Steve Springett

About Me

Hi there, I’m Steve Springett, and I’ve been deeply immersed in software security for quite some time. My journey with OWASP began back in 2012, and it’s been a thrilling ride ever since. I’m a proud lifetime OWASP member, which reflects my unwavering commitment to this remarkable community. Currently, I’m fortunate to serve on the OWASP Project Committee, where I work with other leaders to mature their respective projects. Leading two flagship projects, OWASP Dependency-Track and OWASP CycloneDX, has been a personal highlight, and I’m genuinely passionate about driving innovation in software supply chain security.

Additionally, I co-authored and lead the OWASP Software Component Verification Standard (SCVS), which has been referenced in its entirety in the NIST Secure Software Development Framework. In my day job as the Director of Product Security at ServiceNow, my fantastic team and I are on a mission to make sure that the software we build and deliver is not just secure, but resilient in the face of emerging threats. It’s an exhilarating journey, and I’m excited to continue making a positive impact.

Outside of my professional achievements, I find joy and balance in my personal life. I reside on the North Shore of Chicago with my beloved wife, Vera, daughter Aryana, and two Chihuahua rescues, Emitt and Ani.

I am driven to run for the OWASP Board of Directors with a deep commitment to shaping the organization’s future in the face of pressing challenges. The evolving economic landscape and the need for robust project and chapter support underscore the urgency of modernizing the OWASP Foundation to empower the next generation of community builders.

While I may not possess all the answers, I’m fueled by a genuine belief in collective wisdom. I recognize that within the OWASP community, many ideas are waiting to be harnessed. As a candidate, I aim to channel this collective intelligence, fostering a collaborative environment where diverse perspectives converge to move us forward. Central to this vision is the imperative to evolve our funding model. We must strike a delicate balance, embracing new avenues to generate revenue while preserving the unassailable integrity that OWASP has cultivated over two decades. This balance is the cornerstone of our enduring reputation as the preeminent and most trusted security foundation.

I am firmly committed to guiding OWASP through this transformative journey. By leveraging the invaluable expertise within our community, I seek to lead initiatives that address current challenges and establish a resilient foundation for OWASP’s continued growth and impact.

https://www.youtube.com/watch?v=WPoYfk5sNPc

Apologies, but YouTube seems to have butchered the video. It’s horribly choppy. But I think the message will still come across.

Questions

How do you envision OWASP to become more reachable to individual developers and institutions?

OWASP should have representation in the communities in which we serve. Language and ecosystem-specific representation is an absolute must. If we are to expand our membership and help existing and new developer communities, OWASP must have representation in those communities, period. One approach to this is through the use of community managers, a concept that both the Dependency-Track and CycloneDX projects have requested, but not received, from the current Board of Directors. Community managers engage with developers in diverse communities, provide references to OWASP resources and chapters when applicable, and identify opportunities that benefit these communities and the OWASP Foundation.

I’m a big supporter of the OWASP Career Fair, which aims to introduce candidates to cybersecurity career paths. I believe the OWASP Foundation should increase its marketing and outreach to universities and industry to bring more individuals into the cybersecurity field and our community.

What do you plan to do to increase funding for OWASP projects?

I believe there are multiple ways to increase project funding without sacrificing the vendor neutrality we collectively strive to achieve. In short, I would:

  1. Fix the website and messaging. It’s broken.
  2. Hire a full-time grant writer providing grants-as-a-service to OWASP projects.
  3. Leverage the community manager role to identify indirect fundraising opportunities.
  4. Evaluate revenue-generating opportunities outside of the non-profit OWASP Foundation.

To expand:

  1. The donation and sponsorship pages of the website need a lot of work (actually, the entire website does, but that’s another subject). The sponsorship page doesn’t have a call to action, and the donation page maxes out at $500. There’s also an assumption that an international audience understands the nuance between donations and sponsorships. I’m working on an opportunity to bring in $200K to the foundation to support an OWASP project in the first year. This organization had to ask if it was even possible. I then had to seek advice from Andrew to see if it was possible. The lack of clear communication is ultimately leading to loss of funding. How many organizations view the donations page, see a maximum of $500, and conclude they cannot donate to OWASP in any meaningful way? I bet we could measure it. But I’d like to improve it.

