Hello Fellow OWASP members!
I joined OWASP 11 years ago as a security-focused developer and appreciated the security content, guidance, projects and sense of community that OWASP had to offer. When I got the chance to volunteer and eventually serve on the board of OWASP Orange County I saw that as an opportunity to contribute back to the community. As a chapter leader I was able to apply my technical, organizational and networking skills to inject new life into a chapter, by holding regular meetings, increasing attendance five-fold and making OWASP a presence in the local community. Leveraging my network, I collaborated with the local chapters of ISSA, ISACA and IEEE and Webster University to hold rotating joint meetings, expanding the reach of the chapter. As a co-chair of the highly successful AppSec California conference, I take satisfaction from the knowledge that the conference is highly respected for the quality of its speaker lineup and technical content, as well as for contributing to a well-run conference. I intend to use my energy to ensure that OWASP remains a well-regarded organization and to further advance OWASP community and project goals by reaching a wider audience in the development community and prompting more companies to get serious about security and to use and adopt OWASP guidance and projects.
How will you help active projects thrive and become more recognized and used by the software industry?
I believe that OWASP should continue supporting projects by providing them with the needed resources to make them successful, as that only helps OWASP’s name and reputation. We also need to continue being relevant by expanding the range of supported projects to technologies relevant to today’s world, such as the IoT Project and the resulting IoT Top 10. Ensuring the empowerment of the Projects Committee is essential in assuring that projects are led by project leaders who are actively involved in their projects and that they have the resources they need to make their projects successful.
Please describe any previous experience you have had running or on the board of a large international non-profit.
As an AppSec California conference co-chair, I worked with my fellow conference planners with many meetings over several months to plan and make the conference a success by ensuring that the conference program had quality speakers and trainers and that the conference was run smoothly and professionally. This was instrumental to growing the conference by increasing both the number of attendees and the number of sponsors, introducing additional events such as a Career Fair, sponsored and low-cost training and awarding diversity scholarships.
What, if any, aspects do you think would need improving regarding OWASP membership?
OWASP membership numbers are rather low for an organization like OWASP, with dozens of projects and chapters worldwide. Reports from vulnerability scanning tools map findings to the OWASP Top 10. Additionally, projects like Dependency Check, ASVS, Proactive Controls, ZAP and SAMM, among others, have significant community penetration. OWASP can improve its promotion of projects so that the OWASP brand can gain an even greater market acceptance and industry penetration. The key question, however, remains what a member gets for their membership and why people that have put a lot of time into furthering the goals of OWASP, such as chapter and project leaders, are not automatically awarded honorary memberships. Leaders that can deduct the membership cost or are reimbursed by their company for the membership can continue to purchase their memberships. But for others, is the small amount of revenue derived from these leaders worth it in terms of the loss of feeling of community? I think that chapter and project leaders that step up and volunteer their time to promote and make OWASP better should be valued and rewarded in a tangible way.
What is your plan for increasing women and minority participation in OWASP?
As an AppSec California conference co-chair I advocated and instituted diversity scholarships for women and minorities. Helping women and minorities advance in the security field is not only right in terms of inclusivity but also helps meet the looming shortage of security practitioners in general. In order to provide a safe and welcoming environment at AppSec California we instituted a zero-tolerance policy, and the planning committee included many women. The AppSec Cali conference also featured one or more women speaking in almost every time slot.
How will you help OWASP to provide an even better user experience to our target audience via our websites and GitHub organization?
The look and feel of the new git-based website is more streamlined than the old wiki; however, not all content from the wiki has been migrated, and it’s not easy searching for and actually finding something. Sometimes I find myself going back to the wiki to find things. We need to fix things that aren’t working properly. For example, ordering OWASP merchandise should be easy, but the link with photos of the available merchandise is broken from the merchandise request form. More testing and cleaning up is necessary as a starting point, and if staff can’t handle it, they should ask for help from the community or hire someone to fix these.
What kind of specific partnerships would be beneficial for improving OWASP recognition and collaboration with the broader security community?
In my Chapter Leader role, I have collaborated with other non-profit security organizations such as ISSA, ACM, IEEE and ISACA to hold common events and promote OWASP to their members, which increases the reach of OWASP and our local chapter. Another approach that has worked well is co-operative agreements to exhibit at the conference events of the organizations mentioned above as well as at other local conferences such as SCALE, BSides and Shellcon. These events have a substantial cross-section of attendees interested in security in general as well as application security. In order to expand OWASP’s reach and membership we need to support chapters that do this by providing a variety of swag appropriate to these conferences and not try to save money by denying minor reasonable expenses for volunteers staffing these events.