At yesterday's OWASP Board of Directors meeting, I resigned my board position.
My passion is and always has been for a community that is laser-focused on building a curated set of consistently high-quality, practical, open-source solutions to security problems faced by software developers building software in the wild. In my opinion, OWASP is, and always has been, predominantly focused on building projects for the security community itself, and in recent times an increasing number of projects, approaches and decisions mainly benefit security consultants and vendors. Said another way, I think it largely scratches its own itch.
While everyone on the current board agrees that change is needed in a variety of areas, and is working in a positive way with positive intent on behalf of the community, I was voted in on a manifesto of radical change. After 90 days, I came to the conclusion that my views on where OWASP is today, what needs to change, the urgency of that change, how that change should happen and how OWASP should operate are very different from those of the majority of the other board members, and in an organization where change happens through majority board votes I simply won't be able to make that change happen.
I certainly appreciate, and in fact have a reenergised understanding of, many of the advantages and the magic of the current OWASP structure. It means that anyone can create a project, which encourages innovation and new ideas, and from which several standout projects like ZAP, Dependency-Check / Dependency-Track and CycloneDX have emerged. It also means that anyone can create local meetups and talk at local meetings. It is, for the most part, organised and self-governed, where the barrier to participate is essentially zero.
That model, however, has some very real disadvantages, which have resulted in a very large number of 'mixed quality', uncoordinated projects. Similar issues are true of local chapters.
Another model is a centrally-funded, centrally-organised community that can attract and generate funding to invest in a focused, planned and coordinated set of sustainably high-quality projects. That is a fundamentally different type of community, with a different governance model, different funding model and different operating model, and it will result in different outcomes than OWASP.
There are clearly advantages and disadvantages to both types of community. They benefit different people, focus on different outcomes, and operate in very different ways.
Rather than pushing for that radical change at OWASP to move from one model to another, I am going to focus my time on exploring creating that different type of community. I think it should, and could, work in a positive way with OWASP, and I hope it will; if done right, it will help the tide rise for everyone. It's not competitive, nor should it be; it's just different. Different horses for different courses, as they say.
It's not going to happen overnight and I will continue to support and help the OWASP board and OWASP community in any way I can.
Application security research | development | leadership
1 year
"I was voted in on a manifesto of radical change" < Is this anything you can share, or perhaps I missed it? I'd be interested to read.
Cybersecurity | AppSec | SDLC | Chair AppSec SoCal | Chair Planet Cyber Sec Conference
1 year
Sorry to see you go! I know it would have been a slog, but I hoped you'd stick it out and get some converts on the board along the way. Unfortunately, this isn't happening now and OWASP will stay on its current path to who knows what...
DevSecOps specialist at Achieve.com
1 year
What happens is that at this stage, OWASP is ready for a visionary leader. Without one, the entire org is just a collection of talents, but no team.
Security Architect, Technical Leader, Security Leader, Cloud Transformation, Cloud Security, AppSec, Container Security, DevOps/DevSecOps, Enterprise Security
1 year
Just so I'm clear... after that whole idealistic campaign, which actually prompted me to start re-engaging with OWASP... you gave it a whopping 90 days, didn't immediately get your way, and then packed up your toys and left? AND you're saber-rattling that you'll just go off and start your own org? FFS Mark, I am beyond disappointed.
Mark Curphey, let me know how I can help and support you in creating this new community.