I am a lifetime member of OWASP and I’ve been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee, the Global AppSec San Francisco Organizing Committee, the Policy Review Committee, and am the Chapter Leader of the Nashua Chapter. I’ve volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.
I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230), HTTP Cookies (RFC 6265), TLS (RFC 6125), and the HTML specification. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC, and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more).
Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group, which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.
In my professional capacity, I spent over a decade working as a web developer before switching to information security. As a security professional, I’ve worked for the largest fintech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg (Europe). At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand; however, anyone using a mobile device has used an Arm product, as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet. Currently I am working at a fintech startup, Recurly, in the role of Security Assurance, which includes information security and compliance activities.
How will you help active projects thrive and become more recognized and used by the software industry?
Projects thrive when they have enough volunteers to continue to improve the project, and a community of users that adopt the project and provide feedback. Projects become used and recognized when they meet a need in a substantial way. The Board can help Projects in three ways:
- Provide budget support
- Provide promotional opportunities (website, conferences, etc.)
- Provide an operating framework
You’ll notice that none of the above guarantees a project will thrive or be adopted more widely. That’s because the Project, not the Board, is the primary driver of its success. The Board could become more involved, but I suspect Projects would prefer their autonomy.
All of that said, Projects are an important part of delivering the mission of OWASP and as a Board member, I would be open to exploring new ways to support them.
Please describe any previous experience you have had running or on the board of a large international non-profit.
Depending on who you ask, a “large” non-profit has revenues of over $50M to $100M. OWASP is under $5M, putting it in the “medium” category at most. I am unaware of any Board member, past or present, who has experience sitting on a non-profit Board with revenues of over $50M.
Regardless, the OWASP Board is supposed to be made up of OWASP members; we’re not looking for professional non-profit Board members, we’re looking for motivated and spirited individuals to join the Board to help shape the mission and direction. I would encourage you to look at the passion, skills, and talents of the candidates and decide based on that.
For myself, I’ve volunteered with OWASP for over a decade and have attended a variety of Board meetings – I know how they operate. Additionally, I am on the Compliance Committee, so I am well aware of the various Bylaws, rules, guidelines, and codes by which OWASP is governed. Finally, I’ve operated my own $2M business with employees, so I am comfortable with budgets, finances, cash flow, forecasting, and everything else that goes with maintaining my fiduciary responsibility.
As far as the international aspect to OWASP, I lived and worked in Europe (Luxembourg) for four years and attended OWASP events while I was there. I know first-hand how important the international community is to the success of OWASP.
What, if any, aspects do you think would need improving regarding OWASP membership?
I agree with the new Membership policy.
What is your plan for increasing women and minority participation in OWASP?
Increasing diversity in OWASP is something I have always been a champion of. I joined OWASP’s Women in AppSec Committee several years ago, before it was a committee, and was instrumental in shepherding it into a committee using the OWASP Committee 2.0 rules. That’s why I am so ecstatic that Andrew van der Stock, OWASP Executive Director, is actively focusing on diversity and inclusion for OWASP.
Specifically, with regard to increasing participation by women and minorities: the biggest lift OWASP can do is ensure that we offer a welcoming environment for women and minorities. As a Board member, I would require every OWASP event to meet its obligation to have a safe, welcoming environment by enforcing the Anti-Harassment Policy and ensuring it has teeth and is used in real-time at events. One bad experience at our event means that person will likely never return, and further, they will tell others about their experience, causing yet more people to never give us a try. There is no way to increase participation without having this in place.
How will you help OWASP to provide an even better user experience to our target audience via our websites and GitHub organization?
Modifying the website to provide a better user experience is an operational issue handled by the Foundation Executive Director and Staff. The Board can call this out as a priority and can provide resources, but ultimately the Foundation Executive Director and Staff are responsible for this.
What kind of specific partnerships would be beneficial for improving OWASP recognition and collaboration with the broader security community?
OWASP already enjoys broad recognition and already has collaboration with different organizations. One area I think OWASP would find great value for partnering is with universities on secure coding curriculum. Students do not emerge from the university with enough knowledge of application security issues to be prepared for the working environment. OWASP could help develop curriculum while also elevating its recognition as a leader in application security.