https://github.com/owasp-change/owasp-change.github.io

owasp-change / owasp-change.github.io (Public): An Open Letter to the OWASP Board. Website: owasp-change.github.io/. License: Apache-2.0.
Latest commit: f01668b, Feb 18, 2023, "Update README.md (#82)" by computersarebad and kingthorin (Co-authored-by: Rick M). 164 commits. Files: .gitignore, LICENSE, README.md, _config.yml.

# OWASP needs to evolve

To the OWASP Board of Directors and the Executive Director of the OWASP Foundation,

OWASP was first set up over two decades ago. The Internet, the way we build software, and the security industry have changed so much that those days are hardly recognizable today. As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn't kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn't working now, and OWASP needs to change.

We have written and published this open letter, knowing that other parts of the community also support our concerns, and are asking the OWASP Board of Directors to take action. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn't happened. The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.

Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools. Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals, and that have many millions of downloads each year. We don't want to become commercial open-core businesses, but we do want to be able to create and sustain commercial-quality open-source projects. Without active world-class projects, OWASP doesn't have a unique selling point, and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be: first and foremost for all things application security.

There are five key areas that, we feel, if not addressed immediately, will result in important projects, like ours, leaving OWASP in search of, or creating, a community that better meets their needs. We don't want that to happen.

1. The Foundation should publish and maintain a community plan that should include its prioritized key project initiatives, along with a suitable funding plan to support them. The OSSF plan is a useful example to reference.
2. The Foundation's governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships.
3. The Foundation's funding should reflect the needs of our and other flagship projects to both sustain and improve them. We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff. We would like to work with the Foundation to develop project-by-project plans.
4. The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
5. The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and that we are able to attract and retain the best talent for the community.

A plan, leadership, active community management, mentoring, and better tooling are all needed.

This letter is written with positive intent and, we believe, is in the best interests of the OWASP community and those that rely on it. We appreciate that this is a change from how OWASP operates today, but we have conviction that OWASP is at a tipping point and needs to evolve now. We all want to be part of the OWASP community and for it to continue to be successful in the decades to come.

We ask that you respond within 30 days with a plan of action to address the five points above.
Yours truly,

