Adrian Winckles
About Me
My name is Adrian Winckles, a cyber security professional, academic, and community leader with more than three decades of experience advancing global cyber resilience. My career has spanned academia, industry, and international organisations, where I have consistently focused on bridging the gap between research, education, and practice to build stronger and more secure digital ecosystems.
My involvement with OWASP began in 2011 when I jointly founded and continue to lead the Cambridge UK Chapter, hosting monthly community events that bring together practitioners, researchers, and students. In 2014, I was joint chair of the OWASP Europe AppSec conference in Cambridge, UK, and involved in all decision-making parts of the delivery.
In 2015, I was co-opted to the OWASP European Board, where I contributed to multiple AppSec Europe conferences, including reviewing speaker and training proposals and helping with the multinational University Challenge to engage the next generation of security professionals.
Since 2019, I have served as Chair of the OWASP Education and Training Committee, helping to develop strategies for education, training, and certification that support OWASP’s mission worldwide. I also lead two global OWASP projects: the Distributed Web Threat Intelligence Honeypot, which delivers open-source datasets for the community, and the Open Application Security Curriculum Project, designed to close critical skills gaps in application security.
Beyond OWASP, I have held leadership roles in professional bodies such as the British Computer Society and the UK Cybercrime Forensics SIG, contributing expertise to national initiatives and skills frameworks. As a Senior Lecturer and later Director of the Cyber Security & Networking Research Group at Anglia Ruskin University, I designed multiple degree programmes, supervised nine PhDs and over 250 MSc/BSc projects, and secured more than £500,000 in external research funding. My academic work has generated over 25 publications and informed EU and UK government policy and training programmes. Following a period of illness, I am currently working at the Open University with a Lectureship in Cyber Security.
I bring to my OWASP Board candidacy extensive board-level experience, including my role as Director of Cyber East, supporting cyber innovation and skills development across the region. My work as co-founder and Research Director of ZORB Security further reflects my commitment to translating research into practical solutions.
My Manifesto
I am standing for election to the OWASP Global Board of Directors in 2025 to continue advancing OWASP’s mission of improving the security of software worldwide, with a strong focus on education and lifelong learning.
Throughout my career, OWASP has been the cornerstone of my professional ethos: open collaboration, community empowerment, and advancing application security for all. As a Global Board member, I will continue to champion inclusivity, strengthen education initiatives, and expand OWASP’s influence across academia, industry, and government. My vision is for OWASP to remain the world’s most trusted voice in application security, shaping the future of secure software development for generations to come.
Through my work, I have seen first-hand how critical ongoing education is to improving application security. Security cannot be taught once and forgotten; it must be embedded into every stage of developers’ and security analysts’ careers. From foundational undergraduate courses to professional upskilling and executive training, developers and architects must be supported with accessible, relevant, and evolving learning resources. OWASP has a unique role to play in leading this charge by creating open, community-driven curricula; building partnerships with schools, colleges, universities and industry training providers; and ensuring that our resources remain free, practical, and globally inclusive.
If elected, I will champion four priorities:
- Education for All Levels - Expanding OWASP’s educational initiatives so that learners at every stage, from students to senior developers, have lifelong continuing access to modern and practical training in secure software design and development.
- Sustainable Skills Growth - Building pathways for continuous professional development that enable developers to maintain and advance their security knowledge throughout their careers.
- Global Reach & Inclusion - Strengthening OWASP’s presence in underrepresented regions and communities, ensuring our training and resources reflect the diversity of our global developer and security community.
- Strengthening OWASP Educational Relationships - Within our community, both with projects and chapters, we have lots of relationships and linkages to local educational resources, educational institutions and training providers which we have no knowledge of and which often go unreported. By understanding what linkages we have, we can better utilise them.
OWASP has always stood for openness, collaboration, and community. By prioritising education, we can make security knowledge truly universal, empowering developers everywhere to build safer applications, stronger systems, and a more secure digital future.
I ask for your support to continue this mission as a member of the OWASP Global Board of Directors.
Link to My Video
What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
Over the past decade, I have made visible contributions to OWASP and the wider security community through a blend of open-source projects, research, and leadership roles:
Open Source & Research Contributions
- OWASP Distributed Web Threat Intelligence Honeypot Project (2018-present): Led development of an AWS-based low-interaction honeypot/honeynet solution, generating open threat intelligence datasets for the security community.
