Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement in open-source projects, presentations, trainings and new technology innovation.
As a versatile engineer, Matt’s background spans software development (primarily web development), Linux system administration, penetration testing and application / cloud security. He thrives on tackling technical problems, but his economics background gives him a unique understanding of business constraints and incentives around security initiatives.
Matt is a Distinguished Engineer at Noname Security and has returned to producing monthly podcasts for the OWASP podcast in 2022 after assisting Jim Manico with them back in 2009. He also is a core maintainer of OWASP DefectDojo, co-leads the AppSec Pipeline project, co-leads the OWASP New Braunfels chapter and leads the OWASP WTE/Live CD project. Previously, he rolled out AppSec automation at USAA and founded 10Security. Early in his career, Matt served as Director of Community and Operations at the OWASP Foundation, a Global Board Member of OWASP, Senior AppSec Engineer at Duo Security, Senior Software Security Engineer at Pearson and Senior Product Security Engineer at Rackspace.
How do you intend to extend outreach to developers and developer communities outside of the security ecosystem?
The way OWASP has done that in the past is to create materials which directly address developers’ needs. Consider the Cheat Sheet Series, the Proactive Controls and the Go Secure Coding Practices Guide - these all directly address specific needs of developers and demonstrate that OWASP can address devs’ needs. So there are two things that need to happen to extend this reach:
(1) Create more developer-focused resources: Since OWASP is a volunteer-driven organization, we fundamentally have to either wait for someone to create a project in this area or incentivize contributions. I originally got started with OWASP by participating in the OWASP Summer of Code in 2008 - we should revisit that concept and find ways to make it an ongoing effort rather than a point-in-time exercise. The Global Projects committee is in a position to determine key gaps in our project inventory, either in terms of maturity or existence, and thus create a ‘call for projects’ to drive awareness of projects OWASP would like to see. Additionally, working with the growing body of university students who can now actually study cybersecurity represents an untapped pool of resources where a win-win relationship exists. OWASP gains mature projects or fills gaps in its inventory while early-career security practitioners gain industry experience and interactions with some of the best and brightest in the AppSec community.
(2) Better spread the word to the developer community: One fundamental problem that OWASP has faced for many years is a lack of clear use-cases for its various projects. I’d love to see something like the “Application Security Wayfinder” but with a developer-centric focus. We should also consider spending funds actually marketing our existing projects to different constituencies. This could be done by hiring a marketing firm or working with community members, DevRel professionals or university students to help spread the word about the large body of highly useful projects OWASP already has. I’d also like to see OWASP further promote the community contributions to the website. How better to involve developers than to ask for PRs of content in GitHub? OWASP has already located the bulk of its content in the place where developers spend much of their time, aka GitHub, so the ability to do the usual GitHub contribution needs to be shared with the dev audience.
What practical experience can you bring to the specific challenges a nonprofit organization like OWASP faces such as fundraising, staff support, operating model/by-laws, etc?
I bring significant community involvement since 2008 and have seen OWASP from many sides in that time. I’ve run several projects that reached flagship status, was a member of the original Global Projects Committee, was a member of the Global Board of Directors of OWASP, have been involved closely with multiple events, am currently a co-lead of an OWASP chapter and was a member of the OWASP staff in the past. Beyond my wide-ranging experience within OWASP, I have ~25 years working with open source software and 20+ years of broad AppSec experience including CI/CD/AppSec automation at large companies and startups. I am grounded by a background in Economics and understand how incentive structures can create both positive and negative results. I ran IT for OWASP in the past as a volunteer and later as a member of staff and grew to understand that OWASP’s core mission isn’t running IT systems, it’s making security visible to our community and beyond. I fully support the transition away from running systems (like the old wiki) to utilizing SaaS offerings to off-load work from the few OWASP staff members. I was involved in the early work to create By-Laws for the organization as markdown in GitHub, with changes as commits to a git repo.
I realize that OWASP has just been through a difficult period of time and would like to help steer the org where I’ve spent almost 14 years contributing time and talents to because I truly believe in OWASP’s ability to improve security for the world.
How do you plan to become less dependent on the primary revenue stream of “Offline Conferences”?
