July 17, 2024
Is OWASP at Danger of Irrelevance?

Because the OWASP Basis navigates its third decade of existence, many software safety specialists and OWASP volunteer contributors say it is time for the group to make some large modifications to remain related. This week, a bunch of over 60 high-profile OWASP members despatched an open letter to the OWASP Board of Administrators and to the muse’s govt director demanding vital modifications to the muse. Many of those co-signers had been leaders of flagship OWASP tasks, lifetime contributors, and former OWASP board members.

“OWASP merely is not driving innovation anymore,” says Distinction Safety co-founder and CTO Jeff Williams, writer of the primary OWASP High Ten, the OWASP chair from 2001 via 2011, and one of many co-signers. “Open supply has modified, and OWASP must sustain by supporting contributors higher.”

Among the many signatories had been additionally two present board members, Glenn ten Cate and Mark Curphey. Whereas Curphey says the letter is the results of mutual collaboration inside the group, it additionally aligns very intently with a manifesto he published last year as part of his profitable bid for a seat on the 2023 board. Because the founding father of OWASP, Curphey hadn’t been immediately concerned with the group for a while, however had all the time been a supporter and advocate for OWASP whereas he was busy being a safety practitioner, safety product chief, and entrepreneur within the software safety area.

Curphey centered on the next three main factors throughout his marketing campaign for the board:

  • to vary the funding mannequin of OWASP to look extra like how Linux Basis and its Open Software program Safety Basis works with donors to help their challenge,
  • to put in a chief product officer to steer the cost to wash up tasks (and prioritize the high-impact ones) in addition to renovate the OWASP web site to make it extra developer pleasant, and
  • to vary the tradition of OWASP to remove pink tape and so as to add extra transparency in how distributors are (or usually are not) concerned within the OWASP mission.

The open letter echoes many of these points, whereas calling for a change in governance that might gasoline a drastic effort in fundraising that they really feel may pull in thousands and thousands of {dollars} to rent devoted builders and challenge leaders.

OWASP Then and Now

When OWASP was based approach again in 2001, it was a scrappy labor of affection based by software safety advocates who had been involved in regards to the mounting danger to the Web posed by insecure Internet functions. They wished to spice up consciousness of the issue outdoors the bubble of cybersecurity insiders. And so OWASP was born to assist ship schooling and sources to not simply safety professionals, but additionally builders and enterprise stakeholders.

The concept was to present organizations technical steering that might allow builders to enhance their coding practices and scale back the danger of vulnerabilities within the software program they deployed. This was the genesis of the OWASP High 10, the group’s vaunted listing of the ten riskiest flaws in functions that was first printed in 2003 and which has since spawned quite a few updates and sub-lists, and which has fueled a complete host of safety open supply tasks, business merchandise, and companies.

A lot of issues have modified since these early years. The attention piece of OWASP has actually hit its mark, and at the moment the group has grown to help over 240 chapters and tens of hundreds of members and contributors world wide. It hosts a full slate of native and international occasions, and numerous tasks just like the High 10, the Software program Assurance Maturity Mannequin (SAMM), and Zed Assault Proxy (ZAP).

Nonetheless, the scope of software safety work to be accomplished has broadened significantly because the world has moved approach past Internet functions and is now awash with cell apps, IoT and embedded programs, wearables, and the whole lot in between — all of which is pushed by software program.

And the event surroundings has radically modified, too. Fashionable improvement practices have coopted strategies like steady integration/steady supply (CI/CD), DevOps, and Agile improvement to take over from conventional waterfall improvement patterns. Builders lean closely on microservices architectures and mix-and-match open supply parts to construct out their software program.

Sadly, within the face of all that change, some issues have additionally stayed the identical. Lots of the points on that first OWASP High 10 are simply as problematic at the moment and nonetheless on the listing, together with injection flaws, misconfigurations, and authentication failures. Now, although, these nagging issues which have by no means gone away are solely exacerbated by the expanded scope, the pace of improvement, and the tangle of software program provide chain dependencies which have been added to the combination through the years.

Clamoring for Change

Within the context of those components, many OWASP insiders argue that the nonprofit has not saved up with the tempo of change inside the software program improvement world. They are saying the muse is not supporting the wants of the OWASP group, particularly in regard to the muse’s flagship projects, which incorporates over a dozen tasks amongst OWASP’s 274 different tasks.

“What labored up to now merely isn’t working now and OWASP wants to vary. Yr after 12 months, issues have been raised and there have been guarantees of change, however 12 months after 12 months it hasn’t occurred,” stated the open letter to the OWASP Board of Administrators and to the muse’s govt director. “The hole between what our tasks and the group round them need, and the help that OWASP offers, continues to develop wider.”

With the publication of this newest missive, the letter’s cosigners say that a few of OWASP’s most impactful tasks — ones which might be relied upon by many enterprises and by merchandise enterprises use at the moment — are left to “function independently, in some circumstances managing their very own sponsorships, finance, web sites, domains, communication platforms, and developer instruments.”

