Is OWASP at Risk of Irrelevance?

As the OWASP Foundation navigates its third decade of existence, many application security experts and OWASP volunteer contributors say it’s time for the organization to make some big changes to stay relevant. This week, a group of over 60 high-profile OWASP members sent an open letter to the OWASP Board of Directors and to the foundation’s executive director demanding significant changes to the foundation. Many of these co-signers were leaders of flagship OWASP projects, lifetime contributors, and former OWASP board members.

“OWASP simply isn’t driving innovation anymore,” says Contrast Security co-founder and CTO Jeff Williams, author of the first OWASP Top Ten, the OWASP chair from 2001 through 2011, and one of the co-signers. “Open source has changed, and OWASP needs to keep up by supporting contributors better.”

Among the signatories were also two current board members, Glenn ten Cate and Mark Curphey. While Curphey says the letter is the result of mutual collaboration within the group, it also aligns very closely with a manifesto he published last year as a part of his successful bid for a seat on the 2023 board. As the founder of OWASP, Curphey hadn’t been directly involved with the organization for some time, but had always been a supporter and advocate for OWASP while he was busy being a security practitioner, security product leader, and entrepreneur in the application security space.

Curphey focused on the following three major points during his campaign for the board:

  • to change the funding model of OWASP to look more like how the Linux Foundation and its Open Software Security Foundation work with donors to support their projects,
  • to install a chief product officer to lead the charge to clean up projects (and prioritize the high-impact ones) as well as renovate the OWASP site to make it more developer friendly, and
  • to change the culture of OWASP to eliminate red tape and to add more transparency in how vendors are (or are not) involved in the OWASP mission.

The open letter echoes many of these points, while calling for a change in governance that could fuel a drastic effort in fundraising that they feel could pull in millions of dollars to hire dedicated developers and project leaders.

OWASP Then and Now

When OWASP was founded way back in 2001, it was a scrappy labor of love started by application security advocates who were concerned about the mounting risk to the Internet posed by insecure Web applications. They wanted to boost awareness of the problem outside the bubble of cybersecurity insiders. And so OWASP was born to help deliver education and resources to not just security professionals, but also developers and enterprise stakeholders.

The idea was to give organizations technical guidance that could enable developers to improve their coding practices and reduce the risk of vulnerabilities in the software they deployed. This was the genesis of the OWASP Top 10, the group’s vaunted list of the 10 riskiest flaws in applications that was first published in 2003 and which has since spawned numerous updates and sub-lists, and which has fueled a whole host of security open source projects, commercial products, and services.

Lots of things have changed since those early years. The awareness piece of OWASP has certainly hit its mark, and today the group has grown to support over 240 chapters and tens of thousands of members and participants around the world. It hosts a full slate of local and global events, and a number of projects like the Top 10, the Software Assurance Maturity Model (SAMM), and Zed Attack Proxy (ZAP).

However, the scope of application security work to be done has broadened considerably as the world has moved way beyond Web applications and is now awash with mobile apps, IoT and embedded systems, wearables, and everything in between, all of which is driven by software.

And the development environment has radically changed, too. Modern development practices have coopted methods like continuous integration/continuous delivery (CI/CD), DevOps, and Agile development to take over from traditional waterfall development patterns. Developers lean heavily on microservices architectures and mix-and-match open source components to build out their software.

Unfortunately, in the face of all that change, some things have also stayed the same. Many of the issues on that first OWASP Top 10 are just as problematic today and still on the list, including injection flaws, misconfigurations, and authentication failures. Now, though, these nagging problems that have never gone away are only exacerbated by the expanded scope, the speed of development, and the tangle of software supply chain dependencies that have been added to the mix over the years.

Clamoring for Change

In the context of these factors, many OWASP insiders argue that the nonprofit has not kept up with the pace of change within the software development world. They say the foundation isn’t supporting the needs of the OWASP community, especially in regard to the foundation’s flagship projects, which include over a dozen projects among OWASP’s 274 other projects.

“What worked in the past simply isn’t working now and OWASP needs to change. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn’t happened,” said the open letter to the OWASP Board of Directors and to the foundation’s executive director. “The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.”

With the publication of this latest missive, the letter’s cosigners say that some of OWASP’s most impactful projects, ones that are relied upon by many enterprises and by products enterprises use today, are left to “operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools.”

