2014 Global Board Election Candidates
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
Candidates NameBrief BioWhy you would like to be elected to the Global OWASP Foundation Board of Directors?
Abbas Naderi Afooshtehhttps://abiusx.com/cvSame reasons as last year, plus to make a change
Israel Bryski8 years of experience in Technology Risk Management for Financial Services. Ambitious and driven professional with cross-disciplinary skills in IT security, control methodologies and incident response processes. Experienced in team building and mentoring. Chapter Leader for the NY and NJ OWASP Chapters since January 2012. Responsible for organizing local meetings and conferences promoting application and software security.

Worked closely with Tom Brennan, Pete Dean and Sarah Baso in arranging the AppSec USA 2013 conference in NYC in November 2013.
Chaos and change create opportunity. With the current upheaval in the
OWASP Operations Team and tensions between Leaders, Board Members and
paid staff, I can be a voice of reason. I will ensure disruptions and
negative impacts to OWASP Projects and other organizational
responsibilities are kept to a minimum.

Over the past 3 years, I worked closely with Tom Brennan and Peter
Dean on evangelizing OWASP in NY and NJ. I will focus on bringing new
OWASP chapters online, continue growing OWASP membership, find new
corporate sponsors and host regional Project Summits and other OWASP
related conferences in the tri-state area.
Bil CorryHi, my name is Bil Corry. I've been involved with OWASP for many years and have contributed to a variety of projects (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, and have been a trainer using the OWASP Secure Coding deck. You might have also seen me at W3C, IETF, and WASC (cookie specification, content security policy, WASC Threat Classification, etc). Professionally, I worked as a web application developer for more than a decade before moving into security full time. I'm currently living and working in Europe (Luxembourg) for PayPal (I do not represent the views of my employer).In my opinion, the main pain points of OWASP all center around the maturity of the organization and its processes. I am running for the Board because I'd like to focus on maturing the processes so that we eliminate a lot of churn that currently happens on the OWASP mailing lists.
Rowland Johnson•CEO of Nettitude, A Penetration Testing & Cyber Security Co with offices in UK and US
•Responsible for strategy and mission for Nettitude Group
•Responsible for forming Nettitude UK in 2003 and Nettitude US in 2011
•Employer of 75 staff, split between the UK and US
•Strong security skills (CISSP, CLAS, PCI QSA, PA-QSA, etc)
•Strong Penetration Testing skills, (CREST / CHECK Team Leader)
•Strong Incident Response Skills based around Network Intrusion Analysis (CREST Intrusion Analyst)
•Strong communication skills
•Sound understanding of Marketing, Sales, Finance, Operations, HR, Legal
•Board Member of CREST - Council of Registered Ethical Security Testers. I have been in this role for 5 months. Since being elected to this position, I have been given responsibility for Internationalisation.
•I am keen to assist in professionalising the Cyber Security industry.
•Due to my role at Nettitude, I am able to make decisions on how I manage my time. If I were elected to the board at OWASP, I believe I would be able to dedicate a significant amount of my time to further OWASP awareness and adoption.
I would like to put something back in to the industry that I am very passionate about. I have helped develop a profitable security consultancy with presence in both the UK and North America. I understand technology, risk management and information assurance and am able to communicate at a business and technical level alike.

I understand technology, and historically have been immersed in penetration testing, security auditing and risk and compliance. I am still an active Penetration Tester, however my key role at Nettitude is now based around leading our organisation and developing our capability in both the UK, US and EMEA markets.

As a business owner that has grown a company from a start-up, I have a strong understanding of business, marketing and sales. I also have experience around HR and Legal, and through this blend of skills and experience I believe I can bring something tangible to the OWASP Board.

I have links to a number of UK Universities and regularly provide guest lectures. I would be keen to publically promote OWASP in the UK, US and Middle East through speaking engagements and through the wider media.

Through my role on the CREST board, I have good relationships with other Cyber Security organisations in the UK. I have been given responsibility for Internationalisation and consequently I am actively involved in conversations with regulators, professional bodies and other market influencers. If I were elected to the OWASP board, I believe I could bring increasing levels of synergy and consistency to two bodies that are actively involved in securing people, process applications and technology.

