Sam Stepanyan
About Me
Hello everyone,
My name is Sam Stepanyan, and it’s my honor to be running for the OWASP Global Board this year. Allow me to introduce myself:
-
I am a long-time active member of the OWASP community and a Chapter Leader of the OWASP London Chapter (since 2015). I became a member of OWASP in 2010 and have been attending OWASP London Chapter meetings as an attendee since 2008.
-
My very first OWASP Global AppSec conference was OWASP AppSec Research in Hamburg in 2013. I also helped to organise and run the OWASP Global AppSec Europe conference in London in 2018.
-
In 2020 I took on an additional leadership role as Chair of the OWASP Chapter Committee. In this position, I work with fellow committee members to provide guidance and support to chapter leaders worldwide to ensure that OWASP Chapters have the all the resources to help them succeed.
-
Earlier this year I was also nominated for the OWASP Web Application Security Person of the Year (WASPY) award, which is an annual award given out by OWASP to recognize contributions in various categories. I was honored to receive this award in the Chapter Leader category.
-
Over the years I have contributed to several OWASP projects including OWASP Top 10 and OWASP ZAP. I am also one of the Leaders of the OWASP Nettacker Project. If you have never heard about OWASP Nettacker - do check it out!
-
In my day job I am an independent Application Security Consultant & Architect working in the Financial Services industry in the City of London.
Why am I applying to be on the OWASP Board?
2023 has been an unprecedented year for OWASP - a year of unprecedented crisis. We had the Open Letter sent to the Foundation’s Board and after that two OWASP Board Members left their posts after just a few months of serving on the Board, and two much-loved and respected OWASP Project Leaders (Simon Bennetts and Glenn Ten-Cate) made the decision to move their projects from OWASP to the Linux Foundation. I am deeply concerned that the community I love is in danger.
This is the year the OWASP Board needs to wake up from hibernation and address multiple issues, including those raised by the Open Letter. I am glad to see that quite a few application security industry veterans are applying to the Board - it is clear that we all want one thing - to steer OWASP through this crisis.
Now let me provide my answers to the community questions to the Board candidates (you can also watch me answering the questions in the video below):
Link to My Video
Sam Stepanyan - OWASP Board Candidate Video
Questions
How do you envision OWASP to become more reachable to individual developers and institutions?
First of all we should improve, simplify and streamline the OWASP website and documentation to make it easier for people to find relevant information. Much has been said about the website issues and we do have some great research work driven by Mark Curphy at the beginning of 2023. Sadly this effort was left unfinished.
- Just like OWASP Cheatsheets we should develop bite-sized accessible content like “OWASP Quick Start Guides” targeted to different audiences like CISOs, penetration testers, developers, security engineers, bug-bounty hunters, auditors, prospective chapter leaders, project leaders etc.
To be more reachable we should ensure as many developers as possible can attend our OWASP Global AppSec Conferences. The ticket price to attend OWASP Global AppSec in Washington DC this month is a whopping $985! While some larger companies will have no problem paying $985 for their developers to attend an OWASP Conference this price limits Conference’s accessibility, especially for individual developers and smaller companies. Yes, OWASP needs to raise more funds to fix the finances eroded by the pandemic, but not at the expense of people to whom we want to reach out to.
So I believe we should:
- Offer tiered pricing for Global Conference tickets. For example, have a discounted “Independent Developer Rate” and “Small Team Rate” for those with lower budgets.
- Provide scholarship opportunities and discounted tickets to underrepresented communities in CyberSecurity.
We need to improve our outreach and marketing efforts to raise awareness of OWASP resources. This should include social media campaigns, participation in tech conferences, industry events and expos, hackathons and university partnerships.
What do you plan to do to increase funding for OWASP projects?
There are several ways how I propose to increase the funding for OWASP projects:
OWASP CERTIFICATION: I am proposing a strategic change and a brand new source of funding - I plan to introduce an OWASP Certification: OWASP Certified Secure Developer or OCSD. There is a clear need for a respected certification that validates secure coding abilities. I believe that this certification perfectly aligns with OWASP’s mission and will provide immense value to developers and the industry. Having OWASP-certified developers on staff will give organizations assurance that their developers truly understand secure coding best practices - this will help companies to reduce risk and increase customer trust and their competitive edge. I have a plan on how this certification can be implemented at OWASP.
