The Open Worldwide Application Security Project (OWASP) has been providing free and open resources to improve software security for over two decades. The non-profit OWASP Foundation supports community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and educational and training conferences for developers and technologists working to secure the web. However, an open letter signed by dozens of OWASP members, contributors, and supporters questions OWASP’s viability for the modern internet and the way software is built today, casting a damning light on its ability to keep pace and evolve to support the needs of the community and its projects.

The letter, addressed to the OWASP board of directors and the executive director of the OWASP Foundation and published on February 13, 2023, states that significant change is needed in how the organization operates to avoid a potential mass exodus that could force the OWASP community to seek or create alternatives that better meet its needs. The authors say their intent is to protect the best interests of the OWASP community and those that rely on it, and they request a response within 30 days. The proposals were presented at the Foundation’s monthly board meeting the day after the letter was published.
OWASP concerns raised “year after year,” changes haven’t occurred
According to the letter, year after year, concerns have been raised about the gap between what the community wants and the support that OWASP provides. While promises of change have been made, nothing has been done to address the issue. Many projects operate independently, managing their own finances, websites, and communication platforms, which can be challenging for individuals working in their spare time. These projects are relied upon by thousands of companies and hundreds of thousands of security professionals, and have many millions of downloads each year. The letter acknowledges that they do not want to become commercial open-core businesses but do want to create and sustain commercial quality open-source projects. OWASP needs active, world-class projects to remain relevant, and these projects require constant guidance, mentoring, and investment. If five key areas are not addressed immediately, important projects like theirs may leave OWASP in search of a community that better meets their needs.
Five changes needed to ensure OWASP’s viability
The letter outlines several key issues, including funding, project management, and governance. It proposes five changes that need to be made:
- The OWASP Foundation should publish and maintain a community plan that prioritizes key project initiatives and includes a funding plan to support them. The OpenSSF plan can be used as an example.
- The Foundation’s governance structure should better reflect the needs of the entire security community, with increased access and participation for corporate practitioners, governments, major sponsors, and key technology providers. The letter emphasizes the importance of vendor independence to attract financial sponsorship and industry partnerships.
- The Foundation’s funding should reflect the needs of projects to sustain and improve themselves. The letter suggests that the amount needed for their projects alone would be around five to ten million dollars per year, which would be used to pay for dedicated developers, community managers, and other support staff.
- The Foundation should provide improved infrastructure and services to the community, allowing projects to focus on their work.
- The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always presented in the best possible light and can attract and retain talent. The letter stresses the need for a plan, leadership, active community management, mentoring, and better tooling.
Former OWASP board member calls open letter “tone deaf”
According to a former OWASP board member, Josh Sokol, the open letter was “tone deaf” to OWASP’s current situation. Sokol initially took the letter as a joke but realized that the signatories were serious given the number of names on it. He noted that OWASP nearly went bankrupt during the pandemic because most of its revenue came from conferences. The organization had to tap into all remaining accounts to keep the lights on. Sokol cited the letter’s five key areas for immediate change as particularly unbelievable, especially considering that OWASP’s budgeted income for 2022 was only $2,155,000. The signatories demanded that OWASP pony up two to four times its annual revenue to hire dedicated developers, community managers, and support staff. They threatened to move their projects elsewhere if their demands were not met. Sokol believed that the letter was stating that the projects were the single most important thing for OWASP to support, and everything else should take a back seat. He also pointed out that there was a 30-day deadline for OWASP to respond with a plan of action.
What could OWASP changes mean for CISOs?
At the time of writing, the OWASP Foundation has not yet provided an official response to the open letter, so whether significant changes to how OWASP operates will follow remains uncertain. However, the decisions made and actions taken could have long-term ripple effects for CISOs and the broader security sector. While a greater emphasis on vulnerability management and prioritization could lead to improved developer-focused technologies and software security, implementing such changes will require significant effort and community support.
According to Paul Baird, Chief Technical Security Officer UK at Qualys, change is necessary for OWASP as the organization has been slow to release changes recently and doesn’t seem to be keeping up with the changing trends in technology. While this won’t have an immediate impact on the security community, OWASP must decide whether to concentrate on specific areas and work with other organizations outside those areas or expand what it can work on for the long-term future. Failing to make a choice risks compromising the great work OWASP has done in the past.
Maintaining better governance around OWASP is crucial for developers, security professionals, and organizations to understand the most common web application vulnerabilities and take necessary measures to prevent them, as Leo Cunningham, CISO at health tracking app Flo, notes. As new types of attacks and vulnerabilities frequently emerge, and existing ones may become more severe or prevalent, these changes are a positive move for OWASP and essential for maintaining the security of web applications and protecting against the latest threats.