popular AppSec Israel conference, one of the largest OWASP events. After several years’ hiatus, we came back this year with around 700 people attending in person.

Since passing on that title, I continue to support the current chapter leadership on the chapter board and as a core AppSecIL organizer, and have recently rebooted one of our documentation projects. I have run the CFP and CFT for several Global AppSec conferences, and I’ve also served on the Chapters Committee, amongst other activities. Currently I am serving this great community as the Vice-Chair of the OWASP Global Board of Directors.

Professionally, I’ve worked in QA, as a professional developer, as team lead, research director, startup CTO, and most recently as a software security consultant. I am an advisor to several startups, and I am on the Board of Advisors for a VC incubator. I also co-authored the Threat Modeling Manifesto, volunteered as a high school mentor, and I am a community moderator on Security.StackExchange.com as well as a core organizer for Hackeriot.org, a free event bringing hundreds of women with no experience into the cyber industry.


Why I would like to be on the Board of Directors

For many years, I’ve been volunteering and contributing for OWASP - for other organizations as well, but the OWASP community has always had a special place in my heart. We’ve had some rough patches in the past (and even very recently), but I feel that now we are on a very healthy path. I might not agree with every decision made - heck, I’m often the first to debate about it! But even when I don’t love the conclusion, we reach it together, in a very healthy and respectful manner, with consideration for all legitimate viewpoints and overall transparency towards the community.

I would like to continue to lead this trend, and push to consider even more viewpoints, to be even more transparent, to ensure a healthy, non-toxic environment at all levels. I feel that the leaders of the community, and the Board of Directors in particular, should be there with the sole intention of serving the community, and our mission. It should not be for the purpose of enhancing one’s resume, corporate marketing, or for personal gain, fame, or game (except for rhyming, that should be allowed).

I would like to be on the Board of Directors of OWASP to continue to push back - hard - against any misuse for personal interests or corporate commercialism, against short-sighted or narrow-minded decisions, and for healthy dialogue in a vibrant community, and for no less than emphatically ethical efforts (alliteration should also be approved). I want to continue to lead efforts - as I’ve always done - to increase our diversity, improve inclusion efforts, support our projects and get them more of the resources they need to thrive, grow the community, and increase our funding efforts so that we can meet more of our mission. Join me on this journey!



Questions


How do you envision OWASP to become more reachable to individual developers and institutions?

This is an incredibly important issue.
When I originally ran for the Board two years ago, I actually highlighted the need to improve developer outreach as one of our key challenges. Unfortunately, since then the Outreach Committee has disbanded on a technicality, though the intention was to be reforming with a new improved charter.

Still, we have been doing quite a bit of developer outreach lately, albeit piecemeal and locally instead of strategically and intentionally. A few weeks ago, at the Board Summit, we reemphasized the need to focus on the various forms of outreach in a dedicated, well-thought out manner. We are reforming the Outreach Committee with new strategic goals, and continuing to stretch outside of our typical appsec bubble.

We will need to reform our major conferences to be more attractive to developers and development managers, as well as CISOs; continue to have a presence at more developer and devops conferences; participate actively in other adjacent and relevant communities; provide role-, tech-, and level-specific training and education materials; and especially, invest efforts towards marketing our major projects and industry-leading products towards developers and their organizations.

In addition to the above, we should also work on bringing more non-security institutions into the OWASP fold. This could be accomplished with standard marketing, positioning OWASP products as a proper solution for their needs, and targeted outreach. At the recent Board Summit, we also outlined additional approaches, including creating an industry advisory board, which could help attract additional institutions in specific verticals such as insurance, travel, medtech, and finance.


What do you plan to do to increase funding for OWASP projects?

This is one of OWASP’s main challenges in the coming year, and not just for projects. It is worth noting that the Foundation’s yearly budget does already allocate a six-figure sum towards projects, the majority of which goes unused and unrequested from year to year. This is still nowhere near enough, but the first step is to optimize allocation of the existing resources - and we’ve already started! I’ve been working with the Projects Committee for a while now, to identify and map out specific project needs, and to create a pool of resources (both professional and technical) to start pushing these to projects as needed. I have noticed that a lot of project leaders are not even aware of a lot of the existing resources and funding options that we are currently making available to projects, so communication and awareness is definitely a good place to start.

But we do still need much more funding in order to reach our goals on the wide range of valuable projects we have, and even others we would like to have. For this, we have several approaches - the chief one being increasing funding for OWASP overall. Fundraising is a primary concern for the Board, and we’ll be creating a new Committee to focus on this together with the Board, and bring in professionals specifically for this. I already mentioned reforming our core events - another explicit goal of this reformation is an order of magnitude increase in profits from the global conferences, mostly from increased corporate sponsorships and training events. We should also clarify our corporate supporter plans and improve the benefits, and redouble our efforts in recruiting these corporate supporters. We should also engage with a professional grant writer in order to apply to the variety of existing grants to organizations like OWASP, from government, corporate, and other sources.