Why Vote for me to be on the Global Foundation Board of Directors
I would describe myself as a people person, and as such I believe I am good at working in extended teams, learning and listening to others. I am prepared to stand up and be heard. I am keen to lobby appropriate bodies to create public awareness of all of the positive work that OWASP members contribute within our industry.

I have a desire to support the professionalization of our Industry. Through my current role at CREST and my relationships with other stakeholders in the community I am able to speak to many people about Application Security and OWASP initiatives. If I am elected to the OWASP board I will work tirelessly to promote our community objectives and shape our industry in a professional and ethical manner.

I will reach out to organisations and people that are not currently members of OWASP, but that have a vested interest in our industry. I am keen to listen, I am keen to take on board feedback and I have an overall ambition to assist OWASP move forwards to continue achieving its objectives.

I want to continue the great work that the current and previous board has delivered and I want to build on this in the coming years. I am the kind of person that wants to be measured against what I do, and not just what I say.
Tahir KhanChief Information Security Officer at large financial software company with over two decades professional experience in networking and information security and assurance across multiple platforms including software, hardware, mobile, networking, and databases. Mr. Khan has led teams in the design, security, deployment and management of enterprise network infrastructures for large-scale governments and businesses. In his current role at, he is responsible for designing and directing their network infrastructure, network security, fraud detection and incident response teams. Mr. Khan’s leadership ensures the security of his company;s entire enterprise. He currently holds a Master’s of Science in Computer Forensics from George Mason University where he is also an adjunct professor teaching Penetration Testing Forensics, Mobile Application and Security Analysis, and Anti-Forensics.Given my passion for information security, my current role as a CISO for a financial company, and my position as an adjunct professor in the Volgenau School of Engineering at George Mason University I believe that I could contribute greatly to OWASP’s core mission in a variety of ways.

1. Academic Outreach. I would like to enhance the reach of OWASP at the university level, starting with George Mason. Currently I teach courses in Penetration testing, Mobile Application and Analysis and Anti-Forensics. These topics lend themselves to the promotion of OWASP's core tenets and it would be my aim to not only emphasize these with my students but with other departments in the college until a core outreach kit can be systemized and used for universities across the nation. Universities are the breeding ground for the next generation of software developers and computer scientists, and that is where the message should be delivered. I would work together with any existing student chapters, to give them a different perspective on the delivery of the OWASP message.

2. Creative Partnerships. I would like to organize pro bono consulting for start-ups. Experts in their respective fields could offer a few hours of services helping deliver the OWASP message which would help strengthen the next generation of companies. To start, we could propose this students in University classes who have the expertise but little professional experience. The consultancy experience would benefit them as they build their resumes and use real-world cases to expand their academic growth while also benefiting the companies by exposing them to the insights of young talent, OWASP methodologies, and ultimately creating a more secure online world for all of us.

If it is not clear, I am passionate about OWASP's mission and am highly enthusiastic to use my skills and resources to further the cause.
Timur KhrotkoCurrently I'm the leader of the Hungary chapter.

In my view security is a human, organizational, business problem in first place, its IT aspects are secondary. Regarding the AppSec I think that we have to take the flag of software security out of the ethical hackers’ hands, because preventive software security is the modern challenge. We need the AppSec to be built into business decisions, vendor contracts, requirements and certification.

My academic degrees: PhD (Business management), MSc (Information management), MSc (Finance). My research topics are stereotypes of thinking in general and behavioral patterns of executive managers in particular.

I spent the recent 12 years running small independent software vendor and security consulting firms. The main achievement of the ISV was an enterprise IDM solution based on innovative methodology. The current consulting firm (azd.se) is focused on AppSec.

I am a Russian citizen born and permanently living in Budapest, Hungary (EU).

