OWASP – Has it Reached a Tipping Point?

By Mark Curphey, February 19, 2011

It’s an amazing time to be writing about software and social change. I am sitting in my favorite Seattle coffee shop with nothing but my MacBook (plus a coffee and chocolate croissant, of course). Using nothing but my free Wi-Fi connection I can spin up a super-computer on the fly using Amazon Web Services. I was just chatting on my cell via Twitter to a guy in South Africa whom I have known for years and would regard as a friend but have never met in person. The Middle East is in violent protest, governments have been overthrown, cyber spy novels are being played out online by hackers in the wake of WikiLeaks and Facebook is now worth an estimated $60B. It’s a crazy, crazy, crazy world…and I love it.

When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought) but it was with a premonition that the Internet was going to revolutionize the world, that web technology would be at the forefront of the revolution and that security would be a critical attribute in the mix. I haven’t been actively involved in OWASP for a number of years but will always claim it as my baby and passionately watch it evolve. It is my social science lab. I had always hoped that the community would develop into a community of developers who were interested in security rather than a community of security people who were interested in software. I wanted to be part of a community that was driving WS-* standards, deep in the guts of SAML and OAuth, framework (run-time) / language security and modern development practices like Agile and TDD rather than people seemingly obsessed by HTTP and web hacking techniques. Ask your average OWASP member how to federate identity across the Internet and I reckon you will be met with a blank stare, but ask them how to check for XSS and I bet you would be greeted with a smile. That’s a problem. That is not to say that people who live and breathe HTTP security aren’t incredibly valuable, but it wasn’t what I wanted or what I really care about. It’s like focusing on a patient’s cold sores when the patient has lung cancer. Someone with just cold sores needs research scientists developing medicine, but I think there are bigger and more important problems in the world that I care about. Looking back in hindsight it isn’t surprising that security people gravitated to the project. Let’s face it, the first call to action was sent out to a security mailing list that I was moderating at the time. Why would you expect anything different?

When I look back to the early years, it was when the likes of Ingo Struck, Zed Shaw, Steve Taylor and Alex Russell drifted away that the writing was on the wall for me, and I walked away (well, moved to the sidelines) shortly after. Those guys were hard-core developers. Over the years the project has grown to be the de facto and de jure online source for web security and I am very proud to have planted that seed (very proud indeed), but the desire to have a community for developers interested in the type of security I am interested in has never faded, and as far as I am concerned no community exists today for people with this interest.

I have always believed that in order for security to become an inherent part of software development it must come from within the development community itself.

We can’t have security people who know development. We must have developers who know security. There is a fundamental difference and it is important.

Last week I noticed some tweets coming from the OWASP Summit in Portugal that got me very concerned about the state of OWASP. The summit is an awesome idea. OWASP gathers a bunch of bright people from around the world into a hotel on the Algarve once a year and they drive projects, ideas and have fun. The tweet that caught my eye was “Developers don’t know shit about security”. After a few mails to a few people and a few off-line discussions I started to wonder if OWASP is actually at a Tipping Point where it will either evolve into the project I had always originally hoped for, or a new project will emerge made up of “developers who know security”.

I hope it is the former and I certainly don’t want to encourage revolution (just evolution), but in order for this evolution to happen at OWASP rather than another community forming (which I am hearing mutterings of on the grapevine) I think OWASP needs to adapt pretty dramatically. Before you read my suggestions (which are very direct and generally negative) remember that I think OWASP rocks. I 100% get that some people will be offended and maybe hurt by these comments, but they are not personal. Read to the end before firing off poop-o-grams to me!

