Web Admin Blog Real Web Admins. Real World Experience.


My First Six Months as an OWASP Board Member

When I first put my name in the hat for the OWASP elections in the fall of 2013, I thought I knew what I was signing up for.  I thought that my seven year history with the organization in a number of different roles (Chapter Leader, Chapter Committee Chair, AppSecUSA Chair) had me well prepared for the duties of an OWASP Board member.  I told my wife that it wouldn't be a big deal, mostly something that I could do in my spare time while at work, and that it would feel good to be able to make a difference on a bigger scale than I'd done to date.  I ran for the Board on a platform of wanting to support the growth of the OWASP chapters around the world and wanting to drive visibility, and ultimately buy-in, back to the community.  I told myself that as passionate as I was with these things as a community member, it was time to either put up or shut up.

Here I am, six months later, as an elected member of the OWASP Board of Directors and I can honestly say that no prior experience could have prepared me for this.  It's not a good thing or a bad thing, it's just very different than I expected.  As a community member, I remember being at the AppSecUSA conferences and struggling with how to introduce myself to these "famous" OWASP Board Members.  I was a just a chapter leader struggling to come up with ideas to engage the Austin security community while these guys were literally trying to change the world.  They were the figurative "Rock Stars" of my little security world.  Needless to say, I see things a bit differently now, but it's probably not what you think.

When I look at my fellow Board members, I do still see those "Rock Stars".  I can't even begin to tell you how much I look up to guys like Jim Manico for literally spending every day of his life trying to make the world more secure.  I constantly have to tell myself that even though I don't consider myself a security rock star, the community saw something in me and put me on the Board for a reason and I continue to hold myself responsible for executing on the platform that I laid out in my election materials.  But what I've come to realize now, that I didn't realize before my election, is that even though it feels the other way around, it's really the community, not the Board that holds the power in OWASP.

When I look back at the discussions that we've had as a Board over the past six months, other than setting strategic goals, the vast majority of our meetings have focused on operational and governance issues.  Through this process, I have come to the realization that while extremely important to keeping OWASP, as a non-profit organization, afloat, this isn't the kind of exciting world-wide impact stuff I thought I had signed up for.  As an example, my first two months as a Board member were spent in large part re-investigating a situation that a previous Board had closed the books on long ago.  In the process of trying to help the individual involved, I was twice accused by that individual (and acquitted) of violating OWASP's Code of Ethics.  Talk about gratitude.  Since then, it seems like it's been putting out one small fire after another.  More recently, I've spent many hours working with the Board and the Executive Director to grapple with an employee who resigned from the organization only to have members of our community question whether we, as an organization, did enough to keep them here, without knowing all of the details.  It blows my mind how the Board can have unanimous support for an item, feel confident that it's in the best interest of the organization, and still be called into question as to whether we are somehow being underhanded in our decisions.  It's like we sometimes forget that the Board is made up of seven people, from all over the world, with vastly different beliefs, desires, and even visions for OWASP.  If you can get that many people, that diverse, on the same page, then there's something to be said for that.

So, I guess in a nutshell what I'm saying is that while I feel that it's quite the privilege to be serving on the OWASP Board alongside some of the people I respect most in this industry, there is definitely a part of me that feels like the stuff that OWASP does that has the most profound impact on global security isn't what we do on the Board, but rather, what the community does in our Chapters and Projects.  The Board is there to support you, the community.  To create the policies to make you successful.  To provide the staff to make your lives easier so that you can spend your time doing things that accomplish OWASP's mission.  In addition, I want to dispel any notion that the Board is some sort of an Ivory Tower.  There should never be an "us vs them" mentality at OWASP because the Board is made up of people who have been, and in many cases still are, in the trenches right alongside the community.  The Board, to put it simply, is just a group of Chapter Leaders, Project Leaders, and other members of our community who, like me, decided that it was time to put up or shut up.  People who, for whatever reason, the community elected as our leaders to evangelize the OWASP mission and make the community that we hold near and dear to our hearts successful.  To think that anyone would volunteer to be a Board member only to destroy our community is absurd.  While I may not necessarily agree with everything my fellow Board members say or do, I have never questioned their loyalty to OWASP and I hope you don't either.

With all of the above having been said, I feel that it's also important to say that being an OWASP Board member is also an amazing opportunity to be a catalyst for change.  Over the past six months the Board has stepped up to the task of driving visibility and control back to our community.  We've instituted a new polling system that the Board have used to take the pulse of the community on key issues.  Michael has taken on the responsibility of weekly calls with the community in order to keep them informed of key issues and allow them to provide feedback.  And we are currently working on bringing back the committees under a new structure that will encourage participation and empower our leaders to take action.  OWASP even won the SC Magazine Editor's Choice Award at this year's RSA Conference.  Regardless of how you've felt about OWASP in the past, I feel quite strongly that the future for OWASP is so bright we're going to need a good pair of shades.

