The OWASP nonprofit isn’t like the well-funded Linux Foundation; it runs on a shoestring budget made worse by the loss of conference revenue during the pandemic. OWASP charters events, local meetups, training content and OSS projects - the authors of this memo focus only on the OSS project needs. The OWASP board sees itself as community first and foremost; projects should seek their own sponsorships.
If OWASP wants to focus on chapters and events, why do they have projects under their umbrella at all? We had a similar problem in the .NET ecosystem with the .NET Foundation. It turned out they don't really do that much for the projects they oversee after all, so what's the point? Why be part of an organization that isn't providing the support you need?
Perhaps, indeed, they should not be. Given this response, it sounds to me like the projects should leave. What they need is simply different than what OWASP wants or is financially able to provide. The projects have outgrown the organization, and the organization doesn't see itself as being primarily about the projects. Sounds, to me, like it's time to make a clean break that unburdens OWASP and frees the projects.
The projects should leave. I don't think they are a critical component of OWASP compared to the educational material provided through their documentation and conferences.
Two of the major projects in the list of cosigners on this are the OWASP Top 10 project and ASVS, which are the two big educational projects at OWASP.
I don't especially love either of those projects, but they're arguably the two most important things OWASP works on outside of the conferences. The Top 10 project can't really leave OWASP (ASVS could).
ZAP is the only other project there that I think is all that important to the identity of OWASP itself, but it should just go find its own sponsorship anyways. People like ZAP, but the industry standard is Burp Suite; Burp is Microsoft Office to ZAP's... LibreOffice? Like all the software freedom stuff aside, if you're a professional, you use Word.
Even OWASP Top 10 often seems to be most interesting in the vein of "That thing that was a problem 10 years ago? Yep still a problem." That's a bit unfair. Stuff does move around a bit over time and some new categories come in. But it often mostly seems to document how relatively little things change.
I don't think the OWASP Top 10 is especially good, and in general think it mostly serves as a tool to raise the salience of application security, rather than as a guide to implementing it. It almost doesn't matter what the Top 10 is.
Back when I was attending DevOps Days fairly regularly that's pretty consistent with how I saw the OWASP Top 10 being used--to highlight security in general as opposed to any specific categories.
Josh Sokol would appear to agree. A response on his LinkedIn post:
> Honestly, if they can get $5-10M from "somewhere else", I say go for it. Then maybe the Foundation resources can be hyper focused on catering to Chapters and Events.
I have a very poor opinion of OWASP content, because the couple of areas I’ve paid any attention to have never been any better than mediocre, clearly written by amateurs long ago and largely unmaintained ever since, with known errors and heavily misleading statements hanging around for over a decade on no or unsound justification, among many other problems obvious to any that actually know the field. (See https://hn.algolia.com/?query=chrismorgan%20owasp&type=comme... for a few comments with somewhat more detail, but things have historically been just so bad and so obviously bad that I haven’t bothered enumerating more than the issue that has annoyed me the most.)
(Sigh. I see that as part of fixing a lot of the obvious unsuitability of https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Sc... some time in the past two years—and it is much better now, though there are still a few dodgy things about it in both content and presentation—they reintroduced the erroneous advice to entity-encode /, which was only finally removed two years ago. Feel free to try to get that fixed, anyone; for my part, I have no interest in trying to work with OWASP.)
wow, I have not seen much of the errors that you have come across! That is good to know about.
In regards to freely available information about security, are there other resources you can recommend? Something that I find myself constantly being asked is “how should I protect my code” from engineers. I really fail to find much better freely accessible content in one place than the content available on OWASP.
Not that this would help the quality of the content, but maybe ML can help here? I know a lot of very skilled security people who post on various places around the Internet and an ML search engine to help you find relevant security material might be helpful?
At the company I work for, we are building an ML chat bot that would allow you to ask questions about security vulnerabilities and get linked to the relevant material to help you make your own determination about relevancy.
This is exactly the subject matter that using a chat bot is incredibly dangerous for. The difference between "looks good but fundamentally broken" and "logically sound" in security arguments is very small. The consumer of the content is likely to have little to no developed taste on the matter (or they would seek out more specific resources).
