I am standing again for the OWASP Board, again representing the Asia Pacific region, which is a huge growth area for OWASP globally. The growth opportunities in Australia, New Zealand, Singapore, Japan, Malaysia, Philippines, and in particular, Indonesia are immense.
My goals for OWASP is to transition us from a small fast growing non-profit to a healthy sustainable non-profit, a future OWASP where we can directly employ OWASP Leaders to work on their projects, chapters can use their funds to help employ Foundation staff to help them grow, and we have 4 global and at least 10 large regional events worldwide.
My election platform for 2017 – 2018 is:
Sound financial management and growing OWASP to $5m per year by 2019. I have been OWASP’s treasurer in this last year, and for the first time in a long time, OWASP has had a treasurer with an active interest in finance and how we can best manage our funds. With sound financial management, OWASP can grow and do all the things that I and other candidates will promise. Without sound management, and keeping a lid on administrative expenses, we will go out backwards. We had some moments this year, which I hope we can start to avoid as we grow in future years. My goal for 2017 is to have a solid year on year revenue growth whilst keeping a lid on expenses, which will then allow us to do amazing things in 2018. We need to do some big ticket items in 2017 – including a web site revamp and go from 2 to 4 global conferences, as well as change the model by which we help and fund regional conferences. Conferences are a major profit centre for OWASP, so we have to get this right, as we carry a lot of debt for these conferences until all the bills are paid. But get it right, OWASP’s mission is achieved – awareness, training, outreach, chapters, members, and projects all benefit from sound financial management. I have this experience, and I want to continue on as Treasurer if re-elected.
Developers. OWASP was originally a developer centric initiative, but as we grew, the breaker and defender community materials and projects took front and centre. That focus led to us being where we are today, but we have lost a core part of our mission – developers. Too few developers know about us, and yet we are the go to source in every pen test result conducted worldwide. Too many of our developer centric materials are woefully out of date. I propose to establish a program of works to ask developers and listen to what they need, and then work out what we can re-use, re-vamp, or retire. This will be a major focus for me in 2017-2018, and I hope we can one day again be the first in mind of all developers.
Greater education outreach. I recently put up a successful motion to establish an OWASP Education platform, which I will be a plan into place by the end of the year, and funding properly next year. I see OWASP’s future in having the most up to date training and associated developer materials, as this is our Members #1 request – more training. I want the OWASP Education platform to be a place where free and paid training, webinars, and a one stop shop for all our of education materials. This is yet to be worked out exactly how it will work, but I hope to have this as a membership benefit – that members get access to all free and paid materials, with a certain number of paid material hours per year. And as a positive side note, OWASP members can enrol to be trainers in their local regions, be trained and give OWASP training in their area. This is a huge win for everyone, and will allow OWASP to go to the next level.
Tertiary syllabus and outreach. As a logical outgrowth of our Education platform, I have long advocated for a “train the lecturer” and to provide completely free and open teaching materials and to bring our main materials up to scratch so they can be used in a tertiary course setting, either as a semester long course in application security, or as a major in a three year degree, and eventually, establish a masters by research program, where OWASP helps provide both supervisors and mentor existing PhD supervisors who may struggle to understand what their students are researching.
Projects. OWASP will soon cross the $3m / year in annual revenue, and I see a day where we will have $5m/year revenues. As long as we keep a lid on expenses, this should be entirely spent on our mission, which should mean at least $1-2m a year on projects. I want to be in a position where OWASP Project Leaders can apply for a grant to work on their project full time for a period of time (say 3-6 months) to get the next version out or to make their project a Flagship project. Working with our Senior Technical Project Coordinator, successful projects will define a roadmap of agreed deliverables, apply for a grant to work on it, and then take a sabbatical from their day job to complete the agreed piece of work. To fund this more fully, we need to have better sources of project funding, to put projects front and centre when joining OWASP, during Conference selection, and to ensure that we go get corporate sponsorship – which may make it easier for individuals to work on things our corporate sponsors want to be improved.
Diversity. OWASP’s job here is not done. I hope with a renewed Board in 2017, I will be able to resolve OWASP’s embarrassing lack of female keynote speakers, and frankly statistically impossible male:female ratios for things such as conference paper committees. That I am extremely disappointed that I haven’t been able to convince a majority of my fellow Board members OWASP these last two years, where the meritocracy fallacy is acceptable as a status quo was brought up more than once. As a Board, we have a responsibility – and must actively change – to reflect our industry’s diversity: in gender, ethnicity, geography, in all diversity aspects. Organisations with a diverse Board always do better than those dominated by white men, so I look forward to working with a new Board, hopefully this time getting needed reform through. OWASP members can help with this goal – please elect women and folks not from the US to the Board. We are a global organisation, and our Board should reflect that.
Chapter reform. I want OWASP and awareness of OWASP to grow in its own right. We are faced with many of our chapters drawing on OWASP funds, but promoting themselves as “Security meetups” or indeed as another brand entirely. This is a terrible waste of OWASP’s funds – we are not a piñata to be hit when another group wants money. I will be working shortly to ensure OWASP’s branding and message is front and centre of all that we do, and re-energise our chapter base.
Funding the website revamp. We need a new website, and I will be working with Tom Brennan to establish a strong budget to get this done by the first half of 2017. It’s not as easy as reskinning our MediaWiki, we have a LOT of material that a LOT of people and other standards use and link to, so we can’t just retire things.
If you have any questions relating to my platform, or indeed anything about OWASP or OWASP’s finances, don’t hesitate to ask away in the comments, or on Twitter (@vanderaj) or on Google+ (+Andrew van der Stock).