Open letter demands OWASP overhaul, warns of mass project exodus

For more than two decades, the Open Worldwide Application Security Project (OWASP) has provided free and open resources for improving the security of software. Led by the non-profit OWASP Foundation, OWASP has brought together community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and educational and training conferences for developers and technologists to secure the web.

However, an open letter signed by dozens of OWASP members, contributors, and supporters questioned OWASP’s viability for the modern internet, the way software is now built, and today’s security industry, casting a damning light on its ability to keep pace and evolve to support the needs of the community and its projects.

The letter, published on February 13, 2023, was addressed to the OWASP board of directors and the executive director of the OWASP Foundation. It stated that significant change is needed in how the project operates to avoid a potential mass exodus that could force the OWASP community to seek or create alternatives that better meet its needs. The authors outlined their “positive intent” to protect the “best interests of the OWASP community and those that rely on it,” and asked for a response within 30 days. The day after the letter was published, the proposals were presented at the Foundation’s monthly board meeting.

OWASP concerns raised “year after year,” changes haven’t occurred

“Year after year, concerns have been raised and there have been promises of change, but year after year it hasn’t happened,” the letter read. “The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.”

Many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools, the letter continued. “Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals and that have many millions of downloads each year. We don’t want to become commercial open-core businesses, but do want to be able to create, and sustain commercial quality open-source projects.”

Without active, world-class projects, OWASP doesn’t have a unique selling point and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be – for all things application security, the letter added. “There are five key areas that we feel if not addressed immediately, will result in important projects, like ours, leaving OWASP in search of, or creating a community that better meets their needs.”

OWASP has proved to be effective at raising security awareness, and it has also been a good environment for fostering open-source security tools, Simon Bennetts, the open letter creator and founder of the OWASP project ZAP, tells CSO. “However, so far it has not been able to support those tools as they grow. The successful OWASP tools have all been driven by dedicated and motivated teams – OWASP as an organization has not really provided much support for them.That did not look like it was going to change, hence our open letter. The successful tools need more support and crucially funding. Is OWASP the best place for such tools? We shall see.”

Five changes needed to ensure OSWAP’s viability

The changes listed in the letter relate to key issues including funding, project portfolio/local chapter management, and governance structure. The five changes put forward are:

1. The OWASP Foundation should publish and maintain a community plan that includes its prioritized key project initiatives, along with a suitable funding plan to support them. The OpenSSF plan is a useful example to reference.
2. The OWASP Foundation’s governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. “We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships,” the letter read.
3. The OWASP Foundation’s funding should reflect the needs of projects to both sustain and improve them. “We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff.”
4. The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
5. The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and is able to attract and retain talent. “A plan, leadership, active community management, mentoring, and better tooling are all needed.”

Former OWASP board member calls open letter “tone deaf”

A former OWASP board member called the open letter “tone deaf” to OWASP’s current situation. “I half took it as some sort of a joke at first. But given the number of names who have signed onto it, they’re dead serious,” wrote Josh Sokol in a LinkedIn post. “OWASP nearly went bankrupt during the global pandemic because the majority of its revenue comes from conferences. With the primary source of revenue gone, essentially overnight, the OWASP Foundation essentially tapped every remaining account that it could just to keep the lights on.”

The part of the letter Sokol cited as particularly unbelievable are the five key areas it outlines for immediate change. “The OWASP Foundation’s budgeted income for 2022 was $2,155,000,” he added. “These people are saying that they will move their projects somewhere else if OWASP doesn’t pony up two to four times its annual revenue for them to hire dedicated developers, community managers, and other support staff. Forget about supporting all of OWASP’s other initiatives including chapters and events. Forget about the existing OWASP staff. To me, this letter is very clearly stating that they believe that projects are the single most important thing for OWASP to support and everything else should take a back seat to them. And the kicker…you have 30 days to respond with a plan of action or else.”

What could OWASP changes mean for CISOs?

With the OWASP Foundation yet to officially respond to the letter at the time of writing, the prospect of significant changes and restructuring in how OWASP operates is uncertain. However, the decisions and actions taken could have long-term ripple effects for CISOs and the wider security sector. For example, a greater vulnerability management approach to vulnerability prioritization could provide better options surrounding developer-focused technologies and software security, but changes will require notable effort and support from the community.

“For OWASP, change is needed. The organization is behind some of the critical IT tooling projects that professionals use every day, but they have been slow to release changes recently and don’t seem to be keeping up with the changing trends in technology that are moving faster than ever,” Paul Baird, chief technical security officer UK at Qualys, tells CSO. “For the security industry as a whole, this won’t have a short-term impact on the security community. However, OWASP has a choice – to concentrate on specific areas and work with other foundations and organizations outside those areas or look at the long-term future to expand what it can work on. The alternative is to fall between those two stools and not be able to carry on the great work it has done in the past.”

Maintaining a better governance around OWASP is essential for developers, security professionals, and organizations to understand the most common web application vulnerabilities and take necessary measures to prevent them, adds Leo Cunningham, CISO at health tracking app Flo. “New types of attacks and vulnerabilities emerge frequently, and existing ones may become more prevalent or more severe. Overall, these changes are a positive move for OWASP and crucial for maintaining the security of web applications and protecting against the latest threats.”