The Open Web Application Security Project (OWASP) has been a mainstay in the cybersecurity community for over two decades. Its mission is to provide unbiased and practical information about application security. However, recent developments have brought the organization’s governance and funding model into question.
What is OWASP?
OWASP was founded in 2001 as a non-profit organization focused on improving software security. The group aims to provide free and open resources for developers, security professionals, and organizations to build more secure software. Its work includes developing secure coding practices, maintaining a list of the top 10 web application security risks (the famous OWASP Top 10), and publishing guidelines for secure software development.
The Open Letter
In February 2023, a group of 73 OWASP project leaders, contributors, and supporters published an open letter to the OWASP board of directors. The letter detailed concerns about the organization’s governance and funding model, specifically the lack of a prioritized plan for addressing the most critical vulnerabilities and the need for more funding to support projects.
The letter called for a prioritized plan for addressing the most critical vulnerabilities based on a risk-based vulnerability management approach. This means that vulnerabilities would be prioritized based on their likelihood and potential impact, rather than just their severity score. The group also called for a new funding model, which would provide more resources to OWASP to support projects, such as hiring full-time staff, supporting travel expenses for project leads, and funding security research.
Response from OWASP
OWASP’s board of directors responded positively to the letter, acknowledging that the organization needs a prioritized plan and more funding to support projects. However, there are concerns about the feasibility of implementing the proposed changes. Andrew van der Stock, the executive director of OWASP, stated that a change in the organization’s bylaws would be required to implement the proposed changes, and he is unsure if the community would support such changes.
The debate over OWASP’s governance and funding may not have an immediate impact on CISOs and security practitioners. However, the decisions OWASP makes and the actions it takes now could have a long-term ripple effect on the technology options available to them for helping developers. For example, a more risk-based approach to vulnerability prioritization could result in better support for emergent technologies, which could affect the way practitioners adopt these technologies.
The future of OWASP is uncertain, but the recent debate about governance and funding shows the importance of transparency and community involvement in non-profit organizations. A risk-based vulnerability management approach to prioritization could provide better support for emergent technologies and result in higher-quality software security. However, implementing these changes will require significant effort and support from the community.