More details: ru.linkedin.com/in/timurx
My targets:

1. Make OWASP turn more to the accessibility of the AppSec in practice (business and bureaucratic organizations). For example it is our task to give Top 10 additional tuning and packaging so that office folks can use it with minimal effort in application procurement and vendor contracts (Application Security Procurement Language is an excellent start off).

2. Make the OWASP portfolio and the sense of its elements more accessible to the corporate and professional management and the CISO-s. The mainstream of these people will not read texts, but they consume infographics, schemes and videos. We need to serve such visualized stuff! (See ASVS, it already has a certain graphical layer, or imagine that T10 is placed on a graphical map of AppSec tools.)

3. Make OWASP visual representation, the website and other devices of AppSec propaganda visually more attractive and dramatized. A good example: http://youtu.be/yeepZr64XjU . The AppSec is already visible, let's make it more visual.

4. Engage our volunteers to provide their thoughts and feedback on OWASP projects and policies more actively. Engage other AppSec specialists too, not all good folks want to belong here, but are open to help.

5. Let 10 OWASP projects be flagships instead of letting the Top ten to park at that position. Instead of being an organization associated with the T10 only by the mainstream security guys, make them remember at least 4 of 10 of our most promoted projects.

The above targets can in part be covered by projects. But as a board member I could help the community and the Foundation take the turn to organizational practice which will guarantee that targets succeed.
Matthew KondaI am a Builder.

For 17+ years I have constructed highly scalable, enterprise grade systems with agile programming practices and diverse toolsets (perl, java, rails, clojure, etc.). I have run large teams of developers. I have utilized agile project management practices to help businesses to prioritize features, manage scope and deliver according to expectations. I have managed the operations side of hundreds of thousands of monthly vulnerability scans to ensure they were smooth. I have seen and helped fix a lot of code written by security experts. When I am not building I am coaching IT and Dev leaders to factor security into their projects or training developers about security.

For most of my career I did not write very secure code. I was surprised to learn about OWASP when my applications started getting penetration tested - terrifyingly late in my career. Honestly, I was angry at the penetration testers who seemed to think so much less of me and my team for our mistakes. At that time, I decided to be a champion for developers and work to spread the word about application security so that we (the developer community) could be empowered to build robust systems from the beginning. Throughout that effort OWASP has been a foundational resource. There is nothing else close.

Along the path to bring OWASP and application security to developers, I have contributed to OWASP through the Rails Security Checklist, through talks at AppSecUSA 2012 and 2013 and in local Chicago chapter meetings where I have tried to explore a committee focused on developer outreach. I have also brought the application security message to developers via RailsConf 2014 (the biggest global Ruby on Rails conference), WindyCityRails, LoneStarRuby and the Chicago Java User's Group.

So while I have come to understand application security technically and now consider myself an expert in applying application security practices to development projects, my strongest assets are communication and project leadership experience.
Let me start by saying that OWASP has accomplished an amazing amount in its short history. Getting 43K members and running local and national conferences, producing tools, curating content, and establishing itself as THE source for application security information is a huge achievement that should be appreciated by all of us.

That being said, I see this as a critical inflection point for OWASP. The organization could stay focused on application security practitioners and continue to be successful. On the other hand, it might be able to draw from millions of developers and expand its membership and impact by an order of magnitude.

If you think this is the future and you want to see builders represented more strongly on the board, you should elect me.

One thing I would like to see OWASP do is to prioritize and improve developer engagement and outreach. I have seen OWASP booths at conferences for security folks and CISSP's but rarely at developer focused conferences. In my opinion, we need to experiment with outreach activities and find ways to effectively engage developers. We need to measure our results and find things that work. Maybe it means adapting grassroots organizing techniques of identifying prominent developers or companies in each location where there is an OWASP Chapter and working to get to know them. Maybe it involves pairing with developers on OWASP open tools. Maybe it just means focusing on talking to people. The bottom line is that if an OWASP falls down in a forest where there are no developers, what will its significance have been compared to its potential?

Beyond doing developer outreach, I believe OWASP also needs to continue to focus on building developer centric content. The checklists on the wiki are a positive step. Making information digestible to developers is a hard challenge we cannot shy away from. We will do best at this if we can bring developers into OWASP to help build the content they need!

