What do you want OWASP to be
This page is a placeholder for OWASP leaders' responses to the following question:
OWASP project leaders, chapter leaders and members: as OWASP grows, what do you want it to become?
- A certifying and CBK type pseudo-company like (ISC)2?
- An open source project organized along the lines of Debian, Apache, or a similar group that owns a set of projects?
- Does OWASP want to certify apps, testers, both or none? (I've seen all POV advocated)
- Who will be required to pay what kind of dues, if any?
- How formal of an organization will OWASP become?
- Is the status quo preferable to the proposed change?
For the newer members of this list, here are some pages which you might find interesting:
(Please add your local chapter and put your comments under your local chapter heading)
NY/NJ Metro 10/31 - Under review by membership and local chapter leaders, pending comment
Belgium Nov-1 - Pending comments from Belgium mailing members and board members
Helsinki, Finland Nov-1 - Waiting for comments from mailing list members
- I do not think OWASP is the right place to perform certifications. It makes us ‘lawmaker’ and judge at the same time. What OWASP could/should do is propose a certification scheme / criteria input for other parties. This is even a project: http://www.owasp.org/index.php/SpoC_007_-_The_OWASP_Web_Security_Certification_Framework ?
- Organization wise, I like the http://www.apache.org/foundation/how-it-works.html. The organization should not be the goal: it is there to support achieving the goals. My vote for Apache like organization: +1
- OWASP has been driven by volunteers, who invest personal time: that is worth far more than a membership fee. Let’s keep this separated.
- Over-regulation kills creativity and scares volunteers away. We should keep it very easy for people to start new projects or new chapters. When the projects/chapters grow, the contributing people and project leader(s) can regulate themselves if it is necessary to guarantee continuity. By providing some practical how-to’s and working examples instead of rules, OWASP provides the framework for successful projects/chapters.
- Some projects and chapters will ‘die’: how do we detect this and make this visible? It should be clear for OWASP users/visitors what the project / chapter status is. Define a few measurable criteria that taken together provide a good insight into the project/chapter status.
- No response from list members; the following is from Stephen de Vries (project lead)
- The Top 10 has been widely misused and misquoted as a Web Application Security Standard. This obviously indicates that a standard is what the industry is looking for. Re-working the sec. dev. guide and the top 10 project to produce a set of web app standards would be an excellent start. But, I don't think it is OWASP's role to verify compliance with, or to certify applications/products with these standards - as that would open a huge can of worms and require considerable changes to how OWASP is funded and staffed.
- The same approach as above could be applied to other aspects of app security, such as secure development. I.e. create the standards formally and provide resources around their implementation, but don't actually certify anything.