/owasp-change.github.io

An Open Letter to the OWASP Board

License: Apache License 2.0 (Apache-2.0)

OWASP needs to evolve

To the OWASP Board of Directors and the Executive Director of the OWASP Foundation,

OWASP was first set up over two decades ago. The Internet, the way we build software, and the security industry have changed so much that those days are hardly recognizable today.

As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn't kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn’t working now and OWASP needs to change.

We have written and published this open letter, knowing that other parts of the community also support our concerns, and are asking the OWASP Board of Directors to take action. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn't happened. The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.

Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools. Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals, and that have many millions of downloads each year. We don’t want to become commercial open-core businesses, but we do want to be able to create and sustain commercial-quality open-source projects.

Without active world-class projects, OWASP doesn’t have a unique selling point, and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be: first and foremost for all things application security.

There are five key areas that, if not addressed immediately, we feel will result in important projects like ours leaving OWASP in search of, or creating, a community that better meets their needs. We don’t want that to happen.

  1. The Foundation should publish and maintain a community plan that includes its prioritized key project initiatives, along with a suitable funding plan to support them. The OSSF plan is a useful example to reference.
  2. The Foundation’s governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships.
  3. The Foundation’s funding should reflect the needs of our and other flagship projects, to both sustain and improve them. We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff. We would like to work with the Foundation to develop project-by-project plans.
  4. The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
  5. The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and that we are able to attract and retain the best talent for the community. A plan, leadership, active community management, mentoring, and better tooling are all needed.

This letter is written with positive intent and, we believe, is in the best interests of the OWASP community and those that rely on it. We appreciate that this is a change from how OWASP operates today, but we have conviction that OWASP is at a tipping point and needs to evolve now.

We all want to be part of the OWASP community and for it to continue to be successful in the decades to come.

We ask that you respond within 30 days, with a plan of action to address the five points above.

Yours truly,

Simon Bennetts, OWASP ZAP founder and co-project leader, OWASP VWAD co-project leader
Ricardo Pereira, OWASP ZAP co-project leader
Glenn ten Cate, Security Knowledge Framework founder and co-project leader & OWASP Board Member
Akshath Kothari, OWASP ZAP core team member
Mark Curphey, OWASP founder and 2023 board member
Daniel Cuthbert, OWASP ASVS
Sebastien Deleersnyder, OWASP SAMM co-project leader
Bart De Win, OWASP SAMM co-project leader
Maxim Baele, OWASP SAMM core team member
Rick Mitchell, OWASP ZAP co-project leader, OWASP Web Security Testing Guide co-project leader, OWASP VWAD co-project leader
Steve Springett, OWASP CycloneDX and OWASP Dependency-Track founder and co-project leader
Björn Kimminich, OWASP Juice Shop founder and project leader

Published on YYYY/MM/DD (not officially published yet)


Submit a PR to README.md to add your name.