Every few years I pop my head up and re-engage more actively with OWASP. This year I saw a bunch of chatter coming from the OWASP Summit about the need to be more developer centric and my interest was piqued again. I posted here and here. After a week of some healthy discussions it is time for me to slip back into the OWASP shadows again. I will be speaking at the AppSec USA conference in September (OWASP’s 10th birthday). More on that in due course.
OWASP holds a special place in my heart, but I am not convinced that the new momentum around ‘developers’ that I had hoped would emerge is actually fundamentally different from what is being done today. Why slip into the shadows and not try to influence it to be what you want it to be? If I have learnt anything about community, it’s that the majority drives a good community, and if you want to influence a majority who aren’t aligned with your way of thinking you have to invest a lot of time and energy to do it. I just don’t have that time or energy for the topic right now. People often say “I hope you prove me wrong” but don’t really mean it. I do. I really do hope that @JonWillander and crew prove me wrong and get a thriving developer community engaged, but it seems to me that there is still a very strong vulnerability-centric approach (prevention or discovery of vulnerabilities) as opposed to a focus on security as an enabler (the builder metaphor). It’s valuable stuff but simply not where my personal interests are or what I believe is needed, and so it’s time for me to slip back into the OWASP software security shadows for a while longer. I am sure I will surface again in the future.
Now, that said, what I did discover over beer and email is that there are a LOT of people passionate about OWASP who also think that things could be a lot better with some changes to the way the community works. I agree. For instance, @sourcecodesec told me that he would like a democratic way to run a local chapter meeting. He wants to be able to propose a meeting, have active local community members vote on what presentations are given, and have attendees vote on presentations / presenters. This would effectively democratize the chapter meetings process and avoid any local chapter leader having too much control over what happens at chapter meetings. You would effectively get a facilitator / organizer, with the local community democratically making decisions. I have thought quite a lot about this and I think that, as well as democratizing the chapter management process, a rewards system can ensure that good facilitators / organizers are recognized and rewarded. Chapter management is a problem I have heard about a number of times in a number of locations, so I am convinced this isn’t isolated, and I am convinced that an innovative social software solution could benefit all chapters and the project as a whole. I have also heard about other challenges, like OWASP members who would like to submit and read tool reports and even security reviews, but do so anonymously. This is also an interesting problem. How do you share data that you can trust without revealing identities and source? I have some ideas on this as well.
I am partnering with Marius Grigoriu on a side-project we are now calling Software for Humans, which is setting out to build an online community for people interested in online community and to explore exactly these kinds of community and social challenges across the spectrum of online communities. We plan to push the boundary on building social software, using the community to drive feedback and direction, and see if our collective ideas might work in code as well as on paper. We plan to go live with our site later this week (hopefully Thursday). Our software won’t be open source but is built on Ruby on Rails and integrated with many social platforms like Twitter and Facebook. It seems to me that building better community software is the most valuable contribution I can possibly make to OWASP while also fueling my passion for building social software. Cool, eh?