- OWASP Open Application Security Curriculum Project (2019-present): Spearheading efforts to build a globally applicable open curriculum to close the skills gap between academia, industry, and secure software development needs.
- Academic & applied research: Published 25+ academic papers on cybercrime, malware detection in cloud/virtual environments, botnet detection, and distributed honeypot approaches. Many of these outputs were presented at OWASP AppSec events and made available to the wider community.
- Conference leadership: As OWASP European Board Member, I successfully delivered AppSec Europe conferences (e.g. 2014 with 600+ attendees), securing sponsors, speakers, and university engagement (University Challenge with Martin Knobloch).
- CFT & CFP Conference Reviewer: Between 2014 and 2020 I have been contributing to the review of both proposed conference presentations and training proposals for OWASP’s AppSec Europe conferences.
- Chapter & committee leadership: OWASP Cambridge Chapter Leader since 2011 and Chair of the OWASP Education & Training Committee since 2019, where I have built consistent community engagement, mentoring, and project delivery.
Visible Leadership
Beyond OWASP, I co-founded ZORB Security (data theft prevention start-up) and chair the BCS Cybercrime Forensics SIG, contributing to the UK National Cyber Security Blueprint. These roles demonstrate a track record of steering multi-stakeholder initiatives and turning ideas into practical outputs.
If elected to the OWASP Board, and to demonstrate early accountability, I will deliver three specific outcomes in my first 90 days:
- Launch an OWASP “Education & Skills Roadmap” pilot
  - Consolidate existing OWASP training, curriculum, and project resources into a clear, member-friendly roadmap based on my manifesto priorities:
    - Education for All Levels
    - Sustainable Skills Growth
    - Global Reach & Inclusion
    - Strengthening OWASP Educational Relationships
  - Outcome verification: roadmap draft published on OWASP wiki and GitHub, open for member comments.
- Establish a Transparent Board Activity Dashboard
  - Implement a simple GitHub-based or wiki-based tracker for board activities, showing progress on commitments, board motions, and deliverables.
  - Outcome verification: live dashboard link shared monthly in OWASP community newsletters.
- Kick-off an “OWASP University Challenge 2.0” initiative
  - Relaunch and modernize the University Challenge to engage students globally through CTF-style competitions (utilising other open-source resources such as SecGen) tied to OWASP projects.
  - Outcome verification: announcement, registration portal, and at least 10 universities onboarded within 90 days and develop plans to make them available regionally as well as globally.
By focusing on education, transparency, and community engagement, these outcomes will be visible, verifiable, and directly aligned with OWASP’s mission.
What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead, if need be, for the goals you plan to achieve.
The top three challenges for OWASP to increase global impact and visibility are:
- Bridging the Education and Skills Gap
Many developers and security practitioners lack accessible, practical education in secure software design. While OWASP has strong projects, they are often fragmented and underutilized by training providers and educational establishments. So based on my 4 election manifesto priorities:
- Education for All Levels
- Sustainable Skills Growth
- Global Reach & Inclusion
- Strengthening OWASP Educational Relationships
Actionable Plan:
- Spearhead creation of an OWASP Global Education & Skills Roadmap, consolidating projects like the OWASP Top 10, Cheat Sheets, and training labs into structured learning pathways.
- Partner with universities, training providers, and industry to embed OWASP materials into curricula and professional certification frameworks and ensure such relationships are documented and publicised.
- Launch “OWASP Education Ambassadors” to champion adoption in their regions.
Outcome: A widely adopted, modular skills framework visible across academia, professional training, and industry.
- Improving Project Sustainability and Visibility
Many OWASP projects rely on a few individuals, making them hard to sustain. Visibility is often limited to security circles, not mainstream developers and businesses.
Actionable Plan:
- Establish a Project Incubator & Support Program that pairs active projects with mentors, documentation writers, and community advocates so we build upon the success we have had with the Google Summer of Code Program (GSoC).
- Implement a clear OWASP Project Showcase hub highlighting flagship and emerging projects with business-friendly case studies (featuring testimonials and business/educational users).
- Drive targeted outreach at developer conferences, hackathons, and open-source ecosystems but utilise OWASP Project Ambassadors to champion projects to a wider community.
Outcome: Stronger project lifecycles, higher adoption, and increased visibility outside traditional security audiences.
- Strengthening Global Community Engagement & Transparency
OWASP’s global reach is uneven: some chapters thrive while others struggle. Members also want more transparency from leadership.
