To the OWASP Board of Directors and the Executive Director of the OWASP Foundation,
OWASP was first set up over two decades ago. The Internet, the way we build software, and the security industry, has changed so much that those days are hardly recognizable today.
As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn't kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn’t working now and OWASP needs to change.
We have written and published this open letter, knowing that other parts of the community also support our concerns, and are asking the OWASP Board of Directors to take action. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn't happened. The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.
Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools. Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals and that have many millions of downloads each year. We don’t want to become commercial open-core businesses, but do want to be able to create, and sustain commercial quality open-source projects.
Without active world class projects, OWASP doesn’t have a unique selling point and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be: First and foremost for all things application security.
There are five key areas that we feel if not addressed immediately, will result in important projects, like ours, leaving OWASP in search of, or creating a community that better meets their needs. We don’t want that to happen.
- The Foundation should publish and maintain a community plan that should include its prioritized key project initiatives, along with a suitable funding plan to support them. The OSSF plan is a useful example to reference.
- The Foundation’s governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships.
- The Foundation’s funding should reflect the needs of our and other flagship projects to both sustain and improve them. We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff. We would like to work with the foundation to develop project by project plans.
- The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
- The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and that we are able to attract and retain the best talent for the community. A plan, leadership, active community management, mentoring, and better tooling are all needed.
This letter is written with positive intent and we believe is in the best interests of the OWASP community and those that rely on it. We appreciate that this is a change from how OWASP operates today, but have conviction that OWASP is at a tipping point and needs to evolve now.
We all want to be part of the OWASP community and for it to continue to be successful in the decades to come.
We ask that you respond within 30 days, with a plan of action to address the five points above.
Yours truly,
Simon Bennetts, OWASP ZAP founder and co-project leader, OWASP VWAD co-project leader
Ricardo Pereira, OWASP ZAP co-project leader
Glenn ten Cate, Security Knowledge Framework founder and co-project leader & OWASP Board Member
Akshath Kothari, OWASP ZAP core team member
Mark Curphey, OWASP founder and 2023 board member
Daniel Cuthbert, OWASP ASVS
Sebastien Deleersnyder, OWASP SAMM co-project leader and OWASP Threat Modeling Playbook (OTMP) founder and project leader
Bart De Win, OWASP SAMM co-project leader
Maxim Baele, OWASP SAMM core team member
Rick Mitchell, OWASP ZAP co-project leader, OWASP Web Security Testing Guide co-project leader, OWASP VWAD co-project leader
Steve Springett, OWASP CycloneDX and OWASP Dependency-Track founder and co-project leader
Björn Kimminich, OWASP Juice Shop founder and project leader
Niklas Düster, OWASP Dependency-Track co-project leader
Jeroen Willemsen, OWASP WrongSecrets project leader
Jeremy Long, OWASP dependency-check founder and project lead and OWASP Java Encoder contributor
Cole Cornford, OWASP Code Review Guide project lead and OWASP XSS Prevention CheatSheet author
Ben Gittins, OWASP Member and Contributor
Erwin Geirnaert, Creator of the first OWASP WebGoat Solutions Guide, first OWASP Top 10 for Java and part of the OWASP Community since 2000
Robin Wood, OWASP contributor and supporter
Rob Grant, OWASP contributor
Arkaprabha Chakraborty, OWASP contributor and OWASP ZAP extended team member
Curtis Koenig, Founding member OWASP Louisville, Former Chapter Leader OWASP Louisville, OWASP Member
Cláudio André, OWASP MASTG Top Contributer
István Albert-Tóth, OWASP CSRFGuard project co-lead
Katie Paxton-Fear, educational web security YouTuber
Jakub Maćkowski, OWASP contributor and OWASP Cheat Sheet Series co-project leader
Somdev Sangwan, Open Source Security Tools Developer
Edoardo Ottavianelli, Open Source Security Tools Developer
Aram Hovsepyan, OWASP SAMM core team member
Brian Glas, OWASP Top 10 Co-Lead, OWASP SAMM Core team member, OWASP SAMM Benchmark Co-Lead
Jeff Williams, OWASP Chair from 2001-2011, Creator of OWASP Top Ten, WebGoat, ESAPI, ASVS, XSS Prevention Cheatsheet, OWASP Legal, Chapters Program, OWASP Foundation, the OWASP Wiki, and more
Dimitar Raichev, OWASP SAMM contributor & tool developer
Dinis Cruz, Past OWASP Board member, organiser of multiple OWASP Conferences and Summits, lead multiple OWASP projects and chapters
Sachin Kumar Dhaka, OWASP Jaipur Member and Budding Security Researcher
Jessy Ayala, OWASP Member and Contributor
Paul McCann, OWASP Security Shepherd maintainer and contributor
Karan Preet Singh Sasan, Owasp VulnerableApp project leader and OWASP ZAP extended team member
Daniel Wood, OWASP Lifetime Member
Bharath, OWASP (Bangalore Chapter) Member and Contributor
John Viega, original OWASP advisory board member, OWASP Lifetime Member
Carol Valencia, Security cloud-native and open-source enthusiast
Published on 2023/02/13
Submit a PR to README.md to add your name.