Sam Stepanyan
About Me
Hello everyone,
My name is Sam Stepanyan, and I am honoured to run for re-election to the OWASP Global Board of Directors in 2025. Seeking a second term on the Board gives me the opportunity to maintain momentum on the initiatives I have started, while providing the continuity and leadership needed to strengthen the OWASP Foundation.
I have been an active member of OWASP since 2010, leading the OWASP London Chapter since 2015 and serving as Project Leader for the OWASP Nettacker Project. I volunteer my time on Board service, Chapter leadership, and project development, reflecting my long-standing commitment to giving back to the community. Over the years, I have organised numerous community events, mentored new contributors, and championed OWASP projects to a global audience.
My Board experience has given me the insight to address OWASP’s organisational challenges, while my hands-on volunteer chapter and project work keeps me closely connected to the needs of our community.
Outside of OWASP, I work as an independent Application Security Consultant & Architect in the financial services industry in London, where I apply my security expertise to help organisations design, build and deliver secure software.
Link to My Video:
Sam Stepanyan - OWASP Board Candidate Video 2025
What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
- I am a long-time active member of the OWASP community and a Chapter Leader of the OWASP London Chapter (since 2015), organising hundreds of OWASP London Chapter meetings with speakers from major tech companies and cybersecurity vendors. I became a member of OWASP in 2010 and have been attending OWASP London Chapter meetings as an attendee since 2008.
- My very first OWASP Global AppSec conference was OWASP AppSec Research in Hamburg in 2013. I also helped to organise and run the OWASP Global AppSec Europe conference in London in 2018.
- In 2020 I took on an additional leadership role as Chair of the OWASP Chapter Committee. In this position, I worked with fellow committee members to provide guidance and support to OWASP Chapter leaders worldwide to ensure that OWASP Chapters have all the resources to help them succeed.
- In 2023 I was also nominated for the OWASP Web Application Security Person of the Year (WASPY) award, which is an annual award given out by OWASP to recognise contributions in various categories. I was honoured to receive this award in the Chapter Leader category.
- Over the years I have contributed to several OWASP projects including OWASP Top 10, OWASP Nettacker and OWASP ZAP. I am also one of the Leaders of the OWASP Nettacker Project. If you have never heard about OWASP Nettacker — do check it out!
- I have served as a mentor in the Google Summer of Code (GSoC) program, guiding students working on OWASP projects. In this role, I not only helped them develop technical skills but also introduced them to OWASP’s mission, community, and the importance of secure software development. Many of these graduates have gone on to become ambassadors for OWASP in the industry, bringing knowledge of application security best practices and open source security tools to their employers.
- In addition to my chapter and project leadership, I have been active in bringing OWASP into academic environments through guest lectures and conference presentations. I have spoken at several UK universities and educational forums to introduce students and faculty to OWASP projects, secure coding practices, and the OWASP Top 10. Examples include talks at Kingston University, the University of Roehampton, the University of Hertfordshire, and the Advances in Cyber Security Education Conference. These engagements not only inspire the next generation of cybersecurity professionals, but also strengthen OWASP’s visibility in academia, laying the groundwork for student chapters and long-term educational partnerships.
- I regularly represent OWASP on the international stage, speaking at leading security conferences such as Black Hat Europe, Black Hat Asia, BSides Athens, BSides Krakow, BSides Dublin, BSides London, AppSec Israel, and several OWASP Global AppSec Conferences. I have also staffed the OWASP Booth at several conferences including NDC Europe and ISACA. This October and November I will be speaking at OWASP LASCON 2025 in Austin, Texas, and OWASP Global AppSec in Washington, DC. These engagements amplify OWASP’s mission, showcase its projects, and help to connect our community with practitioners, researchers, and the industry worldwide.
- I have also been featured on multiple industry podcasts where I evangelise and share OWASP’s mission, vision and resources with global audiences.