1. Manage the Project Portfolio – When I look at the OWASP site today it’s hard to see it as anything other than a “bric-a-brac” shop of random projects. There are no doubt some absolute gems in there like ESAPI, but the quality of those projects is totally undermined by projects like the Secure Web Application Framework Manifesto. When I first looked I honestly thought this project was a spoof or a joke. It’s been created by people who in my opinion have no idea what development frameworks do, how they are created and certainly no idea how to get requirements into the engineering teams developing them. If you really think an important thing a development framework should do is to provide support for pluggable anti-automation (whatever that really is) then seriously …… If you go to the engineering team of a major framework with that document you won’t get far. The OWASP Guide also hasn’t been updated since 2005 and the .NET guide is a bunch of broken links or seriously outdated advice! These are key documents that are integrated into many corporate application security policies, yet the Guide hasn’t been updated for 5 years. That’s .NET 1.1 / 2.0 and Java 1.5, people!

OWASP has to put controls in place over project quality and develop a project portfolio strategy. It has to focus on quality and not quantity, and it has to kill a large number of the projects that exist today if it wants to remain credible. It has to focus its key resources on key projects.

2. Industry Engagement and Communications – Over the years I have had many frustrating dialogs with people at OWASP about the way they have engaged with me as a corporate sponsor (direct sponsor or behind the scenes). I have seen random email after email come in, many contradicting each other or written in a tone that frankly no company would want to partner with. I totally get that there is no one voice, but when an active community member openly criticizes a company they are speaking on behalf of “OWASP” whether you like it or not. There have been so many cases I have heard about where the project seems to be biting the hand that it is asking to feed it. I don’t get it. Why ask and complain in the same breath? Take a stance, ’cause you can’t have your cake and eat it too. One year I heard grumblings that OWASP was very frustrated that it couldn’t navigate a big software company, so I offered to help. After two reminders of the offer, the only time I then heard from them was a year later, asking for money to renew membership. Serious partnerships could be made with serious funding that could drive serious projects if it was approached in the right way. Hand-outs are not the way; partnership is.

OWASP has to re-think its engagement and communication model to get to the next stage in its evolution.

3. Ethics / Code of Conduct – The O in OWASP is for Open. Open + Source, Open + Respectful and Open + WhatEverIsAppropriate. That was a cornerstone of the project from day one. In the early days I fought with a few individuals who in my opinion were trying to circumvent the power of the project for their own personal agenda. It was a fight I was happy to make and would do so again in a heartbeat. An individual who shall remain nameless wanted OWASP to recommend a specific tool that wasn’t licensed with an OSI license. I dug in and refused; in fact I doubled down and set guidelines on vendors abusing the project brand. That person banded together with a few other lily-livered sheep and tried to have me banned from moderating a mailing list I ran. They probably don’t know it, but I have a copy of the mail they sent complaining to the company that hosted the list. I know who they were and exactly what they said. The same people later decided to form their own project that they controlled. I have a copy of a private email between a few of them in which they talk about “…..beating OWASP at its own game so we can influence the messaging that app scanning really is effective” (for completeness, that mail, forwarded to me in disgust by someone on the thread, is in an archive somewhere and so I am paraphrasing). It was a set of douche-bag moves by people with douche-bag standards, but the blood and guts have and will remain private as they have no possible positive part to play in the project. There is clearly a balance in ensuring that people who contribute to the project are rewarded. They should be, and should be allowed to get something back for their hard work, but the mechanism by which that happens is important and will always be a gray area. I have been amply rewarded in my career by my association with OWASP. I have been invited to speak all over the world, been asked to contribute to books and been able to talk to an incredible set of people.

I have had jobs as a direct result of OWASP. When I formally transferred OWASP to its new leadership I was compensated for money I had spent in the initial years on hosting, significant personal travel and other things. In those days we never had sponsorship and I funded it all from my own pocket. I still don’t know if I feel 100% good about that, but I do feel good that I only got back what I had put in (my wife tracked it meticulously) and that I turned down a more-than-six-figure offer at the time to turn over the project to a security firm that I know didn’t have the community’s interest at heart. I feel very good about that! OWASP was never mine to sell, but that didn’t stop other OSS projects like Nessus.

