Jerry Hoff
About Me
For over 15 years, I’ve dedicated myself to building, teaching, and advancing the global application security community through OWASP. Over the years, OWASP has been more than an organization to me. It has been a family that has shaped my career, given me lifelong friendships, and inspired me to contribute back to the global security community.
My professional journey has included leadership roles at Aspect Security, WhiteHat Security, Sony Electronics, and NTT. Today I run AppSec Training, a boutique company dedicated to helping development and security teams strengthen application security through education.
I aim to empower volunteers, strengthen funding, expand OWASP’s global visibility, and ensure our projects and chapters flourish. I’m committed to helping OWASP grow as the definitive global voice in application security.
Video
Why I’m running for the OWASP Board | 2025 Jerry Hoff Video
Question 1: What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
I’ve been an OWASP member since 2008, and a lifetime member since 2010. In that time, I’ve worked on the following projects:
- Antisamy.NET (rich HTML purifier to mitigate XSS while allowing HTML input)
- WebGoat.NET (still used by universities, a C# broken web app inspired by the original OWASP WebGoat).
- OWASP AppSec Tutorial Series (https://www.youtube.com/@AppsecTutorialSeries)
- OWASP Virtual Chapter Co-Leader (https://owasp.vc)
- OWASP Jeopardy (performed at many live conferences to engage and educate in a fun and memorable way)
- OWASP Executive Advisory Report to the board (To drive more revenue to the foundation to invest back into the OWASP community)
This track record shows my long-standing commitment to OWASP’s mission, both in creating tools and leading communities.
And in the first 90 days, this is what I will do:
- Support members, chapters and volunteers: OWASP’s strength is its people. In my first 90 days, I’ll launch a monthly spotlight series highlighting chapter achievements, establish a volunteer recognition program, and host virtual town halls to directly engage with our community.
- Fundraising support: Empower the OWASP staff to update our benefits for corporate supporters! I’ve already been working with OWASP staff behind the scenes for months now, and it’s coming into focus. I’ve interviewed security leaders asking why they aren’t OWASP corporate supporters, and I got great feedback. Most told me they wanted different benefits, so that’s what we’ve been working on, and that will go live within the first 90 days.
- More corporate supporters: I will work with staff and my network to bring in several new large corporate supporters within the first 90 days. OWASP resources are used by nearly every company on the planet, but our corporate supporter list, while strong, doesn’t yet reflect OWASP’s global impact.
These are outcomes I can commit to, and will deliver because I have been working for a long time on them behind the scenes. But as a board member, my focus will be on empowering the OWASP staff and community to succeed.
Question 2: What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead, if need be, for the goals you plan to achieve.
- Visibility: Although we have great conferences, and the usage and downloads of OWASP materials and tools are staggering, we are not yet visible enough on the world stage. Our mission is “to be the global open community that powers secure software through education, tools, and collaboration”. To be global means we need to reach the globe, on a continuous basis. When anything in application security or related fields is happening, OWASP must be the go-to global voice for AppSec. As a board member, I’ll help establish media relationships and ensure OWASP experts are accessible worldwide.
- Funding: It’s not glamorous, but it’s necessary. Funding alone doesn’t solve everything, but without it, nothing else is possible. And that is the part of the puzzle we need to fix to give OWASP the stability and funds to achieve its full potential. The action plan is outlined in my recent presentation to the board in the OWASP Executive Advisory Report (OWASP EAR).
- Support: What I love about OWASP is its openness. Anyone can come in and contribute. But we need a strategy to better support projects and chapters. There are projects and chapters out there that are doing really amazing things, and with a bit of support they can do even more. The action plan is to establish regular forums for project and chapter leaders, listen to their needs, and ensure staff have the resources to help them succeed.
Question 3: Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
This is a great question, but to put it into context, I don’t think the board or board members should be doing that work, but instead we should be establishing a framework that ensures projects and project leaders thrive and are appreciated within OWASP.
From a board member point of view, we should:
- First 90 days: Work with OWASP community and staff to prioritize which projects are most important to the mission of OWASP.
- Within 6 months: Work with the OWASP community and staff to agree on and publish project health criteria for projects.
- Within 9 months: Ask for a triage report of all projects, labeling based on the health criteria.
- Starting 2026: The board can then support and oversee a community-driven leadership campaign to help find leaders for projects in priority order based on their importance to the OWASP mission and the global community.
- Support the community in adopting an ongoing review process for projects, ensuring transparency and sustainability. Archived projects should, of course, remain available for reference.
Question 4: What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
I believe that security, privacy and data protection all fall under OWASP’s core mission. OWASP is a global organization, and definitely should be focused on serving people all over the world in this manner. I mentioned previously that increasing funding to OWASP is a core responsibility of the board and one that I will absolutely focus on.
OWASP should continue to produce educational materials in many languages and empower regional chapters to deliver training aligned with local needs, helping talent worldwide grow in secure coding and related skills.