COMPANY SPONSORSHIPS ON VENDOR-NEUTRAL BASIS: Not everything needs to translate to monetary donation to the projects. It can be things like:
-
Companies sponsoring Cloud resources/credits for OWASP projects. With donated cloud credits, OWASP projects would not have to pay for hosting their tools, websites, databases - this will also enable them to innovate more quickly.
-
Companies dedicating a staff member to work on and maintain an OWASP project of their choice (in a vendor-neutral way so they will be doing this on the full understanding that other contributors and maintainers may potentially come from their competitors) in return for having their company logo showcased. This will be a mutually-beneficial partnership. This initiative will benefit both the OWASP Project and the sponsoring company. If you don’t quite understand how it will benefit the sponsoring company, here is how:
- Improve their own products/services - By directly enhancing an OWASP project they use themselves, the company ensures those improvements and new features are available for their own products and services.
- Enhance expertise - Working closely on an OWASP project will allow the staff member to develop their skills and knowledge in application security. This expertise can then be brought back into the company.
- Build industry connections - Through engaging with the OWASP project community, the company can develop relationships with other OWASP contributors - smart people working to advance application security. This provides opportunities for future collaboration.
- Contribute back to open source - By supporting OWASP’s open source security projects, the company will be helping the broader goal of transparent and community-driven security efforts and publicly showcase their commitment to improving software security, which can enhance the company’s reputation.
I had meetings with several large companies in the Gartner Magic Quadrant for Application Security Testing. As a result, every company I spoke with said they would be happy to provide at least one full-time staff member and a $xx,000 donation to work on an OWASP project of their choice. Their company logo would be displayed on that OWASP project’s page on a non-exclusive basis, so that OWASP remains vendor neutral. These companies are okay having their logo displayed next to their competitors’ logos, as it showcases the good work they are doing to benefit the global community.
I will be working on figuring out more mutually beneficial yet vendor-neutral ways for companies to give back to OWASP and support our open source projects development and maintenance, whether financially or through other contributions.
MORE MEMBER BENEFITS: Dramatically increase OWASP membership by increasing the amount and quality of the benefits available to members as well as by requiring people with OWASP Certifications to be an OWASP member in order to maintain their certification.
OFFICIAL OWASP TRAINING: Another new(ish) revenue source will be the Official OWASP Training. OWASP has traditionally offered official training sessions only at the annual Global AppSec conferences held in the USA, Europe, and Asia. While valuable, this limited training availability of just 9 days per year poses challenges. Many organizations are unable to send employees to conferences abroad for multiple days. At the same time, this restricted training schedule limits OWASP’s potential to generate revenue through training. The training model should be changed, to be more frequent, more structured and accessible.
PAID JOB BOARD: Yet another source of funding I propose will be to have a paid AppSec/DevSecOps Job Board. At the moment, OWASP has a #jobs channel on OWASP Slack where companies and recruiters post their vacancies for free. This is while the same recruitment companies will charge their customers quite a substantial fee if they source a candidate from OWASP. OWASP currently gets nothing. I propose that:
a) we move the Job Board from Slack to the OWASP website (it gets 2mln+ unique visitors/month).
b) each job vacancy published on the OWASP job board will cost at least the same amount as one OWASP membership = $50. This will be fair to both the small companies who want to find candidates directly and to the recruitment agencies which charge a lot of money for finding a candidate (while in reality they just source them from the OWASP Slack channel). You can quickly calculate the revenue - for 2500 job ads per year: 2500 * $50 = $125,000 raised.
Companies looking to hire InfoSec professionals, especially those with expertise in application security, would likely get applicants very relevant to their needs by posting job ads on the OWASP Job Board. If the OWASP Job Board is available directly through the OWASP website this would provide high visibility and a focused exposure to the job opening within the information security community.
GRANTS: And another very substantial project funding source will be grants. There are multi-million research grants available for R&D projects in Cyber Security. But OWASP does not apply to them, because currently there is no dedicated member of staff whose job is to find and apply to these grants. I plan to change that.
Did you know that for 2024 the National Science Foundation (NSF) Grant size for projects in cyber security is $11mln ! (grant applications must be received by Feb 1st 2024). If I am elected - the first motion I am going to put for voting in January 2024 will be to submit an application for this grant.
What are your plans for Foundation outreach in both government/policy and industry?
First of all many of you might not know that OWASP is already referenced in various government and industry regulations and standards. This includes references in documents from organizations like NIST, ISO, HIPAA, EU ENISA, and others.
