OWASP AppSensor Project/ProjectLeaderStatement-DennisGroves
What do you want to do with the OWASP AppSensor project?
I feel OWASP AppSensor is one of the most important and exciting OWASP Application Security ideas that I have seen in some time. I believe that fundamentally ‘the chain of trust’ does not exist in practice, and that all applications must operate in a hostile environment.
Another way of stating this is to say that the perimeter is dead. Many groups including OWASP, the Open Group, and WASP have been saying this for over a decade now. This is further evidenced by the numerous negative headlines caused by groups such as Lulzsec and Anonymous.
OWASP AppSensor is that first instantiation of and idea about how to deal with operating in a hostile environment. I say first instantiation; because I believe that in the future, the use of an OWASP AppSensor will be so basic that nobody will build an application without this pattern.
Incidentally, I believe OWASP AppSensor is a much greater pattern than the currently documented pattern. OWASP AppSensor is one of the first practical security architectures for security architects, a development design pattern for developers, and finally an operational practice for security operations once it is built.
I feel leading this project is a great opportunity to document and develop each of the pattern areas: Architecture, development & operations further. However such ambition is not done alone, it requires strong community support. I propose further development of OWASP AppSensor project begins by increasing adoption of OWASP AppSensor and growing the OWASP AppSensor Community.
Increasing Adoption of OWASP AppSensor
Increasing adoption begins with marketing the idea of OWASP AppSensor both inside and outside of OWASP. This requires getting OWASP AppSensor in front of as many people as possible. Marketing is a discipline in its own right; nevertheless, I plan on developing a message and submitting that message for talks at various shows around the world to increase adoption of the OWASP AppSensor.
Additionally, I think that seeking publication in more journals like we did in 2011 with Crosstalk, is a very important outreach initiative for this project. I believe that this increased exposure to the OWASP AppSensor is an important first step to both growing the community and increasing adoption of this project.
By increasing OWASP AppSensor adoption, reference implementations also increase. Also encouraging adoption allows OWASP AppSensor to overcome the barriers to adoption, by working with implementers to overcome those barriers. This makes adoption of the OWASP AppSensor even easier.
Growing the OWASP AppSensor Community
My goal is to build a developer community to participate in furthering the science behind the OWASP AppSensor concept. I think we can increase support and lower barriers to adoption through community efforts by championing the benefits of the OWASP AppSensor through its use in other community projects.
In addition, I see the opportunity to increase the projects with additional reference implementations and documenting the process. For example, we could create a reference implementation on our own Media wiki. How would that work? What would we learn that we could document for businesses wanting to adopt OWASP AppSensor for their legacy platforms? I believe such questions are fundamental to further increasing adoption of the OWASP AppSensor in industry.
Moreover, I believe we need to increase development of documentation for management, architects, developers, testers, and operations. Implementation of OWASP AppSensor in a commercial setting increases the touch-points across many teams, and at different stages of the OWASP AppSensor life-cycle.
As a community, we most efficiently grow through developing projects and information that makes it possible for security consultants to sell the concept of OWASP AppSensor to their clients, and the information to deploy it effectively. Our members and our sponsors are those consultants. Making it easy for our members and sponsors, makes it easy for them to recommend and support OWASP AppSensor.
The key message that I want you to take away from all of the above, is that I have a vision for OWASP AppSensor that is partly based on my experiences implementing OWASP AppSensor commercially.
Do you feel you have sufficient time to tackle leadership of this project?
I realize that many of the ideas and initiatives proposed here will take time to both instantiate and deliver. Truthfully, I think that one of the main issues with OWASP AppSensor is that the idea is so powerful that marketing, managing, selling, developing, and documenting are all full time endeavors for all involved.
I am well aware of the time commitments not only from starting OWASP, but also from drafting the initial OWASP guide to the many OWASP chapters I have started. The reality is that some weeks I will have more hours than others. Fortunately one of the greatest strengths of OWASP is the community of volunteers, and I believe that the time investments can be managed as we all pull together toward a common vision.
I can also say that I have been committed to OWASP AppSensor since I discovered it in 2009, and I remain committed to its success.
Why are you a good choice to lead AppSensor?
I am already grateful to work with all of you, and to have my name associate with so many incredible people on such an important project.
I also believe that leadership is actually an honor granted by the community. The community either agrees with your vision and actively support it; or they fork the project and do something else.
I do not know that I am the best choice to lead AppSensor; I have shared my vision with the community, and I hope the community shares this vision. If they do then perhaps they will actively support that vision by choosing me to lead.
To directly answer the question, I leave you with the following:
I am passionate about OWASP AppSensor I have a vision for OWASP AppSensor I have some experience building community I also have professional management experience