I’m a Principal Security Architect at the Federal Reserve Bank of San Francisco with over 10 years of application security experience. I focus mainly on software architecture and on providing security first and foremost through simple architectures. I, along with Chad Hollmand, co-lead the Sacramento OWASP Chapter. During my career, I’ve had the opportunity to teach AppSec at UC Davis, speak at various events, and sit on the SFS Advisory Board for California State University, Sacramento. I always knew OWASP for its famous OWASP Top 10 project. But I fell in love with the organization when I attended ICCS at Fordham University in 2013. I learned so much about the organization, and since then I’ve been both benefiting from and contributing to OWASP in many ways.
Link to Video
How will you help active projects thrive and become more recognized and used by the software industry?
OWASP largely competes with other organizations that attempt to provide “security guidance” through compliance. I think that these frameworks are largely unimplementable in any modern software development shop and mostly impractical guidance. OWASP shines where other organizations fail. We are a community of techies trying to solve technical problems. That’s why our projects are the most referenced when it comes to solving security problems. But that also creates a weakness in our strategies. Our projects lack the cohesiveness that can produce an implementable framework and process for organizations to follow.
For example: ASVS is a fantastic tool for securing the architecture of an application. However, without further guidance on how ASVS can fit into the entire software lifecycle, it is largely a tool that only the techies of the company will look at. Even if implemented, it does not provide performance indicators that will help those techies get support from the executive suite to build a framework around the tool. Lastly, this results in a lack of feedback to OWASP. At best, this ecosystem creates users of our tools and resources with little to no feedback loop for OWASP to capitalize on.
Please describe any previous experience you have had running or on the board of a large international non-profit.
I don’t have any experience on a large international non-profit. But I am a contributing member of the advisory board for CSUS SFS.
What, if any, aspects do you think would need improving regarding OWASP membership?
There are many facets to why a membership is important.
Let’s first talk about corporate contribution to OWASP.
I personally know of so many public and private enterprises that have modeled much of their security around the outputs of OWASP. Projects like ZAP, ASVS, and Dependency-Check, just to name a few. The projects are possible because of the great volunteer community we have gathered. But that’s only possible because of the OWASP organization. I think we can do more to show the value that we bring to these organizations. Just like us, they have invested time and energy to bootstrap their organizations with our products. They have a vested interest in seeing it continue to mature.
Second, I want to talk about personal contribution to OWASP. I have put my own time and money into the OWASP chapter here in Sacramento. I truly believe in the mission of OWASP. Why wouldn’t I want to contribute to the organization that has made my career possible? I take pride in many things. I’m an avid skier and represent and show off those brands when I’m on the slopes. If you’ve known me for more than 3 minutes, you probably know that I love Subarus. I support those companies because I believe in their products. Why wouldn’t I do the same for OWASP?
Finally, I think our membership is not very well known. I’ve known about OWASP for a very long time. But it wasn’t until I took over the Sacramento Chapter that I learned about the membership. We also need to show value for our membership. It’s part of OWASP’s DNA to make its products available for free, and it always will be. But we have many value-add services that can benefit members. These could range from the discounts we already provide on our trainings and conferences to exclusive merchandise. We can play around with ideas like providing a behind-the-scenes look into “the making” of our products. But most of all, I think we should provide a platform for the community to figure out how we can improve our memberships.
What is your plan for increasing women and minority participation in OWASP?
I struggled with this question a lot. I even tried to “call-a-friend” to get some help. More than anything, I don’t think I’m qualified to answer this question and feel like an imposter trying to answer this.
That said, let me give it a try.
I don’t think this is something for OWASP to solve, or rather, the problem is outside of OWASP. We can certainly address the symptoms of the problem by making a welcoming community where everyone’s ideas are valued, standing strong together to eradicate intolerance. But ultimately, I think this is something much bigger than OWASP to solve. The best we can do is teach the world that our community is thriving because of our diversity. I think OWASP can do a lot of things, like teach developers to be better developers. But unfortunately, I don’t think OWASP can teach people to be better people. That’s something we personally have to take on. OWASP must provide the platform to have these conversations and utilize our community to solve this problem at its root (our workplaces, schools and even pre-schools). Women and minorities belong in tech!
How will you help OWASP to provide an even better user experience to our target audience via our websites and GitHub organization?
The great thing about OWASP is that we are the consumers of our own products. Every project was built because we needed it. But at the same time, we are blind to the needs of large enterprises. We are providing the pieces of the puzzle, but often stop short of telling an organization how to put them together. I hope to see OWASP move in a direction of providing complete portfolios, strategies, and roadmaps to organizations, unbothered by vendor names. Focusing on security, and not technical implementations.
What kind of specific partnerships would be beneficial for improving OWASP recognition and collaboration with the broader security community?
OWASP is actually ahead of the game here. Let me explain. We focused on application security while many other organizations put their focus towards compliance. The problem with many compliance frameworks is that they look at a binary world of possibilities out there. Turn on this control and you are fixed. We took a software-driven approach. That’s why we are never used to secure anything, but rather to teach. While that was a weakness for a long time, I think in the next few years it will become a strength.
As organizations move to the cloud or embrace a software-defined world, where everything from your network topology, to DNS, to IAM is defined by code, the strategies of decades past for meeting compliance requirements will have diminishing returns, often to the detriment of security. I’m not saying we shouldn’t have compliance. But I think it’s OWASP first, then compliance. In that light, we should partner with compliance communities that describe what needs to happen, but stop at prescribing the how. We are fortunate to have a community of techies, by techies, that can solve the technical challenges.