By using Google search engine I have found evidence of all G7 Governments as well as the EU Government referring to OWASP resources as a source of guidance for improving application security.
You can simply use the following search in Google to see the evidence of this: site:gov +owasp
Here is how I propose to increase the outreach:
-
We should proactively look for government-led and industry-led working groups, task forces, or other initiatives related to software security and offer to contribute OWASP’s expertise. Provide feedback on proposed regulations or guidelines.
-
We should promote OWASP’s resources and training to governments and industry. We need to make sure that key decision makers are aware of OWASP’s standards, guidelines, cheat sheets, testing guides, Top 10 lists, educational and security tools and other practical resources for improving software security.
-
We should increase OWASP’s presence at high-profile events for governments and industry such as conferences, seminars, panels, or exhibitions. Have OWASP Leaders speak on these panels and network with attendees.
-
We should publish op-eds and thought leadership content. Write articles for industry publications read by government and business leaders. Clearly explain why software security matters and how OWASP can help the government and business leaders to reduce risks.
-
We should promote real-world case studies showing OWASP’s impact. Collect and highlight stories of organizations and governments successfully using OWASP resources to boost software security. We should quantify results and benefits as much as possible.
Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?
Yes - for the following reasons:
- Transparency - Having Board discussions in the open builds trust with the community and shows the board is not trying to hide anything. It allows our members to see how decisions are made.
- Accountability - Board members will be more thoughtful and accountable for their comments and decisions knowing the community is watching their discussions.
- Collaboration - Allowing the community to view board discussions enables them to provide feedback, ideas and insights the Board may not have considered. More perspectives lead to better decisions.
- Alignment - Open discussions help ensure Board decisions align with the interests and needs of the broader OWASP community.
- Participation - Community members can feel more engaged and included in OWASP’s governance when they can observe and even participate in board discussions. OWASP Board meetings happen on Zoom and any community member may ask to join these meetings.
Of course there may be certain sensitive topics like personnel issues, litigation, or contractual negotiations that require confidentiality and confidential Board meetings. In such cases the Board should retrospectively disclose the number and types of confidential meetings after a certain time period, such as quarterly or annually. For example: “The Board held 5 confidential meetings in Q3 regarding personnel grievances, legal matters, and contractual negotiations.”
What are you plans to have the board and staff be more involved in project marketing/cheerleading?
First of all we should re-start the OWASP Connector Newsletter. While the content is available on the website and is also available to subscribe to using RSS feeds (from yesterday by the way!) there is a difference between a pull and a push. Newsletters aggregate content into one place and deliver it straight to your inbox and we should publish and regularly push all project-related content via the newsletter in addition to other channels like the website and social media.
The Board and the Staff should:
- Share and re-post/retweet social media posts about OWASP project releases, milestones, usage stats and press exposure.
- Get the word out through public speaking: incorporate project overviews, use cases, or highlights into conference talks and local chapter meetings. For example at OWASP London Chapter meetings I always allocate a couple of slides to the new and cool OWASP projects (the recent example was the OWASP Top 10 for LLM)
- Collaborate with Project Leaders to write blog posts and articles in the industry publications about projects, how they work, and their impact. I have to praise the current Board member Vandana Verma for her excellent OWASP Spotlight YouTube video series. I believe this project should be also turned into a podcast.
- We should help projects create professional marketing assets - quality images, YouTube videos, graphic designs to polish their public image. We need to make sure that OWASP projects have all the resources they need to succeed.
Are you able to devote the time to your OWASP Board duties (can feel like a second full time job)?
Yes and as I am a Chapter Leader, a Project Leader and OWASP Chapter Committee Chair I know exactly how much time OWASP volunteering takes. If I am voted by you to become an OWASP Global Board member in accordance with the OWASP bylaws I will actually have to drop one of my volunteer duties - the OWASP Chapter Committee Chair role. This will free up some of my time for the Board meetings and duties.
I am willing to take on these demanding duties because of my passion and commitment to the OWASP’s mission. The demanding time spent volunteering as OWASP Board member is justified by the ability to drive meaningful change and giving back to our global community.
OWASP is loved by so many because it fosters a strong sense of community and belonging. It provides an opportunity for people to feel that they are part of something meaningful and impactful.
The OWASP community is our greatest asset. Our people, meetups, conferences, summits, and project collaborators comprise a vibrant, enthusiastic, and diverse community. There is nothing quite like the experience of working together to tackle critical security challenges. The collaborative spirit and passion of our community is what makes OWASP so special.