Fred Donovan
About Me
Hello, I am Fred Donovan, a divisional security lead and application security architect for a large multinational corporation. I help lead the application security program for over 350 security champions across several countries. I am a Lifetime OWASP member with 18 years of leadership activities, including project contributions, conference presentations, and serving as a chapter leader. My AppSec experience spans over 20 years in both public and private sectors as a builder, breaker, and defender, leveraging OWASP tools and resources to strengthen defense-in-depth security postures.
Link to My Video
What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
For all questions, please see my video above for a more broad discussion on each.
I have been a leader of large scale development practices for over 20 years as well as a volunteer on several OWASP projects. As a leader, it is my responsibility to understand how open source is utilized within development activities from integrating continuous, implementation of that code in applications, and parsing the libraries for malware. I am also an author of internal standards and policy implementations.
What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead if need be for the goals you plan to achieve.
Revised Funding Approach:
OWASP is too heavily reliant on conferences for funding. We are not effectively engaging the vast community of companies that utilize OWASP resources without contributing back through funding or project assistance. As discussed in my video, we need to build a model that allows corporations to directly support major work on projects they want to sponsor. With the right funding models, this will enable corporations to establish internal OWASP chapters that can focus their efforts on specific flagship projects.
This approach would create a mutually beneficial ecosystem where companies investing in OWASP resources can actively participate in strengthening the tools and standards they depend on.
OWASP Community Involvement:
We are not actively engaging with organizations that produce legislation, standards, and requirements on software security. The recent NPM attack serves as a prime example. OWASP leadership should have been proactively communicating the approaches and best practices that OWASP has developed to address these issues.
The Board and Executive Director need to be visible during these critical situations, and not merely through LinkedIn and X posts, but through direct engagement with government agencies, standards organizations, and news outlets. This requires leveraging relationship-building skills to effectively communicate OWASP’s strengths and thought leadership.
Lack of Global Focus:
As someone who works with individuals across multiple countries, I can confirm that OWASP still has a perceived identity as primarily a US organization, and to a lesser extent, an EU organization.
While we have excellent contributors in several countries, we need to improve our engagement model to actively participate in conferences and workshops that reach a global audience. To increase our worldwide exposure, OWASP should immediately launch monthly Global Workshops. These workshops should be led by Board members who have experience working at the international level and collaborating with bodies like NIST and ENISA. We have an opportunity to be the conveners of discussions on the most critical topics that all development organizations are addressing. My initial suggestions focus on AI Security and Supply Chain Risk Management.
This requires Board members like myself who have extensive international experience and can contact regulatory bodies and standards organizations to bring their experts into these workshops. This is not a funding model; this is a strategy to expand OWASP’s reach, reputation, and global impact.
Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
We need to systematically review all projects and build a usable dashboard with criteria that can be easily assessed by the community. This will provide a clear understanding of which projects are actively needed, which can be retired, and where we need new leadership.
We have the data available, so this initial assessment can be completed quickly. Once project prioritization is visible through the dashboard, we can launch monthly Town Halls for each project to engage community members who are motivated to contribute and take on leadership positions.
What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
Software security is a fundamental need for all businesses, regardless of location. Anyone who wants to access our resources can do so freely. In the context of OWASP’s productions and projects, software security should not be constrained by politics. Nevertheless, privacy and data protection standards vary by country and must be respected accordingly.
As an educator, I can confirm that intelligence and capabilities are not determined by where a person resides. OWASP already serves as an enabler of AppSec education through our resources, reaching every country globally.
Regarding specific events, we can expand our catalog of online events for international markets and should evaluate any legal implications as we do so.