It’s an amazing time to be writing about software and social change. I am sat in my favorite Seattle coffee shop with nothing but my MacBook (plus a coffee and chocolate croissant of course). Using nothing but my free Wi-Fi connection I can spawn up a super-computer on the fly using Amazon Web Services. I was just chatting on my cell via Twitter to a guy in South Africa that I have known for years and would regard as a friend but have never met in person. The middle East is in violent protest, governments have been over-thrown, cyber spy novels are being played out online by hackers in the wake of Wiki-Leaks and Facebook is now worth an estimated $60B. Its a crazy, crazy, crazy world…and I love it.
When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought) but it was with a premonition that the Internet was going to revolutionize the world, web technology would be at the forefront of the revolution and that security would be a critical attribute in the mix. I haven’t been actively involved in OWASP for a number of years but will always claim it as my baby and passionately watch it evolve. It is my social science lab. I had always hoped that the community would develop into a community of developers that were interested in security rather than a community of security people that were interested in software. I wanted to be part of a community that was driving WS* standards, deep in the guts of SAML and OAuth, framework (run-time) / language security and modern development practices like Agile and TDD rather than people seemingly obsessed by HTTP and web hacking techniques. Ask your average OWASP member how to federate identity across the Internet and reckon you will be met with a blank stare but ask them how to check for XSS and I bet you would be greeted with a smile. Thats a problem. That is not to say that people who live and breath HTTP security isn’t incredibly valuable but it wasn’t what I wanted or what I really care about. It like focusing on a patients cold sores when the patient has lung cancer. To someone with just cold sores they need research scientists developing medicine but I think there are bigger and more important problems in the world that I care about. Looking back in hind-sight it isn’t surprising that security people gravitated to the project. Lets face it the first call to action was sent out to a security mailing list that I was moderating at the time. Why would you expect anything different? When I look back to the early years it was when the likes of Ingo Struck, Zed Shaw, Steve Taylor and Alex Russell drifted away that the writing was on the wall for me and I walked away (well moved to the sidelines) shortly after. Those guys were hard-core developers. Over the years the project has grown to be the de-facto and de-jure online source for web security and I am very proud to have planted that seed (very proud indeed) but the desire to have a community for developers interested in the type of security I am interested in has never faded and as far as I am concerned no community exists today for people with this interest.
I have always believed that in order for security to become an inherent part of software development it must come from within the development community itself.
We can’t have security people who know development. We must have developers who know security. There is a fundamental difference and it is important.
Last week I noticed some tweets coming from the OWASP Summit in Portugal that got me very concerned about the state of OWASP. The summit is an awesome idea. OWASP gathers a bunch of bright people from around the world into a hotel on the Algarve once a year and they drive projects, ideas and have fun. The tweet that caught my eye was “Developers don’t know shit about security“. After a few mails to a few people and a few off-line discussions I started to wonder if actually OWASP is at a Tipping Point where it will either evolve to the project I had always originally hoped or a new project will emerge made up of “developers who know security”.
I hope it is the former and I certainly don’t want to encourage revolution (just evolution) but in order for this evolution to happen at OWASP rather than another community forming (which I am hearing mutterings of on the grapevine) I think OWASP needs to adapt pretty dramatically. Before you read my suggestions (which are very direct and generally negative) remember that I think OWASP rocks. I 100% get that some people will be offended and maybe hurt by these comments but they are not personal. Read to the end before firing of poop-o-grams to me!
1. Manage the Project Portfolio – When I look at the OWASP site today its hard to see it as anything else but a “bric-a-brac” shop of random projects. There are no doubt some absolute gems in there like ESAPI but the quality of those projects is totally undermined by projects like the Secure Web Application Framework Manifesto. When I first looked I honestly thought this project was a spoof or a joke. Its been created by people who in my opinion have no idea about what development frameworks do, how they are created and certainly no idea about how to get requirements into engineering teams developing them. If you really think an important thing a development framework should do is to provide support for pluggable anti-automation (whatever that really is) then seriously …… If you go to the engineering team of a major framework with that document you won’t get far. The OWASP Guide also hasn’t been updated since 2005 and the .NET guide is a bunch of broken links or seriously outdated advice! These are key documents that are integrated into many corporate application security policies yet the Guide hasn’t been updated for 5 years. Thats .NET 1.1 / 2.0 and Java 1.5 people!
OWASP has to put controls in place over project quality and develop a project portfolio strategy. It has to focus on quality and not quantity and has to kill a large number of projects that have been created today if it wants to remain credible. It has to focus its key resources on key projects.
2. Industry Engagement and Communications – Over the years I have had many frustrating dialogs with people at OWASP about the way they have engaged with me as a corporate sponsor (direct sponsor or behind the scenes). I have seen random email after email come in, many contradicting each other or written in a tone that frankly no company would want to partner with. I totally get that there is no one voice but when an active community member openly criticizes a company they are speaking on behalf of “OWASP” wether you like it or not. There have been so many cases I have heard about where the project seems to be biting the hand that they are asking to fed it. I don’t get it. Why ask and complain in the same hand. Take a stance cause. You can’t have your cake and eat it to. One year I heard grumblings that OWASP were very frustrated that they couldn’t navigate a big software company so offered to help. After two reminders of the offer the only time I then heard from them was a year later asking for money to renew membership. Serious partnership could be made with serious funding that could drive serious projects if it was approached in the right way. Hand-outs is not the way, partnership is.
