Steve Springett
About Me
Hi there, I’m Steve Springett, and I’ve been deeply immersed in the OWASP community for quite some time. My journey with OWASP began back in 2012, and it’s been a thrilling ride ever since. I’m a proud lifetime OWASP member and currently serve as Vice Chair on the OWASP Global Board of Directors where I help drive the continued growth of the foundation and the pursuit of its mission to make secure software a reality through open collaboration, education, and innovation.
I’m passionate about helping organizations identify and reduce risk from the software supply chain. I’m an open source advocate and help lead OWASP Dependency-Track and Chair the OWASP CycloneDX Core Working Group and Ecma International Technical Committee 54 (TC54).
Additionally, I co-authored and lead the OWASP Software Component Verification Standard (SCVS), which has been referenced in its entirety in the NIST Secure Software Development Framework. In my day job as the Director of Product Security at ServiceNow, my team and I are on a mission to make sure that the software we build and deliver is not just secure, but resilient in the face of emerging threats.
Outside of my professional achievements, I find joy and balance in my personal life. I reside in the Northshore of Chicago with my beloved wife, Vera, daughter Aryana, and a Chihuahua rescue named Ani.
Why I’m running for re-election
As a current member of the OWASP Global Board of Directors, I am running for re-election to continue advancing our mission of improving the security of software for all. Over the past term, I have worked alongside fellow board members, leaders, and contributors to strengthen OWASP’s programs, grow our global community, and ensure our organization remains impactful, relevant, and sustainable.
A key focus for my next term will be building upon the revenue diversification strategies already in motion. OWASP’s independence and ability to deliver on its mission depend on a healthy, sustainable funding model. By broadening our sources of revenue, we reduce reliance on any single stream, safeguard against volatility, and create more opportunities to reinvest in our community, projects, and chapters.
I am also committed to expanding OWASP’s reach and influence through active participation in global standardization efforts. Standards such as CycloneDX, which originated within OWASP, demonstrate how our community can set industry direction, improve interoperability, and drive adoption across sectors. By engaging with standards bodies, regulatory discussions, and cross-industry collaborations, we can ensure OWASP’s voice is heard and our projects are positioned to shape policy and practice.
Outreach to broader developer communities is another priority. Security cannot be siloed; it must be integrated into the everyday workflows of developers, engineers, architects, and product teams. I will work to strengthen OWASP’s connections with adjacent open-source, DevOps, cloud-native, and other software communities, sharing our resources, collaborating on initiatives, and bringing new voices into our community.
Finally, I believe that measurement and transparency are essential to our credibility and growth. I will champion initiatives to track, measure, and communicate OWASP’s global impact, from project adoption metrics to community engagement and training outcomes. Demonstrating the tangible value OWASP delivers will inspire new members, contributors, and supporters, while helping us focus our efforts where they make the greatest impact.
I am proud of what we have accomplished, but I know there is more to do. With your support, I will continue to serve with dedication, strategic vision, and a steadfast commitment to OWASP’s mission and community.
Link to My Video
https://www.youtube.com/watch?v=VlFSCnv56CM
What open source contributions, research or visible leadership work have you done? If few, what 3 specific outcomes will you deliver in your first 90 days on the board in OWASP and how will members verify the progress?
Over the past several years, I have made substantial contributions to open source, research, and visible leadership:
- Open Source Leadership: I am the founder and current Chair of the OWASP CycloneDX project, which has grown into one of the most widely adopted SBOM standards in the world. I’ve also led the OWASP Dependency-Track project and contributed to the Software Component Verification Standard (SCVS).
- Standards Development: I currently serve as Chair of Ecma International TC54, where I lead global efforts in software and system transparency, including Package-URL, OWASP Common Lifecycle Enumeration (CLE), and the Transparency Exchange API. These standards help strengthen the global software supply chain.
- Research & Publications: I have authored multiple authoritative guides (SBOM, CBOM, Attestations) and regularly publish thought leadership in software supply chain security. My work is referenced by governments, regulators, and industry bodies.
- Visible Leadership: I serve on the OWASP Global Board of Directors and actively represent OWASP at industry events, government workshops, and international standards bodies.
In my first 90 days of a renewed term, I will focus on three priorities that directly advance OWASP’s strategic mission:
- Evaluate and Align OKRs: Work with the Executive Director to evaluate the 2025 OKRs and establish 2026 OKRs that are measurable and aligned with OWASP’s long-term strategy.
