Mark Curphey
About Me
As the founder of OWASP in September of 2001, I will always be incredibly proud to be associated with a project that is a vibrant global community and has improved the security of the entire Internet. I have not been directly involved in individual projects or day to day operations for many years, but I constantly listen to and talk with people about every aspect of OWASP. It is, and always will be, my baby.
As part of the election process I have been asked to create a bio. I have jammed it in at the bottom of the page because I don’t think this is about me; this is about OWASP itself. OWASP currently has no mechanism to propose and get a mandate for radical change, and so, twenty-one years after starting it, I have decided to run for election to the board of directors so I can drive the changes that will keep it at the forefront of the industry for years to come. I am not asking to be voted into a caretaker or custodial role. Directors that have come before me and some of the other current candidates that I know and respect have done and will do an excellent job of that.
As with other elections around the world, I have published a manifesto at https://www.mark-curphey-for-owasp-2022.com/ outlining what I believe in and how I will operate, but more importantly what we can do together. By publishing this manifesto I am asking for a mandate from the members to make these changes happen. I have previously shared some of my thoughts in my keynote at the OWASP 20th anniversary event, 20:20 - The history and the future.
If you share my vision for OWASP, want to see the change I have laid out here and believe that I can make it happen then please vote for me.
Link to My Video
https://www.youtube.com/watch?v=pmQ8ugjYIkI
How do you intend to extend outreach to developers and developer communities outside of the security ecosystem?
I think the question is larger than just developers; it’s about both attracting deeply technical people and appealing to developers, cloud security architects and more.
To get anything done in a community you need talent and to get the right things done in an application security project you need deep technical talent. It’s not that OWASP doesn’t have deeply technical people, it’s just that there aren’t enough of them and not enough of the right type and we need to fix that.
When you ask deeply talented people that don’t participate, either choosing not to or having left the project, “Why not?”, you will very often hear them describing OWASP as a bureaucracy. Others will describe it as an organization that operates for the lowest common denominator by trying to keep everyone happy. That is of course hard to hear, but these are not edge cases.
In the application security discipline where deeply technical problems are abundant, the fact that OWASP is not the de facto community to turn to and participate in for many deeply technical people is a missed opportunity for the project to make a big impact. There are opportunities for language analysis and improvement, runtime analysis and improvement, devsecops automation, debugging and much much more. OWASP doesn’t even have a credible SAST project today, probably the most widely accepted and understood application security analysis technology. Let’s fix that fast.
OWASP has always had a membership bias of security consultants. At the 10th anniversary keynote (I think) I did a show of hands in which I asked the audience how many people understood HTTP and how many people could code. It was shocking to see almost everyone understood HTTP but less than 50% could code. I think this has changed, but it’s also fair to say there is an abundance of penetration testers and few developers. We need to change this.
It is equally true that the majority of the chapter meeting talks are high level and rarely novel which doesn’t help recruiting talent. I attended a very well organized and well attended chapter meeting last week where excellent speakers unfortunately gave very basic talks and ones that have been given over and over again at other meetups. At the start of the meeting a show of hands revealed that a very large portion of the attendees were at an OWASP meeting for the first time but at the break I estimate 30-40% of the attendees left. The reality is deeply technical people want to work with deeply technical people on deeply technical projects and we have to break this cycle.
Other communities have found ways to cater for a spectrum of abilities and interests across the community, but we need to be deliberate and conscious about how we do it and frankly do a better job than we do today.
We also need to redesign OWASP.org to appeal to the new breed of people that need help. If you go to the website today there are hundreds of projects of varying quality and value that no one, especially developers looking for security help, can be reasonably expected to wade through. In fact, if you come to the website today as a CSO, a developer, a cloud security engineer, an auditor, a journalist or any one of a myriad of other people coming to the website for help, you will be totally lost.
The most important asset that OWASP has, the homepage, is focused internally on members’ needs and not externally on those that need help. Deciphering the tools roadmap requires inside baseball.
What practical experience can you bring to the specific challenges a nonprofit organization like OWASP faces such as fundraising, staff support, operating model/by-laws, etc?
[From my manifesto] Sure, I founded OWASP but that is definitely not a reason to vote for me. The idea for OWASP was one thing, but it was execution and hard work of a team that has made it what it is today. I did have the vision, set the direction and did a lot of hard work in the first few years to lay the foundations. I am hopefully doing the same now.
My track record and experience show that I get stuff done. I have run a large team at Microsoft and founded three startups (selling one so far), raising over $50 million from top-tier Silicon Valley investors, something that is important when you read about my plans for the OWASP Investment Fund.
I have important relationships across the global tech and security community to open the right doors. This is important when you hear about changing the funding model and partnering with governments and industry.
I have the history, the experience, the connections and the track record to make this happen.
How do you plan to become less dependent on the primary revenue stream of “Offline Conferences”?
Money helps make things happen. Today OWASP scrapes along with personal membership fees, conference and training revenue and relatively small corporate donations. A few million dollars a year may sound like a lot, but it’s peanuts for a global community with a mission that is literally critical to the future of the world. I appreciate it’s more complex than this, but for the most part OWASP is a community funding model.
Other not-for-profit communities like the CNCF and OSSF operate more like not-for-profit companies, raising hundreds of millions of dollars each year from large corporate sponsors and government grants. They use that money to provide community resources and strategically fund these communities to have a massive impact on open source. This type of funding model is not new or specific to software, of course. It is common with hospitals, education and other charities. Médecins Sans Frontières would not be able to operate on donations from their own volunteers, and perhaps the most famous, although granted somewhat unique, example is the Gates Foundation, which recruits the best scientists in the world to solve important problems for the world.
