As the OWASP Foundation navigates its third decade of existence, many application security consultants and OWASP volunteer contributors say it is time for the group to make some big changes to remain relevant. This week, a group of over 60 high-profile OWASP members sent an open letter to the OWASP Board of Directors and to the foundation’s executive director demanding significant changes to the foundation. Many of these co-signers were leaders of flagship OWASP projects, lifetime contributors, and former OWASP board members.
“OWASP simply isn’t driving innovation anymore,” says Contrast Security co-founder and CTO Jeff Williams, author of the first OWASP Top Ten, the OWASP chair from 2001 through 2011, and one of the co-signers. “Open source has changed, and OWASP needs to keep up by supporting contributors better.”
Among the signatories were also two current board members, Glenn ten Cate and Mark Curphey. While Curphey says the letter is the result of mutual collaboration across the community, it also aligns very closely with a manifesto he published last year as part of his successful bid for a seat on the 2023 board. As the founder of OWASP, Curphey hadn’t been directly involved with the organization for some time, but had always been a supporter and advocate for OWASP while he was busy being a security practitioner, security product leader, and entrepreneur in the application security space.
Curphey focused on the following three major points during his campaign for the board:
- to change the funding model of OWASP to look more like how the Linux Foundation and its Open Software Security Foundation work with donors to support their projects,
- to install a chief product officer to lead the charge to clean up projects (and prioritize the high-impact ones) as well as revamp the OWASP website to make it more developer friendly, and
- to change the culture of OWASP to eliminate red tape and to add more transparency in how vendors are (or are not) involved in the OWASP mission.
The open letter echoes many of these points, while calling for a change in governance that could fuel a drastic effort in fundraising that they feel could pull in millions of dollars to hire dedicated developers and project leaders.
OWASP Then and Now
When OWASP was founded way back in 2001, it was a scrappy labor of love started by application security advocates who were concerned about the mounting risk to the Internet posed by insecure Web applications. They wanted to boost awareness of the problem outside the bubble of cybersecurity insiders. And so OWASP was born to help deliver education and resources not just to security professionals, but also to developers and business stakeholders.
The idea was to provide organizations with technical guidance that would enable developers to improve their coding practices and reduce the risk of vulnerabilities in the software they deployed. This was the genesis of the OWASP Top 10, the group’s vaunted list of the 10 riskiest flaws in applications, which was first published in 2003 and has since spawned numerous updates and sub-lists, and which has fueled a whole host of open source security projects, commercial products, and services.
Lots of things have changed since those early years. The awareness piece of OWASP has certainly hit its mark, and today the group has grown to support over 240 chapters and tens of thousands of members and contributors around the world. It hosts a full slate of local and global events, and a range of projects like the Top 10, the Software Assurance Maturity Model (SAMM), and Zed Attack Proxy (ZAP).
However, the scope of application security work to be done has broadened considerably as the world has moved way beyond Web applications and is now awash with mobile apps, IoT and embedded systems, wearables, and everything in between — all of which is driven by software.
And the development environment has radically changed, too. Modern development practices have adopted methods like continuous integration/continuous delivery (CI/CD), DevOps, and Agile development to take over from traditional waterfall development patterns. Developers lean heavily on microservices architectures and mix-and-match open source components to build out their software.
Unfortunately, in the face of all that change, some things have also stayed the same. Many of the issues on that first OWASP Top 10 are just as problematic today and still on the list, including injection flaws, misconfigurations, and authentication failures. Now, though, these nagging problems that have never gone away are only exacerbated by the expanded scope, the speed of development, and the tangle of software supply chain dependencies that have been added to the mix over time.
Clamoring for Change
In the context of these factors, many OWASP insiders argue that the nonprofit has not kept up with the pace of change across the software development world. They say the foundation isn’t supporting the needs of the OWASP community, especially in regard to the foundation’s flagship projects, which include over a dozen projects among OWASP’s 274 different projects.
“What worked in the past simply isn’t working now and OWASP needs to change. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn’t happened,” said the open letter to the OWASP Board of Directors and to the foundation’s executive director. “The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.”
With the publication of this latest missive, the letter’s co-signers say that some of OWASP’s most impactful projects — ones that are relied upon by many enterprises and by products enterprises use today — are left to “operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools.”