Aside from these, individual projects currently do have a few options for raising targeted funding. Several projects are already using each of these. However, we should clarify, operationalize, and communicate these options to the respective leaders, and invest time and resources to support the leaders that are interested in this.
First among these is directly asking for funding: there is a Jira ticket item for this, and a project simply needs to provide a plan for the project, how the funds will be used, goals, and such. While this might still be limited by the overall available Foundation funds, as noted we do have quite a bit of unused funds in this bucket.
Second, a project can get a grant or sponsorship from a corporation or a few, usually committing to fulfill a pre-defined set of work agreed to by the project leaders. This effectively means finding a company to pay the project leaders (or others) to complete particular tasks or goals for the project, e.g. creating a specific functionality or completing the next version. As long as it fits with the inherent project goals decided by the leaders, of course.
Third, building a commercial entity on top of the OWASP project can be incredibly effective in certain cases. While the open-source project itself needs to remain open, and individually viable, the commercial entity can sell services such as hosting or support, which would in turn fund continued development of the project itself.

We need to be able to package up each of these options, and offer these to project leaders that need this. We also need to be able to better support the leaders in taking these options, even if they do not have e.g. grant writing skills. Either way, these are viable options that need to be better operationalized and supported.


What are your plans for Foundation outreach in both government/policy and industry?

I already mentioned outreach in general above, and recreating the Outreach Committee, with full Board support going forward. This definitely includes industry, both security companies as well as non-security companies that should be more involved in using OWASP materials.

Regarding government, and setting policy - we are of course forbidden from operating as a political lobby due to US non-profit law. That’s not a bad thing, instead we should be operating as authoritative advisors to those setting policy, whether in the US, EU, or other relevant venues. And in fact, we have done so in the past - sometimes driven by the members of the Board, other times by other members of the community that were already involved locally together with support of the Board. We should absolutely continue to do so, but we should also reach the point where the governmental policy makers start by approaching us for advice, input, and an official position.


Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?

Yes of course, that is a given - “Openness” is one of our core values, it’s literally there in the name :-)
For the most part these have always been in the open (at least for the past few years), though there have been technical/logistical snafus with recordings (and a couple of cases of restricting access due to zoombombing, I believe). Transparency is a huge requirement for all of our operations, and especially for Directors of the Board themselves - any kind of conflict of interest must be disclosed and avoided, backroom deals are an absolute no-no.
There might be some room to argue about which cases should not be in the open - legal or privacy requirements are the easy ones, there might be others - but I don’t think anyone would seriously claim otherwise. (Note that there is a difference between “Board discussions” and “chatting between directors”; if it’s not public, it’s not official.)


What are your plans to have the board and staff be more involved in project marketing/cheerleading?

I often say that OWASP doesn’t actually suck at marketing - because we don’t do it at all.

Well, that has to change, we need real marketing, and not just for the projects! But the good news is that this has already started, finally. The staff is experimenting with a marketing firm to start with advertising the upcoming events, and this should eventually expand into a full blown marketing strategy with the help of our dedicated volunteers, prioritizing our core products and other leading projects. The Board needs to invest real funds into marketing these, just as a commercial vendor markets their commercial products, in addition to having official PR channels and media contacts as well.

I think the Foundation also needs to have someone on staff that at least can understand marketing language, if not actual experience. Another outcome from the recent Board Summit is the decision to create a focused Marketing Committee, pulling in additional marketing expertise. The Chair of the Board should also be the direct liaison to the Marketing Committee, to ensure it is supported and driven at the highest strategic level.

In the meantime, staff have their own way of handling requests to amplify social media posts, but this needs to be optimized. The process is not ideal, but can be improved. The Board should be doing more cheerleading, but this only works when the individual director is familiar with the project itself (as opposed to cheerleading for OWASP projects in general). I would like for leaders of the Flagship projects (at least) to meet with Board members periodically, which would help enable this as well.

For that matter, other leaders including chapter leaders should also be familiar with the main products, and make sure to talk them up as well! On a personal note, I try to speak about these at every opportunity, including taking community booths at non-OWASP conferences to spread the word. I’ve also allocated work time for my teammates to travel around giving talks at developer conferences about OWASP projects!


Are you able to devote the time to your OWASP Board duties (can feel like a second full time job)?

Hahaha definitely not! No one really is, this is perfectly Hofstadter’s Law! ;-)

“It always takes longer than you expect, even when you take into account Hofstadter’s Law.”

But seriously, I have already been spending many hours a week on OWASP duties - Board, chapter, events, projects, other initiatives… My employer (I am [un]lucky to be my own boss) allocates a certain percentage of the workday for OWASP and similar activities, and at certain times (e.g. leading up to conferences…) a lot more than that, including some evenings and weekends.

That said, sometimes life does happen, and there are periods that leave less time for dedicated Board work. These come and go. And sometimes we wind up spending far too much time dealing with unnecessary Board emergencies as well, at the expense of other duties. Comes and goes… But overall it works out, and I have learned to balance this with enough time dedicated to dealing with Board duties and progressing necessary priorities.


This October, when you’re deciding between several worthy candidates, please vote for Avi Douglen for the Board of Directors, to continue the changes we’ve already started to make the OWASP community even better!

I will continue to lead efforts - as I’ve always done - to increase our diversity, improve inclusion efforts, support our projects and get them more of the resources they need to thrive, grow the community, and increase our funding efforts so that we can meet more of our mission.