Saturday, 12 January 2013

OWASP Principles based on NHS?

For a while now, my view has been that OWASP's Mission, Focus and Vision should just be: "WEB APPLICATION SECURITY".

That's it. OWASP's community and scope are so wide (a great thing) that trying to be any more specific will end up in a massive thread and an unproductive discussion (where just about everybody will be a bit right about something).

If you look at the current text on the OWASP home page (which I helped to write), it says:

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

I don't really agree with this mission, since, for example, I think that OWASP's should be "Making Security Invisible (by Becoming the Developer's Best Friend)". I.e. invisible, not visible :)

Also, where is 'writing secure code' in that mission? :)

That said, there is (some) value in documenting and talking about values and principles, so while writing the posts Private threads are SO inefficient, Application Security Knowledge is available at the point of Need and Password Hashes over SSL, I had a look at the NHS core principles and constitution, and I wondered whether we could rewrite them for OWASP :)

Here are the seven key principles that guide the NHS, rewritten 'OWASP style' (the NHS wording is replaced with its OWASP equivalent: 'NHS' becomes 'OWASP', 'clinical need' becomes 'Web Application Security need', 'patients' become developers, security professionals and application consumers, and 'taxpayers' money' becomes OWASP's funds):
  • OWASP provides a comprehensive service, available to all irrespective of gender, race, disability, age, sexual orientation, religion or belief
  • Access to OWASP services (and knowledge) is based on Web Application Security need, not an individual's ability to pay
  • OWASP aspires to the highest standards of excellence and professionalism
  • OWASP services must reflect the needs and preferences of developers, security professionals and application consumers
  • OWASP works across organisational boundaries and in partnership with other organisations in the interest of application security, local development communities and the wider population
  • OWASP is committed to providing best value for its funds and the most effective, fair and sustainable use of finite resources
  • OWASP is accountable to the public, communities and professionals it serves
This would, of course, mean that OWASP's OpsTeam (the current employees) takes a much stronger role, and that the OWASP 'machine' is given the resources and authority to become the strong, services-oriented team that it wants to be.

A key challenge will be to do this without paying OWASP leaders (the NHS does pay its doctors), which in my view shouldn't be done. See Why OWASP can't pay OWASP Leaders and On how to get paid to work on OWASP projects.

Maybe I should add these principles to the list I wrote at I wish that OWASP in 2014 ...