Operationally, I would like to see OWASP work on communicating project status and organizational metrics in a more systematic way. By providing some simple infrastructure for tracking progress, perhaps we can help project teams to stay on track or shift resources according to importance. We can understand where chapters are thriving and where they are not. We can recognize our successes and build on them. We can identify failures and work through them. It is currently very difficult to understand where OWASP money and time is focused. These metrics will also be beneficial as priorities change because the changing focus should be measurable and reflected in some kind of reporting format that the community can digest.

I am vendor neutral. I know that there are no tools that solve all important appsec problems. I do not like to push security through fear. Rather, I choose to focus on people and concepts like privacy that are valued positively. I am active in the Rugged Software movement.

I am happy to see teams work on technical projects and expand the tool portfolio, but I think that there may be some hard choices ahead and there needs to be stricter open prioritization around these projects to align with the core mission. Suppose that OWASP can't be good at everything, how should priorities be managed? How should resources be allocated? How can we maximize the impact of members input while giving them opportunities to contribute? I believe we need to start by empowering OWASP to measure these things so that we can make sure our priorities are reflected in our investments of time and money.

Thank you.
Matt Konda
Jim ManicoMy name is Jim Manico and I am an official lifetime member of OWASP. I've been an elected board member of the OWASP foundation since the beginning of 2013 and an active volunteer since 2007. I have consistently participated in numerous aspects of the OWASP foundation and plan to continue doing so. I believe in our mission and our community. The mission we seek to serve is a challenging one and requires a serious commitment and perseverance.

Since making my first wiki edit in January 2007 I have been an active and dedicated volunteer for the OWASP foundation and community.

When I first joined OWASP, I was amazed at the many brilliant security minds within the organization and wanted to capture this special moment in time when the application security industry began to really take off. My passion for sharing security information with others (and wanting a platform for the brilliant OWASP security minds to share their opinions) led me to host the first OWASP podcast on November 21, 2008 and I continued to host the podcast until March 2014. As I shifted focus, I continue work on a variety of secure coding projects for the foundation in addition to my board duties.

Through the years I have traveled to OWASP chapters around the globe. From Ghana to Helsinki and many points between, I have always maintained vendor neutrality and OWASP integrity as our mission and bylaws demand.
I would like to continue my stance of strong vendor neutrality, project quality and accountability throughout the organization. If re-elected, I would like to continue to push power away from the board in support of bringing committees back to the OWASP foundation. While on the board, I plan to continue actively supporting and working on a number of OWASP projects including the OWASP Proactive Controls, the OWASP Cheatsheet series, the OWASP Java Encoder, the OWASP HTML Sanitizer and the OWASP JSON Encoder project. I feel board members should stay active in the community and be a deep part of of the organization they wish to lead.
Mateo MartinezMcAfee Foundstone Professional Services Consultant based in Montevideo, Uruguay. Working in Information Security Services since 2001. I have worked primarily in the domain of Information Security, AppSec, BCP/DRP & Risk Management for financial institutions, banking security and information technology infrastructure strategic consultancy. I´m CISSP, ITIL, PCI QSA, ISO 27001 Lead Implementer and Microsoft Certified Professional.

I´m founder and leader of OWASP Uruguay and involved in the following OWASP Projects:

- OWAP Software Security Assurance Process (Inactive)
- OWASP Students Chapters Program
- OWASP Hacking Lab
- University Challenge
- Open Cyber Security Framework Project

Linkedin: https://www.linkedin.com/in/mateomartinez
Currently OWASP Board of Director has people from several countries but there no one from Latam and it is a growing market but with very different culture and it is also very different across it countries.

I´ve been travelling across almost all the Latam countries and understanding their cultures apart from several years of experience in the Information Security field and I think that I can be able to help on the board in order to improve OWASP footprint in Latin America.

