After two decades of raising awareness about the big problems in application security, the Open Web Application Security Project (OWASP) stands at a crossroads. So warns OWASP's founder Mark Curphey, who believes that if the OWASP Foundation continues to do business as usual, it risks dissipating into irrelevancy in the not-so-distant future. After many years removed from the day-to-day operations and leadership of the group, Curphey is on a crusade to return to a leadership spot and modernize OWASP.
He's doing it with guns blazing in a status quo-busting campaign for the OWASP board (for which voting concludes in a few days) in which he promises to push for radical changes in the way the organization governs, funds, and runs its open source software security projects.
Curphey believes the changes he's got in mind are the surest way OWASP can reinvent itself to keep up with the risks and realities of the way software is now delivered in this cloud-native, DevSecOps world.
The relevancy problem with OWASP in 2022
Back in 2001, Curphey led the first charge for OWASP's inception. At the time he was running application security at a big financial services firm and already very tapped into the appsec community as the moderator of the WebAppSec mailing list, which was a hotbed of conversation among the software security cognoscenti, but full of plenty of vendor fear, uncertainty and doubt (FUD), too.
Frustrated with the lack of a neutral forum for collaboration between the security world and the developer community, he took action. He authored the first draft of the OWASP's earliest philosophical and technical precepts, he registered the owasp.org domain, and he gathered some of the finest minds in appsec to work together on projects designed to guide and help website operators shore up the security of the internet in the heady days of the dot-com bubble.
He was heavily involved with the group as it came together to develop the first iteration of the OWASP Top 10 Project, an open source project for which the group is best known. Detailing the top 10 most dangerous flaws that developers should be aware of when developing software for the web, the project continues to be updated to this day —alongside many, many other projects, including Software Assurance Maturity Model, Software Component Verification Standard, and Dependency-Track.
Herein lies the rub, according to Curphey. He explains that many years after stepping aside from the group's leadership, OWASP has grown into something much bigger than he ever dreamed during those early days. With the flood of contributors and countless projects tackled by OWASP over the years, he believes the group has gotten so caught up in bureaucracy and security navel gazing that it's failed to keep up with the way developers work today. Even just the name hints at this lack of modernization, he says.
Curphey said he would push to rebrand the OWASP acronym to the Open Worldwide Application Security Project.
"When the project was created, it was called the Open Web Application Security Project. It's not about web now, it's about cloud, IoT, APIs, and everything else. It was just a fundamentally different era. Cloud native development is fundamentally different from what we built before. And the OWASP mission hasn't been updated, the scope of the project hasn't been updated. And there's just a lot of things that are huge missed opportunities."
Since he left the group he's crusaded for app sec in his own way, working for Microsoft, founding three different security companies, and working the speaker circuit tirelessly — all while keeping an eye on OWASP's progression.
As he explains in his Manifesto for OWASP in 2022, he's been simultaneously proud of many OWASP achievements over the years and frustrated with what OWASP has become, as it has not moved fast or effectively enough to help developers deliver more secure software up and down the software supply chain that stretches well beyond web apps.
"Modern software is an intersection of code development, software supply chains, cloud computing, DevOps..."
While developers today are out seeking more democratized security tools and detailed technical guidance, so they can weave secure coding principles into their work on the daily, he argues that OWASP remains an "organization that operates for the lowest common denominator by trying to keep everyone happy." As a result, OWASP doesn't offer enough tooling or clear technical guidelines that can be easily found and implemented by developers or DevOps teams into their deployment pipelines, he said.
Technical focus areas for modern development teams
Some of the technical areas his manifesto says OWASP should be focusing on to add value for modern development shops include, per Curphey's manifesto:
- Language analysis and improvement
- Runtime analysis and improvement
- DevSecOps automation
"OWASP doesn't even have a credible SAST project today, probably the most widely accepted and understood application security analysis technology. Let's fix that fast."
The changes needed for OWASP
As he sees it, one of the big problems right now is that "there's no mechanism to vote for radical change" in the OWASP community model. His goal is to step into the board and make waves with some big moves to the governance of the group
"Currently, there's no referendums that can happen. All you can do is join the board. But what I laid out in that manifesto was, this is not just a play to join the board and debate what changes we can make--I'm asking for a mandate for change," he says.
His drive will be to change the group in three major ways.
1. Change the culture
Changing the culture of OWASP is priority one. "One of the first ones is to change the culture and remove the bureaucracy. Until you do that, you're not going to get anything done."
As a part of that, he's advocating for more transparency in how vendors are or are not involved in the OWASP mission, and cleaving more closely to the vendor-neutral roots in which OWASP was first founded.
"Supposedly, OWASP's vendor neutral, but in reality, it's just not. I mean, you have vendors that are in positions running chapters; they all have a vested interest," he says. "I attended a chapter meeting recently and essentially it was just a set of vendors pitching their products and pitching what their products do."
"The vendors are probably the ones that stand there lose the most out of all of this. And the internet and the community a whole are the ones who stand to gain the most, for sure."
The process of shifting the culture also means bringing new blood into the group, including bringing the voices of developers more firmly into the fold, as well as deeply technical people in the security community who have sat on the sidelines for too long.
2. Establish a different funding model
Curphey isn't shy in his admiration of the way that Jim Zemlin has raised funds as Executive Director of Linux Foundation, bolstering the group's war chest for community-wide software security initiatives.
"For instance, when OpenSSL and Heartbleed came out, Jim Zemlin literally raised $6 million bucks over 48 hours and went and gave it to the OpenSSL team to go fix the problem," he says. "He runs it like a teaching hospital or Gates Foundation. But it's not run like a community workshop, which is unfortunately what OWASP is."
Curphey's vision is for OWASP to dump the community funding model and to take lessons — and help — from Linux Foundation funding efforts to support projects like OpenSSF. "The OWASP funding model has to change in order to attract the right talent," he says. "Jim Zemlin is offering to help me figure out how to go raise money. And he's a huge supporter."
3. Clean up the projects and the OWASP site
Curphey says there are currently "hundreds and hundreds" of projects hosted by OWASP, and that the site is a byzantine mess that only serves to confuse developers rather than actually helping them develop more secure code. His mission is to pare down and clean up the projects and the site itself so that it's serving the right audience.
Curphey outlines in his manifesto that he wants to install a Chief Product Officer and a product management team that cleans up the group's portfolio:
"It has to be externally focused so that you can give the right help."
Uncertainties lie ahead
With under a week left in OWASP voting for the board (last day of voting is Oct. 30th), it's still all up in the air whether Curphey will even get his shot to make these sweeping changes. He says he's got the support of many on the current board, and his "LinkedIn alerts are going off left, right, and center with people who have left the project or people that didn’t' participate that are saying 'Great, I want in.'"
But he recognizes that there will be detractors there and that it will take significant effort to change what's grown up from a spunky grassroots effort he spearheaded 21 years go to the huge organization it is today.
"The hope is that mandate [for changing OWASP] is proven in a vote and then we'll go affect the change. But yeah, it's perfectly possible that the same bureaucracy that's hit the rest of the project hits me and we can't make it happen. But I will be very vocal if that's the case. And forceful."