First 90 Days - Three Measurable Outcomes
In my first 90 days of a renewed term I will focus on these 3 measurable outcomes I plan to deliver:
Outcome 1: Chapter Leaders Orientation Course
The Problem: Currently, many prospective chapter leaders applying to start new OWASP Chapters do not understand what is required of them, how the OWASP Foundation works, or what OWASP policies and procedures entail. They simply tick the box in the commitment agreement confirming they have “read” all policies (e.g. the Chapters Policy, Expenses Policy, Code of Conduct) without actually reading or understanding these critical documents. As a result, many new chapters either remain inactive, because they do not understand the minimum events per year requirement, or overload the Foundation staff with questions without delivering any value to their local community.
Deliverable: Develop and launch a structured onboarding training course for new chapter leaders, including video modules and quizzes to ensure understanding of OWASP policies, requirements, and responsibilities. This will reduce inactive chapters and significantly improve community value delivery.
Verification: The course will be available on YouTube.
Outcome 2: OWASP Certified Secure Developer (OCSD) Certification Syllabus
The Problem: There is a clear need for a respected certification that validates secure coding abilities. I believe that this certification perfectly aligns with OWASP’s mission and will provide immense value to developers and the industry. Having OWASP-certified developers on staff will give organisations assurance that their developers truly understand secure coding best practices - this will help companies reduce risk, increase customer trust, and strengthen their competitive edge.
Deliverable: Complete and publish the OWASP Certified Secure Developer (OCSD) Certification Syllabus.
Verification: Open-source project repository live on OWASP GitHub.
Outcome 3: Official OWASP Training Event in London
The Problem: OWASP has traditionally offered official training sessions only at the annual Global AppSec conferences in the USA, Europe, and Asia. While valuable, this limits training availability to just nine days per year. Many organisations cannot justify sending employees abroad for multi-day conferences, and this restricted schedule also limits OWASP’s ability to generate revenue from training.
Together with my OWASP London colleagues, I have worked on the idea of launching an official OWASP Training program delivered independently of conferences. The first event will be held in London, with the model gradually expanded to other major locations across Europe, North America, Africa and Asia.
Deliverable: Official OWASP Training Event in London planned and published.
Verification: Training event listed on the OWASP website, with official courses available for booking.
What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead, if need be, for the goals you plan to achieve.
Answer
Challenge 1: Limited Awareness of OWASP Among Developers
The Problem: It is now 2025, yet many software developers remain unaware of OWASP, its standards, guidelines, and projects. Some may have heard of vulnerabilities such as SQL Injection, but only a small percentage realise this is part of the OWASP Top 10. This lack of awareness not only limits the adoption of OWASP resources in everyday software development, but is also causing many of the security issues and breaches we experience daily. Developers are working without knowing that OWASP provides authoritative, free, and vendor-neutral application security and secure coding guidance, standards, and tools.
Actionable plan:
- Proactive outreach through developer conferences and meetups, ensuring OWASP has a presence where developers already gather.
- Promote OWASP Training (and the Certification when it is ready) at developer conferences and events.
- GitHub Integration: Collaborate with GitHub to introduce OWASP security advisory templates and PR comment bots that reference relevant OWASP resources when security issues are detected. Advocate for GitHub Copilot Code Review to incorporate security checks and references to OWASP projects, embedding security guidance directly into developers’ workflows.
Challenge 2: Limited Adoption of OWASP Standards by Governments and Standards Bodies
The Problem: While OWASP projects like the Top 10, ASVS, SAMM, and CycloneDX are widely respected in the security community, their adoption by governments, regulators, and standards bodies remains inconsistent. Without official recognition, OWASP resources are underutilised in legislation, compliance frameworks, and procurement requirements, which reduces their global impact and slows industry-wide improvement in software security.
Actionable Plan:
- Policy Engagement: Establish an OWASP Government & Standards Working Group to engage with regulators, standards organisations, and policymakers worldwide.
- Advocacy for OWASP Flagship Projects such as ASVS, SAMM, CycloneDX, and GenAI Projects: Promote adoption of OWASP’s established projects together with emerging OWASP GenAI Projects as frameworks and benchmarks for secure AI development and compliance.