The signatories are clamoring for some drastic changes in funding models and governance to get the group back to serving the needs of developers in the context of modern software delivery models. They developed an action list consisting of five major points, calling on the foundation and board to:

  1. develop a community plan that prioritizes key initiatives, pointing to the OSSF plan as a reference
  2. change the foundation’s governance structure to “better reflect the need of the entire security community”
  3. establish an aggressive funding campaign to raise $5 million to $10 million to pay for dedicated developers, community managers, and support staff
  4. improve centralized infrastructure and services for the community to take the heat off the projects
  5. take a more centralized hand in managing the product portfolio and what goes on in local chapters

Williams says he signed because he felt that the changes the group called for are “unfortunately necessary.”

“OWASP has a glaring hole in not having a financial plan built from the bottom up based on project needs,” he says. “Without that, it’s impossible to fundraise effectively. Writing down an aggressive funding plan, going after some big funding increments, and taking on more aggressive projects is the only way to keep OWASP moving quickly.”

Next-Step Realities

The question is whether the foundation and the OWASP community are willing and able to make some of these changes. According to Chenxi Wang, a former OWASP board member, there are many items in the proposal that are “much needed” since she believes OWASP has devolved into an organization that doesn’t do much more than run events.

“But some of the other items seem to be too ambitious for OWASP, which has a volunteer board and a small operating staff. For example, the item to ‘actively manage the project portfolio and chapters’ would require a substantial effort going forward, which may not be something the foundation can do with today’s resources,” she says. “Also, the proposal about funding prioritized projects would require a change to today’s model and may disenfranchise newer projects.”

As she sees it, the proposal is going to require drastic changes to the funding model, the community model, and the way funds are distributed.

“To do all of this in one swoop is going to be too disruptive,” Wang says. “A phased approach is the only way to make this happen.”

For his part, OWASP Foundation executive director Andrew van der Stock says he also agrees with many of the points in the letter. The day after the letter was published, the proposals were presented at the foundation’s monthly board meeting. He says the meeting went well, and he agrees that the board needs to set a prioritized plan anyway as a part of their fiduciary duty.

“Beyond the way it was presented, there’s nothing in there that we disagree with,” he says of the letter. “I think creating a plan within 30 days is definitely doable. My major concern is really around if we don’t manage to achieve all of the five goals in a timeframe that the projects want us to achieve it in.”

He also does wonder whether the board’s current bylaws and the will of the OWASP community’s paying members will allow for the kind of governance and funding changes the co-signers want. For example, OWASP isn’t set up the way the OSSF organization is, which currently has a board that consists of members that buy their seats through corporate membership and pay significantly to retain those seats. OWASP currently has about 7,000 financial members in addition to the 80,000 people who participate in the community through events, chapter meetings, and projects. That paying membership includes individuals who pay $50 a year, lifetime members who pay $500, and corporate sponsors who pay $5,000 and up, depending on the level of support they want to give.

“I don’t think our community would support that change. It’s one of those things that I think is going to be a little bit unrealistic,” says van der Stock, who adds that these kinds of changes would require a change in OWASP bylaws, which are already in the last stages of being overhauled to a set of “fairly standard” nonprofit bylaws in response to a discovery about a year ago that the original bylaws were invalid according to Delaware General Corporate Law. That routine procedure alone required an extensive process that included a vote by the general membership.

Nevertheless, van der Stock says that OWASP could definitely flourish if the board can find a way to pull in more funding.

“If we could get between $5 million and $10 million a year, we could get a lot done. If we could get people to work on projects full-time, these things would appear much quicker and probably with much higher quality,” he says, noting that the foundation currently only has five staffers on its roster. “I think the only friction really, and the only thing that might be contested, is the governance model. I think our community would have a lot to say about that.”

This is the concern from Williams as well.

“I’m worried that OWASP won’t be able to respond to the letter, given the current governance structures,” he says.

But according to Curphey, the board meeting was a good start to laying out the change-makers’ proposal and considering next steps.

“The board meeting was positive,” he says. “There’s still a long way to go, but we’ll see. I did have to leave early to attend another board meeting, but when I left I was very pleased with progress and desire from current board to adapt and change.”

Why Should CISOs Care?

The big question for CISOs and security practitioners is whether any of this internal jockeying at OWASP really matters to them. According to Wang, the decisions and actions the foundation makes today may not necessarily directly impact CISOs right now. But it could have a long-term ripple effect that influences the kind of technology options they’ll have for helping developers in the long run.

“This could result in better support of emergent technologies, which down the line could impact the way practitioners adopt these technologies,” she says.
