What do you want OWASP to be

This page is a placeholder for OWASP leaders' responses to the following question:

Question
OWASP project leaders, chapter leaders and members, as it grows what do you want OWASP to become?


 * A certifying and CBK type pseudo-company like (ISC)2?
 * An open source project organized along the lines of Debian, Apache, or a similar group that owns a set of projects?
 * Does OWASP want to certify apps, testers, both or none? (I've seen all POVs advocated)
 * Who will be required to pay what kind of dues, if any?
 * How formal of an organization will OWASP become?
 * Is the status quo preferable to the proposed change?
 * Other?

For the newer members of this list, here are some pages which you might find interesting:


 * About_OWASP
 * How_OWASP_Works
 * OWASP_brand_usage_rules
 * Chapter_Rules
 * Chapter_Leader_Handbook
 * Category:Chapter_Resources
 * Tutorial
 * OWASP_Education_Presentation

Answers
(Please add your local chapter and put your comments under your local chapter heading)

CHAPTERS
NY/NJ Metro 10/31 - Under membership and local chapter leaders review pending comment

Belgium Nov-1 - Pending comments from Belgium mailing members and board members

Helsinki, Finland Nov-1 - Waiting for comments from mailing list members

PROJECTS
Education (Seba)
 * I do not think OWASP is the right place to perform certifications. It makes us ‘lawmaker’ and judge at the same time. What OWASP could/should do is propose a certification scheme / criteria input for other parties. This is even a project: http://www.owasp.org/index.php/SpoC_007_-_The_OWASP_Web_Security_Certification_Framework ?
 * Organization wise, I like the http://www.apache.org/foundation/how-it-works.html. The organization should not be the goal: it is there to support achieving the goals. My vote for Apache like organization: +1
 * OWASP has been driven by volunteers, who invest personal time: that is worth far more than a membership fee. Let’s keep this separated.
 * Over-regulation kills creativity and scares volunteers away. We should keep it very easy for people to start new projects or new chapters. When the projects/chapters grow, the contributing people and project leader(s) can regulate themselves if it is necessary to guarantee continuity. By providing some practical how-to’s and working examples instead of rules, OWASP provides the framework for successful projects/chapters.
 * Some projects and chapters will ‘die’: how do we detect this and make this visible? It should be clear for OWASP users/visitors what the project / chapter status is. Define a few measurable criteria that taken together provide a good insight in the project/chapter status.

Java Project
 * The Top 10 has been widely misused and misquoted as a Web Application Security Standard. This obviously indicates that a standard is what the industry is looking for.  Re-working the sec. dev. guide and the top 10 project to produce a set of web app standards would be an excellent start.  But, I don't think it is OWASP's role to verify compliance with, or to certify applications/products with these standards - as that would open a huge can of worms and require considerable changes to how OWASP is funded and staffed.
 * The same approach as above could be applied to other aspects of app security, such as secure development. I.e. create the standards formally and provide resources around their implementation, but don't actually certify applications.
 * Continue to grow the wiki idea of security sharing for applications. OWASP is becoming the primary source of security information for web app vulns. The more developers and security experts start to view and update the OWASP site, the better.
 * Continue the focus on OWASP top 10 and other studies of web vulns. These top 10 lists/studies/reports are being used within company and professional presentations and credit is given to OWASP as the official source of web app info.
 * I think OWASP should offer some sort of professional certification. Perhaps it can be part of the OWASP conferences. Provide some sort of certification for the training tracks which are offered. These tracks are sources of great information which is specific to a technology. Why not offer either a certificate of completion or a test and certification? In my opinion, certifications from well known organizations will significantly drive conference attendance. (One reason why SANS does so well)
 * It would be interesting to explore the idea of certifying an app. I can envision the OWASP stamp of approval for an item that has been developed securely (whitebox) and passes all blackbox security tests throughout the development cycle.
 * Charge for conference attendance, sponsorship, certifications, product certifications
 * Charge for vendor attendance at conferences
 * I like the current idea of membership which provides the benefit for commercial license of OWASP projects. I think that's a good idea to continue pushing, especially as the OWASP projects keep growing.