Matt Tesauro

As you consider how to cast your vote for the newly created 6th OWASP Board Member, I thought I'd put a bit about down about my past involvement with OWASP and where I think OWASP should be heading in future.

Future directions for OWASP
I'd break my thoughts on the future direction of OWASP into two distinct areas: Long term direction and goals & short term specific items.

Long Term Direction and Goals

 * Increase the OWASP community
 * OWASP needs to work on the following issues to maximize its community
 * Identify how to divide the community into teams
 * These would be 'below' the Global Committee level but above members/chapter leads/project leads
 * Teams would also help to further diversify the community
 * e.g. a graphics team, marketing team, ...
 * Find a clear and effective method for the teams, global committees and the board to communicate
 * Its hard for Global Committee members to communicate with the board as a group – the list is closed.
 * Good clear communication channels are paramount for OWASP to scale upwards
 * Make sure that OWASP is a compelling choice for potential projects/chapters
 * Find and fulfill the needs of project/chapter leaders
 * Show and/or list the reasons why you'd want to host a project at OWASP or start a local chapter
 * Bring this message outside our community to other related groups – programming conferences, software engineering groups, ...
 * Reach out to other related groups to increase the community
 * People in our target audiences can be brought into the fold
 * Coders, Testers, Auditors, Project Managers, Industry, ISVs, ...
 * How many IT things have web-based management interfaces? Those companies are potential members, contributors, or users.
 * Better define the scope of the Global Committees and the newly created teams (mentioned above)
 * Demonstrate, list and otherwise encourage the use of the opportunities offered by joining the OWASP community
 * Produce a Code of Conduct for the community
 * Sets expectations for the community as to how discourse should occur.
 * Will become increasingly important as the community grows
 * Tailor appeals to specific audiences - including grouping projects for various audiences
 * Coders
 * Testers
 * Auditors
 * Project Managers
 * Industry (ala PCI)
 * Set a specific direction from the board
 * Short, medium and long term goals
 * Get someone external in to work with the board
 * I have a source for this who is willing to work only for direct expenses and who has consulted with boards of fortune 500 companies
 * Deliverable from this meeting are the goals for the short, medium and long term
 * Ensures that the work of the global committees is in line with OWASP as a whole
 * Provides a yardstick to measure OWASP's progress overall
 * Education is HUGE
 * OWASP CBT (computer-based training) project would be a huge plus for OWASP
 * University program need more effort/focus
 * In University is the best time to reach programmers
 * Industry is HUGE
 * Really need to drill into the issue of what OWASP can do to demonstrate value to businesses
 * When businesses see this, they'll have a reason to be a sponsor.
 * Find examples of “what they are buying”
 * Find places where OWASP provided 80% to 90% of what they need-
 * e.g. A previous employer funded the GPL'ed development of Moodle's individual class backup system because that was a required feature. Since the rest was already free, total acquisition cost was only $5,000.  Those are easy 'sales' to business for support.
 * Industry includes Government
 * Based on what I saw at AppSec Brasil, governments are starting to value app sec
 * OWASP would like find great traction with government outside the big two (non-US, non-EU) as happened in Brasil
 * Government is also starting to see the value in open content and open source.

Short Term Specific Items

 * OWASP Archive & web hosting in general
 * For details on this,see "Currently Working on for OWASP below
 * Sub-domaining owasp.org
 * Bring more projects 'closer to home' while increasing project leaders freedom to experiment
 * For details on this,see "Currently Working on for OWASP below
 * Re-think creating OWASP forums
 * OWASP is loosing a ton of good content in mailman posts
 * Many people will become 'contributors' by answering forum posts
 * OWASP forums as an open and free version of Experts exchange for application security
 * Forums as an initial draw of people into the larger OWASP community

Past involvement with OWASP
OWASP Live CD – SoC 2008 to present

There have been ~300,000 downloads of the OWASP Live CD since I first made my version available last fall. The OWASP Live CD is available as an ISO image and VM images for VMware and VirtualBox.

OWASP Podcast “roving reporter”

I've helped Jim Manico with the OWASP podcast by recording interviews at various conferences or over Skype. So far, I've done AppSec EU 2009, a couple of individual interviews and will be at AppSec DC 2009 with mic in hand.

OWASP Global Projects Committee (GPC)

I joined the GPC after the Portugal Summit. I've been very active in the GPC and was the principal author of the Assessment Criteria v2.

3 OWASP Testing Guide classes

I've created and will donate 3 classes on the OWASP Testing Guide. There are 1, 2 and 5 day versions of the class. Each class includes a schedule, handouts, slides, labs and 2 VirtualBox VM images – the OWASP Live CD and a server with vulnerable web applications called “Attack Me, Ltd.” These will be donated to the Education project at AppSec DC 2009.

Presentations about OWASP
 * OWASP Austin Chapter on Securing Sensitive Configuration Data in .Net
 * TRISC 2009 (Austin) on the OWASP Live CD
 * DHS Software Assurance Workship (D.C) on the OWASP Live CD
 * ISSA Austin Chapter on Open Source Tools for Security
 * AppSec EU 2009 (Poland) on the OWASP Live CD & OWASP ROI
 * AppSec Academia (UC Irving) on the OWASP Live CD
 * OWASP Austin Chapter on OWASP ROI
 * AppSec Brazil 2009 on OWASP ROI
 * AppSec D.C. 2009 on the OWASP Live CD

Currently working on

 * OWASP Archive – I'm working with the Open Source Labs to determine if OWASP could use their services to host an FTP mirror. The mirror would include the latest releases of all OWASP projects. It could also be expanded to hold conference material such as presentations and videos. The OWASP Archive would remove the risk of the project releases becoming unavailable should the project lead decide to no longer maintain the project. This is especially true for those projects which use non-owasp.org hosts to deliver their project files.


 * Sub-domaining www.owasp.org – I'm looking into the possibility of offering sub-domains of owasp.org to projects which have traditionally been hosted externally. Beyond being a nice perk to projects, this would allow projects that need more then the wiki can offer a method of remaining on owasp.org but offering extra options to their users. Some possible sub-domains that come to mind are o2.owasp.org, esapi.owasp.org, samm.owasp.org and livecd.owasp.org.


 * Converting the OWASP Live CD from SLAX to Ubuntu. This will allow for a much more robust and flexible Live CD. For each addition to the Live CD, a separate .deb package will be created and an apt-get'able repository will be created. The conversion will also allow for easy custom versions of the Live CD – for example, an OWASP ESAPI version could be created with ESAPI, the J2EE reference implementation, Eclipse and Swingset. This could be offered as an ISO or VM image.