- Strategic Partnerships: Collaborate with international bodies (e.g. ISO, ENISA, NIST) to align OWASP projects — including GenAI initiatives — with existing and upcoming security frameworks.
- Showcasing Success Stories: Publish case studies highlighting where OWASP projects, especially GenAI frameworks and guidelines, have been referenced in standards or policy, building momentum for wider adoption.
Challenge 3: Lack of Sustainable Funding for OWASP
The Problem: OWASP’s current funding model relies heavily on conference revenue and a small pool of corporate memberships and sponsorships. This makes the Foundation financially vulnerable, restricts our ability to scale projects and chapters, and limits investment in new initiatives. To thrive, OWASP needs more diverse and sustainable funding sources.
Actionable Plan:
- Expand Industry Partnerships: Develop tailored sponsorship packages for enterprises, cloud providers, and security vendors that highlight the benefits of supporting OWASP projects and training.
- Government and Academic Grants: Actively pursue grants for open-source security, privacy, and education initiatives, especially where OWASP projects align with regulatory or educational goals.
- Training Revenue: Promote OWASP Training (and future Certifications) as ongoing revenue streams, independent of conferences, and expand these globally.
- Corporate Adoption Campaigns: Launch a programme that recognises companies that adopt and contribute to OWASP standards, encouraging financial support alongside community contributions.
Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time-bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
Answer
OWASP is home to hundreds of projects at different levels of maturity — from Incubator projects that encourage innovation, to Lab projects that are maturing, to Production projects that are production-ready, and finally to Flagship projects that demonstrate strategic value to OWASP and to application security as a whole.
The Flagship projects are strategic Foundation assets that must not be allowed to go inactive, as they represent OWASP’s credibility and global influence.
Action Plan (within 90 days):
- New Working Group: Establish a Projects Health Working Group focused on the health and sustainability of strategic projects. This group will work alongside the Project Committee but with a clear mandate to protect OWASP’s flagship initiatives.
- Governance & Policy Update: Collaborate with the Project Committee to update the project governance model and the project policy, introducing clearer expectations, escalation paths for inactive leaders, and smoother onboarding for new co-leaders or contributors.
- Leveraging OWASP Nest: We already have a valuable resource in OWASP Nest (nest.owasp.org), which provides deep insights into project activity, contribution opportunities, and communication channels. OWASP Nest should become the data source for project audits, governance decisions, and transparency, giving the community clear visibility into which projects are thriving, need support, or require leadership changes.
What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
Answer
OWASP already has several active chapters in the region, and these local chapters and volunteers are vital for connecting governments, industry, and academia with OWASP’s resources. By empowering and supporting these chapters, we can ensure that OWASP guidance, standards, tools and resources reach policymakers, enterprises, and developers in the region, while also fostering local talent in secure coding and application security.
Before the pandemic, OWASP ran the OWASP AppSec Morocco & Africa conferences in the region, which I believe should be re-established.
Action plan:
- Re-launch OWASP AppSec Morocco (and Africa) as a regional flagship event, reinstating the conference + ‘at-conference’ training model with local chapters’ support, and making it an anchor event for the region.
- Host an Official OWASP Training Event in the region.
- Support local chapters in running Capture the Flag and Secure Coding Tournaments to engage and inspire their communities.
- Engage with OWASP’s existing Corporate Supporters to identify those active in the region and encourage their support and sponsorship of regional events.
Closing statement
OWASP is loved by so many because it fosters a strong sense of community and belonging. It gives people the chance to be part of something meaningful and impactful, where collaboration leads to real change.
Our community is OWASP’s greatest asset. The people who contribute through meetups, conferences, summits, and projects form a vibrant, diverse, and passionate movement. There is nothing quite like the experience of working together to tackle critical security challenges, and it is this collaborative spirit that makes OWASP truly unique.
If re-elected, I will continue to support and strengthen this community, ensuring OWASP remains a welcoming and impactful place for all.
I would be honoured to have your vote. Thank you.