I actually wanted to write a long email about this, but since I'm running out of time, here is the short version:
I just voted Abstain on the Board Election because I think that OWASP needs a new structure and the sooner we replace the current Board, Committees, etc. with something that works, the better.
When I stepped down from the Board 18 months ago, I did ask the other Board Members to also step down, since my idea was that if there was no Board, we would be faced with the 'nice problem' of coming up with a new model. Jeff was the only one that did it (I'm not taking the credit for it since he had his reasons), but the others stayed there and have since been re-elected or are part of the current election.
I had a big list of items that I wanted to raise (with more details on what is not working, areas that need to be addressed and ideas for the future), but I guess the two recurring themes are:
- Are we (OWASP) really doing our best with what we have? (just think of the brain power that exists at OWASP)
- Where is the dialog, debate, argument, passion about OWASP and AppSec? (for example, on this election, the only thing that we had were some podcast interviews (or the transcripts created via the GSD project), which I read, and... I'm actually not going to comment since I want this to be a positive email)
Another reason to vote Abstain is to go on the record that I don't agree with the current model and that (maybe) if enough OWASP leaders also vote Abstain, the required changes will happen faster :)
Now, if you are going to vote, I also think that you should go on the record about which candidates you voted for (by email or wiki or your blog).
This 'public vote of support' will create a two-way relationship between you (the voter) and the elected board member. It will be more transparent/open and will allow for accountability (which is another thing missing).
Note that I'm not saying that the current Board Members (and candidates) don't work hard for OWASP and help a lot. They do, just like a lot of other owasp-leaders. It's just that the current model is broken and if we really want OWASP to go to the next level and make a 'dent in the WebAppSec Universe' we need a new model.
Unless of course you think that all is great with OWASP, that we are doing the best that is possible with our human, financial and technological resources, and that no major change is needed. I don't happen to share that view :)
Finally, over the past months I've been thinking and blogging about OWASP, and since I know that some of you have 'owasp-leaders email overload', I didn't post all of them here.
Here is a collection of some of my thinking and ideas:
- An Idea of a new model for OWASP
- Some ideas for OWASP GSD Project
- OWASP GSD Project (GSD = Get Stuff Done)
- ROI on OWASP investment on Projects (ie paying leaders)
- Why OWASP can't pay OWASP Leaders
- Project Management at OWASP
- Why large OWASP projects start to stale (and who should pay for the work)
- Secure coding (and Application Security) must be invisible to developers
- Great description of why OWASP Summits are special
- Some proposed Visions for next OWASP Summit
- Summits must be part of OWASP's DNA
- I want to vote for a Summit Team+Vision, NOT for a venue
- 'Using the HTML5 Fullscreen API for Phishing Attacks', OWASP MIA and 'We need SAST technology for browsing the web safely'
- Great animation that shows how BootStrapToday works
- Big Security challenges with creating APIs for US Gov agencies
- To read: ENISA on 'National Cyber Security Strategies'
- Hack Yourself First: Jeremiah at TEDxMaui
- Trustworthy Internet Movement and SSL Pulse
- Blogger in HTTP only? What happened to HTTPS?
Enjoy AppSec USA (which is the first OWASP AppSec USA that I'm going to miss since they started), and please feel free to disagree with this email (and create some debate).