OWASP, Evangelism and Ounce
Thursday, April 19th, 2007
Hi, today I would like to make an announcement about a change in my
professional life which should have very positive side effects on my
contributions to the community (and hopefully to the state of the
security of the applications we all use).
I basically decided to accept a very generous (and flexible) offer by
OunceLabs (http://www.ouncelabs.com) to help (as a contractor and special
advisor) with the development of their product and with their
technical consultancy services.
As you know, I value my independence and integrity very highly and am
happy to say that the contract with Ounce will still allow me to work on
other projects (i.e. I am only committed to Ounce for a certain number of
days per month). Basically I am replacing my current recurring contract
with a global bank with a recurring contract with a source code security
scanner vendor.
This changes nothing about my current OWASP responsibilities and
commitment. If anything, it will increase them, since Ounce benefits
enormously from OWASP’s growth, maturity and reach.
I am still 100% committed to OWASP values, and please let me know (and
hit me on the head) if I go off on weird tangents.
One of the reasons I chose to accept Ounce’s proposal was the
opportunity to work on and help develop the next generation of source
code scanners (especially in the .NET area). As you know, I have
strong views on how they should work, what they should do and where they
should be used, and it is my plan to document and blog about it as much
as possible.
Of course, when I speak with my OWASP hat on I will have to be
independent, which means that I will not make those posts ‘undercover
marketing messages’ or anti-Fortify (the main competitor) rants.
This will also be an opportunity to start defining better how OWASP
materials should be referenced, since OunceLabs is one of the companies
that currently ‘abuses’ OWASP’s Top 10 (them and every other web app
scanner). So I view it as one of my responsibilities to sort this mess out
and really clarify what (using the Top 10 as an example) can and can’t
be detected using XYZ tool/technique.
This means that OWASP’s board will now be made up of 1 member from a vendor
organization (me) and 3 from a training/consulting company (Jeff, Andrew
and Dave, all from Aspect). Side note: it would be interesting to do a
similar analysis of our project and chapter leaders.
As committed as always to OWASP,
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