There´s a lot of potential with the Latam and spanish speaker which sometimes is not recognized or accounted by OWASP because of languages and cultural issues and I can be the hub for that in order to get Latam people shining in OWASP. :)

I´m a passionate AppSec professional providing free trainings and talks across the region and an OWASP Chapter Leader since 2010 when I founded OWASP Uruguay.

I hope to help in the board if there are people interested in this kind of help and support that I can provide to the organisation.
Nigel PhairNigel is a senior professional with a background in law enforcement, technology, academia and consulting. He has widely diversified skills across the banking & finance and telecommunications sectors.

He brings senior management experience combined with knowledge and experience as a non-executive director. Nigel has established strong global professional, government and community links and well established networks in relevant sectors and industry groupings.

He has demonstrated experience in strategic planning and policy development within a public sector context – with specific experience in organisational change and communications, combined with established experience in governing and monitoring organisational performance.

Nigel has published two books on the international impact arising from the misuse of technology, writes regularly for industry and academic journals and is a frequent media commentator.

His current directorships include:

Australian Institute of Company Directors – ACT Division - Divisional Councillor of the ACT Division, AICD. Contributes to issues surrounding governance, risk and legal implications facing Directors and organisations.

Centre for Internet Safety Pty Ltd - Managing Director. The Centre for Internet Safety was created to foster a safer, more trusted Internet by providing thought leadership and policy advice on the social, legal, political and economic impacts of cybercrime and threats to cyber security.

CREST - Non-Executive Chairman. CREST is a not for profit organisation representing the Information Security Testing Industry, offering a demonstrable level of assurance of the processes and procedures of member organisations and validates the competence of information security testers.
I am an experienced company director who focuses on organisational governance, strategy and risk management. The importance of good governance is critical for not-for-profit organisations such as OWASP. Governance is key for good stakeholder engagement and member relations.

The basic precepts of good governance are fundamental to all organisations – I would like to be elected to the Global OWASP Foundation Board of Directors to ensure the organisation has a solid board charter, well defined roles and responsibilities for board members, appropriate financial rigour, accountability and transparency to members and stakeholders.

I would like to work with fellow Directors to achieve the following for OWASP:

- Clearly defining the purpose and strategic direction of the organisation with goals and objectives and these are communicated to all relevant stakeholders;
- Ensuring the board is aware of its duties and responsibilities and has appropriate documentation of policies and procedures;
- Managing the financial responsibilities – establish policies and delegations, set criteria/indicators of good financial health and ensure management reports on this to each board meeting, determine financial priorities, etc.;

I politely seek your support.
Andrew van der StockAndrew has been deeply involved with OWASP since 2002, to indulge his passion for information sharing by participating in and then leading the OWASP Developer Guide project. He lead the OWASP Top 10 2007 project, initiated and led the OWASP ESAPI for PHP effort, currently leads the OWASP Developer Guide and is a key contributor to the OWASP Application Security Verification Standard 2.0 and OWASP Proactive Controls projects. Andrew has previously held the Executive Director position at OWASP, and was a member of the OWASP Global Chapters Committee.

Andrew was awarded the SC Magazine / AusCERT Award for Individual Excellence in Information Security 2013. He was nominated for an OWASP WASPY Award 2013 for best project leader. Andrew is a regular speaker and trainer at industry conferences, including BlackHat, linux.conf.au, AusCERT, and OWASP AppSec USA. He is the long time moderator of the Symantec SecurityFocus webappsec mailing list.
Over the last few years, I've realised that OWASP needs to focus on its core mission of tight integration with developers, and get back to the basic principles of openness and integrity. OWASP materials are often significantly out of date or irrelevant to modern developers. We war over minor things, when we should be pushing forward, building the next generation of materials and helping students and developers who don't know anything about security - yet - to be OWASP's best supporters and future contributors.

We have many, many projects of varying quality. If elected to the Board, I will be pushing for content creators and project leaders to submit proposals to develop their content to be more relevant to developers and development teams, and funding successful proposals with micro investments to allow content creators and project leads to finish projects. Today's OWASP is not the shoestring organisation of 2002, it can and must fund the materials we want to be famous for.

