Kelly Santalucia
About Me
Hi! I’m Kelly Santalucia.
While I don’t come from an AppSec background, I know OWASP deeply, having had the privilege of working for the Foundation for 15 years. OWASP is a special organization that holds a big part of my heart, and I’ve been fortunate to experience both sides: how the community thrives and how the Foundation operates behind the scenes. This perspective gives me a unique understanding of the challenges we face and the opportunities ahead.
I am a long-time OWASP member passionate about advancing open source security, transparency, and community impact. As co-leader of the OWASP Virtual Chapter and former lead of the OWASP Executive Advisory Report (EAR) Project, I have worked closely with global members and industry leaders to understand how OWASP can best serve both practitioners and partners. My focus has always been on building bridges between chapters and the global community, between projects and contributors, and between OWASP and the organizations that benefit from its work.
If elected to the board, I will help secure financial sustainability, stronger chapter engagement, advance OWASP projects, and a global marketing strategy that elevates OWASP’s visibility beyond the AppSec community. I believe OWASP’s greatest strength lies in its people, and I am committed to ensuring every member, chapter, and project has the support needed to thrive.
What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
Open Source Contributions and Leadership
I am a long-time OWASP member and the co-leader of the OWASP Virtual Chapter, which was established earlier this year. I also led the OWASP EAR Project, in which high-profile companies were interviewed to understand what benefits they would value most from OWASP in exchange for financially supporting the Foundation.
If elected to the board, in my first 90 days I will:
- Publish a corporate engagement plan alongside the OWASP staff, building on the EAR findings to deliver valuable, sought-after benefits for industry partners and help increase revenue for the Foundation.
- Strengthen transparency by announcing board meetings to the community in advance, encouraging members to join and participate, and sharing quarterly progress reports on the Executive Director’s OKRs with members of our community.
- Revitalize and accelerate OWASP projects by fostering stronger community contributions, providing clearer leadership support, and driving measurable progress.
Members will be able to verify progress through visible corporate engagement wins, published updates, and expanded contributions that drive the development of more flagship projects.
What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead if need be for the goals you plan to achieve.
Challenge #1: Financial Sustainability and Funding Growth
OWASP’s growth and reach are limited by unpredictable revenue streams and dependence on sporadic sponsorships and event-based funding. This instability prevents investment in long-term projects and global initiatives.
Action Plan
- Expand Corporate Partnership Program: Create structured tiers in which organizations are recognized for supporting OWASP projects, chapters, and community growth, not just events or corporate support.
- Grants and Public Funding: Proactively source government, foundation, and philanthropic grants that align with OWASP’s role in public-interest cybersecurity education, alongside the OWASP staff.
- Individual Giving and Sustainers: Strengthen recurring donor programs with clear messaging around the global public good OWASP provides.
Challenge #2: Fragmentation of Local Chapters and Inconsistent Engagement
OWASP’s 200+ chapters are its strength, but they vary widely in activity and support. Some thrive as vibrant communities, while others struggle with leadership turnover and lack of resources.
Action Plan
- Chapter Health Dashboard: Build a transparent, regularly updated dashboard that tracks chapter activity, leadership status, and engagement metrics so members, leaders, and the board can quickly identify where support or intervention is needed.
- Regional Summits: Support regionally scaled events to build momentum in areas where global conferences may be inaccessible.
- Mentorship Network: Pair high-functioning chapters with developing ones to transfer knowledge and strengthen the global network.
Challenge #3: Marketing & Brand Visibility (Ambassadors, Advocates)
OWASP’s reputation is strong with AppSec professionals, but it lacks broader recognition among other organizations, CISOs, policymakers, educators, and the wider tech industry. This limits recruitment of new members and supporters.
Strategic Additions: Advocates & Ambassadors
- Ambassadors
  - Role: High-profile, visible representatives who champion OWASP externally.
