Martin Knobloch, Global AppSec Strategist at Micro Focus, is a long-time information security leader with more than 15 years of experience in the field. With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives, as well as a member of the Board of Directors. During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.
I believe that OWASP is about community! Since my first encounter with OWASP at the AppSec conference in Leuven, Belgium, back in 2006, I have actively contributed to OWASP in various ways. I have worked, and continue to work, to introduce OWASP to professionals, students, and developers. Here are a few of my engagements over the years:
- I have served at the OWASP Netherlands chapter since 2007.
- I was chair of the original OWASP Education Committee (founded at the OWASP Summit 2008)
- I am co-chair of the annual OWASP BeNeLux-Day
- I was co-organizer of the Summit in 2011
- I have been involved in every AppSec-Eu since 2011
- I hosted several Capture the Flag events at various AppSec conferences in Europe and USA.
- I introduced the University Challenges at the AppSec conferences in Europe
- Chair of the AppSec-Eu 2015 in Amsterdam
- Co-Chair of the training selection committee of the AppSec-Eu 2016 in Rome
- Chair of the program committee of the AppSec-Eu 2017 in Belfast
- I served as compliance officer for the OWASP Foundation in 2014 and 2015.
- Member of the OWASP Board of directors since 2016, chairman of the board in 2018 and 2019.
Next to my responsibilities as a member of the BoD, I focus on developer outreach, the OWASP Security Knowledge Framework (SKF) project and supporting new chapters. I also work to connect leaders so they can collaborate on best practices and improve the quality of the OWASP projects. Outside of OWASP, I support IAMTHECAVALRY and have been involved in working groups for the European Commission such as FOSSA, AITOI and the Scientific Advice Mechanism (SAM).
How will you help active projects thrive and become more recognized and used by the software industry?
There are two parts to the answer to this question.
- First, the inside-out approach: making OWASP, the projects and deliverables known and heard about.
- Secondly, the outside-in approach: listening to the software industry to hear their needs on tooling and their integration.
Regarding the first, promoting the projects: this I have been doing over the past years. For more than a decade I have been promoting the OWASP Foundation in general, and many OWASP projects especially, at various software industry events such as conferences and workshops. But without any doubt, we need a more structured and professional outreach / promotion effort. Overall, we need an overview of our projects, their usage and scope, and their place in the SDLC, so our projects are easy to find and refer to. Our website must support this. We all know too well that on the wiki you could only find anything if you already knew what you needed, what you were looking for.
Regarding the latter, we must connect to the software industry to hear what they expect from us and how we can assist. In the past, we had an Industry committee, actively connecting with the industries, and our developer outreach. Both are very necessary initiatives that are complementary to each other, and I hope both will be revived. In the end, a project is only successful if expectations are met regarding quality, usability and consistency with other projects. We cannot deny that the quality of our projects varies a lot and the alignment across the projects overall is just not there. The projects' deliverables are not aligned in layout and appearance, are not consistent in quality, and are sometimes duplicating or even conflicting in content.
The project committee hopefully will be a platform to improve this, and the re-establishing of the project summits will play an important part in increasing quality and consistency over the projects as a whole.
Please describe any previous experience you have had running or on the board of a large international non-profit.
Outside of OWASP I have none; within OWASP I have plenty.
I have been dealing with the board in my role as chair of the Education Committee back in 2008 to 2012. Also, as part of the organization teams of global OWASP events, organizing OWASP Summits and AppSec conferences. Further, in my past role as OWASP compliance / whistle-blower officer.
Today, I am honoured to have been part of the BoD for about 4 years now, two of them, 2018 and 2019, as chairman of the board.
What, if any, aspects do you think would need improving regarding OWASP membership?
The question of the benefits of the OWASP membership is as old as the existence of the membership itself. We as OWASP always have struggled to make a good case for the OWASP membership and to explain the benefits.
I am very aware of people saying, ‘why would I need to become a member if I can use everything for free’, and a membership is not required to participate.
Indeed, all deliverables of the OWASP projects are free to use and must remain so, but the membership benefits are more than voting for the board only.
Just look at the discounts on OWASP's own conferences and the discounts to many other conferences and events of organizations we are partnering with. As said, currently you are not required to be a member to participate in OWASP.
There is the question ‘should leaders be members?’.
If you ask me, that is the big elephant in the room and my answer is: Yes, you should.
