Tuesday, 2 October 2012

An Idea of a new model for OWASP

Here is a post/idea that has been 18 months in the making (in fact since I stepped down as OWASP board member on 12th Feb 2011)

I wrote the text below in response to Jim Manico owasp-leaders list "What is OWASP?" thread, and am quite happy with the OWASP model that I finally was able to document.

Well Jim, I think the problem is in the currently structure of OWASP, where even when there is no malice or vendor-bias by an OWASP leader, the end result comes out that way (and can be interpreted in the way you have recently).

The key problem is that the current 'Board, Committees and Project/Chapter leadership model', was created for another era when OWASP was much smaller ,  with a very different set of problems and with a much smaller WebAppSec industry. Unfortunately, I don't see a solution for the problem you describe (and others that OWASP has) until that structure is changed.

For a while there was the '...is OWASP run by Aspect Security?' now is the '...is OWASP run by Trustwave?'  maybe next is the '... is OWASP run by WhiteHat?' . Until the Board and Committees stop being seen as positions of Power + Kudos + Reputation + Carrer Advancement + 'PressReleases created on appointment', this will not be resolved. For example, it is very damaging that OWASP leaders think that they need to be Board/Committee members to get things done. This is not only false, but it creates a power-vacum where other OWASP leaders think that 'something is being done' or that 'its the other dude responsibility to do that!'. 

The reason why I left the Board 18 months ago was because I realised that the model that we had created for OWASP (which worked so well until then) was expiring and a new model was needed.

Jim description of 'OWASP is a non-profit community-service based organization'  is absolutely spot-on, and OWASP needs (in my opinion) a Board and 'Committees' (or what ever name they are rebranded as) that are focused on that simple but powerful word: Community (we will need some creativity on what body/group should have the operational parts of the current Committees that are currently working very well)

I think the time has come to handle most of the OWASP 'Power and Responsibilities'  to the OWASP employees who know OWASP more than any of us. Maybe we have a system where operational questions (like budgets, salaries, structures, etc...) are voted by majority.

We really need to re-focus OWASP Leaders energy in getting things done and re-invent OWASP in a lean, open, collaborative and effective community (and organization).

OWASP will still need a Board (or whatever name that is rebranded as). But that Board should be 99% focused on Community issues (i.e. how to empower OWASP Leaders to be productive, creative, empowered, happy). And for the 'but OWASP legally needs a board' crowd, the other 1% would be to accept the decisions taken by OWASP's leadership community and employees.

We probably will need to hire more employees to really make this work, and as per the model I'm proposing here, that decision should not be made by the 'Board or Committees'. That decision should be made by the current employees :)

The good news is that OWASP is in an strong financial position to make this work, the not so good news is that I don't think this will happen any time soon. And the hard decisions that only a 'truly independent voice' (i.e. the employees) would be able to make, will have to wait a couple more months/years.

I don't know the author or the source, but one of the best quotes I've heard is "....sometimes the best way to find the solution for a problem is to redefine the problem..." :)

Meanwhile ... OWASP is still an amazing organization, doing amazing stuff and making a difference in the WebAppSec world. 

I just want us to REALLY make a difference.  Using the mountain analogy in the Trillions video , I want us to be climbing the BIG mountain (not the smaller one we have been climbing over the last 10 years) 

I don't want to look back when I'm old to OWASP and say: 'we did well, but we missed our window of opportunity to change the world' 

I want to look back and say: "We did out best, and changed the world"

Dinis Cruz