OWASP needs to evolve

An Open Letter to the OWASP Board

OWASP needs to evolve

To the OWASP Board of Directors and the Executive Director of the OWASP Foundation,

OWASP was first set up over two decades ago. The Internet, the way we build software, and the security industry, has changed so much that those days are hardly recognizable today.

As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn’t kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn’t working now and OWASP needs to change.

We have written and published this open letter, knowing that other parts of the community also support our concerns, and are asking the OWASP Board of Directors to take action. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn’t happened. The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.

Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools. Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals and that have many millions of downloads each year. We don’t want to become commercial open-core businesses, but do want to be able to create, and sustain commercial quality open-source projects.

Without active world class projects, OWASP doesn’t have a unique selling point and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be: First and foremost for all things application security.

There are five key areas that we feel if not addressed immediately, will result in important projects, like ours, leaving OWASP in search of, or creating a community that better meets their needs. We don’t want that to happen.

  1. The Foundation should publish and maintain a community plan that should include its prioritized key project initiatives, along with a suitable funding plan to support them. The OSSF plan is a useful example to reference.
  2. The Foundation’s governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships.
  3. The Foundation’s funding should reflect the needs of our and other flagship projects to both sustain and improve them. We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff. We would like to work with the foundation to develop project by project plans.
  4. The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
  5. The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and that we are able to attract and retain the best talent for the community. A plan, leadership, active community management, mentoring, and better tooling are all needed.

This letter is written with positive intent and we believe is in the best interests of the OWASP community and those that rely on it. We appreciate that this is a change from how OWASP operates today, but have conviction that OWASP is at a tipping point and needs to evolve now.

We all want to be part of the OWASP community and for it to continue to be successful in the decades to come.

We ask that you respond within 30 days, with a plan of action to address the five points above.

