Izar Tarandach

About Me


I’ve been doing Security since the 90’s. Seen a lot of stuff, worked from start-ups up to global companies. I am an active member of OWASP:

- I have been a repeat speaker in OWASP events, from chapter meets to Global events
- I am the lead of the OWASP pytm project, the first threat-modeling-as-code tool
- I have for the past 2 years or so been an active participant in the OWASP Events committee, which works to select submissions to OWASP events from the hundreds that are submitted to every event
- Recipient of the 2022 OWASP Waspy award for Event Person Of The Year

Apart from OWASP, I am a co-author of the Threat Modeling Manifesto, and I co-authored a book on Threat Modeling, aside from numerous webinars, presentations, training and workshops around the world in many leading events.

One thing I can say: I am not a politician. I am not “into it for the power and the lulz”. So I will not be making promises, well, actually I will be making only one promise: I promise maximum effort to make things better. OWASP is at the center of application security, and I want to work hard with the existing Board, incoming members, and the membership at large to make it even better.

Questions

How do you envision OWASP to become more reachable to individual developers and institutions?

I don’t think the problem is OWASP being reachable. The problem is reaching out to individual developers and institutions and helping them recognize (and utilize!) the value of OWASP resources. As well, we in the security community keep talking to each other; we are all security people, and we relate to developers as our “customers” - I want to move towards them. For example, we keep talking about how to enable security champions - but we don’t have content specifically directed at them in our events. I would like to extend the content we offer so it also serves the developer and champion, not only the security practitioner. I want us to create standards and guidelines that can be read and understood by developers, so that security practitioners can focus on those parts of the process that need their unique talents, rather than translating security for the engineers.

What do you plan to do to increase funding for OWASP projects?

The actual value of OWASP projects and content has already been demonstrated over and over. It is used by many organizations, commercial tools and content providers. Unfortunately, that has not translated into any kind of benefit for OWASP and its membership. It is easy to say that we need to increase funding, but not so easy to figure out how. I could throw out the usual suspects here: we will ask for more donations, we will paywall this and that. But the truth is that this needs to be a process that is supported by OWASP infrastructure and a myriad other details, it needs to be agreed to by the members, and it has to actually bring change to the present situation. One thing is clear to me: the funding process needs to be tied to the overall project approval, adoption and promotion lifecycle. We need to decide what projects make sense to have and then to fund, and this can translate into per-project solutions or a bigger approach that serves as a funding umbrella for projects at large.

What are your plans for Foundation outreach in both government/policy and industry?

I think that this is a discussion that OWASP needs to have, first and foremost, to decide what it is. What the OWASP identity is. Who the target audience is and what it is that we want to bring to them. Are government and policy makers where we think we can make the biggest difference? Industry? Developers, no matter where they work? Security practitioners? Once we have that figured out, then it becomes a matter of what we are bringing out to them. We have amazing examples like the Top 10, MASVS and ASVS that are seen as cornerstones of testing and security education, and referenced in published standards and guidelines all over the field. Do we want to focus on these standards and making them part of more official efforts? Do we want to create and influence policy directly by actually writing it? The identity, the content and the purpose drive the outreach.

Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?

YES. Transparency is key to good governance, in my opinion. Wherever there is no limitation due to legal or other very strong reasons, I am for total transparency in Board discussions. I have participated as a spectator in Board meetings, and I considered them very useful as a member.

What are your plans to have the board and staff be more involved in project marketing/cheerleading?

I don’t believe that project marketing and cheerleading are functions that the Board should be expected to fulfil. I do expect that the Board will take all measures, planning and actions necessary to make sure that projects have the resources, contacts and support they need to be their own advocates, including offering constructive feedback to those efforts and helping them reach their objectives.

Are you able to devote the time to your OWASP Board duties (can feel like a second full time job)?

I consider myself very fortunate that my employers have in the past shown appreciation for my work in OWASP, and have been very supportive of my efforts, and I have full confidence that in the future this pattern will hold. Besides… sleep is vastly overrated.