Standing for the OWASP Board

I have formally submitted my name to be in the Board Elections 2014.
I am standing for:
  • Reforming the Board. We need to improve the independence, ethics and dispute resolution processes. I will be a root-and-branch reformer and will encourage the Board to make a couple of the positions available to truly independent directors. I will be encouraging all current and future Board members to undertake an Institute of Company Directors course to understand their duties, and the way those duties integrate with the Foundation they are responsible for.
  • Inclusion. I want OWASP to adopt one of the many fabulous inclusion policies for our community and our conferences. Everywhere you look, such as Reddit or Slashdot, it’s all too easy for the odd bad apple to come in and ruin a working community or local group with unnecessary drama. We need to make sure our policies and standards are inclusive of all who want to participate, regardless of merit or standing; but this has an important caveat – not at any price. We need to make sure we are an open and safe community for all of humanity, those from outside the USA, regardless of gender, sexuality, religion, politics, ethnic background, and all the other ones I’ve missed.
  • Projects. We must broaden our church to be truly inclusive of modern web applications, web services, cloud, system, embedded and mobile. I propose the Board create a process for RedBook style short intensive workshops of 1-2 weeks where projects can ask for funding to move their project to completion or a much higher state of quality. This should be backed by industry participation, ensuring our core deliverables are actually useful to developers and architects. The days of funding anyone but the content creators must end. We need to be famous for our developer centric projects, and these projects should be immediately useful to developers and their teams.
  • Standards. We need to be the trusted advisor to PCI, NIST, and ISO. This is not an easy path to take, but if we are not at the table, we become irrelevant. Additionally, we have an opportunity to take our flagship standards products (Application Security Verification Standard and Proactive Controls) and plug a market hole for easily applicable advice to developers. Developers don’t read ISO 27034, they don’t read PCI DSS. They should be reading and using our materials.
  • Education. We need to create University-level courses (100, 200, 300) with the help of a university educator. I propose that we ask a range of universities to come to AppSec USA and start the process of formulating a curriculum, which once completed will become the default standard university curriculum for application security.
I know there are excellent candidates already. I encourage you to ask them their positions on reforming the Board, Projects, Standards, and Education. With your vote, you get to choose the future of OWASP. I want to bring us back to our core mission of being relevant to developers, the literal standard bearer for all application developers, and the thought leader for the next generation of contributors and supporters.
I will expand on these points in future blog posts over the next week or so, as well as providing links to assist you in voting early.