Fred Donovan
About Me
Hi, I am Fred Donovan. I am an Application Security Architect for a large multinational software company. There I help lead over 100 security champions who are driving the AppSec and architectural analysis processes for hundreds of software products.
My involvement with OWASP began in 2005 and I joined the NYC Chapter in 2007. My support increased there and then I attended the inaugural EU Summit in Portugal. I have been a volunteer and/or speaker at over 12 OWASP conferences and a volunteer for various projects and initiatives. In 2013, I assisted 4 people in revitalizing the OWASP Omaha chapter, and shared the role of chapter leader.
As a professional, I have worked primarily in roles of software security consulting, as well as being a program manager of web development, a university lecturer in cyber security and software development, and an AppSec architect.
Opting to become an OWASP Lifetime Member was a deliberate choice, as OWASP was the platform where I learned to refine my skills as a builder, breaker, and defender. To this day, I remain committed to leveraging OWASP’s tools and resources to support the countless builders, breakers, and defenders I collaborate with.
Questions
How do you envision OWASP to become more reachable to individual developers and institutions?
We need to enhance and promote the value of OWASP to individual developers, especially focusing on chapters within regions where OWASP support is limited. To achieve this objective, we need to increase our external funding. This can be done by improved business models with new approaches where companies can be part of the community and not merely financial contributors to “the mission”. We’ve known for years that individuals and businesses cannot rely on collegiate education systems for up-to-date knowledge. We need to provide something better and more tangible to employees of a business. I like the idea of allowing a way for OWASP sponsors to provide feedback directly to the OWASP community for certain levels of business sponsorship. Our current method of providing visibility to well-known and boutique tech security companies plays well at conferences, but this does not meet the needs of non-security companies that use and rely on OWASP projects. I see a future where OWASP contributes even more value to companies and organizations around the world, beyond providing free AppSec materials and tools. Whereas individual memberships receive benefits such as free training platforms or tools, and access to resources not available without a membership, corporate memberships get a name on a marquee or a table at an OWASP conference, but that does not do enough to entice non-security companies to provide financial support. Why not offer companies a range of memberships for their employees in exchange for financial support? Let’s give them something that they can sell up to the C-levels and showcase in their yearly GRC audits.
What do you plan to do to increase funding for OWASP projects?
Using my approach above, we can provide corporations a funding model such as the following: up to 25% of their corporate donation goes to a flagship project of their choice and another 25% of their corporate donation can be applied to memberships for their employees. The remaining 50% of their contribution goes to the OWASP Global Foundation. OWASP will expand our outreach by building chapters within corporate communities and this can be done by improving our business models.
What are your plans for Foundation outreach in both government/policy and industry?
I have worked in both public and private industry. We know that there are government bodies and industry standards that reference OWASP documents, tools, and best practices. But not every standards body knows enough of OWASP as an organization. They certainly see the Top 10, but why aren’t they leveraging or including reference material to the ASVS, the cheat sheet series, the developer’s guide, etc.? The answer is because OWASP evangelism in its current form is not sufficient. To equip standards bodies and government decision makers, we need to have our Executive Director and Global Board members engaged with these bodies at each iteration of policies, frameworks, and certification development. We need to actively participate in ad-hoc work groups for entities like ENISA and NIST which publish at the international level. This should be standardized within OWASP and led by the Board. This is an improved professional way of building up the OWASP outreach.
Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?
There is a history of open discussions and meetings and I have found them to be beneficial. As OWASP is a non-profit with the single goal of improving application security globally, it is very appropriate to continue the tradition of board openness.
What are your plans to have the board and staff be more involved in project marketing/cheerleading?
Board members need to support our staff and Executive Director. OWASP must continue to be a global resource that builds up new generations of security professionals in the same way many of us in the first OWASP generation found success. Our marketing relationships will improve when our relationships with SMBs and multi-national corporations improve. This means enacting new models and new approaches, as I have discussed, where companies can be part of the community and not merely financial contributors to “the mission”. This takes dedication and direction from the board, it requires different approaches and improvements, and the board needs to include the staff who already have good outreach. It requires change and it requires board members like me who will not just dial into a video conference, but also take meaningful action in the real world. This is not starting over, but it is a bold shift. We need to fully realize the benefits of having an executive director who is a first generation OWASP member and respected expert in the AppSec community, along with well-established and respected OWASP staff members such as Dawn and Kelly, who already have a broad outreach for our new business models.
Are you able to devote the time to your OWASP Board duties (can feel like a second full time job)?
OWASP cannot succeed with board members who limit their participation to only board meetings. This means board members have a responsibility to ensure stability of OWASP projects and functions. If the community chooses me to be on the Board of Directors, I will work hard to improve the drive of OWASP’s outreach to individuals and businesses in new and unique ways. I will dedicate my time to lead these efforts.