If you have some authoritative curation of the resources it may have promise, but the question becomes, why not have the product of the curation be directly consumable, rather than feed it through an opaque layer?
Inventing problems here, people. It was a nice society while it lasted.
To me, the value of an ML tool would be in the step after we run things through static analysis (e.g. linters for bad coding practices, SCA scans for known CVEs) and before we send this off to our security team for an internal audit and pen test. It would be a tool that we add to our existing tool set, so that we can catch issues earlier, rather than something to replace our pen testers.
Even if you do have some authoritative curation of resources, it's difficult for dev teams to consume it. And even for those who do understand security, it requires a lot of tedious work to check through. I wish it weren't the case, but the reality is that most teams don't have the specialist skills or the motivation to grind away at this for a significant chunk of their time.
I agree with you, and further would say that this has been the case with OWASP for at least a decade.
My take about OWASP on HN has generally been: they're effective at producing communication tools that raise the salience of application security, especially within large companies. And that's about it.
Agreed, that matches my experience too, it's the clueless leading the clueless. I actively steer people away from OWASP regarding training and reference materials.
This doesn't exactly answer your question, but if you want a basic course for software developers in how to develop secure software, check out this free course from the OpenSSF:
https://openssf.org/training/courses/
There is a big difference between cheatsheets and an educational course. That isn't at all to say that the course isn't valuable, but if I want to know what the current best practices for hashing a password are (what algorithm with what parameters, etc.) I want a quick reference that is kept up to date.
> Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools."
This is quite noticeably when you look at the difference between Dependency-Track and DefectDojo. Both are OWASP projects, but one seems to be modern up-to-date software the other looks like straight from the early 2000s.
In other words, they’re asking for funding and a clear plan per project. OWASP does the Maven dependency scanner, which relies on the NIST db.
As a small software vendor, buying other security scanning solutions is very expensive, and they still aren’t as accurate as a pentester investigating our code.
Would it be a good idea if OWASP had a paid service where companies would pay for the verification of OSS libraries (hi NPM!)? and that would innocent you in front of EU’s diligence requirements?
any security standards today and legislations such as radio equipment directive (RED) for IoT piggy-backs on the work done by OWASP. maybe it's time for these standards bodies, ETSI, ISO, UL, IoXT, ... to give back and help with some of the funding.
One of the reason we started to work on my own startup was to provide a credible alternative to Burpsuite as Zap was not evolving in that direction. If we had funding in the amount this letter wants per year it would easy to build it open source and free, but where do they think this money will come from? This is not like the Linux foundation which produces something businesses can use to produce massive amount of money on top. This is competing with commercial products in the space and potentially reducing their revenue.
I understand the visceral reaction there, but OWASP is a nonprofit foundation, and conferences cost money to host. They were attempting to make the conference as cheap as possible by getting volunteers instead of paying people for whatever work they could, I'm sure.
If this was a for-profit company, I'd completely agree with you, but it's not.
Reading between the lines, sounds like they want control handed over to large corporations with everything controlled by a CoC, enforced by representatives of those corporations, directly or covertly.
I’m not familiar with the work that OWASP does, other than the cheat sheet series.
The cheat sheet series is amazing - a great resource to defer to when you don’t know or want to think about how to do <x>, you just want to look up and implement the industry standard.
It’s a great reference, and I use it lot. <3 to the folks working on that :)
The main cheat sheet I’ve looked closely at is the XSS one, and it’s never been better than mediocre, with (for over a decade, despite it being known about; only recently has it been redone to be tolerable, though still not excellent) awful framing, grossly misleading structure (seriously, almost every citations I’ve seen of it has misapplied it because of this), irrelevant and excessive content in some areas and critical missing content in other areas.
Therefore my recommendation is: use it for general awareness, perhaps, but do not trust it. Because there probably isn’t anyone really working on it—you’re probably actually looking at something that was written well over 10 years ago by an amateur, and has received almost no maintenance since then.
The OWASP nonprofit isn’t like the well-funded Linux Foundation; it runs on a shoestring budget made worse by the loss of conference revenue during the pandemic. OWASP charters events, local meetups, training content and OSS projects - the authors of this memo focus only on the OSS project needs. The OWASP board sees itself as community first and foremost; projects should seek their own sponsorships.