Living the example, I have been a paying member for almost as long as I have been involved with OWASP. So, you might ask, ‘why would you, who contributes time as a leader, have to pay a contribution to become a member?’ Plenty of times I have heard, ‘My time spent on OWASP projects and/or chapters is more valuable than the money.’ Yes, the time invested by the leaders, and to be frank by many more volunteers, is much more valuable than the membership fee.
But if that is your argument, you are missing an important point, as it is not a question of money versus time. It is the acknowledgement of being a member of OWASP. Do you believe in OWASP?
As a leader standing in front of your chapter members, project contributors and other volunteers, can you truly represent our organization while you are not willing to be a member?
There is no distinction of membership. Either you are a member or not. The question whether a leader or contributing volunteer must pay membership fees is another question. This requires an honest and transparent policy of what we expect from an individual to be allowed a free membership. I think the current “one-year honourable membership” is not just. In my understanding, an honourable membership is not time limited and is gained after extraordinary or long-time service to an organization. A “free one-year membership” reward is something else. We need the community to be part of defining a fair and just solution.
Back to answering the question, in the past we had a membership committee. That would be the place for the community to actively improve our membership benefits, policies and regulations.
What is your plan for increasing women and minority participation in OWASP?
It would be ignorant to presume to have the answer to a problem that you have not experienced yourself.
I truly believe the first step in helping is to listen. Listening to what women and other minorities have to say. Hearing the problems they encounter, how they can be supported and how we can help. With the transformation of WIA to the “WIA, Diversity and Inclusion Committee”, we have taken an important step in that direction. One of the key responsibilities of that Committee is to create a safe place to meet peers, to exchange, to support, to ask questions, and to share experiences, successes and frustrations. But this is not a place to “hide them”, but to emphasize their voice!
Of course, after listening comes execution, to engage and make it happen. Just listening without action does not help. Here lies another task for the “WIA, Diversity and Inclusion Committee”: to be the foundation's conscience and to nudge, ping, kick and push us, the board and the community, into doing what has been asked of us.
To hold us to our words! As constant reminder for improvements.
This is a long-term assignment and not a single solution problem.
In the end and at the bottom line, it is everybody’s responsibility to appreciate and encourage each other, independent of gender, race, belief and background.
To live up to our policies, for them not to be just words, but our true ethical values.
For everybody, to step up when you see wrongdoing, to stand beside who is in need of support, to stand in front of who needs protection. To say halt to who does wrong. OWASP must remain an open and welcoming community for all.
How will you help OWASP to provide an even better user experience to our target audience via our websites and GitHub organization?
As mentioned before, in my opinion OWASP has neglected the importance of quality, maturity and professionalism in our projects, as well as the overall consistency in appearance and content. The user experience of our website is one of those neglected aspects for sure.
To answer the question, first is to identify who our users are. What is our websites target audience?
If you look from the OWASP perspective, those are our leaders and volunteers. We may assume our community to be technical, technical enough to use Git. Therefore, I do not expect our community to have any problems using GitHub for our website, project and chapter pages and project deliverables. So why are we not yet 100% converted from the wiki to the new environment?
In my opinion, we should hire forces to complete the 100% shift and fix the broken references, just to be done with this.
I truly believe the benefits outnumber the inconveniences regarding the move away from the wiki and towards GitHub. In my opinion, the GitHub generated website has a more modern, more professional and user-centric experience than the wiki ever had. Of course, it is not all rainbows and unicorns; we are not there yet. And of course, there is a reason for this question.
People are not happy with where we are right now. Constantly working on improvement is also important for our website. OWASP always could rely on its community. There has already been a great improvement effort on the first version, when the community stood up because they did not like what they saw, and they changed it. I am very much in favour of, and encourage, a website committee / project under the guidance of our staff.
The website deserves a higher priority. If required, a professional service should be hired where needed.
What kind of specific partnerships would be beneficial for improving OWASP recognition and collaboration with the broader security community?
OWASP has a very special place within the security community, to my knowledge being the only community with the focus on software security.
As such, joint ventures with the more GRC-focused communities are most definitely beneficial, if only to prevent misunderstandings and to ensure we maintain relevance. The same is true for other security communities. But we must most definitely look beyond the security communities.
In the past I was part of the outreach activities. In my opinion, the outreach to software development related communities in general is most important. Not only to developers, but to all software development related professions such as analysts, architects, testers, project managers and all the stakeholders. Also, we need to engage with the policy, standards and law-making communities.
The likes of an industry or outreach committee would be great to organize and maintain such outreach efforts.