Feb 13, 2011

New OWASP Board – My 10 Questions

At the OWASP 2011 Summit I attended some of the sessions on OWASP Bylaws and OWASP Governance. I agree we need to update and define roles and duties but there are more urgent issues.

Discussing the board is complicated if you are not a native English speaker. Asian, South American, and European OWASPers tend to know the English appsec terms, but they do not know the nuances of what is being said about governance. This effectively means that only English-speaking people will define how OWASP should be governed, and mainly English-speaking people will run for the board. Today the board consists of 4 Americans, 1 Irish, 1 Portuguese living in London, and 1 Belgian. That is neither representative nor good for OWASP.

I'd like to see the OWASP board grow more diverse. Therefore I will put the questions below to the members who run for the board. Note that this is not a list of requirements, but rather parameters in which I'd like to see diversity.

  1. Which human languages do you speak?
  2. In which parts of the world have you lived at least 3 months?
  3. Have you shipped production code? How long ago?
  4. Please provide a list of web technologies you consider yourself proficient in (markup, styling, scripting, server-side code, server configuration and operational setup ...).
  5. What is your typical appsec role (pentester, trainer, developer, project manager ...)? Are you a consultant, vendor, or do you have an appsec role within an organization?
  6. Please provide a list of appsec activities you consider yourself proficient in (code auditing, threat modeling, SDLC implementation ...).
  7. Have you run or are you running an OWASP chapter? Which?
  8. Have you run or are you running any OWASP projects? Which?
  9. Do you have a college or university degree? (No requirement, I just want the right mix)
  10. Do you have a postgraduate degree? (I'd like to have at least one on the board)

There are no correct or preferred answers to the questions above. I only want to ensure we have people from as many parts of the appsec community as possible. For me that's more important than knowing all the English terms in our bylaws or policies.


  1. Agree with all of them, although a little confused as to why a degree would be required?

  2. @Daniel: Sorry. It's not a list of requirements, rather parameters or dimensions I believe the board needs to cover. So I'd like at least one board member without a degree, at least one with a degree, and at least one with a postgraduate degree. The community has that diversity and I think it gives important perspectives – practitioners vs researchers and such.

    I updated, trying to make it more clear.

  3. They are all good, John, glad you cleared up the degree question :)

    I would also ask what app sec work they actually do. I'd love to see fewer people who are consulting/vendors/hands-off app sec people (i.e. scan a site, scan some source code and give a report) and more people who do app sec in the real world on the board. I mean those people who actually work in an app sec role in an organisation every day, working with a development team every day, working with PMs and "C" level every day selling security at all of these levels. People who have real responsibility for delivering secure code and not delivering a report at the end of an engagement.

    You get those people on the board and we might start to see deliverables useful in the real world - i.e. less talking, less guides which are almost all text and no code, tools that work and so on.

  4. @Daniel: Good comment on consultant/vendor/appsec within org. I've added that to question 5 since I totally agree.

    I'm moving from a consultant role to being a bank employee, on the development team. I'll be on the client side of things as well as doing my daily job for end users.