There are two primary factors in play for OWASP to diversify how OWASP funds its activities:
(1) Create things for which people will pay money: In-person events are an obvious example of this and something in which OWASP was too heavily invested, as shown by the pandemic’s impact on funding. That said, I don’t think OWASP should diminish or remove in-person events from its funding mix. As good as some virtual technologies have gotten, nothing can truly replace an in-person event where old friends can be reunited and impromptu conversations can lead to shared knowledge or even friendships. Many of the people I’ve gotten to know in the community started with in-person accidental meetings. Beyond traditional events, I’d like to investigate new event-based and on-demand options for OWASP to raise funds.
(2) Create an increased value in membership - both individual and corporate: If someone or a company considers membership with OWASP, there needs to be a compelling reason for that membership. For some like myself, just making sure OWASP continues to serve its community is enough. For others, the ask will be “What do I get for my membership?” I don’t pretend to have all the answers here but believe that by talking with our members we can find ways to add additional value to membership. Existing ideas like streamlined conference sponsorships for corporate members are a great start. We need to find others.
Where do you see the biggest challenges for OWASP as a volunteer-driven organization in 2023+ and how do you intend to address them?
Volunteer-driven orgs face several concerns but one of the perpetual ones is the need to provide consistent service with a limited full-time staff. To address that gap, consideration needs to be made on whether an activity is fundamental to the org or can be handled by outside parties. This is easy to see in IT/infrastructure. Utilizing SaaS as much as possible allows OWASP to move maintenance and other concerns to the SaaS provider. Additionally, moving non-core items away from staff creates a situation where the most important items for OWASP have full-time engagement. OWASP has made great strides in this direction over the last several years and I’d like to see those efforts continue. OWASP staff have also made great gains in streamlining processes and consolidating data into solid ‘sources of truth’. Continued efforts on simplifying, streamlining and focus on core activities will pay future dividends by removing unnecessary work from an already busy and small group of full-time staff.
The other method to success in a volunteer-driven organization is to have a plethora of volunteers. In some areas, OWASP has already demonstrated this. Events have been successful due to the efforts of volunteers that come together for an event. The same is true for chapters - where successful, OWASP chapters have a group of volunteers (aka chapter leaders) who are directly responsible for chapter meetings happening. The one area where volunteers are not as abundant as they could be is in the project space. Yes, many projects get contributions to their documents, code and overall efforts to be successful, but many projects are a single, dedicated individual’s efforts. OWASP needs to find ways to gather more volunteers around projects - this can be direct contributions like PRs or this can be spreading the word like doing a YouTube video about a project. I’m not sure exactly where this pool of potential volunteers is - I suspect universities have good potential. Perhaps tapping into coding boot-camps is another way to gain more project-focused volunteers.
Speaking of volunteers, I’d like to personally thank all 293 contributors to the community contribution pages on the OWASP website. It could be updating a broken link, correcting a typo or authoring a new page - the important part is you took the time to make things a bit better than you found them so thanks!
What do you think will help to increase the adoption of the OWASP Projects?
I accidentally answered this partially already in my answers above. One of the biggest problems OWASP projects have had is making the broader community aware of what is already a solved problem. I remember doing a talk at OWASP EU back in 2009 in Poland where my talk was primarily “Here’s some cool OWASP projects you should know about”. I fell into that outline when the case study I wanted to use got denied by a fellow AppSec friend’s company. I suddenly had to fill 3/4 of my talk with something else and, out of desperation, did an OWASP project ‘best of’ list. Fearing my talk went from a great case study to a weak list of projects, I was pleasantly surprised when it was very well received.
One key learning from that course of events was that, as an OWASP insider, I was very familiar with the projects OWASP offered. The same assumption cannot be made for others in the industry - they may be new to the field, busy or just haven’t stumbled upon some of OWASP’s hidden gems. This is why I suggested a concerted effort to market OWASP projects and make them more accessible to those in the industry, either in AppSec/Cybersecurity or development. I think the “Security Wayfinder” is a great example of this and we need to do more like that highly useful example.
Another way to increase adoption of OWASP projects is to increase the quality of OWASP projects. Some of this is offering GitHub integrations with tools that help increase the quality of repos’ code. I know projects like Juice Shop and DefectDojo are examples of using multiple tools to shore up code quality. Getting guides for those unfamiliar with these kinds of tools would be useful to both OWASP projects and the broader community. Also, joining related efforts like the OpenSSF Best Practices Badge Program would provide increased legitimacy to OWASP projects. These need to be opt-in or somehow incentivized rather than mandated. Any signal we can add to our projects that the broader community sees as an indicator of quality should be considered.