To give you an idea of the type of impact that this funding model can achieve, the OSSF has started funding the development and hosting of Sigstore, bringing code signing to the masses, and recently started paying security consultants commercial rates to find and fix vulnerabilities in important open source. Jim Zemlin from the Linux Foundation raised $6M over a weekend to fully fund core developers to fix the vulnerabilities and improve the security of OpenSSL when Heartbleed crippled the internet.
Organizations with funding models like this can pay commercial rates and competitive commercial salaries to attract the right talent.
As I said above, money helps make things happen. OWASP needs to move from being community funded to commercially funded. The leadership at the Linux Foundation has even offered to help me do it.
Where do you see the biggest challenges for OWASP as a volunteer-driven organization in 2023+ and how do you intend to address them?
OWASP has a strong brand but it is no longer just about the web and we should change the meaning of the acronym to the Open Worldwide Application Security Project.
OWASP has a mission statement today which, from the About Us page, is:
“As the world’s largest non-profit organization concerned with software security, OWASP: Supports the building of impactful projects; Develops & nurtures communities through events and chapter meetings worldwide; and provides educational publications & resources.”
This is a complicated mission that is inwardly focused, and we should change the mission to be:
Help Secure the World’s Software
We also need to address the culture. When you treat people like adults they behave like adults and when you treat people like kids with loads of rules to follow then they behave differently. The best community model, that also happens to be the nicest one to work under, is when you empower individuals to do the right thing and hold individuals accountable for bad behavior if it happens. The latter is as important as the former. What you don’t do is penalize everyone with rules for others’ bad behavior.
We can achieve a balance of autonomy and expectations with a set of community values. Atlassian, a multinational developer tools company, is famous for its company values, which you can read at https://www.atlassian.com/company
“Our unique values describe, at the most fundamental level, what we stand for. These five values shape our culture, influence who we are, what we do, and even who we hire. They’re hard-wired into our DNA and will stay the same as we continue to grow.
Open company, no bullshit
Build with heart and balance
Don’t #@!% the customer
Play, as a team
Be the change you seek”
We should adopt a set of community values like those below.
Be a good human, a good team player and a good community member.
Trust people to do the right thing and hold them accountable if they don’t.
We are a meritocracy. Recognize, celebrate and reward merit.
Get shit done without bureaucracy, politics or bullshit.
No sales pitches anywhere.
On the last point, we need to be open and honest about the motivations of companies and individual participation, and the community values need to reflect that. People and companies participate for many reasons, but one of the most common (again, if we are all being honest) is for the sake of developing personal and company brands. There is nothing wrong with that, but where it breaks down is when people leverage OWASP in a way that is not beneficial for the broader community. Open source communities are about paying it forward. It’s not about instant gratification, and you have to trust you will be paid back based on the merits of your actions.
What do you think will help to increase the adoption of the OWASP Projects?
I actually don’t think blindly increasing adoption of OWASP projects is the right approach. Today there are often many projects that do the same thing and, sadly, many projects that, if we are being honest with ourselves, offer little value. Many other projects have been effectively abandoned.
We have to be smart and deliberate about where we direct our effort. We have to have tools that are clearly recommended as best in class, work together, are actively developed, and are funded and supported. We also have to accept that not everyone is capable of creating a project that is of the standard the community deserves, and that there needs to be a clean-out.
The right way to approach this is to hire a Chief Product Officer who is used to managing a portfolio of projects and who can put in place a process to manage the entire community project landscape.
Why Should You Vote for Me?
Sure, I founded OWASP but that is definitely not a reason to vote for me. The idea for OWASP was one thing, but it was execution and hard work of a team that has made it what it is today. I did have the vision, set the direction and did a lot of hard work in the first few years to lay the foundations. I am hopefully doing the same now.
My track record and experience show that I get stuff done. I have run a large team at Microsoft and founded three startups (selling one so far), raising over $50 million from top-tier Silicon Valley investors, something that is important when you read about my plans for the OWASP Investment Fund.
I have important relationships across the global tech and security community to open the right doors. This is important when you hear about changing the funding model and partnering with governments and industry.
I have the history, the experience, the connections and the track record to make this happen.
Why You Should Not Vote for Me
I get stuff done and create change. I believe in leadership and not in committees. I value doers, and not talkers. I value true meritocracies. I have zero time for personal politics, bullshitters and people who get in the way of progress.
I recognize that style of operating is not everyone’s cup of tea, and I want to be clear and upfront that if I am elected it will not be business as usual.
I am asking for a mandate for change and not just a seat at the table to talk about change. You may see the project in a different light than I do, value different things, and may not want change.
If that describes you, then you shouldn’t vote for me.
How I Will Lead OWASP to a Better Place
Change is hard. I get it. In today’s day and age, an authoritarian regime is just as ineffective as a hopelessly tangled bureaucracy. I will make sure the tough conversations happen, and the hard decisions get made. But I will also ensure that members are consulted and listened to, and that people’s opinions are respected, even where there is disagreement. I will make sure there is good communication around why decisions are being made, because, while it’s impossible to find consensus on any issue in a reasonable time across a diverse set of technical people with strong opinions, transparent decision making at least can help achieve broad alignment. Still, not everyone will be happy. That is a fact of life about change, but together we can make changes with empathy and respect and in a way that everyone will at least understand and appreciate.