Ethics is a tough topic and riddled with subjective opinions. It’s a minefield. From an individual perspective it’s probably easy. Can you look at yourself in the mirror and feel good about what you have done? What pains me today is that I see people riding the OWASP band-wagon and I struggle to understand how they look at themselves and answer that question with a “yes”. Let’s take Cenzic as an example. This is a firm that was founded by the same people that founded HB Gary. Yes, the same firm that has been exposed to have been plotting a campaign to discredit WikiLeaks. Cenzic also have a patent for web fuzzing. Now I am not a lawyer, but it appears that this patent could be applied against OWASP projects like WebScarab at any time. This is the same firm that used to claim in their marketing that they scan for the OWASP Top Ten. That’s right, using HTTP they scanned for insecure crypto! This is my personal opinion, but this is not a firm with good ethics, yet it is actively involved in OWASP.

When I was at OWASP EU in Amsterdam earlier in the year I heard stories about a firm in the Far East that was using the OWASP name to organize very well attended chapter meetings and essentially turning them into sales events for their technology. I heard several OWASP community members tell me that they felt OWASP had lost its way and been hijacked by people who are serving their own interests (personal or company) and not those of the project.

For several years I have been concerned that the people speaking at conferences are not the same people who are actively working hard on projects, and in some cases have been the very same people who wanted to “beat OWASP at its own game”. This is not a good thing for the community. It’s rewarding the wrong behavior and the wrong people. So how does an open project rationalize those things and let them sponsor events, let alone contribute to projects? How can you trust that their contribution will be impartial or ethical? It’s a tough one and I don’t claim to have any magic answers, but I do know that the current ethics policy and code of conduct appear to be broken.

OWASP has to re-think its ethics policy and code of conduct.

4. Engaging Developers – If you have gotten this far then you will want to know that the guy who pricked my conscience to write this post in the first place is called Jon Wilander. I have never met him but I know we would get on well. He gets on well with people I like (Dinis) and from what I can tell from his writing we are very similar. He has recently taken a job with a bank, in the development team. I once moved my office from the security building to the development building to sit with the developers. Good patterns are timeless! His post talks about how to engage with developers, and given a number of Twitter comments and emails I am hearing about a growing tidal wave of people who think OWASP needs to be by developers, for developers. My original vision. Maybe it’s coming full circle?

There are huge gaps in OWASP today for developers. Where is the advice on writing security-related BDD tests, integrating security into Agile, tools that plug into CI servers and IDEs?

I can see several ways of doing this but am adamant that this is not a matter of trying to herd the security people to develop content and projects for developers. The definition of insanity is to do the same thing twice and expect a different result, and while OWASP has made amazing strides in the security industry I think we need to acknowledge that security is not a Pri0 agenda item in the development culture after a decade of the project.

I think a different approach is needed and it is time for a change.

The good news is that I think there is room for both approaches and that OWASP could play a leading role in both camps. Maybe Software Security is for developers and Application Security is for security people. The first persona is the builder and the second persona the breaker. One is concerned with architecting and creating secure software, the other with assessing security posture. OWASP could easily pivot its work (and web site) around those two key personas. Developers best understand what they need and want; security people best understand what they need and want. Maybe the Secure Web Application Framework Manifesto that I think is not well conceived (as a builder) is really useful for breakers.

I genuinely hope that what I see as a Tipping Point means OWASP will evolve rather than break apart. It’s an awesome project with awesome people.

