Counterpoint from Josh Sokol, former OWASP board member: <a href="https://www.linkedin.com/feed/update/urn:li:activity:7031305273990389760/" rel="nofollow">https://www.linkedin.com/feed/update/urn:li:activity:7031305...</a><p>The OWASP nonprofit isn’t like the well-funded Linux Foundation; it runs on a shoestring budget made worse by the loss of conference revenue during the pandemic. OWASP charters events, local meetups, training content and OSS projects - the authors of this memo focus only on the OSS project needs. The OWASP board sees itself as community first and foremost; projects should seek their own sponsorships.
I have a very poor opinion of OWASP <i>content</i>, because the couple of areas I’ve paid any attention to have never been any better than mediocre, clearly written by amateurs long ago and largely unmaintained ever since, with <i>known</i> errors and heavily misleading statements hanging around for over a decade on no or unsound justification, among many other problems obvious to any that actually know the field. (See <a href="https://hn.algolia.com/?query=chrismorgan%20owasp&type=comment" rel="nofollow">https://hn.algolia.com/?query=chrismorgan%20owasp&type=comme...</a> for a few comments with somewhat more detail, but things have historically been just <i>so</i> bad and so <i>obviously</i> bad that I haven’t bothered enumerating more than the issue that has annoyed me the most.)<p>(Sigh. I see that as part of fixing a lot of the obvious unsuitability of <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" rel="nofollow">https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Sc...</a> some time in the past two years—and it <i>is</i> much better now, though there are still a few dodgy things about it in both content and presentation—they <i>reintroduced</i> the erroneous advice to entity-encode /, which was only <i>finally</i> removed two years ago. Feel free to try to get that fixed, anyone; for my part, I have no interest in trying to work with OWASP.)
> <i>Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools.</i><p>This is quite noticeable when you look at the difference between Dependency-Track and DefectDojo. Both are OWASP projects, but one seems to be modern, up-to-date software while the other looks like it's straight from the early 2000s.
In other words, they’re asking for funding and a clear plan per project. OWASP does the Maven dependency scanner, which relies on the NIST db.<p>As a small software vendor, buying other security scanning solutions is very expensive, and they still aren’t as accurate as a pentester investigating our code.<p>Would it be a good idea if OWASP had a paid service where companies would pay for the verification of OSS libraries (hi NPM!), and that would exonerate you in front of the EU’s diligence requirements?
One of the reasons we started to work on my own startup was to provide a credible alternative to Burpsuite, as Zap was not evolving in that direction. If we had funding in the amount this letter wants per year, it would be easy to build it open source and free, but where do they think this money will come from? This is not like the Linux Foundation, which produces something businesses can use to make massive amounts of money on top of. This is competing with commercial products in the space and potentially reducing their revenue.
Reading between the lines, sounds like they want control handed over to large corporations with everything controlled by a CoC, enforced by representatives of those corporations, directly or covertly.
I’m not familiar with the work that OWASP does, other than the cheat sheet series.<p>The cheat sheet series is amazing - a great resource to defer to when you don’t know or don’t want to think about how to do <x>; you just want to look it up and implement the industry standard.<p>It’s a great reference, and I use it a lot. <3 to the folks working on that :)