Friday, 11 November 2011

Comment on reply to post: Mark on 'Models for Better Security Communities'

(comment I made on the OWASP mailing list last week which contains some ideas on where I see OWASP going next)

Stephen, you absolutely shouldn't feel guilty of 'only' contributing to OWASP through your regular bursts of energy (I put 'only' in quotes, since you are one of my favorite OWASP stories, and a talent that I'm very proud to have helped to attract to OWASP). Your type of contribution is one of the things that have built OWASP and it is one of its most amazing characteristics.

In fact, in my view, the job of OWASP 'the organization' is to make sure that when you do focus and want to commit some energy, there is an environment (or ecosystem) that will make that process as productive, enjoyable and efficient as possible.

In that light, OWASP 'the organization' should be much more like an event organizer (think 'music production company') than a big 'we have the vision and know it all' type of org.

Please don't be too hard on Mark since his heart is absolutely in the right place (and let's not really judge Microsoft's ethics since most large companies these days won't get a clean bill of health :) ).

One thing I learned from playing music is that you have to listen to the audience's comments, and most of the time they say (from your point of view of course) the right thing the wrong way (or not the same way you would articulate it).

Mark wants a more professional and focused approach to OWASP, where there is energy and commitment in the creation of very professional, high-quality, well presented, easy to use/adopt and community-friendly deliveries (tools, books, guides, dev outreach, etc...). 

Which is exactly what I also want.
  • That doesn't mean that we stop supporting the grassroots movements and activities that allowed OWASP to be what it is today (and empower its contributors to 'just get on with it and try to find a solution'). It means instead that we need to put a lot more investment and effort into creating an operational machine that will support it (we have the talent at OWASP, what we don't have is the operational machine (which OWASP's leaders are not really good at, or have time to dedicate to)).
Part of the problem is that there is still this view at OWASP that we need: 
  • a strong mission, vision, etc...
  • high level commitments/endorsements and 
  • centrally controlled activities
.... as if we had those anything would happen because of it :)

Part of the problem with this type of thinking is that it creates an environment where Mark (correctly under that thinking) was expecting a level of support and endorsement for his ideas that is just not possible at OWASP.

The irony is that there are lots of really great leaders inside OWASP that share Mark's wish for a more professional and dev-community-friendly OWASP. Unfortunately we (OWASP) still have not come up with an operational model that allows those groups to aggregate and flourish (I don't think the current Committees structure is the right structure, but maybe the https://www.owasp.org/index.php/Security_Ecosystem_Project is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe two) words: Web Application Security, or maybe even just two: Application Security.

So please embrace Mark's ideas and comments, you might not like his style (like many don't like mine), but he is carrying an important message.

Think about this, we are lucky that Mark cared enough about OWASP that he spent his time documenting and talking about his issues and problems. We would be much worse if he had just ignored OWASP. In fact, I wish he blogged more about his ideas for OWASP since there is some great stuff in there :). He also talks to a lot of people about OWASP, especially people who would like to be involved at OWASP but have not found their sweet spot. We need to hear those voices and find ways to connect to them.