Today Tom Brennan (Twitter: @brennantom), Tobias Gondrum (Twitter: @tgondrom), and I (Twitter: @spoofzu) were all interviewed as candidates for OWASP’s Global Board of Directors. I’m not planning to write an interview spoiler before the podcast is published, but I want to follow up on the points I introduced in the interview that make me unique as an OWASP board candidate.
Reduce gap between security practitioners and developers
For the past 3 years I have been leading security for the Java platform at Oracle. Like many security leadership positions, my role was one of influence. One of the improvements I made was to include a full security track at Oracle’s JavaOne conference. Today security and development are largely considered two different disciplines, each with its own type of conference. The challenge with the approach is that developers with limited budgets are not likely to attend a security conference. After some thought, I considered the best way to close the gap was to bring the security conference to the developers – the security track at JavaOne was born. The first year of the security track I asked OWASP leaders Jim Manico (Twitter: @manicode) and Michael Coates (Twitter: @_mwc) for assistance, which they graciously provided. I didn’t have high expectations for the first year since it takes time to build some momentum. To my surprise, the security track did reasonably well in its 1st year with attendees and today it’s the 3rd most popular track at the conference. According to Frank Kim (Twitter: @thinksec) at SANS Institute, JavaOne is the first software developers conference to have a full security track. I’m proud of the security focus at JavaOne but it’s my strongest desire we start a trend and continue across industry. I’m not so sure moving a security track into every developer conference is the right way to go but I would like to explore different ideas to bring security closer to developers. For instance, today B-Sides hosts smaller security conferences in the vicinity of larger security conferences. Attendees at flagship security conferences can take in a B-Side conference by extending their stay slightly. Fitting two conferences into one is a lot easier on the budget.
Based upon the reception of security within the development community at JavaOne, OWASP can host smaller conferences alongside key developer events like JavaOne USBrazil, JavaZone, Devoxx, FOSDEM, and perhaps other venues where .NET folks hang. These are the types of ideas I would like to explore with the board.
New directions for OWASP
OWASP must evolve in new directions. I contend that if we educated all developers on security and provided many more helpful projects, it would not be enough to impact the quality of security throughout industry many of us desire. Security is a business quality problem and it can’t be solved with more code or even better code. At the moment, industry is positioned at a fragile juncture in its security journey. Many security experts see increased government regulations on the horizon. Others think cyber insurance will increase in popularity and the desire for the lowest rates will drive security improvements. Still others anticipate future legislative changes imposing product liability on the technology industry. One thing is certain: if industry fails to take action on security then they will also lose some control over their destiny. As a trusted partner, OWASP is in a unique position to assist by forging new alliances with industry and governments. OWASP will leverage its expertise to develop a voluntary industry-wide security program. The program will have means to encourage systemic improvement while remaining sensitive to industry concerns. My initial plan is a security program emphasizing a practical amount of transparency with a focus on security quality or results. Transparency is important to ensure industry maintains confidence in its software supply chain risk profiles. Next, a results-based approach to security provides OWASP the opportunity to influence industry while providing member companies business agility and flexibility to achieve their security objectives. Throughout the course of the program OWASP will measure the effectiveness of this new security program against progress of its members on security. Based on the program effectiveness and industry security trends, the program will be improved as necessary. Why will industry submit to a voluntary security program?
Industry must demonstrate leadership in security with remarkable improvements or industry will be led. Every day the cadence around exploitation increases. Customers are demanding more visibility into development and delivery of software products and services. In response, businesses are demanding more insight into their supply chain security. “Trust us, it’s secure” is no longer acceptable. There are also significant benefits for OWASP individual members like improved emphasis on security throughout member companies, more visibility in the board room, etc. At first, the notion of any transparency seems unnatural but I have been working on this for 3 years with the Java platform team. Java is largely open source, and we provide the public with a significant amount of information around the platform’s vulnerability management. The program fits well with OWASP’s approach for transparency in all it does but can be applied to industry’s benefit more broadly. I shared some of my thoughts but I welcome your ideas as well.
If you vote for me in the OWASP global board elections this fall you will be voting for someone who wants to bring security closer to developers and who desires to take OWASP in some new directions. It’s an ambitious effort for both myself and OWASP; certainly I will need some assistance, but the potential benefits for members and industry are large.