  2. As a board member, I will support additional staff solely responsible for grant writing. This role will identify the hundreds of grants available yearly, determine if they apply to OWASP projects, and be accountable for the grant’s lifecycle. This role will provide grants as a service to OWASP projects. This will drive revenue into the OWASP Foundation and increase project funding.

  3. As a community builder for CycloneDX, part of my role is to network with open source projects, commercial vendors, and other interested parties. The “community manager” role I discussed as part of the first question can be influential with indirect funding of projects. For example, a commercial vendor applied for and won a grant, which they will use to donate to the CycloneDX project. This occurred because of the continued engagement with the community and the tools we use to measure and improve community engagement across all social and development platforms. This could happen even more, and across more projects, if the foundation supported a full-time community manager role and embraced platforms that help us grow strong and engaging communities.

  4. As a board member, I would support initiatives that would identify revenue-generating opportunities outside of the non-profit OWASP Foundation. This includes looking at organizational structures similar to the Mozilla Foundation, which has a wholly owned subsidiary, Mozilla Corporation, which generates revenue for the foundation and supports Mozilla projects.

In short, there are multiple ways to increase project funding without sacrificing the vendor neutrality we collectively strive to achieve.

What are your plans for Foundation outreach in both government/policy and industry?

As a 501(c)(3), the OWASP Foundation cannot lobby any government. However, we can have representation at government and industry events. I have personally been involved in the Software Transparency (SBOM) initiatives the U.S. Federal Government has led since 2018. That, and other work, has made its way into government policy. I’m currently leading efforts for a general-purpose machine-readable attestation specification and am engaged with both government and industry on its adoption. So, I understand the importance of government and industry outreach and the impact the OWASP Foundation can have as a result. The community manager role (described in the first question) can be effective at some of this outreach. However, project leaders also need to be empowered and encouraged to participate. As a result, the OWASP Foundation should financially support their efforts and expenses if those efforts are of strategic importance to the foundation.

Additionally, the OWASP Board of Directors should identify areas of strategic importance to the foundation and publish, track, and communicate our progress in supporting these initiatives. For example, OWASP should have a public position on NIST SSDF attestations in the U.S. and the CRA and NIS2 directives in Europe, which could dramatically alter open source, foundation responsibilities and projects, and coordinated vulnerability disclosure.

Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?

Absolutely. And there should be a published SLA that the board should meet in publishing minutes and recordings. The CycloneDX project publishes its working group meetings on YouTube, typically on the same day. However, the board should be able to approve minutes and post a video within ten business days.

What are your plans to have the board and staff be more involved in project marketing/cheerleading?

I personally do a lot of this already. There’s not a lot more marketing/cheerleading I can do. However, there are many untapped opportunities. For example, the foundation should provide a “toolbox” for project and chapter leaders, which includes graphic design services, UX research services, and press release and content writing services. The OWASP Dependency-Track project celebrated its 10th anniversary this year, and we took the opportunity to redesign the logo and website and launched a social media campaign earlier in the year. As a project leader, I had to know that Hugo was our graphic design person. I had to fend for myself on press release creation and distribution as well as social media and marketing. We’ve had multiple press releases for CycloneDX this year as well. Ideally, these should be provided as a toolkit that project and chapter leaders can tap into.

For the press specifically, OWASP should establish and maintain relationships with industry journalists and collaborate with them on upcoming press releases. Press releases by themselves have very little impact. A respectable journalist who picks up the story and adds their own insights, interviews, and industry perspectives will have substantially more global reach and impact than press releases alone.

Marketing should be a strategic initiative for the foundation and should be viewed as both an opportunity to advance our core mission of securing the world’s software, as well as for general awareness and fundraising.

Are you able to devote the time to your OWASP Board duties (it can feel like a second full-time job)?

I already lead two OWASP flagship projects. Many projects have been requesting foundation support for many years and have yet to get the desired help. I’m running for the board so that I, and other leaders, can get the support we need and reduce the burden of running a successful project or chapter. As mentioned earlier, I’ve morphed my role in these two projects from doer to community builder. As a result, I plan to prioritize initiatives that lead to a resilient foundation for OWASP’s continued growth and impact.