- Mark


  • Rohit Sethi

    Hi Mark,
    I’m the project lead of the Secure Web Application Framework Manifesto. First of all, I want to thank you for your candid comments. I have a great deal of respect for you and what you’ve done for application security. If the manifesto project is pathetic and discrediting the quality of OWASP as-a-whole, then I appreciate that you have the guts to say that. Since I’m the project lead, I’m going to take full responsibility for anything that’s wrong with the project.
    I could spend some time disagreeing with the assumptions you have made about our backgrounds; however, I think that that’s a waste of time – your mind is clearly made up. I want to make one thing clear: the manifesto project was born out of working as developers and with other developers on what makes application security challenging for them. I admit that we have never developed frameworks before although we all have or are currently developing applications as full-time jobs. We had two major options: 1) Try and do something ourselves even if the first few drafts were far from perfect; or 2) Sit back, do nothing about framework security. It seems from your post that you believe 1) was more damaging than 2). I have to respectfully disagree. As we’ve stated publicly, we put together a first draft of requirements and we’re going to try and weave these into the Django framework to see what’s practical and what’s not. We can then go back and fix the requirement list. Perhaps “pluggable anti-automation” is a horrible requirement – or perhaps it’s actionable. We’ll only know once we try.
    I invite you to tell us directly what it is that is so pathetic about the project. Is it because the requirements are too vague? Not focused? Not practical? Maybe it’s because we’re genetically flawed and don’t have the intellectual brain power to handle the mission we’ve sought out and we should just stop the bleeding. You can do this publicly, in an effort to embarrass and discredit us, you can let me know individually, or you can post to our list (https://lists.owasp.org/mailman/listinfo/owasp-swaf-manifesto).
    In the meantime, we will continue to move forward trying to help builders in application security. If it turns out we’re wasting our time, then we will be happy we tried. If it turns out our project is so horribly-wrong that it can’t be changed and we’re discrediting OWASP as a whole, then we will pull out.
    Once again, I thank you for your feedback.
    Regards,
    Rohit Sethi

  • awhitehatter

    Hi Mark,

    Thanks for your thoughts. I got tossed into a security role coming from a sys admin background. My dev knowledge consisted of .vbs, bash and some html. Recent interactions with OWASP have encouraged me to learn development, not just enough that I can speak the lingo, but to the point where I can aid in the evolution. I have started to learn on my own, as well as invite my developer friends, not the security friends, to the chapter meetings. Pruning is needed for growth, I look forward to the future!

  • anonymouse

    Excellent post, nice to see your passion coming through. If people are upset by things in the post they need to look past their personal feelings and look at what they have contributed and whether it is actually any good.

    I’ve only been involved with OWASP since around 2007 but since the middle of 2009 I’ve attended 0 chapter meetings and 0 conferences because of a lot of the issues you have included in this blog. I used to encourage my company to sponsor events and we did sponsor more than one conference but because I think certain companies and individuals are profiting far more from these events than the developers we should be helping I’ve withdrawn it all.

    When I get proposals from consulting companies who are proposing to use things like SAMM to assess my SDLC and they aren’t actually corporate members of OWASP I lose respect immediately – you profit from the communities work so you damn well better support it or I will go elsewhere (and have done).

    There are way too many OWASP projects nowadays, plenty of projects that are just plain rubbish and add nothing to the OWASP brand – in fact the only thing some of the projects add is a line to the creator’s CV. General quality of projects is low with the very rare exception such as ESAPI, and as you have pointed out even the ones with the potential to be good are out of date.

    I think in some ways OWASP has attracted, and sadly supports, people who just turn up and speak at the conferences and like to have OWASP on their CVs. I think things like the Summits are a good idea in some ways but in others I think they are a waste of time and money; get back to basics and fix the basic problems and then go away to summits when things are a lot better – the problems right now are obvious and didn’t need a jolly to the Algarve to figure out.

    My top three issues to address:

    1) Weed out those individuals and companies using OWASP for their own gain. If you talk at the conferences etc make sure you are a member, if you are a company profiting from using OWASP projects make sure you are a member. Encourage people in the industry to name and shame those who aren’t doing this.

    2) Developer engagement is, as you pointed out, almost non-existent currently and I’ve been to chapter meetings and OWASP conferences where there have been almost no developers. I think this is kind of linked to point 1, too many security dudes chucking out any old crap to associate themselves with OWASP. Get back to basics and deliver what developers need and want – libraries, APIs and tools that actually help them (and work!).

    3) OWASP needs to work out how to take constructive criticism on board rather than reacting like “how dare you question OWASP or suggest an approach different to what OWASP recommends”.

    Time to put on the flame retardant suit.