So, I'll end this post very similar to how it began.  The OWASP Foundation is currently accepting nominations for the OWASP Board of Directors.  If you've ever felt passionate about Information Security or felt like you have big ideas to make OWASP a better community, then now is the perfect time to throw your hat into the ring as I did.  I can't promise that it'll make you a security rock star.  I can't even promise that the work is glamorous.  And my experience, thus far, has been that it's been countless hours of volunteer work with little appreciation for what gets done.  But, what I can promise, is that OWASP is making the world a better place and the Board plays a vital role in making that happen.  You, too, can be a catalyst for change.

Comments (10) Trackbacks (0)
  1. Yet again, the tone of this entire post is “I’m above you all, and I’m here to support you. Now work”.

  2. Abbas, I’m not sure what you have against me or why you keep taking my comments to mean something they do not. To the contrary, I am extremely humbled to have been elected to the OWASP Board and consider myself a servant of the community. It was exactly this type of “Us vs Them” mentality that I was hoping to dispel by my post. Can you please help me to understand where you feel that I went wrong here?

  3. Thx, Josh! Was a good read. I appreciate your down to the earth view.

  4. Abbas, I don’t know you. I do, however, know Josh. Josh, in my opinion, is a “rock start” here in Texas. I can, and do speak for this Great State – some even call it a Nation. Josh has been instrumental in Austin, mostly through his work at OWASP, but he participates in various other security groups in the community (ISSA, BSides, etc). Abbas, what I read was a humble, honest write-up on his work and experiences. I got Josh’s back and support him 100%.

    So take a chill pill and turn the negative comments into positive action.

    You’re doing a great job! I look forward to running into you again soon amigo!


  5. I agree with Abbas. I find you to be very mesogynistisic, as if you are better than women in OWASP? We are part of the community too!

  6. Wanda, I’m speechless. I have never said anything, to my knowledge, indicating I am better than women in OWASP in this post or otherwise. Or even outside of OWASP for that matter. Can you please provide me with an example? With a wife and four young daughters, I feel like, if anything, I’d swing the other way, but maybe I’m missing something?

  7. Wanda, I will say that while I consider myself very open to constructive criticism, and absolutely want people to tell me if they have an issue with something that I’ve said or done so that I can improve upon myself, I’m not particularly fond of people who trash talk others while hiding behind anonymity on the Internet. Male or female, doesn’t matter, but hiding behind Tor nodes and fake names doesn’t do anyone any good. If you ever decide that you’d like to actually talk about this so that I can help to change your mind about me, then I’m sure you know how to reach me.

  8. Josh,

    I am continually impressed with your hard work and dedication on the OWASP board. You are one of the most active members on the OWASP board and you dive into the most difficult of issues without blinking. We are very lucky to have you and your dedication on the board.

    I’m honored by your statements above, thank you. Like you I care about OWASP and am doing my best to make decisions that are in service to the community and our shared mission. Even when we disagree, I know you are always doing your best to make decisions that are most helpful to the community and our mission of application security awareness.

    Thanks for all you do.

    Jim Manico
    OWASP Board Member

  9. Thank you for the interesting insights into what goes into making an organization (and a community) like OWASP run. Your view is humbling and inspiring at the same time – that it is the Chapters and the Projects that are making the real difference – while the Board is supporting / facilitating.

    FWIW, I don’t find anything in here or in our various mailing-list-convos that hint at any misogyny or holier-than-thou-ism from you. Perhaps some of the dissent and unpleasantness is a result of diverse cultural backgrounds, views and priorities.

    Thank you for stepping up and doing your bit to make OWASP a better place.

  10. Well Josh, you’re a better man than I. I got turned off of participating in nonprofit leadership a long time ago – it brings out people willing to go nuclear over the lowest stakes imaginable. I’ve participated in several, and seen the all too frequent psychos, malcontents, and ingrates both sitting on nonprofit boards and also on the outside hassling the leadership and it makes me dislike humanity to the point that I ask “why am I giving of myself to benefit these people again?” Reading some of those OWASP threads gave me some pretty significant flashbacks.

    I still help run user groups and such, but only up until someone says “we really need to incorporate as a nonprofit and have a charter and board and bank account” and then I bail. In general I feel that 99% of the benefit is derived from those local user groups that let practitioners meet and learn from each other, and those don’t need organization greater than a couple people with the starch to tell the weirdos “no” and the GTD skills to get a venue and announce some meetings.

    Having said that, I certainly hope OWASP can overcome its hurdles because with the OWASP Top 10, ESAPI, and AppSec they have added value to the greater security community beyond just the user group aspect. You just couldn’t pay me enough to be on the Board :-).

    While Josh (like pretty much everyone in the security industry) doesn’t always express himself in the absolute most perfect way, I’ve known him for many years – heck, we got Austin OWASP kick-started together back in the day because he and James were interested in information security and wanted to learn more and get deeper into the field – and he’s always had a passion to help out the community and advance the state of security and its practitioners. People are inspired by other people doing more either to a) do more themselves to meet their example or b) to tear down those people to justify their inaction. Josh has always been the former type. The world needs more of those. Don’t be one of the latter type. No one likes them.

Leave a comment

No trackbacks yet.