I am a lifetime member of OWASP and I’ve been involved with OWASP since 2008. I am currently serving on the OWASP Foundation Board of Directors, and in the past I have served on the Compliance Committee, the Global AppSec San Francisco Organizing Committee, the Policy Review Committee, and I was the Chapter Leader of the Nashua Chapter. I’ve volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.
I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230), HTTP Cookies (RFC 6265), TLS (RFC 6125), and the HTML specification. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC, and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more).
Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group, which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.
In my professional capacity, I spent over a decade working as a web developer before switching to information security. As a security professional, I’ve worked for the largest fintech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg (Europe). At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand; however, anyone using a mobile device has used an Arm product, as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet. Currently I am serving as the Chief Information Security Officer at a fintech startup, Sarine.ai, focused on payments, fraud, and compliance.
Link to My Video
How do you intend to extend outreach to developers and developer communities outside of the security ecosystem?
OWASP is a volunteer-driven organization. Extending outreach to developers and developer communities is within the scope of the Outreach Committee. If this is an important issue to you, I encourage you to join the Outreach Committee and start an effort to do so. You can learn more about the Outreach Committee here:
What practical experience can you bring to the specific challenges a nonprofit organization like OWASP faces such as fundraising, staff support, operating model/by-laws, etc?
I am already serving on the OWASP Foundation Board of Directors. Beyond the experience of already serving on the Board, I am a Chief Information Security Officer at a startup and I am nearly done with my Master in Legal Studies focused on Corporate Compliance. I also have extensive experience volunteering for OWASP (you can read about it in my bio above).
How do you plan to become less dependent on the primary revenue stream of “Offline Conferences”?
OWASP is already less dependent on conference revenue. We had to cut expenses and find other sources of income to ensure the organization stayed afloat. The budgeted income for conferences in 2022 is $1,375,000 (see https://owasp.org/www-staff/budget/2022). The actual income from conferences in 2018 was $3,400,843 (see: https://owasp.org/assets/financial/2019_OWASP_Budget.pdf). The difference is $2,025,843, which is a sizable number to have to manage a shortfall. I encourage you to review the 2022 budget to see how the Board has approached readjusting the organization’s finances to ensure we’re able to continue meeting the needs of our community and will be around for a long time to come. One big difference from 2018 you might notice is the Foundation Staff have really gone all out to increase both personal and corporate memberships over previous years. Thank you for being a part of that growth.
Where do you see the biggest challenges for OWASP as a volunteer-driven organization in 2023+ and how do you intend to address them?
If you had asked me a few years ago, I would have answered that OWASP needed to mature its processes. However, the Foundation Staff along with volunteers have done a fantastic job of improving the structure and function of OWASP, including our policies. We’re currently updating our Bylaws. We’re enforcing the activity rule for chapters to ensure we don’t have orphaned/abandoned chapters. There’s a lot of great work happening that greatly improves the organization that is largely hidden from the membership.
The biggest challenge I see now is also something that is largely hidden from our membership, which is ensuring we are properly staffed and that our staff is well taken care of. OWASP has always had a small staff to support our large mission and our large base of international volunteers. It is a lot of work to keep OWASP running and our staff work tirelessly every day on our behalf. This particular problem is one that can only be solved by the Board, and it’s one I’d love to see us tackle.
What do you think will help to increase the adoption of the OWASP Projects?
If you take a look at the OWASP Projects page, you’ll see we have 262 projects:
Truly a testament to the volunteers that contribute to OWASP. However, with so many projects, it’s unlikely we can educate everyone on what all 262 projects do, and if you don’t know what they do, how can you adopt them?
Instead, the best approach is to focus on making it easy to find the projects that solve your problem. If you look at the Projects page, you’ll notice the handy visual guide put together by the Integration Standards Project, which helps categorize the projects based on what you might be trying to solve for. I think we need more of that to help members discover the projects that are available for them to adopt and use.
I personally use so many resources provided by OWASP that are invaluable, such as SAMM for assessing the maturity level of my application security program. But if you had not heard of SAMM and did not know when or why to use it, it would be hard to get you to adopt it. How do we overcome that barrier? I’d love to see free training at our conferences (both in-person and online) that help our members know when and how to use these projects, but rather than advertise “SAMM training” instead advertise the problem it solves, i.e. “Learn how to assess the maturity of your AppSec program.”
Of course, if you have other ideas, this is a volunteer-driven organization. Jump in and contribute!