Aruneesh Salhotra

About Me

Technologist • Servant Leader • Community Builder • Entrepreneur • Investor

Who I Am

I'm a technologist, servant leader, community builder, entrepreneur, and investor who believes that the future of security lies at the intersection of open source innovation, artificial intelligence, and global collaboration. With deep expertise spanning software development, program management, agile methodologies, DevSecOps, AI, compliance, audit, sales, and infrastructure, I've spent my career contributing to movements that have helped shape how the industry approaches security.

🎥 Candidacy Pitch - Aruneesh Salhotra

🚀 My Pitch for OWASP Global Board

A concise overview of my vision and commitment to OWASP's future

📋 Full Candidature Video

Complete presentation of my qualifications and detailed plans

🏆 Key Achievements & Leadership Impact

🚀 OWASP Leadership

  • Co-lead OWASP AI Exchange
  • Co-lead OWASP Serverless Top Ten
  • Founded OWASP AIBOM
  • Co-authored LLM Top Ten
  • Created 3 Working Group proposals

🌍 Global Engagement

  • Davos - WEF Security Conference
  • Dubai - "Machines Can See" Panelist
  • Belgium - Open Source Congress
  • Policy influence & regulatory advisory

💼 Professional Credentials

  • C-CISO, GCISO, CISSP certified
  • Entrepreneur & investor
  • Author, blogger, podcaster
  • DevSecOps & AI expertise

🚀 Immediate Impact

  • $100K+ sponsorship for OWASP AI Exchange
  • OWASP AIBOM project launched with first sponsor in 3 weeks
  • AI Exchange elevation from Incubation to Flagship
  • Strategic alignment with SANS, CSA, EU AI Act

Education & Credentials

  • C-CISO – Certified Chief Information Security Officer
  • GCISO – GCLF Certified Information Security Officer
  • CISSP – Certified Information Systems Security Professional
  • AWS 5+ & Kubernetes 2+ – Specialized cloud infrastructure certifications

But credentials alone don't define leadership—execution does.

Why I Lead Through Community

I don't just participate in organizations—I transform them. At OWASP, I've led multiple flagship initiatives: OWASP AI Exchange (which I co-lead along with Rob van der Veer), OWASP AIBOM (which I founded), OWASP LLM Top Ten (where I co-authored on Supply Chain Security). I've elevated these projects by creating platforms where contributors become thought leaders and where technical excellence translates into industry impact.

Global Leadership Positions

  • Global CISO Leadership Foundation (GCLF) – Co-Chair – Connecting and empowering security leaders worldwide
  • Purple Book Community (PBC) – Global community of AppSec leaders driving industry best practices
  • IEEE Next Gen Cyber Security – Shaping the future of security standards
  • Cyber Future Foundation (CFF) – Advancing cybersecurity innovation
  • InfraGard NY Metro Chapter – Collaborating with the FBI on critical infrastructure protection
  • CISO Communities Globally – Building bridges between security leaders across continents

Global Engagement at the Highest Levels

My commitment to shaping international security dialogue extends to the world's most influential platforms:

Davos – World Economic Forum

I participated in the CFF Cyber Future Dialogue 2023 in Davos held alongside the World Economic Forum—where technology leaders converge to address humanity's most pressing challenges.

"Machines Can See" – Dubai, Middle East's Largest AI Conference

I served as a panelist at "Machines Can See"—the Middle East's largest AI conference in Dubai—where I engaged with regional policymakers, technology leaders, and innovators driving AI adoption across the MENA region. This platform positioned me to build critical relationships with Middle Eastern regulators and establish advisory channels that will shape how AI security standards evolve in one of the world's fastest-growing technology markets.

Open Source Congress – Belgium, September 2025

I participated in the Open Source Congress in Belgium, now in its third year and hosted by the Eclipse Foundation in collaboration with OSS foundations. This intimate, facilitated forum brings together leadership from code-producing open source software foundations to foster global dialogue, collaboration, and strategic development of the open source ecosystem. I also participated in the Open Source Stakeholder Day—a first-time OSC-adjacent event where foundation leadership joined with industry and public policy leaders to continue dialogue on the most pressing concerns and opportunities for our ecosystem.

In these forums, I don't just observe—I contribute to conversations that influence international cybersecurity policy and the frameworks that will govern AI and digital infrastructure for decades. This experience taught me that our industry's future is shaped at the intersection of policy, technology, and capital—where I've deliberately positioned myself to ensure voices like OWASP's are heard at the tables where it matters most.

Entrepreneur & Investor—Backing Innovation at Every Stage

As an ex-entrepreneur, I understand the journey from zero to one. I've invested in a few ventures and advised many startups through their most critical growth phases.

  • Limited Partner (LP) – Multiple venture capital firms specializing in cybersecurity – deploying capital strategically into funds shaping the next generation of security innovation. This gives me visibility into emerging trends and technologies that will define our industry's future.
  • Angel Investor – Writing personal checks into early-stage startups where I can add operational value, backing founders solving problems others don't yet see. Portfolio spans security automation, AI governance, DevSecOps tooling, and open source commercialization.

This dual perspective means I understand both sides of the equation: I know what it takes to secure sponsorship because I've raised funding. I know what enterprises need because I've sold to them. I speak the language of CFOs and understand how to position OWASP not as a non-profit foundation seeking sponsorship via donations, but as a strategic partner delivering measurable value.

Go-to-Market & Sponsorship Expertise

I bridge the gap between technical excellence and business value. For OWASP AI Exchange, I've secured substantial funding and established a pipeline positioning us to exceed $100k in 2025—during a global economic downturn. My collaborations with SANS Institute, Cloud Security Alliance, and enterprise sponsors demonstrate that when you align security innovation with business outcomes, everyone wins.

Standardization & Operational Excellence

I've proposed Working Groups for Funding, Marketing, and Governance within OWASP and to the existing OWASP Global Board—ensuring that proven strategies scale across all projects and chapters. As someone who has built companies and invested in dozens more, I bring operational discipline, financial rigor, and the ability to execute consistently at scale.

Working Group Proposals

Author, Blogger, Podcaster—Amplifying Security Voices

I believe knowledge hoarded is knowledge wasted. As an author, blogger, and podcaster, I've created platforms that democratize expertise and make complex topics accessible. When speaking or conducting workshops, my goal is the same: translate technical depth into actionable wisdom that moves the industry forward.

Academic Bridge Builder

I partner with New York State universities to strengthen their cybersecurity and technology programs. When I helped Stony Brook University's Linguistics Program secure a Google grant, it demonstrated how emerging technologies like AI intersect with unexpected disciplines, creating entirely new research frontiers.

Board Advisor & Strategic Counsel

As a board advisor to multiple organizations and startups, combined with my LP and angel investments, I maintain a unique vantage point: I see patterns others miss, connect dots across seemingly disparate domains, and architect strategies that compound over time.

Why This Matters for OWASP

Everything I've built—the partnerships, the sponsorships, the academic collaborations, the companies I've launched, the startups I've funded, the policy conversations in Davos, the regulatory relationships forged in Dubai, my leadership as Co-Chair of GCLF connecting CISOs worldwide—has prepared me for this moment.

OWASP stands at a crossroads: we can remain a respected collection of excellent projects, or we can become the indispensable global foundation that defines how software security is practiced in the age of AI, open source, and converging technologies.

I'm running for the OWASP Global Board because I don't just see what OWASP is—I see what OWASP must become. And I have the track record, the relationships, the global reach, and the execution discipline to make it happen.

The Pattern

I take initiative when I see opportunities to create value. Rather than waiting for perfect conditions or seeking recognition, I focus on building the right teams and partnerships. When a situation calls for it, I help mobilize resources and facilitate conversations across organizational levels to turn ideas into reality.

  • I invest in ideas.
  • I build communities.
  • I shape conversations that matter.
  • I deliver results.

And I'm ready to do all four for OWASP's next chapter.


Q1. What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?



Most people chase titles. I chase impact.

Since joining the OWASP AI Exchange in April 2024 alongside Rob van der Veer, I've been obsessed with one question: How do you turn a nascent open source project into a movement that shapes an entire industry?

Here's what execution-driven leadership looks like:

⚡ I turned budget constraints into strategic advantage.

While others complained about the global economic downturn and shrinking budgets, I saw opportunity. I didn't ask for sponsorships—I built business cases. I identified what kept executives at target companies awake at night and showed them how investing in AI Exchange would deliver measurable ROI. The result? We're on track to exceed our $100k funding goal for 2025. When money is tight everywhere. For an open source project.

🎤 I made my team famous.

Leadership isn't about hoarding the spotlight—it's about building stages for others. I engineered speaking opportunities that put our contributors on the world's most prestigious platforms: RSA, Black Hat, CactusCon. We didn't just participate; we orchestrated 80+ presentations and webinars globally. Each talk amplified individual contributors while elevating OWASP's voice in AI security. When your volunteers become thought leaders, everyone wins.

🤝 I fostered collaboration and broke barriers.

The most powerful partnerships aren't transactional—they're transformational. By aligning AI Exchange with SANS Institute and Cloud Security Alliance, I didn't just expand OWASP's reach; I positioned us as the connective tissue between the industry's most influential organizations. We showed up at the OWASP Project Summit not to compete, but to collaborate, turning potential rivals into force multipliers.

🎯 I prioritised the OWASP brand.

In every conversation, every partnership, every presentation—I asked: "How does this advance OWASP's mission globally?" Not my personal brand. Not my project's metrics. The foundation's impact.

The pattern? I don't wait for permission. I don't optimize for credit. I identify what needs to exist in the world, then I make it inevitable.

Because at the end of the day, leadership isn't measured by the position you hold—it's measured by the movement you leave behind.



🎯 90-Day Strategic Execution Plan: Transforming OWASP's Global Impact

Three focused blocks. Measurable outcomes. Public accountability.

Days 1-30 – Foundation & Launch
Theme: Establish Infrastructure, Activate Governance, Launch OWASP's Modern Era

Working Group Framework
Deliverables:
  • WG charter & governance model
  • Formation templates & metrics
  • Foundation/Board socialization
Metrics: Framework approved, 3+ templates
Verification: Charter at owasp.org/working-groups

Flagship Project Convergence
Deliverables:
  • Monthly sync with 8+ flagship leaders
  • Integrated security pathway roadmap
  • Collaboration commitments & tracking
Metrics: 8+ leaders, 3+ initiatives, roadmap
Verification: owasp.org/flagship-convergence

Days 31-60 – Revenue Generation & Operational Excellence
Theme: Build Sustainable Funding, Operationalize Marketing, Scale Sponsorships

$200K Sponsorship Campaign
Deliverables:
  • Close 5+ enterprise sponsorships
  • ROI business case template
  • Monthly "Sponsor Showcase" series
  • Tiered sponsorship packages
Metrics: $200K revenue, 5+ Fortune 1000 pipeline
Verification: Monthly reports, testimonials on owasp.org

Funding Working Group Activation
Deliverables:
  • Recruit 5-7 members with proven fundraising expertise
  • Publish Funding WG charter and monthly meeting schedule
  • Release standardized sponsorship proposal templates
  • Create chapter/project fundraising playbook
Metrics:
  • WG formed with 5-7 active members
  • Charter published
  • Template library released
Verification:
  • Meeting minutes: owasp.org/working-groups/funding
  • Template downloads tracked
  • Playbook published

Integrated Project Sponsorship Model
Deliverables:
  • Package flagship projects as unified solutions for sponsors
  • Create "Complete AppSec Stack" sponsorship tier (ASVS + SAMM + ZAP + Dependency-Track)
  • Develop co-marketing materials for integrated offerings
  • Pilot with 1+ major sponsor
Metrics:
  • 1+ integrated package sold
  • 3+ package options created
  • Co-marketing materials published
Verification:
  • Package descriptions on owasp.org/sponsors
  • Sponsor case study published

Flagship Project Convergence (Continued)
Deliverables:
  • Second monthly sync focused on technical integrations
  • Document first cross-project integration (e.g., SAMM → ASVS mapping)
  • Create unified project marketing messaging
  • Establish shared metrics framework
Metrics:
  • 1+ technical integration documented
  • Unified messaging framework created
  • Shared KPI dashboard designed
Verification:
  • Integration docs published
  • Second meeting notes available
  • Messaging guide on owasp.org

Days 61-90 – Global Positioning & Ecosystem Leadership
Theme: Foundation Convergence, Policy Influence, Marketing Activation, Project Health

Open Source Security Alliance (OSSA) Launch
Deliverables:
  • Establish quarterly executive forum with Linux Foundation, Apache, CNCF, OpenSSF, Eclipse
  • Define complementary positioning map across foundations
  • Create joint sponsorship program pilot
  • Publish OSSA charter and collaboration framework
Metrics:
  • 1+ formal MOUs signed
  • Quarterly meeting schedule set
Verification:
  • MOUs published on owasp.org
  • OSSA charter: owasp.org/ossa
  • Sponsor program metrics report

EU CRA & Eclipse Foundation Partnership
Deliverables:
  • Formalize OWASP-Eclipse collaboration (with Steve Springett)
  • Position OWASP projects as CRA implementation standards
  • Co-host webinar on CRA compliance (target: 200+ attendees)
  • Publish 2 policy briefs mapping OWASP projects to regulations
Metrics:
  • Formal MOU with Eclipse signed
  • Webinar: 200+ attendees
  • 2 policy briefs published
Verification:
  • MOU announcement on owasp.org
  • Webinar recording & attendance data
  • Policy briefs: owasp.org/policy

Middle East Regulatory Expansion
Deliverables:
  • Leverage "Machines Can See" conference relationships
  • Schedule 3+ meetings with MENA regulators (SDAIA, UAE TDRA, Bahrain eGA)
Metrics:
  • 3+ regulatory meetings scheduled
  • Advisory framework established
  • 1+ regional policy brief published
Verification:
  • Meeting summaries published
  • Advisory framework on owasp.org
  • Regional engagement report

Marketing Working Group Activation
Deliverables:
  • Recruit 5-7 marketing professionals from member companies
  • Publish Marketing WG charter
  • Release Marketing Playbook v1.0 with 10+ templates
  • Establish brand metrics framework
  • Deploy coordinated campaigns for major initiatives
Metrics:
  • WG formed: 5-7 members
  • Playbook with 10+ templates released
  • Brand metrics dashboard live
Verification:
  • Playbook: owasp.org/working-groups/marketing
  • Monthly brand metrics report
  • Campaign performance data

Data-Driven Project Health System
Deliverables:
  • Implement automated project scoring (GitHub, downloads, engagement)
  • Launch "Project Rescue Squad" with mentor matching
  • Host quarterly "OWASP Innovation Spotlight" webinar (3-5 projects)
  • Create conference speaking pipeline for project leaders
  • Triage 15+ stagnant projects (revive or archive)
Metrics:
  • 15+ projects triaged
  • 5+ projects in webinars (300+ attendees/session)
  • 15+ speaking slots secured
  • Health dashboard operational
Verification:
  • Dashboard: owasp.org/project-pulse
  • Monthly health reports
  • Webinar recordings & attendance
  • Speaking engagement tracker

Flagship Project Convergence (Final Phase)
Deliverables:
  • Third monthly sync: finalize technical integrations
  • Launch unified flagship project documentation
  • Create cross-promotion strategy and shared roadmap
  • Publish Q4 integration milestones
Metrics:
  • Unified docs published
  • Shared roadmap for Q4 released
Verification:
  • Integration documentation complete
  • Third meeting notes published
  • Roadmap: owasp.org/flagship-roadmap

Summary: 90-Day Impact Dashboard

Revenue Generated
  Total commitments: $200K+ in 90 days
  Key outcomes: Sustainable sponsorship model, integrated packages, Funding WG operational

Working Groups Activated
  Total commitments: 2 WGs operational
  Key outcomes: Funding WG + Marketing WG with charters, templates, active membership

Project Health
  Total commitments: 10+ projects triaged
  Key outcomes: Health dashboard live, 25+ speaking slots secured, rescue squad active

Flagship Convergence
  Total commitments: 1-2 monthly syncs
  Key outcomes: 3+ technical integrations, unified docs, shared roadmap, collaboration culture




Q2. What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide actionable plan which you can spearhead and lead if need be for the goals you plan to achieve.



Challenge 1: Data Security in the Age of AI

The Problem

AI systems fundamentally transform how organizations handle data. Traditional data security models fail to address:

  • Data lineage complexity: Training data flows through multiple preprocessing, augmentation, and transformation stages, making it difficult to track origin, transformations, and downstream usage
  • Ownership ambiguity: When data from multiple sources feeds a single model, determining accountability and rights becomes legally and technically complex
  • Metadata explosion: AI systems require extensive labeling, categorization, and annotation—all of which become attack surfaces if improperly secured
  • Training vs. inference data protection: Different sensitivity levels and retention requirements create classification challenges
  • Model extraction risks: Attackers can reverse-engineer training data from model outputs

Action Plan: Revitalize OWASP Data Security for AI Era

1. Update the Data Security Top 10

Last updated 2023, revitalize with AI-specific guidance:

  • Data classification frameworks for ML/AI pipelines
  • Lineage tracking best practices through training, validation, and inference stages
  • Ownership and consent management in multi-source training datasets
  • Metadata security standards (labels, annotations, provenance)
  • Privacy-preserving techniques (differential privacy, federated learning, synthetic data)

2. Create Practical Tooling and Integration

  • Reference implementations for data lineage tracking in popular ML frameworks (PyTorch, TensorFlow)
  • Integration patterns between OWASP AI Exchange and data security guidance
  • Checklists for data governance in AI development lifecycle
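The lineage tracking called for above (best practices through training, validation and inference stages, and a reference implementation for ML pipelines) can be made concrete with a hash-chained ledger: every stage records a digest of what it consumed, the parameters it used and what it produced, linked to the previous record. The following is an added example written for this page, not an OWASP or AI Exchange artifact; the stage names, the "source" ownership field and the sample rows are constructed. It goes slightly beyond the bullets by showing the three failure modes such a ledger detects: a record edited after the fact, a final artifact that no longer matches its recorded digest, and a transformation applied between stages without being recorded.

```python
# Hash-chained lineage ledger for an ML data pipeline.
# Illustrative example added here; not an OWASP or AI Exchange artifact.
# Stage names, the "source" field and the sample rows are constructed.
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any, Callable

GENESIS = "0" * 64  # prev_hash of the first record


def digest(obj: Any) -> str:
    """SHA-256 over canonical JSON, so equal artifacts always hash equally."""
    encoded = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass(frozen=True)
class LineageRecord:
    stage: str        # pipeline stage, e.g. "dedupe", "redact_pii"
    source: str       # owner / consent reference for the input data
    input_hash: str   # digest of what the stage consumed
    params_hash: str  # digest of the transformation parameters
    output_hash: str  # digest of what the stage produced
    prev_hash: str    # record_hash of the previous record (chain link)
    record_hash: str  # digest of all fields above


def make_record(stage, source, input_obj, params, output_obj, prev_hash) -> LineageRecord:
    body = {
        "stage": stage,
        "source": source,
        "input_hash": digest(input_obj),
        "params_hash": digest(params),
        "output_hash": digest(output_obj),
        "prev_hash": prev_hash,
    }
    return LineageRecord(**body, record_hash=digest(body))


class LineageLedger:
    """Append-only chain of stage records; verify() catches edited records,
    broken links and data that changed between two recorded stages."""

    def __init__(self) -> None:
        self.records: list[LineageRecord] = []

    def run_stage(self, stage: str, source: str, fn: Callable, data: Any, **params) -> Any:
        output = fn(data, **params)
        prev = self.records[-1].record_hash if self.records else GENESIS
        self.records.append(make_record(stage, source, data, params, output, prev))
        return output

    def verify(self, final_artifact: Any = None) -> bool:
        prev_record, prev_output = GENESIS, None
        for rec in self.records:
            body = asdict(rec)
            claimed = body.pop("record_hash")
            if digest(body) != claimed:        # record edited after the fact
                return False
            if rec.prev_hash != prev_record:   # chain broken or a record dropped
                return False
            if prev_output is not None and rec.input_hash != prev_output:
                return False                   # off-ledger change between stages
            prev_record, prev_output = claimed, rec.output_hash
        if final_artifact is not None and self.records:
            return digest(final_artifact) == prev_output
        return True


def dedupe(rows: list, key: str = "text") -> list:
    seen, out = set(), []
    for row in rows:
        if row[key] not in seen:
            seen.add(row[key])
            out.append(row)
    return out


def redact_pii(rows: list, fields: tuple = ("email",)) -> list:
    return [{k: v for k, v in row.items() if k not in fields} for row in rows]


# Constructed sample corpus standing in for a scraped training set.
RAW_ROWS = [
    {"text": "reset your password", "email": "a@example.test"},
    {"text": "reset your password", "email": "a@example.test"},
    {"text": "invoice attached", "email": "b@example.test"},
]


def build_demo_pipeline() -> tuple:
    ledger = LineageLedger()
    data = ledger.run_stage("dedupe", "vendor-feed-7", dedupe, RAW_ROWS, key="text")
    data = ledger.run_stage("redact_pii", "vendor-feed-7", redact_pii, data, fields=("email",))
    return ledger, data


def tampering_is_detected() -> bool:
    """Rewrite a historical record's params field; verify() must fail."""
    ledger, final = build_demo_pipeline()
    edited = asdict(ledger.records[1])
    edited["params_hash"] = digest({"fields": ["text"]})
    ledger.records[1] = LineageRecord(**edited)
    return ledger.verify(final) is False


def unrecorded_step_is_detected() -> bool:
    """Drop rows outside the ledger between two stages; verify() must fail."""
    ledger = LineageLedger()
    data = ledger.run_stage("dedupe", "vendor-feed-7", dedupe, RAW_ROWS, key="text")
    data = data[:1]  # off-ledger modification
    data = ledger.run_stage("redact_pii", "vendor-feed-7", redact_pii, data)
    return ledger.verify(data) is False
```

In a real pipeline the ledger would be written to append-only storage and the final record signed, so that the model card can cite one digest that auditors can re-verify against the training artifacts.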

3. Build Educational Resources

  • Case studies showing data security failures in AI systems
  • Hands-on labs for implementing data protection in ML pipelines
  • Certification pathway for AI data security practitioners

Execution Timeline

Months 1-3: Convene working group with AI Exchange contributors, data security practitioners, ML engineers
Months 4-6: Draft updated Data Security Top 10 with AI focus, release for community review
Months 7-9: Finalize guidance, create reference implementations, launch educational content
Month 12: Host "AI Data Security Summit" showcasing adoption and collecting feedback

Measurable Outcomes

  • Updated Data Security Top 10 published with 10,000+ downloads in first quarter
  • 5+ organizations publicly adopting guidance
  • 3+ conference presentations at ML/AI conferences (not just security events)
  • Integration with at least 2 major ML platforms or tools

Challenge 2: Scaling AppSec and Compliance in the Age of "Vibe Coding"

The Problem

AI-assisted development ("vibe coding"—where developers describe what they want and AI generates code) is fundamentally changing how software is built:

  • Developers accept AI-generated code without understanding it, trusting the AI without security review
  • Traditional security training doesn't apply: Developers never learned secure coding because they didn't write the code
  • Velocity increases, security review doesn't scale: Teams ship 10x faster but security teams can't keep pace
  • Shift-left becomes impossible: Security must be embedded in AI generation, not post-generation review
  • Compliance frameworks assume human-written code: Existing standards don't address AI-generated code provenance, auditability, or accountability

Action Plan: "Secure Vibe Coding" Initiative

1. Create OWASP Guidance for AI-Assisted Development

  • Security prompt engineering: How to request secure code from AI tools
  • AI code review checklists: What to verify in generated code
  • Prompt libraries: Pre-built security-aware prompts for common development tasks
  • Risk assessment framework: When AI-generated code is acceptable vs. requires human review

2. Integrate OWASP Standards into AI Development Tools

  • Partner with GitHub Copilot, Cursor, Replit, and other AI coding platforms
  • Embed OWASP Top 10, ASVS checks directly into code generation pipelines
  • Create plugins that flag insecure AI-generated patterns in real-time
  • Build "security linters" specifically for AI-generated code
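As an added illustration of the review checklist in point 1 and the "security linter for AI-generated code" in point 2, the following example (written for this page, not an OWASP tool or a vendor plugin) walks a Python AST and flags four patterns that commonly appear in generated code: dynamic code execution, shell-interpreted subprocess calls, disabled TLS verification and literal secrets assigned to credential-looking names. The "generated" and "hardened" snippets are constructed; the secret value is a placeholder.

```python
# Minimal AST-based checker for AI-generated Python code.
# Illustrative example added here; not an OWASP project or an IDE plugin.
# Rule ids, the sample snippets and the placeholder key are constructed.
import ast
from dataclasses import dataclass

# Variable names that should never be assigned a string literal.
SECRET_NAMES = ("password", "secret", "api_key", "token")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


class GeneratedCodeChecker(ast.NodeVisitor):
    """Collects Findings while walking the parsed module."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    @staticmethod
    def _call_name(node: ast.Call) -> str:
        func = node.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return func.attr
        return ""

    def visit_Call(self, node: ast.Call) -> None:
        name = self._call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding("dynamic-exec", node.lineno, f"{name}() on runtime data"))
        for kw in node.keywords:
            if not isinstance(kw.value, ast.Constant):
                continue
            if kw.arg == "shell" and kw.value.value is True:
                self.findings.append(Finding("shell-true", node.lineno, "subprocess call with shell=True"))
            if kw.arg == "verify" and kw.value.value is False:
                self.findings.append(Finding("tls-verify-off", node.lineno, "TLS certificate verification disabled"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        literal = isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value
        for target in node.targets:
            if isinstance(target, ast.Name) and literal and any(s in target.id.lower() for s in SECRET_NAMES):
                self.findings.append(Finding("hardcoded-secret", node.lineno, f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def check_generated_code(source: str) -> list[Finding]:
    """Return findings sorted by line; an empty list means the checks passed."""
    checker = GeneratedCodeChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed snippet in the shape an assistant might emit for "fetch, run, calc".
GENERATED_SNIPPET = '''
import subprocess, requests
API_KEY = "placeholder-not-a-real-key"
def fetch(url):
    return requests.get(url, verify=False).json()
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

# The same functionality after review: secret from the environment, TLS kept on,
# argument-list subprocess call, literal_eval instead of eval.
HARDENED_SNIPPET = '''
import os, subprocess, requests
API_KEY = os.environ["API_KEY"]
def fetch(url):
    return requests.get(url, timeout=10).json()
def run(args):
    return subprocess.run(args, shell=False, check=True)
def calc(expr):
    import ast
    return ast.literal_eval(expr)
'''
```

Running `check_generated_code(GENERATED_SNIPPET)` yields one finding per issue with its line number, which is the shape an editor plugin needs to annotate generated code before a developer accepts it; the hardened snippet produces none. A production checker would add data-flow analysis so that `shell=True` with a constant command is rated lower than one built from user input.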

3. Modernize Compliance for AI-Assisted Development

  • Update SAMM (Software Assurance Maturity Model) to address AI-generated code governance
  • Create attestation frameworks: How to document and prove security of AI-generated code
  • Develop audit trails: Tracking prompts, generated code, and security review decisions
  • Build bridges between vibe coding practices and regulatory requirements (SOC 2, ISO 27001, etc.)

4. Developer Education at Scale

  • Launch "Secure Prompt Engineering" course targeting 50,000+ developers
  • Create GitHub Learning Paths integrating OWASP guidance with AI tools
  • Partner with developer communities (Dev.to, Stack Overflow, Hashnode) for distribution
  • Gamify security: CTF-style challenges using AI coding tools with security objectives

Execution Timeline

Months 1-2: Survey developers on AI coding tool usage, pain points, and security concerns
Months 3-4: Draft secure vibe coding guidance, create initial prompt library
Months 5-6: Build partnerships with AI coding platform vendors
Months 7-9: Develop tooling (plugins, linters), launch educational content
Months 10-12: Pilot program with 10+ organizations, collect metrics, refine guidance

Measurable Outcomes

  • Secure Vibe Coding guidance adopted by 25,000+ developers (tracked via downloads, GitHub stars)
  • Partnerships with 3+ major AI coding platforms
  • 50,000+ developers complete training
  • 100+ organizations implement AI code security review processes based on OWASP guidance
  • Measurable reduction in vulnerabilities in AI-generated code (tracked through pilot participants)

Challenge 3: Regulatory Complexity, Drift Detection, and Global Compliance Fragmentation

The Problem

Organizations face an explosion of overlapping, sometimes contradictory regulations:

  • EU Cyber Resilience Act (CRA) mandates security by design
  • GDPR, CCPA, and 20+ privacy laws have different definitions of personal data
  • Middle East AI regulations (UAE, Saudi Arabia, Qatar) have unique requirements
  • APAC frameworks vary dramatically by country
  • US sector-specific regulations (HIPAA, GLBA, etc.) add layers of complexity

The real challenge isn't understanding regulations—it's drift detection: Organizations document compliance but actual implementation drifts over time, creating gaps between what's claimed and what's deployed.

Action Plan: "OWASP Compliance Bridge"

1. Create Unified Compliance Mapping Framework

  • Show how OWASP projects (ASVS, SAMM, Top 10, AI Exchange) map to multiple regulations simultaneously
  • Build "Common Framework" identifying overlapping requirements across jurisdictions
  • Create decision trees: "If you're in X region with Y data, you must comply with Z regulations"
  • Develop gap analysis tools: Compare current security posture against multiple regulatory requirements

2. Address Drift Detection Systematically

  • Create "Compliance Drift Detection" guidance showing how to monitor and verify continued compliance
  • Develop automated checking tools that validate actual implementation against documented controls
  • Build continuous compliance frameworks integrating with CI/CD pipelines
  • Create audit preparation playbooks that anticipate drift-related findings
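The drift problem stated above (documented compliance versus what is actually deployed) and the "automated checking tools that validate actual implementation against documented controls" can be shown in a few dozen lines. The following example was written for this page and is not an OWASP tool; the control ids, the policy format and both configuration snapshots are constructed, with a real program citing ASVS, ISO 27001 or CRA clauses instead of the placeholder ids. It distinguishes a control whose setting is present but out of policy from one whose setting has disappeared entirely, since the second case is what migrations and refactors typically cause, and returns a CI exit code so the check can run on every deployment.

```python
# Compliance drift detector: documented controls vs an observed configuration.
# Illustrative example added here; not an OWASP tool. Control ids, the policy
# shape and the two configuration snapshots are constructed.
import operator
from dataclasses import dataclass
from typing import Any, Callable

MISSING = object()  # sentinel: the setting is absent (distinct from a None value)

# Comparison operators a control may use; "in" checks membership in an allow-list.
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq,
    ">=": operator.ge,
    "<=": operator.le,
    "in": lambda actual, allowed: actual in allowed,
}


@dataclass(frozen=True)
class Control:
    control_id: str   # placeholder id; a real program cites the standard's clause
    setting: str      # dotted path into the observed configuration
    op: str           # key into OPS
    expected: Any
    attestation: str  # what the compliance documentation claims


@dataclass(frozen=True)
class Drift:
    control_id: str
    setting: str
    expected: Any
    observed: Any
    kind: str         # "missing": setting gone; "violated": present but out of policy


def lookup(config: dict, path: str) -> Any:
    """Resolve a dotted path; return MISSING if any segment is absent."""
    node: Any = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def detect_drift(controls: list[Control], observed: dict) -> list[Drift]:
    """Compare every documented control against the live snapshot."""
    drifts: list[Drift] = []
    for c in controls:
        actual = lookup(observed, c.setting)
        if actual is MISSING:
            drifts.append(Drift(c.control_id, c.setting, c.expected, None, "missing"))
        elif not OPS[c.op](actual, c.expected):
            drifts.append(Drift(c.control_id, c.setting, c.expected, actual, "violated"))
    return drifts


def report(drifts: list[Drift]) -> str:
    """Human-readable summary for a CI job log."""
    if not drifts:
        return "no drift: all documented controls verified"
    return "\n".join(
        f"{d.control_id} {d.kind}: {d.setting} expected {d.expected!r}, observed {d.observed!r}"
        for d in drifts
    )


def ci_exit_code(drifts: list[Drift]) -> int:
    """Non-zero fails the pipeline, so drift blocks the deployment that caused it."""
    return 1 if drifts else 0


# Documented controls (constructed), as the audit evidence states them.
CONTROLS = [
    Control("CTRL-TLS-01", "web.tls.min_version", ">=", 1.2, "TLS 1.2 or higher on all listeners"),
    Control("CTRL-LOG-02", "logging.retention_days", ">=", 365, "Security logs retained for one year"),
    Control("CTRL-AUTH-03", "auth.mfa_required", "==", True, "MFA required for administrative access"),
    Control("CTRL-NET-04", "db.public_access", "==", False, "Databases not reachable from the internet"),
    Control("CTRL-REG-05", "data.residency", "in", ["eu-west", "eu-central"], "EU personal data stays in EU regions"),
]

# Live snapshot (constructed). Since the audit, retention was lowered to save
# cost and the MFA flag was lost in a migration; the documentation still claims both.
OBSERVED_DRIFTED = {
    "web": {"tls": {"min_version": 1.2}},
    "logging": {"retention_days": 90},
    "auth": {},
    "db": {"public_access": False},
    "data": {"residency": "eu-west"},
}

# The same environment as the documentation describes it (constructed).
OBSERVED_COMPLIANT = {
    "web": {"tls": {"min_version": 1.3}},
    "logging": {"retention_days": 365},
    "auth": {"mfa_required": True},
    "db": {"public_access": False},
    "data": {"residency": "eu-central"},
}
```

The observed snapshot would come from whatever exports the environment's real state (infrastructure-as-code state, a cloud inventory API, a configuration management database); the point is that the check reads the deployed values, never the documentation, so drift between the two surfaces on the next pipeline run rather than at the next audit.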

3. Build Regional Compliance Guides

  • EU Focus: Map OWASP projects to CRA requirements (leverage Eclipse Foundation partnership and Steve Springett's work)
  • Middle East Focus: Translate OWASP guidance for UAE, Saudi Arabia, Qatar AI and data protection regulations (leverage "Machines Can See" relationships)
  • APAC Focus: Create country-specific guides for Singapore, Japan, South Korea, Australia
  • Americas Focus: Bridge OWASP standards with NIST frameworks, FedRAMP, and state privacy laws

4. Establish Regulatory Advisory Relationships

  • Position OWASP as trusted technical advisor to regulators globally
  • Participate in standards development processes
  • Provide implementation feedback to policymakers
  • Create feedback loop: regulators inform OWASP of pain points, OWASP creates practical guidance

Execution Timeline

Months 1-3: Launch EU CRA compliance mapping (building on existing work), publish initial framework
Months 4-6: Expand to Middle East regulations, create drift detection guidance
Months 7-9: Complete APAC and Americas guides, develop automated tooling
Months 10-12: Establish formal advisory relationships with 5+ regulatory bodies, iterate based on feedback

Measurable Outcomes

  • Compliance mapping framework covering 15+ major regulations
  • 1,000+ organizations using OWASP compliance guidance (tracked via downloads, tool usage)
  • 5+ regulatory bodies officially citing or endorsing OWASP standards
  • Drift detection tooling integrated into 3+ major compliance platforms
  • Regional guides available in 5+ languages (English, Arabic, Spanish, Mandarin, Japanese)
  • Measurable reduction in compliance gaps for adopting organizations (tracked through pilot program)

Cross-Cutting Execution Strategy

All three challenges share common needs:

1. Working Group Structure

Each initiative requires dedicated working groups with clear deliverables and timelines. I will personally chair or co-chair these groups to ensure accountability.

2. Industry Partnerships

Success requires collaboration with AI platform vendors (data security, vibe coding), compliance tool providers (drift detection), regulatory bodies (global compliance), and academic institutions (research validation).

3. Developer-First Approach

All guidance must be practical, actionable, and integrated into developers' existing workflows—not academic documents that sit unread.

4. Transparency and Community Engagement with the Security Mindset

  • Monthly progress updates on OWASP.org
  • Quarterly community calls for feedback
  • Public GitHub repositories for all frameworks and tooling
  • Open contribution models welcoming practitioners globally

5. Measurement and Iteration

Every initiative includes clear success metrics, feedback loops, and willingness to pivot based on community needs.

Why I'm Positioned to Lead This

Data Security and Governance in AI

Founded OWASP AI Exchange, established relationships with AI vendors and research institutions

Vibe Coding

Deep technical background in software development, DevSecOps, and developer education

Regulatory Complexity

Existing relationships with EU regulators (CRA work), Middle East policymakers ("Machines Can See"), and multi-jurisdictional compliance experience

I don't just see these as OWASP challenges—I see them as the defining security questions of the next decade. OWASP must lead, and I'm committed to making that happen.




Q3. Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?



My Approach to Project Triage

It is natural that some projects which were highly relevant in earlier years may no longer reflect current priorities, and that project leaders may have moved on or have limited bandwidth due to professional or personal commitments. My practical, time-bound plan is as follows:

Within 30 Days

Publish a Project Triage Criteria Document (factors: last commit activity, contributor responsiveness, usage metrics).

Within 60 Days

Conduct outreach to inactive leads, offering concrete support (e.g., co-leads, sponsorship assistance, or mentorship).

Within 120 Days

  • Projects with no response → moved to "Archived but Recoverable" status.
  • Projects with activity → paired with additional support and visibility boosts.
  • Projects with potential but no active leadership → open calls for new project leaders, publishing the list to members for transparency.

Verification

Progress will be tracked monthly on OWASP.org, in focussed forums and discussed during quarterly community calls.

Additional Strategic Initiatives

Nurturing Critical Projects - Active and Emerging

Projects like the Data Security Top 10, last updated in 2023, highlight the need to revisit areas of emerging importance such as data classification and protection. However, our focus must extend beyond dormant projects to actively groom and accelerate both existing critical projects and emerging initiatives that address today's evolving threat landscape. This includes providing strategic guidance, resources, and community support to ensure these projects achieve maximum impact and adoption across the industry.

"Scrum of Scrums" Model for Project Collaboration

I will initiate a "Scrum of Scrums" model to bring project leads together, identify overlaps or duplications, and establish monthly cadences within domains such as:

  • AppSec Domain: Web Top 10, API Top 10, Serverless Top 10
  • Threat Modeling
  • AI Domain: AI Exchange, GenAI, Verification Standards, AIMA

This will drive stronger synergy, collaboration, and consistency across projects.




Q4. What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?



Understanding the Middle East Technology Landscape

The Arab region, particularly the Persian Gulf states, represents one of the most dynamic technology markets globally. The Kingdom of Saudi Arabia, the United Arab Emirates (UAE), and the State of Qatar are moving rapidly to establish themselves as global centers of investment and innovation in artificial intelligence (AI). These nations are making substantial outlays in technology and infrastructure as they seek to diversify their economies away from oil dependency.

Critically, their governments are implementing comprehensive digital regulations and AI strategies in a bid to attract foreign investment and develop technology companies that can compete with American and European counterparts. While Gulf countries face significant challenges in achieving their AI and digital development goals, they are making considerable progress, due in part to early public-private initiatives and clear, decisive policy leadership.

This creates a unique opportunity—and responsibility—for OWASP to provide world-class security guidance precisely when these nations are building the regulatory and technical foundations that will define their digital economies for decades.

My Commitment to Supporting the Arab Region

Having established relationships through my participation as a panelist at "Machines Can See"—the Middle East's largest AI conference—I've witnessed firsthand the region's appetite for authoritative security guidance and talent development. My plan includes:

1. Policy and Legislation Engagement

  • Collaborate with regional academic institutions, policy bodies, and regulators to map evolving legislation in security, privacy, AI governance, and data protection
  • Ensure OWASP guidance (ASVS, SAMM, AI Exchange, Top 10) is contextualized for local regulatory compliance and addresses region-specific infrastructure challenges
  • Build on existing relationships with Middle Eastern regulators established during "Machines Can See" to create formal advisory channels
  • Position OWASP as a trusted technical partner for governments implementing their AI and digital strategies

2. Arabic-Language Resources and Localization

  • Expand Arabic-language resources for OWASP flagship projects, making secure coding materials accessible to the region's rapidly growing developer community
  • Launch a bilingual Secure Coding Webinar Series (Arabic & English) in partnership with local universities, training organizations, and chapter leaders
  • Develop localized content that addresses regional development patterns, regulatory requirements, and infrastructure considerations specific to Gulf economies

3. Regional Chapter Activation and Partnership

  • Partner with existing chapters in the region to amplify local impact and coordinate regional initiatives
  • Support chapter leaders with funding frameworks, marketing materials, and speaking opportunities at international conferences
  • Facilitate knowledge sharing between Arab chapters and the global OWASP community
  • Connect regional chapters with the public-private initiatives driving technology development in their countries

4. Talent Development Programs

  • Align secure coding training programs with both the Arab Cybersecurity Strategy and practical development needs
  • Establish mentorship connections between regional practitioners and global OWASP project leaders
  • Support the region's goal of building indigenous technology capabilities by providing world-class training resources

5. Regional Flagship Event

Work towards hosting "Middle East OWASP Day" within 18 months, focusing on:

  • Legislative and compliance updates relevant to regional digital transformation initiatives
  • Networking opportunities connecting regional talent with global enterprises and investors
  • Showcase of local security innovations and success stories
  • Policy dialogues with government leaders shaping regional AI and digital strategies

6. AI Exchange Leadership in the Region

  • Build on OWASP AI Exchange's established visibility in the Middle East through continued engagement at premier regional conferences
  • Leverage our existing Middle East-based sponsor to deepen regional partnerships and demonstrate ROI for local enterprises
  • Position OWASP as the authoritative voice on AI security standards for the rapidly growing MENA AI ecosystem, directly supporting regional governments' goals of attracting foreign investment and building competitive technology sectors

Why This Matters Now

The timing is critical. As Gulf states implement their digital regulations and AI strategies, they need trusted, vendor-neutral security guidance to ensure their infrastructure is built on solid foundations. OWASP's open-source, community-driven approach aligns perfectly with their goals of:

  • Building transparent, internationally recognized standards
  • Attracting foreign investment by demonstrating security maturity
  • Developing local talent capable of competing globally
  • Creating regulatory frameworks that balance innovation with protection

Scalable Model for Global Impact

This approach creates a replicable framework for OWASP's expansion into other underserved markets. By focusing on:

  • Localized Content & Language Accessibility
  • Regional Partnership Development
  • Talent Pipeline Creation
  • Regulatory Alignment
  • Public-Private Collaboration

we demonstrate OWASP's commitment to openness, inclusivity, and global neutrality while building sustainable engagement models that can be adapted worldwide.

Verification Metrics

Metric categories and their specific targets:

  • Arabic-Language Resources: 5+ flagship project translations in Year 1
  • Regional Events: attendance metrics for webinars, workshops, and Middle East OWASP Day
  • Chapter Growth: new chapters formed and meeting frequency across Arab countries
  • Partnerships: regional sponsor acquisition (companies, universities, government bodies)
  • Developer Participation: Arabic-speaking developers in OWASP projects and certifications
  • Policy Engagement: advisory roles, standards adoption, regulatory citations of OWASP guidance
  • Standards Adoption: documented adoption of OWASP standards in regional digital transformation initiatives

This comprehensive approach positions OWASP to play a pivotal role in shaping the next generation of security professionals in the Arab world while directly supporting the region's ambitious technology and economic diversification goals. It reinforces the foundation's global mission and demonstrates that OWASP can be a strategic partner in national digital transformation initiatives worldwide.


Ready to Lead. Ready to Deliver.

This isn't just a campaign—it's a commitment backed by concrete plans, measurable outcomes, and transparent accountability.

What You Get With Your Vote:

  • $200K sponsorship revenue in 90 days
  • 3 Working Groups activated
  • 15+ projects triaged and revitalized
  • Global policy influence established

  • Monthly progress reports on OWASP.org
  • Quarterly community calls for accountability
  • Transparent metrics and verification
  • Proven execution track record

Vote for leadership that doesn't just promise change—but delivers it.


🎤 Conference Speaking & Industry Engagement

A visual journey through global conferences, speaking engagements, and professional milestones


These moments capture the collaborative spirit, global reach, and industry impact that define my approach to cybersecurity leadership.