- Simon Bennetts, OWASP ZAP founder and co-project leader, OWASP VWAD co-project leader
- Ricardo Pereira, OWASP ZAP co-project leader
- Glenn ten Cate, Security Knowledge Framework founder and co-project leader & OWASP Board Member
- Akshath Kothari, OWASP ZAP core team member
- Mark Curphey, OWASP founder and 2023 board member
- Daniel Cuthbert, OWASP ASVS
- Sebastien Deleersnyder, OWASP SAMM co-project leader and OWASP Threat Modeling Playbook (OTMP) founder and project leader
- Bart De Win, OWASP SAMM co-project leader
- Maxim Baele, OWASP SAMM core team member
- Rick Mitchell, OWASP ZAP co-project leader, OWASP Web Security Testing Guide co-project leader, OWASP VWAD co-project leader
- Steve Springett, OWASP CycloneDX and OWASP Dependency-Track founder and co-project leader
- Patrick Dwyer, OWASP CycloneDX co-project leader
- Bjorn Kimminich, OWASP Juice Shop founder and project leader
- Niklas Duster, OWASP Dependency-Track co-project leader
- Jeroen Willemsen, OWASP WrongSecrets project leader
- Jeremy Long, OWASP dependency-check founder and project lead and OWASP Java Encoder contributor
- Cole Cornford, OWASP Code Review Guide project lead and OWASP XSS Prevention CheatSheet author
- Ben Gittins, OWASP Member and Contributor
- Erwin Geirnaert, Creator of the first OWASP WebGoat Solutions Guide, first OWASP Top 10 for Java, and part of the OWASP Community since 2000
- Robin Wood, OWASP contributor and supporter
- Rob Grant, OWASP contributor
- Arkaprabha Chakraborty, OWASP contributor and OWASP ZAP extended team member
- Curtis Koenig, Founding member OWASP Louisville, Former Chapter Leader OWASP Louisville, OWASP Member
- Claudio Andre, OWASP MASTG Top Contributor
- Istvan Albert-Toth, OWASP CSRFGuard project co-lead
- Katie Paxton-Fear, educational web security YouTuber
- Jakub Mackowski, OWASP contributor and OWASP Cheat Sheet Series co-project leader
- Somdev Sangwan, Open Source Security Tools Developer
- Edoardo Ottavianelli, Open Source Security Tools Developer
- Aram Hovsepyan, OWASP SAMM core team member
- Brian Glas, OWASP Top 10 Co-Lead, OWASP SAMM Core team member, OWASP SAMM Benchmark Co-Lead
- Jeff Williams, OWASP Chair from 2001-2011, Creator of OWASP Top Ten, WebGoat, ESAPI, ASVS, XSS Prevention Cheatsheet, OWASP Legal, Chapters Program, OWASP Foundation, the OWASP Wiki, and more
- Dimitar Raichev, OWASP SAMM contributor & tool developer
- Dinis Cruz, Past OWASP Board member, organiser of multiple OWASP Conferences and Summits, led multiple OWASP projects and chapters
- Sachin Kumar Dhaka, OWASP Jaipur Member and Budding Security Researcher
- Jessy Ayala, OWASP Member and Contributor
- Paul McCann, OWASP Security Shepherd maintainer and contributor
- Karan Preet Singh Sasan, OWASP VulnerableApp project leader and OWASP ZAP extended team member
- Daniel Wood, OWASP Lifetime Member
- Bharath, OWASP (Bangalore Chapter) Member and Contributor
- John Viega, original OWASP advisory board member, OWASP Lifetime Member
- Carol Valencia, Security cloud-native and open-source enthusiast
- Jimmy Mesta, OWASP Kubernetes Top Ten Project Leader and Cheatsheet Contributor
- Lewis Ardern, OWASP Bay Area Chapter Leader (2019-2022), and created the "What is OWASP?" video
- Alvin Smith, OWASP Juice Shop Contributor
- Sven Schleier, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG
- Carlos Holguera, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG
- Jeroen Beckers, OWASP Mobile Application Security, Co-Author of OWASP MASVS and MASTG
- Shubham Palriwala, OWASP Juice Shop Core Team member
- Pinaki Mondal, Open Source Security Tools Developer
- Zsolt Imre, CTO at private company
- Eoin Keary, Former OWASP Global Board Vice Chair (2010-2015), Former Testing and Code Review Guide lead
- Deepayan Chanda, Principal Cybersecurity Architect
- Martin Marsicano, OWASP Lifetime Member, Former Chapter Leader OWASP Uruguay, and contributor to several projects
- Paul Schwarzenberger, OWASP Domain Protect creator and project leader
- Abraham Aranguren, OWASP OWTF Project creator and project leader
- Viyat Bhalodia, OWASP OWTF Project leader
- Dave Ferguson, Project contributor and former chapter leader
- Josh Larsen, OWASP Lifetime Member
- Sergey Pronin, Principal Security Architect, OWASP Lifetime Member
- James, BugBounter, Pentester, and passionate about OWASP
- Kevin W. Wall, OWASP ESAPI project co-lead, OWASP Lifetime Member, and OWASP ZAP and OWASP Cheat Sheets Series contributor
- Cesar Kohl, OWASP ASVS and OWASP Cheat Sheets Series contributor
- Simon Whittaker, OWASP Lifetime Member
- Frank Catucci, CTO and Head of Security Research at Invicti, OWASP Member and former OWASP Chapter Leader
- Ingo Struck, Former OWASP Leader, creator of the name WebGoat, OWASP Lifetime Member
- Francesco Maria Ferazza, Director of IT, security lecturer and researcher
- Antonio Montillo, OWASP enthusiast
- Daniel Neagaru, OWASP Raider project leader
- Rejah Rehim, OWASP Kerala Chapter leader
- Grant Ongers, OWASP Lifetime Member, OWASP Cornucopia and OWASP Application Security Curriculum project co-lead
- Patrick Reijnders, CISO, OWASP enthusiast; started using the Top Ten as a developer in 2004, now using it as a guideline for pentesting.
- Jordan Pike, OWASP Member

---------------------------------------------------------------------

Published on 2023/02/13

---------------------------------------------------------------------

Submit a PR to README.md to add your name.