Board Submitted Core Values

1. VENDOR NEUTRAL

Maintaining a unbiased and technology agnostic approach to solving application security problems.

Everything OWASP does should be free from undo influence of commercial interests. Input from vendors is fine, but OWASP should not produce anything that is clearly heavily biased or influenced by a vendor and our conferences and chapter meetings should not have talks that are heavily biased to a particular vendor or are advertisements for that vendor's products or services.

OWASP as an organization must always be aiming for reaching its goals while staying vendor- and political neutral.

2. OPENNESS

All the products created within OWASP must be openly available for use by everybody, without limitation.

All the OWASP community activities should be open for people to join and understand what OWASP is about.

Open, Independent, Respectful and Focused

everything at OWASP has to be free and open to everyone. The security industry has failed to make information about security open for too long. This has led to some profitable consulting companies, but is not good for the world. We need an accurate, well-organized, useful body of knowledge that is free and open for everyone.

Everything OWASP does should be free and open. There are some caveats to this but certainly everything we put up on our website(s) should be free. The only thing we charge for is membership (which is voluntary) and for attending our conferences and our conference training (which is also voluntary).

3. NON-PROFIT

OWASP does need an income to support the projects and organization, but should never be used for personal or organization monetary gain.

Everything OWASP does should be free and open. There are some caveats to this but certainly everything we put up on our website(s) should be free. The only thing we charge for is membership (which is voluntary) and for attending our conferences and our conference training (which is also voluntary).

4. GLOBAL

a global community of technical peers without prejudice to nation

A group of individuals working together to achieve a common goal where rough consensus determines the actions of the group.

5. APPLICATIONS SECURITY FOCUSED

Everything OWASP does should be related to application security in some way, such as tools, documentation, processes, buildling community, education, etc. There is a W in OWASP that stands for Web, and I think that should be our primary focus, web security, but I don't think it should be exclusively web security.

Enable the creation of Safe Applications

a global community of technical peers without prejudice to nation

6. COMMUNITY

A group of individuals working together to achieve a common goal where rough consensus determines the actions of the group

OWASP should work to include and accept as many members and projects as possible. We should serve as the incubator of projects from which will emerge many great things, and clearly some will not grow and thrive, but thats OK. This also includes being an international organization.

Having the best, brightest and passionate individuals working on concert to produce solutions to application security problems. Being the common body of knowledge for application security.

People are donating their precious time to OWASP in their free time. OWASP should never become a 'job', but must be a fun and engaging community to participate in.

7. OPEN SOURCE

The open source model includes the concept of concurrent yet different agendas and differing approaches in production, in contrast with more centralized models of development such as those typically used in commercial software companies.

A main principle and practice of open source software development is peer production by bartering and collaboration, with the end-product, source-material, "blueprints" and documentation available at no cost to the public

For our projects, allowing anyone zero-cost use, access to the source code, ability to redistribute and make derivative works.

All the products created within OWASP must be openly available for use by everybody, without limitation.

All the OWASP community activities should be open for people to join and understand what OWASP is about.

Connect the community and enable Serendipity, in order to accelerate the speed of change

8. VISIBILITY

Public in our actions and our work. Allowing for maximum transparency into our work and projects. Also, influencing open and transparent actions by all the players in the software market.

Transform Security Knowledge into Bussiness Intelligence

9. ETHICS


 * Perform all professionalactivities and duties in accordance with all applicable laws and the highest ethical principles;
 * Promote the implementation of and promote compliance with standards, procedures, controls for application security;
 * Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
 * Discharge professional responsibilities with diligence and honesty;
 * To communicate openly and honestly;
 * Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association;
 * To maintain and affirm our objectivity and independence;
 * To reject inappropriate pressure from industry or others;
 * Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or employers;
 * Treat everyone with respect and dignity; and
 * To avoid relationships that impair — or may appear to impair — OWASP's objectivity and independence.

10. EFFORTOCRACY

At OWASP, anyone can take on any project that is reasonably aligned with our overall goals. We are not a top-down bureaucracy. In fact, some have described OWASP as upside-down – meaning that the people who do the most work and produce the most value are promoted within the organization. We loosely follow David Clark’s idea that we “We reject: kings, presidents and voting. We believe in: rough consensus and running code”

OTHER DEFINITIONS

Mission-Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks

Expertise-Having the best, brightest and passionate individuals working on concert to produce solutions to application security problems. Being the common body of knowledge for application security.

Respect-Everybody's opinion and believes must be respected within the OWASP community. This allows for open and honest discussions on OWASP projects and activities.

Open, Independent, Respectful and Focused

Fun-People are donating their precious time to OWASP in their free time. OWASP should never become a 'job', but must be a fun and engaging community to participate in.

Transformative-Transform Security Knowledge into Business Intelligence

Workable Applications-Connect the community and enable Serendipity, in order to accelerate the speed of change

Enable the creation of Safe Applications

Make Application Security InVisible to developers and Visible to buyers

Ecosystem-A guiding philosophy is that security is not a product, is not a process, and cannot be forced, but is an artifact of a properly functioning ecosystem. In the past we have focused on the major market failure in software… visibility. But OWASP is here to help inspire, support, and grow both the “builder” and “breaker” sides of our ecosystem. This includes a belief in balancing implementation, verification, and management activities – instead of just focusing on attempts to “hack ourselves secure.”

Enable Innovation-We believe that security is critical to our ability to innovate in information technology, and reject the idea that security is opposed to usability, performance, or progress.

Embrace Responsible Commercial Activities – This is a tricky one. OWASP supports commercial activities consistent with our goals. And it simultaneously rejects attempts by commercial organizations to mislead, scare, or over claim.

Civility – We will not abide abuse of our community.

Risk Assessment-We promote the idea that organizations can and should take risks with information technology. Rather than fight risk taking, we intend to help people and organizations make informed decisions about the risks that they choose to take.

Inclusive-OWASP should work to include and accept as many members and projects as possible. We should serve as the incubator of projects from which will emerge many great things, and clearly some will not grow and thrive, but thats OK. This also includes being an international organization.

Independent-OWASP as an organization must always be aiming for reaching its goals while staying vendor- and political neutral.