  - Profile: Senior CISOs, CTOs, policymakers, educators, and thought leaders.
  - Function: Represent OWASP at government briefings, academic roundtables, industry boards, and executive forums.
  - Impact: Builds credibility with decision-makers and strengthens OWASP’s presence outside of developer/security circles.
- Advocates
  - Role: Community-driven evangelists who amplify OWASP within their networks.
  - Profile: Practitioners, chapter and project leaders, project contributors, educators, and industry partners.
  - Function: Drive visibility through blogs, podcasts, social media campaigns, and integration of OWASP into local events or curricula.
  - Impact: Scales OWASP’s voice, creates consistent messaging, and engages diverse ecosystems.
Action Plan:
- Create a centralized global marketing strategy that local chapters and projects can adapt, including social media campaigns, press outreach, and industry thought-leadership.
- Launch an OWASP Global Speakers Bureau: a vetted roster of industry experts, chapter and project leaders, and practitioners who can represent OWASP at global conferences, universities, and government roundtables. This ensures consistent messaging, a thought-leadership presence, and greater brand visibility across different regions.
- Partner with universities to embed OWASP materials into curricula. Position Advocates as guest lecturers and Ambassadors as keynote speakers.
- Industry & Policy Engagement: Ambassadors represent OWASP in government and industry alliances, while Advocates amplify OWASP’s success stories and impact within their networks.
By addressing financial stability, chapter engagement, and marketing visibility, OWASP can significantly increase its global influence.
Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
If elected, I will push for the OWASP staff to launch a 90-day project revitalization plan to address stale OWASP projects:
- By Day 30: Publish an up-to-date inventory of projects, categorizing each as active, stale, or unresponsive.
- By Day 60: For projects with unresponsive leads, recruit new leads from our community.
- By Day 90: Any projects still without active leadership will be formally marked dormant, with clear, published criteria for how new volunteers can relaunch them.
This plan ensures that within three months, every OWASP project will have a visible status, an engaged leader, or a clear path forward. We can’t afford to let great ideas die in limbo. Together, we’ll keep OWASP’s projects thriving.
What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
OWASP’s role is to inform, educate, and empower. In Arab countries, our support would come through vendor neutral resources, localized community engagement, and events aimed at providing knowledge and growing the next generation of secure software professionals.
Support for Arab Countries on Security, Privacy, and Data Protection
OWASP can provide vendor neutral and community-driven resources that help governments, enterprises, and individuals better understand security, privacy, and data protection trends.
For the Arab region, this support could include:
- Educational Resources: Continue publishing and improving open-source projects, guidelines, and references on software, operational technology, and cloud security. These can help organizations interpret and align with emerging data protection frameworks without OWASP taking a policy position.
- Knowledge-Sharing: Encouraging local chapters to host more meetups, hands-on workshops, and webinars.
- Translation & Localization: Supporting community-driven efforts to translate OWASP’s flagship projects and documentation into Arabic, making them more accessible to everyone in the Arab region.
Building Skills and Talent in Secure Coding
While OWASP does not provide certification or commercial training, we can support talent development in the Arab region through:
- Regional Events: Encouraging and supporting the OWASP staff to work with the local Arab chapters to host AppSec Days or training tracks within Arab countries.
- University Engagement: Support the OWASP staff in fostering partnerships between local chapters and academic institutions across the region.
- Mentorship and Community: Support the OWASP staff in empowering local practitioners to contribute to existing projects or launch new ones, to engage with experts through local chapter meetings, and to start a chapter themselves where none exists.
Thank you for taking the time to learn more about me and my vision for taking OWASP to the next level. I would be honored to have your vote and the opportunity to represent our community. Even if you choose not to vote for me, I hope you will support another candidate who shares the same passion and commitment to OWASP’s mission.
Disclaimer: I used a GPT-based tool to help refine parts of this page for clarity and flow. The final wording is mine, and the views and positions shared here are entirely my own.