Background and community introduction
In January 2013, The New York Times, which had been the target of persistent attacks, disclosed a breach of its network that had lasted four months. In February, Twitter, Pinterest and Tumblr inadvertently suffered a breach after the customer service system they used was hacked. Also in February, the Federal Reserve Bank website was hacked by Anonymous, the political hacktivist group. Shortly before Christmas, cyber-thieves stole nearly 40 million Target customers’ credit and debit card numbers, along with encrypted PIN data that could be used to access bank accounts directly. In many other cases, however, no hacker is involved at all: in June 2013, a software bug exposed the personal data of over 6 million Facebook users, and luckily that bug was not exploited maliciously. 2013 was clearly a terrible year for data security and privacy. Unfortunately, 2014 is not going to be different, with hackers developing new methods to bypass security restrictions and take advantage of security bugs.
The first connotation of the word hacker is a bad one, but that is not always the case. There are, surprisingly, different kinds of hackers: some break into systems but do not destroy them, and have the public’s best interest at heart. These people are white-hat hackers, or “good hackers”, also known as ethical hackers. Some of them work for leading security companies and others volunteer with the OWASP Foundation.
The OWASP Foundation (www.owasp.org) was established as a not-for-profit charitable organization in the USA in April 2004. OWASP is an open community dedicated to promoting security awareness and enabling organizations to develop and maintain secure and trusted applications.
Participation in the OWASP community and the way it affects innovation
Who participates? OWASP is a well-organized and structured organization; nevertheless, almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. Anyone who is passionate about security, or who wants to put natural hacking skills to use for a good cause, can join OWASP. Who does not participate? OWASP is very strict about keeping itself free from commercial pressures to ensure its long-term success. This allows it to provide unbiased and practical information about application security. As such, OWASP is not affiliated with any technology company, although it does offer a corporate membership reserved for companies that make an annual donation to keep the organization going.
What are the formal rules that guide participation? Members must agree to follow the organization’s ethics and principles, which are based on four core values: open, innovation, global, and integrity. To submit new ideas or creative material, contributors should first become a member by paying a membership fee as an individual, corporation, academic center, government body or supporter. Ideas are received through different channels: forums, projects, chapters, and conferences. OWASP uses a wiki platform as its online collaboration tool to collect ideas from members. To take an idea to the next level, members can opt to participate in a collaborative project; these projects are where the innovation occurs. Anyone can start a new project: application developers, software architects, authors, or individuals who would like to support the community. Projects can start from scratch or build upon the ideas of other members. Projects are well structured and governed by project managers, and overarching all of them is the OWASP project manager, who is elected as part of the annual election of the OWASP operations staff.
The Open Innovation Argument and OWASP
Solving security issues is a constant chase in which every company participates. OWASP recognizes that most of the knowledge needed to solve the security challenge does not reside inside those companies. The only way to maintain comprehensive knowledge about security and constantly emerging threats is to draw on a variety of sources of information. The OWASP community includes members in 75+ countries on 6 continents with a wide range of backgrounds: developers, security auditors, law enforcement, legal auditors, risk managers, executive managers, press and entrepreneurs. This special blend broadens the pool of innovative solutions for tackling even the hardest security issues. Moreover, security knowledge is becoming more specialized: mobile security, cloud computing security, financial security and more. Such specialized knowledge resides only in communities such as OWASP and cannot possibly exist within a single firm or company.
Both firms and individuals benefit from engagement with the OWASP community. The OWASP financial team (part of the annually elected operations management team) supports innovative security research with grants. This allows the community to vote on important issues and to help the main contributors by having OWASP financially support their efforts. Additionally, the OWASP IT team provides technical infrastructure (e.g. virtual labs) for community teams.
Most importantly, all of the OWASP tools, documents, forums, and chapters are free and open to ANYONE interested in improving application security.
Building organizational capabilities inside OWASP
OWASP is a well-structured organization. Its internal boundary structure enables the organization to scale and grow. To cope with the challenge of specialized security areas, the OWASP community’s knowledge is funneled through projects and strategic areas (see: Process below).
The security tools created by the community are shared across functions inside OWASP. This helps groups to focus on specific areas on the one hand and to enjoy the fruits of other groups’ work on the other. The external boundaries are extended through global conferences and local chapters in more than 64 countries. The diversity of the OWASP community serves as the vehicle for cross-pollination and synthesis of the ideas it generates. However, this is also where the innovation capabilities of the OWASP community can be improved. Although OWASP strictly refrains from any specific technological affiliation in order to remain authentic and unbiased, it should find a way to embrace knowledge created by commercial organizations and their professionals. Companies like Symantec, Kaspersky Lab and others that specialize in niche areas (e.g. viruses and malware) have access to substantial amounts of money for R&D purposes. Provided the IP issues can be solved, composing teams of community members and professionals from these companies could create complementary pairs.
· Top 9 Security Breaches of 2013. Lauren C. Williams, ThinkProgress.
· The world’s biggest data breaches and hacks of 2013. ZDNet.
· Federal Reserve Bank website hacked by Anonymous. CNN.
· Why good hackers make good citizens. Catherine Bracy, TED Talk, September 2013.
· OWASP Website
· OWASP Initiatives group website
· OWASP Governance and policy website
· OWASP Core values and code of ethics website
Kobi (Yacov) Magnezi, קובי מגנזי