The signatories are clamoring for some drastic changes in funding models and governance to get the group back to serving the needs of developers in the context of modern software delivery models. They developed an action list consisting of five major points, calling on the foundation and board to:
- develop a community plan that prioritizes key projects, pointing to the OSSF plan as a reference
- change the foundation’s governance structure to “better reflect the needs of the entire security community”
- establish an aggressive funding campaign to raise $5 million to $10 million to pay for dedicated developers, community managers, and support staff
- improve centralized infrastructure and services for the community to take the heat off the projects
- take a more centralized hand in managing the project portfolio and what goes on in local chapters
Williams says he signed because he felt that the changes the group called for are “sadly necessary.”
“OWASP has a glaring hole in not having a financial plan built from the bottom up based on project needs,” he says. “Without that, it’s impossible to fundraise effectively. Writing down an aggressive funding plan, going after some big funding increments, and taking on more aggressive projects is the only way to keep OWASP moving quickly.”
Next-Step Realities
The question is whether the foundation and the OWASP community are willing and able to make some of these changes. According to Chenxi Wang, a former OWASP board member, there are many items in the proposal that are “much needed” since she believes OWASP has devolved into an organization that doesn’t do much more than run events.
“But some of the other items seem to be too ambitious for OWASP, which has a volunteer board and a small working staff. For example, the item to ‘actively manage the project portfolio and chapters’ would require a substantial effort going forward, which may not be something the foundation can do with today’s resources,” she says. “Also, the proposal about funding prioritized projects would require a change to today’s model and may disenfranchise newer projects.”
As she sees it, the proposal is going to require drastic changes to the funding model, the organizational model, and the way funds are distributed.
“To do all of this in one swoop is going to be too disruptive,” Wang says. “A phased approach is the only way to make this happen.”
For his part, OWASP Foundation executive director Andrew van der Stock says he also agrees with many of the points in the letter. The day after the letter was published, the proposals were presented at the foundation’s monthly board meeting. He says the meeting went well, and he agrees that the board needs to set a prioritized plan anyway as part of its fiduciary duty.
“Beyond the way it was presented, there’s nothing in there that we disagree with,” he says of the letter. “I think making a plan within 30 days is definitely doable. My main concern is really around if we don’t manage to achieve all of the five goals in a timeframe that the projects want us to achieve it in.”
He also wonders whether the board’s current bylaws and the will of the OWASP community’s paying members will allow for the kind of governance and funding changes the co-signers want. For example, OWASP isn’t set up the way the OSSF community is, which currently has a board that consists of members that buy their seats through corporate membership and pay significantly to retain those seats. OWASP currently has about 7,000 financial members in addition to the 80,000 people who participate in the community through events, chapter meetings, and projects. That paying membership includes individuals who pay $50 a year, lifetime members who pay $500, and corporate sponsors who pay $5,000 and up, depending on the level of support they want to give.
“I don’t think our community would support that change. It’s one of those things that I think is going to be a little bit unrealistic,” says van der Stock, who adds that these kinds of changes would require a change in OWASP bylaws, which are already in the final phases of being overhauled to a set of “fairly standard” nonprofit bylaws in response to a discovery about a year ago that the original bylaws were invalid according to Delaware General Corporate Law. That routine task alone required an extensive process that included a vote by the general membership.
Nevertheless, van der Stock says that OWASP could definitely flourish if the board can find a way to pull in more funding.
“If we could get between $5 million and $10 million a year, we could get a lot done. If we could get people to work on projects full-time, these things would appear much faster and probably with much higher quality,” he says, noting that the foundation currently only has five staffers on its roster. “I think the only friction really, and the only thing that might be contested, is the governance model. I think our community would have a lot to say about that.”
This is the concern from Williams as well.
“I’m worried that OWASP won’t be able to respond to the letter, given the current governance structures,” he says.
But according to Curphey, the board meeting was a good start to laying out the change-makers’ proposal and considering next steps.
“The board meeting was positive,” he says. “There’s still a long way to go, but we’ll see. I did have to leave early to attend another board meeting, but when I left I was very happy with the progress and the desire from the current board to adapt and change.”
Why Should CISOs Care?
The big question for CISOs and security practitioners is whether any of this internal jockeying at OWASP really matters to them. According to Wang, the decisions and actions the foundation makes today may not necessarily directly impact CISOs right now. But it could have a long-term ripple effect that influences the kind of technology options they will have for helping developers in the long run.
“This could lead to better support of emergent technologies, which down the road could impact the way practitioners adopt these technologies,” she says.