OWASP has to re-think its engagement and communication model to get to the next stage in it’s evolution.
3. Ethics / Code of Conduct – The O in OWASP is for Open. Open + Source, Open + Respectful and Open WhatEverIsAppropriate. That was a cornerstone of the project from day one. In the early days I fought with a few individuals who in my opinion were trying to circumvent the power of the project for their own personal agenda. It was a fight I was happy to make and would do so again in a heart-beat. An individual who shall remain nameless wanted OWASP to recommend a specific tool that wasn’t licensed with an OSI license. I dug in and refused; in fact I doubled-down and set guidelines on vendors abusing the brand project. That person banded together with a few other lily-livered sheep and tried to have me banned from moderating a mailing list I ran. They probably don’t know it but I have the copy of the mail they sent complaining to the company that hosted the list. I know who they were and exactly what they said. The same people later decided to form their own project that they controlled. I have a copy of a private email between a few of them in which they talk about “…..beating OWASP at its own game so we can influence the messaging that app scanning really is effective” (for completeness that mail forwarded to me by someone on the thread in disgust is in an archive somewhere and so I am paraphrasing). It was a set of douche-bag moves by people with douche-bag standards but the blood and guts have and will remain private as they have no possible positive part to play on the project. There is clearly a balance in ensuring that people who contribute to the project are rewarded. They should be and should be allowed to get something back for their hard work but the mechanism in how that happens is important and will always be a gray area. I have been amply rewarded in my career by my association with OWASP. I have been invited to speak all over the world, been asked to contribute to books and been able to talk to an incredible set of people. I have had jobs as a direct result of OWASP. When I formally transferred OWASP to it new leadership I was compensated for money I had spent in the initial years on hosting, significant personal travel and other things. In those days we never had sponsorship and I funded it all from my own pocket. I still don’t know if I feel 100% good about that but I do feel good that I only got back what I had put in (my wife tracked it meticulously) and I turned down a more than six figure offer at the time to turn over the project to a security firm that I know didn’t have the communities interest at heart. I feel very good about that! OWASP was never mine to sell but that didn’t stop other OSS projects like Nessus.
Ethics is a tough topic and riddled with subjective opinions. It’s a minefield. From an individual perspective its probably easy. Can you look at yourself in the mirror and feel good about what you have done? What pains me today is that I see people riding the OWASP band-wagon that I struggle to understand how they look at themselves and answer that question with a “yes”. Let’s take Cenzic as an example. This is a firm that was founded by the same people that founded HB Gary. Yes the same firm that has been exposed to have been plotting a campaign to discredit wiki-leaks. Cenzic also have a patent for web fuzzing. Now I am not a lawyer but this patent appears that it could be applied against OWASP projects like WebScarab at any time. This is the same firm that used to claim in their marketing that they scan for the OWASP Top Ten. Thats right using HTTP they scanned for insecure crypto! These are my personal opinion but this is not a firm with good ethics yet is actively involved in OWASP.
When I was at OWASP EU in Amsterdam earlier in the year I hears stories about a firm in the far east that was using the OWASP name to organize very well attended chapter meetings and essentially turning them into sales events for their technology. I heard several OWASP community members tell me that they felt that OWASP has lost its way and been hi-jacked by people who are serving their own interests (personal or company) and not those of the project.
For several years I have been concerned that the people speaking at conferences are not the same people that are actively working hard on projects and in some cases have been the very same people who wanted to “beat OWASP at it’s own game”. This is not a good thing for the community. Its rewarding the wrong behavior and the wrong people. So how does an open project rationalize those things and let them sponsor events yet alone contribute to projects? How can you trust that their contribution will be impartial or ethical? Its a tough one and I don’t claim to have any magic answers but I do know that the current ethics and code of conduct appear to be broken.
OWASP has to re-think its ethics policy and code of conduct.
4. Engaging Developers – If you have gotten this far then you will want to know the guy who pricked my conscious to write this post in the first place is called Jon Wilander. I have never met him but I know we would get on well. He gets on well with people I like (Dinis) and from what I can tell from his writing we are very similar. He has recently taken a job with a bank in the development team. I once moved my office from the security building to the development building to sit with the developers. Good patterns are timeless! His post talks about how to engage with developers and given a number of twitter comments and emails I am hearing about a growing tidal wave of people that think OWASP needs to be by developers for developers. My original vision. Maybe its coming full circle ?
There are huge gaps in OWASP today for developers. Where is the advice on writing security related BDD tests, integrating security into Agile, tools that plug into CI servers and IDE’s ?
I can see several ways of doing this but am adamant that this is not a matter of trying to heard the security people to develop content and projects for developers. The definition of insanity is to do the same things twice and expect a different result and while OWASP has made amazing strides in the security industry I think we need to acknowledge that security is not a Pri0 agenda item in the development culture after a decade of the project.
I think a different approach is needed and it is time for a change.
The good news I think is that I think there is room for both approaches and I think OWASP could play a leading role in both camps. Maybe Software Security is for developers and Application Security is for security people. The first persona is the builder and the second persona the breaker. One is concerned with assessing security posture and the other architecting and creating secure software. OWASP could easily pivot its work (and web site) around those two key personas. Developers best understand what they need and want, security people best understand what they need and want. Maybe the Security Web Application Framework Manifesto that I think is not well conceived (as a builder) is really useful for breakers.
I genuinely hope that what I see as a Tipping Point means OWASP will evolve rather than break apart. It’s an awesome project with awesome people.
– Mark
Mark Curphey 