Thursday 1 November 2012

I wish that OWASP in 2014 ....

In 2014, it would be amazing if OWASP has:

  • an environment where:
    • developers collaborate with security professionals
    • 'Secure coding questions' can be asked and answered
    • browser and framework vendors/creators come together to work on the hard problem of 'web security'
    • governments, companies and 'web players' come together to define (and present) action-plans, standards and deliverables
    • the latest research is presented and the new generation of security-focused developers/researchers can find home(s) to develop, nurture and present their ideas
  • OWASP projects (tools, documents, services) that:
    • have so much quality that they are 'best in class' and raise the bar for the whole industry
    • are funded because: a) they add real value, and b) users want/need the next versions/features/bug-fixes (see OWASP Project Partnership Model)
    • generate enough revenue that allows full-time staff (devs, QA, documentation, etc...) to be paid at fair market value (for their skills). With a caveat that OWASP cannot pay its leaders
    • are easily consumed by other tools (the project's materials and capabilities)
    • add so much value to companies, that they become OWASP Paid Corporate members, not because it is the 'right thing to do' but because they get so much value from it that they don't want the 'OWASP train' to slow down
    • have a lot of resources available to them (with real/tangible benefits for being an 'OWASP project')
    • are given a 'fair chance' to succeed and mature (with 'non-performing/accepted' projects quickly removed), taking into account that a lot of projects are just a (healthy) way to create 'OWASP Leaders'
    • can be consumed from the developer's IDEs and integrated into the multiple SDL phases/activities
    • can be consumed from 'cloud services'
  • multiple ecosystems targeted to specific languages, frameworks and communities
  • OWASP chapters that deliver regular training sessions and 'hands-on' workshops to their community
  • universities that teach OWASP materials (and that share them for others to use)
  • colleges/schools that use OWASP materials to create a new generation of developers and security professionals that have passion, love to hack and respect the art of 'creating secure code'
  • OWASP conferences that bring together the OWASP leaders (in a very non-cost-effective way) so that those leaders can work together, present their ideas and meet their users
  • OWASP conferences/chapters that do presentations under a TED-like format (15m max), with their videos reaching wide audiences
  • OWASP conferences/chapters that publish: books of their presentations, academic papers, panels' conclusions/recommendations/action-plans
  • co-organised events at non-OWASP conferences (especially at developer-focused large conferences)
  • lots and lots and lots of OWASP booths at non-OWASP events (in fact every 'mid size' OWASP chapter should do it at local conferences/events)
  • an 'OWASP leader hospitality program' that looks after OWASP leaders when they travel (to OWASP events)
  • very few (if any) cases of 'OWASP leaders burned out' (this usually happens to conference organisers)
  • strong demands on its project leaders/contributors to present regularly at OWASP conferences and chapters
  • a 'project reviewers/users' community that works with OWASP projects in reviewing, mentoring and using those projects
  • a 'serendipity' social graph engine that connects OWASP leaders/contributors with each other (when they are traveling around the world)
  • multiple mobile apps that make OWASP 'goodness' easy to find and consume
  • very few barriers of entry for new ideas to occur (and projects and chapters to be created)
  • low tolerance for non-performing activities, projects, chapters or 'leaders' (i.e. when something is not working, remove/clean/break it very quickly)
  • an army of editors for the OWASP Wiki, with very high rigour and quality-requirements for its content
  • a much bigger OpsTeam (OWASP Operational Team) that makes this all possible, empowers OWASP's leaders and makes the hard decisions required to keep OWASP's community working
  • a much more transparent and open OpsTeam where 99% of emails and other OWASP related activities are published and easily consumed (think email boxes published with read-only/viewing privileges)
  • a model where OWASP leaders are empowered to make financial decisions/commitments and spend the available OWASP funds in the way they believe is best, with no (or very few) questions asked and very fast approval cycles (see the GSD project for details)
  • a reputation-based trust model where OWASP leaders/contributors are highly respected (and valued) by their peers, employees and industry (think StackOverflow points/badges solution)
  • a high standard for 'what is an OWASP leader' based on respect, talent, energy and deliverables
  • a model where it doesn't matter what title an OWASP leader has, but what he/she has created or delivered
  • a number of certifications based on the model described in the OWASP Red Book, and wide adoption of the other books: Green, Blue, Yellow, Purple and Gray
  • lots and lots and lots of writing on OWASP's and WebAppSec ideas, topics, strategies, etc... (both in agreement and disagreement with what is happening). The resulting arguments (both pro and con) should then be consolidated into easy-to-consume, distributable packages
  • a large number of isolated 'OWASP houses' where it is possible to go and spend dedicated time just coding, learning, collaborating, debating, fixing apps, breaking apps, writing SAST/DAST rules, etc...
  • invested in developing software security talent under Mark's or similar programs
  • the OWASP CheatSheets available in a number of formats (book, tablets, mobile, IDEs)
  • helped to create a set of common schemas and rules for the multiple SAST, DAST and 'everything in between' tools
  • a website that is easily consumed and its content forked (with the content available as git repositories)
  • a collaborative/thread discussion environment (think StackOverflow or Reddit vs the current mailman solution)
  • a proper OWASP books collection and distribution on major bookstores/eStores (as per the original vision and design)
  • a place at the table on the most important web application security related discussions/threads
  • multiple summits where everything comes together and everybody is working 100% on the areas they are passionate about, collaborating with other like-minded individuals and creating magic
  • regular 'OWASP Tours' where multi-city/country events allow ideas/projects to be presented, debated and improved
  • an active role in the evolution of the new generation of fast-deployment-SDLs (in public or private clouds) with security baked into the 'deploy' workflow
  • a number of standards that allow the pragmatic evaluation of security services (by commercial vendors) so that the best ones are rewarded for their excellence
  • a standard for the first generation of Software/Application Security Labels that would allow consumers to make informed decisions
  • helped and accelerated the shift of focus/investment from 'Network Security' into 'Application Security'. Note: this would expand the current AppSec market by 10x (and OWASP by 10x)
  • helped to bridge the gap between the application security industry and the software-development industry, so that they realise that the tools (and services) currently provided in the AppSec world can add a LOT of value (after a couple of tweaks). Note: this would expand the current AppSec market (and OWASP) by another 10x

The best part is that this is all doable because OWASP already has enough funds, community, brand and people to kickstart this.