I will be encouraging the Board to develop initiatives to be the standards body of relevance for all applications - web applications, mobile applications, cloud applications, system applications, and bring us firmly into the 21st century. I will encourage us to work with PCI and ISO and NIST and other standards bodies to ensure that we are the source of trusted advice, and indeed set the agenda for the next decade or more.

Lastly, I am a candidate to reform the OWASP Board. I was extremely disappointed in the past twelve months with the approach of the Board in responding to both staffing and dispute resolution. I will bring strong focus on adopting global leading practice to the Board, changing the way we integrate with the Foundation to be an independent board with strong governance. I will be pushing that all current and future Board members are inducted through the Institute of Company Directors program to understand their responsibilities and duties to the Foundation, and to exercise better judgement, high ethical standards, and strong independence. I will immediately move to implement a dispute resolution process that is fair and responds to the needs of members on a global scale, from chapters all the way through Board disputes.

I realise I am only one of many candidates, but I hope that you will support my candidacy for the Board, based upon my long history at OWASP, and the need to reform us back to our roots - our core mission must be to serve the development community with high quality open access education, standards, secure coding, and libraries and tools to support our mission.
Tom BrennanAs listed here: https://www.owasp.org/index.php/User:Brennan

Tom Brennan is the founder of proactiveRISK and veteran of the United States Marines Corps. Tom is a long time volunteer to the Open Web Application Security Project (OWASP) serving as the Global Vice Chairman and contributes to many other not-for-profit technical committees including the (ISC)2 Application Security Advisory Council (ASAC), the International Legal and Technology Association (ILTA) LegalSEC and Council of Cyber Security, Roles & Controls Panel that all have a global scope committed to the security of the open Internet.
He founded the OWASP New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program. The NJ OWASP Chapter later merged with the New York City Chapter in 2006 creating OWASP NYC Metro Chapter. Tom was appointed to the Global Board of Directors in 2007 by his peers and was re-elected by the membership for another term.
During his leadership of OWASP Foundation he has led many global and local initiatives for OWASP
- Written recommendations from 60+ industry leaders: ONLINE - OWASP interview at AppSecUSA 2013 - Video - Interview with PenTest Magazine about OWASP Foundation. - 2012 OWASP Board Candidate Interview: Audio / Transcript - Video Interview about OWASP with Tom Brennan, 2008 - Video 1, Video 2 - Thousands of wiki commits to OWASP.ORG since 2004 see: Wiki Edits
Tom holds many industry certifications since he began his technical journey in 1983 including the (ISC)²® CBK / CISSP and many others
Contributor and champion to many OWASP projects including:
-- OWASP RFQ Criteria, Software Security
-- OWASP HTTP Post DoS Tool
-- OWASP Testing Guide
-- OWASP Mod_Security Core Rule Set
-- Incident Response Top 10 Project
Continuing to provide guidance and input with historical knowledge from 2007' on the OWASP Board of Directors without the bullshit.

- Reducing the email flames and associated drama by adding keyword moderation to all mailing lists to stop the (Shit, Fuck, Asshole, Motherfucker etc.etc...) this simple moderation would grab the low hanging fruit of acceptable use.

- Having a FIRM policy on professionalism of elected leadership. You breach it found valid your gone per bylaws: 2.04 https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf

- Continue to support OWASP committees helping the empower the community regionally (APAC, LAC, NA, EMEA) to grow efforts that are open and regionally

- Outsource and empower a 3rd party organization to run the back-office operations of the organization that is paid to run project management, conferences, membership management. This is a OPEX expense not being a CAPEX. Hire 3rd parties from around the world based on GDP to establish the best value for the organization.

- Provide volunteers with the support they commonly request in support of the mission.

- Host regional project summits focused on OWASP projects.

I will only be available for scheduled board meetings in the future.

** I will withdraw from the election and endorse a *NEW* candidate that shares similar values in running a professional association. To date as a active board member I am NOT aware of who the candidates are and look forward to reviewing and endorsing a candidate publicly and withdrawing my self-nomination.
Withdrawn Candidacy
Main menu