Thursday 4 October 2018

My comments on the "Open Letter to the OWASP Board from the OWASP Chapters"

Thanks Josh (and others who put this Open Letter together) for the effort and passion on Owasp and in continuing to try to find solutions to improve the current situation

Although I don't agree 100% with the solutions presented in this document (see some of my ideas below), I'm happy to sign it, since this is the kind of fact-based discussion and conversation that we must have as a community (one request: can we put this letter in a GitHub repo so that we can send comments using git and sign it using Pull Requests?).

Note that I have not been that involved lately in Owasp foundation threads (including reading all my email), but the key themes of decentralisation and openness are key for Owasp's future and require creative solutions.

My view on situations like this Open Letter is that this is a great example of the passion that our community has for Owasp (which is a very positive thing). It is not good that they needed to resort to an Open Letter to raise the issue, but what is important is how we all react to the challenge and help to improve Owasp's future and organisation.

In terms of improving the current operational model, here are ideas I would like to see implemented, that I believe would help with the current friction points and unblock Owasp:

  • Creation of Global Committees (and let the Owasp leaders who want to work for the foundation for free, get on with it and propose solutions)
  • Creation of a global fund available to ALL chapters and projects
  • Hiring of operational resources (via Upwork for example) allocated to local chapters/projects (with a remit to also help a bit centrally)
  • Proactive central use (by Owasp Foundation) of the chapters/projects funds on activities that directly benefit those chapters or projects (like the idea above to hire resources to help projects or chapters)
  • Bring Owasp leaders together in events like the Owasp Summits (which is where a lot of the strong bonds that exist today between the Owasp leadership community have been created, and where a lot of work on Owasp projects and chapters gets done)
  • Be radically transparent and open with what happens in the foundation, where just about everything is shared and made available publicly (from comms, to finances, to requests processed, to current tasks being done). My view has always been that the Owasp employees work crazy hard and create magic every day. Unfortunately the visibility of what they do is not clear to the rest of the Owasp community, which tends to create the situation and feeling in the wider community of 'what are they doing all day?'

I would also like to see the current Owasp board (and other Owasp leaders concerned with the governance of Owasp) REACH OUT to Owasp leaders that have been here for a while (who passionately believe in Owasp, since after all we helped to build Owasp), in order to ASK for their ADVICE and LISTEN to their views and ideas (all these comms should also be open and 'on the record').

This last point is the most important one. One of Owasp's main assets is the amazing set of talented individuals that love Owasp and want to help.

I am one of those individuals and, unless I missed it, I don't think that I have been requested to help out (and as you can see by this email, I want to help).

If you want to read more ideas (that can be implemented now) please see my "I wish that Owasp in 2014..." blog post at:

I also published a book a while back on Leanpub called "Thoughts on Owasp", made of the multiple blog posts I wrote about Owasp when I was an Owasp board member. You can get this book for free at I wonder how many board members have read it? (note that the amount of feedback that I have received on that book has been very little)

So ... let's take Owasp to another level, and let me know how I can help.