  • http://theagileadmin.com Ernest Mueller

    I have to agree with the sentiment behind this post. As a founding member of Austin, TX’s OWASP chapter, we even hold the meetings at our company HQ and have a hard time getting our developers to attend. Our security guys attend, and some interested sysadmins attend, but actual dev attendance is very spotty. They go from time to time if the topic seems really tempting, but most of the time they look at it and think “eh, not really for us developers.” And as the goal is to get secure web applications, that’s a warning signal that there’s something very wrong.

  • http://www.linkedin.com/in/ChristianHeinrich cmlh

    @Mark,

    “OWASP EU in Amsterdam” – Do you mean http://conference.hackinthebox.org/hitbsecconf2010ams/ ?

  • http://www.curphey.com Mark Curphey

    Oops, yeah.

  • The Ghost

    Hi Mark,

    I am so glad my friend pointed me to this article last night. It’s people like you being open, honest and sharing your opinions that make people think. There is something seriously wrong with OWASP and it saddens me because I have been involved since 2004. The past few years it has been on a downward decline. I think the Summit proved that when Dinis Cruz, another long time member and leader, stepped down from his leadership role within the organization.

    OWASP projects would be so much more robust, have friendlier UI’s and be a lot more effective if they were developed by developers, not security professionals.

    I know the developer attendance was always spotty because no one knew how to reach out to developers. When you look at the committees for OWASP they fail because of the lack of diversity.

  • http://www.linkedin.com/in/ChristianHeinrich cmlh

    Rohit Sethi has closed the “Secure Web Application Framework Manifesto” i.e. http://labs.securitycompass.com/index.php/2011/03/11/closing-the-secure-web-application-framework-manifesto-project/

  • http://off-the-wall-security.blogspot.com/ Kevin W. Wall

    @anonymous: While I agree with much of what you say and defend your right to privacy via anonymity, I disagree in a few ways. First, I think that some companies believe that becoming an OWASP sponsor is akin to painting a target on their back. While I doubt this is true today, 8-10 years ago when script kiddies were king (or so they thought), it might have been. But I do think this may explain in part the lack of company sponsorship. (But personally, I prefer that to them contributing for the wrong reasons, for instance, to hawk their products.)

    Secondly, I think there are two ways to provide feedback. One is constructive criticism, which is best given when you roll up your sleeves and volunteer to help. The other is where you sit back–as I did for way too many years–and shout out from the sidelines “hey, you’re doing that wrong”, generally without even providing suggestions as to how to make things better. IMHO, your criticism of OWASP in this reply borders on the latter. Obviously, because of your choice to remain anonymous, I cannot judge your personal contributions to OWASP, but I see nothing *constructive* in your comments. You state that “OWASP needs to work out how to take *constructive* criticism…”. OK, fair enough. I think you also need to learn how to *give* constructive criticism. I have provided criticism to OWASP leadership, and while they have not always agreed, they have always been respectful and at least considered what I had to say. I have never had to put on a flame retardant suit with them, but then again, during the times when my criticism has been harsh, I have scolded them in private rather than in public. Pretty much all of us get defensive when we have to face criticism in public, so if you do that (such as in this public forum), then don’t expect those comments to have any lasting positive effects.

    Thirdly, if you would have had the courage to provide a way to track you down by using your real name or providing an email address (even one on mailinator.com) I would have made this reply privately, only to you. But because you posted privately, I had no choice but to leave a reply here in the hope that you will be back to read it. If you believe in what you are saying, then have the balls to stand behind it with your name. I encourage you to read more of my thoughts on Mark’s excellent post on my blog at http://off-the-wall-security.blogspot.com/ where I have tried to make some _constructive_ criticism regarding OWASP. Read it and compare its approach to yours here and see the difference.

    Finally, if you wish to carry forward this conversation privately, I am willing to listen and I have fairly thick skin. I can’t promise you any changes (most things are beyond my control anyway), but I will promise to listen. My email address is below.
    Regards,
    -kevin . w . wall AT gmail . com / OWASP ESAPI contributor & project co-owner
