Saturday, 12 May 2012

What is OWASP?: OWASP is a Community (passionate about Application Security)

One of the interesting things about defining OWASP's mission is that I don't think the OWASP community can even agree on the definition of 'mission', never mind what that actual 'mission' should be.

Since OWASP is such a widely dispersed worldwide group of people with hugely diverse interests, ideas, beliefs, focus, values, etc... it is just about impossible to agree on a strategic 'mission'.

There was an attempt a while back to create a vision for OWASP (with mission, values, purpose, objectives....) which didn't really work, and currently we have a fuzzier definition of what OWASP is on the OWASP About page.

The problem I have with the current lack of definition of 'what is OWASP' is that we don't have a good way to measure our success or failure, i.e. our progress.

So here is what I think OWASP is (you can call it its 'mission + vision + purpose'):

OWASP is a Community (passionate about Application Security) 

There are two key concepts in that definition:

1) OWASP is a community - At the core, this is what OWASP is. We are a massive social movement that is able to motivate a huge number of people to dedicate their most valuable asset (time) to OWASP related activities.

2) Passionate about Application Security - What is always striking about OWASP contributors is how passionate they are about Application Security. They really care about this stuff and spend countless efforts trying to make it better (each in their own focused area).

And this is as far as we can define OWASP at a higher level. Everything else is a specific implementation/focus around this (basically, if something XYZ is about Application Security and it is a 'Community' activity, then that is part of the OWASP ecosystem).

And the reason why I think it is very important to put 'OWASP is a Community' at the heart of OWASP is because it will give us a north star when reviewing what is currently happening and what 'should' be happening that isn't.

I would say that every action that happens at OWASP that promotes community and creates connections between A and B is something worth doing. And when those connections are not happening, efforts should be made.

The reality is that creating, fostering and maintaining communities is something that is very hard.

It is also something that doesn't happen by default since there are a lot of tasks (and jobs) that need to be done in order to allow a community to thrive and work.

And here is where the OWASP employees (and the 'OWASP Platform') come into play.

That team of professional individuals is there to make the 'Community' part of OWASP work.

And the simple question "will this help OWASP's Community" should be used when faced with a financial, political or implementation decision.

OWASP is at a massive cross-road, where tough decisions need to be made and massive amounts of energy are needed in order to keep OWASP relevant and productive.

My hope is that this simple idea (OWASP is a Community (passionate about Application Security)) will allow those decisions to be made.

And the power of OWASP doesn't come from the Board or any other political structure. The power of OWASP comes from its community, i.e. you.

So next time somebody asks you 'What is OWASP?'

Just say: OWASP is a Community (passionate about Application Security).