- Advance Revenue Diversification: Continue and expand the revenue diversification discussions already in motion, moving from concept into implementation. Updates will be shared in board minutes and community calls so members can see concrete progress on building a sustainable financial model.
- Launch the First Annual Impact Report: With the support of the ED and OWASP staff, publish OWASP’s first yearly impact report. This will provide the community with a clear view of the impact OWASP is making today, along with a transparent roadmap for 2026.
What do you see as the top three challenges for OWASP to increase impact and visibility worldwide? Please provide an actionable plan which you can spearhead and lead if need be for the goals you plan to achieve.
The top challenges that I see are:
- Sustainable Funding and Revenue Diversification
Challenge: OWASP’s ability to scale its global impact is limited without a stable, diversified funding model. Reliance on narrow revenue streams exposes the organization to risk and constrains investment in projects and chapters.
Action Plan: I will continue leading revenue diversification efforts already in motion, expanding corporate partnerships, exploring grants, and creating new value-driven revenue streams.
- Marketing and Outreach
Challenge: OWASP’s marketing is underdeveloped and often fails to meet our audiences where they are. To increase visibility and inclusivity, we must reach new communities beyond traditional security circles.
Action Plan: Building on the 2025 OKR given to the Executive Director to establish relationships with two new communities, I will drive continued outreach in 2026. This means expanding OWASP’s presence at external conferences, embedding ourselves in adjacent communities, and ensuring our community represents the full spectrum of stakeholders, from policymakers, CISOs, and privacy advocates to safety experts and security practitioners.
- Measuring and Communicating Impact
Challenge: OWASP delivers tremendous value through projects, chapters, and training, but lacks consistent measurement and storytelling to communicate that impact.
Action Plan: With support from the Executive Director and OWASP staff, I will spearhead OWASP’s first yearly Impact Report. This report will highlight project adoption, community engagement, and working group outcomes, while also setting a transparent roadmap for the following year. By making our results visible, we inspire new members, contributors, and supporters to join us.
Several OWASP projects are stale and leads are unresponsive. If elected, what is your concrete, time bound plan to triage these projects, re-engage with inactive leads or relaunch based on clear criteria and timelines?
This is an operational issue, and the OWASP Board should not be directly managing or policing projects. However, it is a strategic priority for our stakeholders and community to be able to easily discover and engage with healthy projects, and to know where their contributions can have the greatest impact.
In my next term, my concrete, time-bound plan is to leverage the Contributing.yaml standard currently being drafted at Ecma TC54. Within the first year of ratification, I will champion its adoption across all OWASP projects. This will provide a uniform, machine-readable way for every project to declare its state, support needs, and contribution opportunities.
How this helps triage:
- Projects that are inactive or abandoned can explicitly declare that status in contributing.yaml.
- Active projects can clearly signal how contributors can help (development, documentation, outreach, etc.).
- The community and the Foundation can then make informed decisions about relaunching, archiving, or investing in projects based on transparent criteria rather than subjective judgment.
This approach creates a sustainable, standards-driven framework for project lifecycle management. It avoids the Board stepping into operational roles, but still delivers a measurable, time-bound solution that increases transparency, accountability, and contributor engagement across the entire OWASP project portfolio.
What kind of support will you provide for Arab countries in regard to trending legislation in security, privacy and data protection, for software, OT, and cloud? Will you plan for specific events to cover the growth of talents and skills in secure coding in this particular region?
OWASP is a registered 501(c)(3) non-profit foundation. This means we cannot lobby in any jurisdiction. However, we can and should serve as an authoritative, neutral source of information that policymakers, regulators, and practitioners can rely on to inform both policy and practice.
From a global perspective, it’s important to recognize that not all jurisdictions are moving in the same direction. While some are advancing legislation in security, privacy, and data protection, others are moving in the opposite direction. OWASP must remain apolitical and focused on what we do best: providing vendor-neutral, community-driven resources that raise the baseline of software and system security.
In Arab countries specifically, OWASP can support stakeholders in three ways:
- Authoritative Guidance: Leverage OWASP projects like ASVS, SAMM, and the AI Exchange to provide frameworks that align with emerging regulations in software, OT, cloud, and AI. These are globally applicable but can be mapped locally to meet regional needs.
- Talent and Skills Development: Empower local chapters to host secure coding trainings, hackathons, and community events. The Board’s role is not to run these events, but to support, amplify, and connect them with OWASP’s global resources.
- Community Expertise: OWASP already includes some of the world’s leading privacy and data protection experts. By engaging them in regional conversations, we can ensure OWASP content reflects best practices in privacy and security while staying politically neutral.