Tuesday, 16 October 2012

OWASP Board Election: Why I voted 'Abstain' and why you should go on the record with your vote

(as sent to the owasp-leaders list)

I actually wanted to write a long email about this, but since I'm running out of time, here is the short version:

I just voted Abstain on the Board Election because I think that OWASP needs a new structure and the sooner we replace the current Board, Committees, etc. with something that works, the better.

When I stepped down from the Board 18 months ago, I did ask the other Board Members to also step down, since my idea was that if there was no Board, we would be faced with the 'nice problem' of coming up with a new model. Jeff was the only one that did it (I'm not taking the credit for it since he had his reasons), but the others stayed there and have since been re-elected or are part of the current election.

I had a big list of items that I wanted to raise (with more details on what is not working, areas that need to be addressed and ideas for the future), but I guess the two recurring themes are:
  • Are we (OWASP) really doing our best with what we have? (just think of the brain power that exists at OWASP)
  • Where is the dialog, debate, argument, passion about OWASP and AppSec? (for example, on this election, the only thing that we had were some podcast interviews (or the transcripts created via the GSD project), which I read, and ... I'm actually not going to comment since I want this to be a positive email)
Another reason to vote Abstain is to go on the record that I don't agree with the current model and that (maybe) if enough OWASP leaders also vote Abstain, the required changes will happen faster :)

Now, if you are going to vote, I also think that you should go on the record about which candidates you voted for (by email or wiki or your blog).

This 'public vote of support' will create a two-way relationship between you (the voter) and the elected board member. It will be more transparent/open and will allow for accountability (which is another thing missing).

Note that I'm not saying that the current Board Members (and candidates) don't work hard for OWASP and help a lot. They do, just like a lot of other owasp-leaders. It's just that the current model is broken and if we really want OWASP to go to the next level and make a 'dent in the WebAppSec Universe' we need a new model.

Unless of course you think that all is great with OWASP, that we are doing the best that is possible with our human, financial and technological resources, and that no major change is needed. I don't happen to share that view :)

Finally, over the past months I've been thinking and blogging about OWASP, and since I know that some of you have 'owasp-leaders email overload', I didn't post all of them here. 

Here is a collection of some of my thinking and ideas:
I also tagged a number of posts with OWASP MIA, which were the cases where I was thinking "humm.... shouldn't OWASP be involved in here?"
Enjoy AppSec USA (which is the first OWASP AppSec USA that I'm going to miss since they started), and please feel free to disagree with this email (and create some debate).