Actionable Plan:
- Roll out a Board Transparency Dashboard (motions, deliverables, finances, progress).
- Relaunch the University Challenge 2.0, scaling it to a global online model to engage the next generation.
- Support under-resourced chapters with shared toolkits (event templates, sponsorship guides, speaker pools) and advertising that certain communities need experienced mentors/advisors.
Outcome: A more inclusive, transparent, and visible OWASP that strengthens local chapters and global reputation alike.
In summary: By focusing on education, project sustainability, and community transparency, OWASP can position itself not just as the authority on application security, but as the global connector bridging developers, researchers, and security professionals. With my experience leading OWASP projects, conferences, and education initiatives, I am ready to spearhead these goals.
Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
OWASP’s strength lies in its projects, but many have become stale due to over-reliance on a few volunteers. To address this, I propose a 90-180 day structured triage and re-engagement plan with clear criteria, transparency, and support.
Step 1 - Discovery & Assessment (First 30 days)
- Conduct an automated health check of all projects (activity on repos, mailing lists, issue trackers, downloads).
- Publish a Project Health Dashboard so members can see activity levels and progress.
- Categorize projects into Active, Dormant, or Critical but Stalled.
Step 2 - Re-engagement (30-90 days)
- Contact inactive project leads directly, offering mentorship, co-leads, or project handover options.
- Introduce a “Call for Contributors” month, matching dormant projects with volunteers from academia, chapters, and industry. More emphasis on internship-type programs such as Google Summer of Code (GSoC) to encourage jobseekers and graduates to gain experience and let projects make progress.
- Provide lightweight support resources: documentation writers, event speaking slots, and student contributors via the University Challenge.
Step 3 - Relaunch or Sunset (90-180 days)
- Projects with renewed activity get “OWASP Supported” status and visibility on the showcase hub.
- Stalled but strategically valuable projects enter a Relaunch Incubator with clear milestones and board support.
- Projects with no engagement after repeated attempts are archived gracefully with a transparent record, so their work remains accessible but does not dilute OWASP’s reputation.
- Keep an archive of past projects (whether failed, stalled or otherwise) and include engagement opportunities for students to develop past projects from the archive or to gift their dissertation work to the archive.
Verification & Transparency
- Publish monthly triage updates on the OWASP wiki and dashboards.
- Provide clear timelines, progress indicators, and open calls for community input.
In summary: My plan balances respect for volunteers with accountability to the community. By combining transparency, structured triage, and targeted re-engagement, OWASP can revitalize its portfolio, sustain its most impactful projects, and maintain credibility as the leading open-source security organization.
What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
OWASP has an opportunity to play a stronger role in supporting Arab countries as they navigate new legislation in security, privacy, and data protection while also growing local talent. My background in education, training frameworks, and global conference leadership makes me well placed to lead this effort, as do strong links through my employer to the Arab Open University (which has 9 campuses across the Middle East).
1. Guidance on Legislation & Compliance
Arab countries are introducing data protection and cybersecurity laws modelled on GDPR, NIS2, and cloud security regulations. OWASP can help by:
- Promoting the publishing of practical guidance mapping OWASP resources (Top 10, ASVS, SAMM) to local laws and frameworks.
- Partnering with regional universities (like the Open Arab University), regulators, and industry bodies to translate OWASP outputs into localized compliance toolkits.
- Providing neutral, technical interpretation of laws so organizations can align their practices without heavy reliance on costly consultants.
2. Regional Talent & Skills Development
There is strong demand for secure coding, DevSecOps, and cloud security skills. I propose:
- Launching an OWASP Arab Secure Coding Series - a mix of virtual and in-person events focused on secure software, OT, and cloud, delivered in collaboration with regional chapters and local education providers.
- Partnering with universities and incubators to embed OWASP curriculum materials into computer science and engineering programs.
- Extending the University Challenge model to Arab universities, engaging students in OWASP projects and competitions.
3. Events & Visibility
- Establish an annual Arab OWASP Regional Summit, rotating across key cities, to showcase local projects, talent, and compliance discussions.
- Promote Arabic-language support for OWASP documentation and training resources, working with volunteers for translation and adaptation.
In summary: My plan combines legislative mapping, talent development, and regional events. This will both empower Arab countries to meet compliance requirements and equip the next generation of secure software and cloud professionals with the skills they need.