Is a Project Exodus From OWASP Looming?
If you have spent any time in the cybersecurity world, you have likely encountered the OWASP Top Ten. This list–an up-to-date evaluation of the top ten most impactful security vulnerabilities–is recognized as a common starting point to secure web applications. The list is created by its namesake, The Open Worldwide Application Security Project (OWASP). Under that foundation’s watch, the organization provides much more than just the OWASP Top Ten, consisting of 274 projects that provide tools, resources, education and talks on application security topics. Projects like ZAP rival commercial offerings, while others offer industry-recognized standards to help organizations verify the security of their applications. In addition to these resources, OWASP global and regional events are held frequently, sharing the latest ideas in the AppSec world.
Takeaways From the Open Letter to OWASP
For over two decades, the OWASP community has thrived, proving invaluable to technology organizations across the globe. Despite this growth, notable contributors demand more from the organization. In February, an open letter raised five key issues preventing OWASP and its myriad of projects from reaching their true potential.
A quick overview of the requests included in the letter:
● A community plan that financially supports key projects, including Top Ten, MAS, ZAP, Dependency-Track
● A governance structure that encourages industry, government and community engagement, with an emphasis on vendor independence
● Increased funding dedicated to maintaining and improving projects
● Improved services and infrastructure for the community to maintain focus on the actual projects, not management duties
● Better local chapter and project portfolio management that is actively managed by the foundation to attract and retain the best talent
The letter demanded a reply from the board of directors within 30 days of publication, accompanied by a plan of action to address the above points or be at risk of the letter’s writers creating a better-suited community.
For those making use of OWASP resources and tools, the existence of this letter may not come as a surprise. After all, many readers have noticed that projects like the Top Ten see a release only every four years or so, a pace that lags far behind that of today’s cyberspace. Additionally, other projects frequently miss release schedules due to a lack of funding and sponsorship, which stands in stark contrast to the latest OWASP financial narrative detailing cash balances of nearly $3 million but only $5,368 of income generated for “flagship” projects.
The Response
In early March, OWASP responded to this open letter. Much of Andrew van der Stock’s points are light on details with a theme of “more to come” on points such as OWASP’s governance structure, management of projects and community plans. The response letter also noted that the foundation reformed the funding of projects and 2022 marked a year of spending that was twofold for projects compared to chapters.
In reality, this response leaves a lot to be desired and in no way has cemented the future direction of OWASP as a foundation. So is it just lip service being paid by OWASP?
It’s clear that much more is required.
One of the most vocal OWASP members leading the charge for change is Mark Curphey, founder of OWASP. He has proposed four potential options for how the foundation can stay relevant, reform its governance structure and potentially help projects reach a higher level of quality. Curphey said that the only “win-win” outcome will focus on bettering the existing community by supporting an independent, centrally-organized, funded community that is focused on creating commercial-grade, open-source application security tooling and resources.
If this proposed strategic solution is executed, the likelihood of existing flagship projects sticking around seems smaller than ever. Most, if not all, projects have recently struggled with contribution and funding despite the improvements of the last two years. It would be difficult to argue that the grass doesn’t look greener if this new community can reinvigorate and present a streamlined vision to garner renewed interest from technology corporations to fund and contribute to some truly world-class projects.
It’s likely an exodus is coming, but that’s not always a bad thing. And for the wider application security community, this could be the start of a new era with a symbiotic relationship between new and old communities that both flourish in their respective missions. Growth comes from change, and as an interested party, I hope we don’t lose this opportunity to make the AppSec space even stronger.