The signatories are clamoring for some drastic modifications in funding fashions and governance to get the group again to serving the wants of builders within the context of recent software program supply fashions. They developed an motion listing consists of 5 main factors, calling the muse and board to:

  1. develop a group plan that prioritizes key initiatives, pointing to the OSSF plan as a reference
  2. change the muse’s governance construction to “higher mirror the necessity of all the safety group”
  3. set up an aggressive funding marketing campaign to boost $5 million to $10 million to pay for devoted builders, group managers, and help workers
  4. enhance centralized infrastructure and companies for the group to take the warmth off the tasks
  5. take a extra centralized hand in managing the product portfolio and what goes on in native chapters

Williams says he signed as a result of he felt that the modifications the group known as for are “sadly essential.”

“OWASP has a evident gap in not having a monetary plan constructed from the underside up based mostly on challenge wants,” he says. “With out that, it is unimaginable to fundraise successfully. Writing down an aggressive funding plan, going after some large funding increments, and taking over extra aggressive tasks is the one approach to hold OWASP shifting shortly.”

Subsequent-Step Realities

The query is whether or not the muse and the OWASP group is prepared and in a position to make a few of these modifications. Based on Chenxi Wang, a former OWASP board member, there are numerous gadgets within the proposal which might be “a lot wanted” since she believes OWASP has devolved into a corporation that does not do rather more than run occasions.

“However among the different gadgets appear to be too bold for OWASP, which has a volunteer board and a small working workers. For instance, the merchandise to ‘actively handle the challenge portfolio and chapters’ would require a considerable effort going ahead, which is probably not one thing the muse can do with at the moment’s sources,” she says. “Additionally, the proposal about funding prioritized tasks would require a change to at the moment’s mannequin and will disenfranchise newer tasks.”

As she sees it, the proposal goes to require drastic modifications to the funding mannequin, the group mannequin, and the way in which funds are distributed.

“To do all of this in a single swoop goes to be too disruptive,” Wang says. “A phased strategy is the one approach to make this occur.”

For his half, OWASP Basis govt director Andrew van der Inventory says he additionally agrees with most of the factors within the letter. The day after the letter was printed, the proposals had been offered on the basis’s month-to-month board assembly. He says the assembly went nicely, and he agrees that the board must set a prioritized plan anyway as part of their fiduciary obligation.

“Past the way in which it was offered, there’s nothing in there that we disagree with,” he says of the letter. “I believe making a plan inside 30 days is certainly doable. My main concern is absolutely round if we do not handle to attain the entire 5 targets in a timeframe that the tasks need us to attain it in.”

He additionally does ponder whether the board’s present bylaws and the need of the OWASP group’s paying members will permit for the form of governance and funding modifications the co-signers need. For instance, OWASP is not arrange the way in which the OSSF group is, which presently has a board that consists of members that purchase their seats via company membership and pay considerably to retain these seats. OWASP presently has about 7,000 monetary members along with the 80,000 individuals who take part in the neighborhood via occasions, chapter conferences, and tasks. That paying membership contains people who pay $50 a 12 months, lifetime members who pay $500, and company sponsors who pay $5,000 and up, relying on the extent of help they wish to give.

“I do not suppose our group would help that change. It is a type of issues that I believe goes to be a little bit bit unrealistic,” says van der Inventory, who provides that these sorts of modifications would require a change in OWASP bylaws, that are already within the final phases of being overhauled to a set of “pretty commonplace” nonprofit bylaws in response to a discovery a couple of 12 months in the past that the unique bylaws had been invalid in keeping with Delaware Basic Company Legislation. That routine process alone required an intensive course of that included a vote by the final membership.

Nonetheless, van der Inventory says that OWASP may undoubtedly flourish if the board can discover a approach to pull in additional funding.

“If we may get between $5 million and $10 million a 12 months, we may get so much accomplished. If we may get individuals to work on tasks full-time, this stuff would seem a lot faster and possibly with a lot increased high quality,” he says, noting that the muse presently solely has 5 staffers on its roster. “I believe the one friction actually, and the one factor that may be contested, is the governance mannequin. I believe our group would have so much to say about that.”

That is the priority from Williams as nicely.

“I am apprehensive that OWASP will not be capable to reply to the letter, given the present governance constructions,” he says.

However in keeping with Curphey, the board assembly was begin to laying out the change-makers’ proposal and contemplating subsequent steps.

“The board assembly was constructive,” he says. “There’s nonetheless an extended approach to go, however we’ll see. I did have to go away early to attend one other board assembly, however once I left was very happy with progress and need from present board to adapt and alter.”

Why Ought to CISOs Care?

The large query for CISOs and safety practitioners is whether or not any of this inside jockeying at OWASP actually issues to them. Based on Wang, the selections and actions the muse makes at the moment might not essentially immediately affect CISOs proper now. However it may have a long-term ripple impact that influences the form of expertise choices they’re going to have for serving to builders in the long term.

“This might end in higher help of emergent applied sciences, which down the road may affect the way in which practitioners undertake these applied sciences,” she says.