Yours truly,

Simon Bennetts, OWASP ZAP founder and co-project leader, OWASP VWAD co-project leader
Ricardo Pereira, OWASP ZAP co-project leader
Glenn ten Cate, Security Knowledge Framework founder and co-project leader & OWASP Board Member
Akshath Kothari, OWASP ZAP core team member
Mark Curphey, OWASP founder and 2023 board member
Daniel Cuthbert, OWASP ASVS
Sebastien Deleersnyder, OWASP SAMM co-project leader and OWASP Threat Modeling Playbook (OTMP) founder and project leader
Bart De Win, OWASP SAMM co-project leader
Maxim Baele, OWASP SAMM core team member
Rick Mitchell, OWASP ZAP co-project leader, OWASP Web Security Testing Guide co-project leader, OWASP VWAD co-project leader
Steve Springett, OWASP CycloneDX and OWASP Dependency-Track founder and co-project leader
Patrick Dwyer, OWASP CycloneDX co-project leader
Björn Kimminich, OWASP Juice Shop founder and project leader
Niklas Düster, OWASP Dependency-Track co-project leader
Jeroen Willemsen, OWASP WrongSecrets project leader
Jeremy Long, OWASP dependency-check founder and project lead and OWASP Java Encoder contributor
Cole Cornford, OWASP Code Review Guide project lead and OWASP XSS Prevention CheatSheet author
Ben Gittins, OWASP Member and Contributor
Erwin Geirnaert, Creator of the first OWASP WebGoat Solutions Guide, first OWASP Top 10 for Java and part of the OWASP Community since 2000
Robin Wood, OWASP contributor and supporter
Rob Grant, OWASP contributor
Arkaprabha Chakraborty, OWASP contributor and OWASP ZAP extended team member
Curtis Koenig, Founding member OWASP Louisville, Former Chapter Leader OWASP Louisville, OWASP Member
Cláudio André, OWASP MASTG Top Contributer
István Albert-Tóth, OWASP CSRFGuard project co-lead
Katie Paxton-Fear, educational web security YouTuber
Jakub Maćkowski, OWASP contributor and OWASP Cheat Sheet Series co-project leader
Somdev Sangwan, Open Source Security Tools Developer
Edoardo Ottavianelli, Open Source Security Tools Developer
Aram Hovsepyan, OWASP SAMM core team member
Brian Glas, OWASP Top 10 Co-Lead, OWASP SAMM Core team member, OWASP SAMM Benchmark Co-Lead
Jeff Williams, OWASP Chair from 2001-2011, Creator of OWASP Top Ten, WebGoat, ESAPI, ASVS, XSS Prevention Cheatsheet, OWASP Legal, Chapters Program, OWASP Foundation, the OWASP Wiki, and more
Dimitar Raichev, OWASP SAMM contributor & tool developer
Dinis Cruz, Past OWASP Board member, organiser of multiple OWASP Conferences and Summits, lead multiple OWASP projects and chapters
Sachin Kumar Dhaka, OWASP Jaipur Member and Budding Security Researcher
Jessy Ayala, OWASP Member and Contributor
Paul McCann, OWASP Security Shepherd maintainer and contributor
Karan Preet Singh Sasan, Owasp VulnerableApp project leader and OWASP ZAP extended team member
Daniel Wood, OWASP Lifetime Member
Bharath, OWASP (Bangalore Chapter) Member and Contributor
John Viega, original OWASP advisory board member, OWASP Lifetime Member
Carol Valencia, Security cloud-native and open-source enthusiast
Jimmy Mesta, OWASP Kubernetes Top Ten Project Leader and Cheatsheet Contributor
Lewis Ardern, OWASP Bay Area Chapter Leader (2019-2022), and created the What is OWASP? Video
Alvin Smith, OWASP Juice Shop Contributor
Sven Schleier, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG
Carlos Holguera, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG
Jeroen Beckers, OWASP Mobile Application Security, Co-Author of OWASP MASVS and MASTG
Shubham Palriwala, OWASP Juice Shop Core Team member
Pinaki Mondal, Open Source Security Tools Developer
Zsolt Imre, CTO at private company
Eoin Keary, Former OWASP Global Board Vice Chair (2010-2015), Former Testing and Code Review Guide lead
Deepayan Chanda, Principal Cybersecurity Architect
Martín Marsicano, OWASP Lifetime Member, Former Chapter Leader OWASP Uruguay and several projects contributor
Paul Schwarzenberger, OWASP Domain Protect creator and project leader
Abraham Aranguren, OWASP OWTF Project creator and project leader
Viyat Bhalodia, OWASP OWTF Project project leader
Dave Ferguson, Project contributor and former chapter leader
Josh Larsen, OWASP Lifetime Member
Sergey Pronin, Principal Security Architect, OWASP Lifetime Member
James, BugBounter, Pentester and OWASP passionate
Kevin W. Wall, OWASP ESAPI project co-lead, OWASP Lifetime Member, and OWASP ZAP and OWASP Cheat Sheets Series contributor
Cesar Kohl, OWASP ASVS and OWASP Cheat Sheets Series contributor
Simon Whittaker, OWASP Lifetime Member
Frank Catucci, CTO and Head of Security Research at Invicti, OWASP Member and former OWASP Chapter Leader
Ingo Struck, Former OWASP Leader, creator of the name WebGoat, OWASP Lifetime Member
Francesco Maria Ferazza, Director of IT, security lecturer and researcher
Antonio Montillo, OWASP enthusiast
Daniel Neagaru, OWASP Raider project leader
Rejah Rehim, OWASP Kerala Chapter leader
Grant Ongers, OWASP Lifetime Member, OWASP Cornucopia and OWASP Application Security Curriculum project co-lead
Patrick Reijnders, CISO, OWASP enthusiast; started using the Top Ten as a developer in 2004, now using it as a guideline for pentesting.
Jordan Pike, OWASP Member
Riotaro Okada, OWASP Lifetime member, OWASP Projects contributer, an OWASP Japan chapter lead
Magno Logan, OWASP Member since 2011, former OWASP Paraiba Chapter Leader 2011-2016, OWASP Paraiba Day 2012 Organizer, OWASP Portuguese Language Project contributor and OWASP Top 10 Java EE translator
Steven van der Baan, OWASP Member and OWASP Cambridge co-lead
David Hunt, OWASP Member and OWASP Columbus co-lead
Mauricio Harley, OWASP Member, former OWASP Fortaleza chapter founder and leader, OWASP MSTG/MASVS contributor
Wael Ghandour, OWASP Member
Yevgeniy Goncharov, Open Source Security Tools Developer

Published on 2023/02/13

This “Open Letter to the OWASP Board” is no longer accepting any changes.