To the OWASP Board of Directors and the Executive Director of the OWASP Foundation,

OWASP was first set up over two decades ago. The Internet, the way we build software, and the security industry, has changed so much that those days are hardly recognizable today.

As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn’t kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn’t working now and OWASP needs to change.

We have written and published this open letter, knowing that other parts of the community also support our concerns, and are asking the OWASP Board of Directors to take action. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn’t happened. The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider.

Today, many projects operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools. Projects still operate on a best-efforts model that relies on a few individuals working in their spare time. While admirable, these are projects that, as they have grown, are now relied on by thousands of companies and hundreds of thousands of security professionals and that have many millions of downloads each year. We don’t want to become commercial open-core businesses, but do want to be able to create, and sustain commercial quality open-source projects.

Without active world class projects, OWASP doesn’t have a unique selling point and projects need constant guidance, mentoring, and investment for them to grow and keep the brand where it should be: First and foremost for all things application security.

There are five key areas that we feel if not addressed immediately, will result in important projects, like ours, leaving OWASP in search of, or creating a community that better meets their needs. We don’t want that to happen.

  1. The Foundation should publish and maintain a community plan that should include its prioritized key project initiatives, along with a suitable funding plan to support them. The OSSF plan is a useful example to reference.
  2. The Foundation’s governance structure should better reflect the needs of the entire security community, increasing access and participation for corporate practitioners, governments, major sponsors, and key technology providers. We believe this can be achieved with vendor independence and is particularly necessary to attract financial sponsorship and key industry partnerships.
  3. The Foundation’s funding should reflect the needs of our and other flagship projects to both sustain and improve them. We believe this would likely be in the region of five to ten million dollars per year for our projects alone. The money would be used to pay for dedicated developers, community managers, and other support staff. We would like to work with the foundation to develop project by project plans.
  4. The Foundation should provide improved infrastructure and services to the community so that projects can focus on the projects themselves.
  5. The Foundation should actively manage the project portfolio and local chapters, ensuring that the community is always reflected in the best possible light and that we are able to attract and retain the best talent for the community. A plan, leadership, active community management, mentoring, and better tooling are all needed.

This letter is written with positive intent and we believe is in the best interests of the OWASP community and those that rely on it. We appreciate that this is a change from how OWASP operates today, but have conviction that OWASP is at a tipping point and needs to evolve now.

We all want to be part of the OWASP community and for it to continue to be successful in the decades to come.

We ask that you respond within 30 days, with a plan of action to address the five points above.

Yours truly,

Simon Bennetts, OWASP ZAP founder and co-project leader, OWASP VWAD co-project leader


Ricardo Pereira, OWASP ZAP co-project leader


Glenn ten Cate, Security Knowledge Framework founder and co-project leader & OWASP Board Member


Akshath Kothari, OWASP ZAP core team member


Mark Curphey, OWASP founder and 2023 board member


Daniel Cuthbert, OWASP ASVS


Sebastien Deleersnyder, OWASP SAMM co-project leader and OWASP Threat Modeling Playbook (OTMP) founder and project leader


Bart De Win, OWASP SAMM co-project leader


Maxim Baele, OWASP SAMM core team member


Rick Mitchell, OWASP ZAP co-project leader, OWASP Web Security Testing Guide co-project leader, OWASP VWAD co-project leader


Steve Springett, OWASP CycloneDX and OWASP Dependency-Track founder and co-project leader


Patrick Dwyer, OWASP CycloneDX co-project leader


Björn Kimminich, OWASP Juice Shop founder and project leader


Niklas Düster, OWASP Dependency-Track co-project leader


Jeroen Willemsen, OWASP WrongSecrets project leader


Jeremy Long, OWASP dependency-check founder and project lead and OWASP Java Encoder contributor


Cole Cornford, OWASP Code Review Guide project lead and OWASP XSS Prevention CheatSheet author


Ben Gittins, OWASP Member and Contributor


Erwin Geirnaert, Creator of the first OWASP WebGoat Solutions Guide, first OWASP Top 10 for Java and part of the OWASP Community since 2000


Robin Wood, OWASP contributor and supporter


Rob Grant, OWASP contributor


Arkaprabha Chakraborty, OWASP contributor and OWASP ZAP extended team member


Curtis Koenig, Founding member OWASP Louisville, Former Chapter Leader OWASP Louisville, OWASP Member


Cláudio André, OWASP MASTG Top Contributer


István Albert-Tóth, OWASP CSRFGuard project co-lead


Katie Paxton-Fear, educational web security YouTuber


Jakub Maćkowski, OWASP contributor and OWASP Cheat Sheet Series co-project leader


Somdev Sangwan, Open Source Security Tools Developer


Edoardo Ottavianelli, Open Source Security Tools Developer


Aram Hovsepyan, OWASP SAMM core team member


Brian Glas, OWASP Top 10 Co-Lead, OWASP SAMM Core team member, OWASP SAMM Benchmark Co-Lead


Jeff Williams, OWASP Chair from 2001-2011, Creator of OWASP Top Ten, WebGoat, ESAPI, ASVS, XSS Prevention Cheatsheet, OWASP Legal, Chapters Program, OWASP Foundation, the OWASP Wiki, and more


Dimitar Raichev, OWASP SAMM contributor & tool developer


Dinis Cruz, Past OWASP Board member, organiser of multiple OWASP Conferences and Summits, lead multiple OWASP projects and chapters


Sachin Kumar Dhaka, OWASP Jaipur Member and Budding Security Researcher


Jessy Ayala, OWASP Member and Contributor


Paul McCann, OWASP Security Shepherd maintainer and contributor


Karan Preet Singh Sasan, Owasp VulnerableApp project leader and OWASP ZAP extended team member


Daniel Wood, OWASP Lifetime Member


Bharath, OWASP (Bangalore Chapter) Member and Contributor


John Viega, original OWASP advisory board member, OWASP Lifetime Member


Carol Valencia, Security cloud-native and open-source enthusiast


Jimmy Mesta, OWASP Kubernetes Top Ten Project Leader and Cheatsheet Contributor


Lewis Ardern, OWASP Bay Area Chapter Leader (2019-2022), and created the What is OWASP? Video


Alvin Smith, OWASP Juice Shop Contributor


Sven Schleier, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG


Carlos Holguera, OWASP Mobile Application Security, Co-Project Leader of OWASP MASVS and MASTG


Jeroen Beckers, OWASP Mobile Application Security, Co-Author of OWASP MASVS and MASTG


Shubham Palriwala, OWASP Juice Shop Core Team member


Pinaki Mondal, Open Source Security Tools Developer


Zsolt Imre, CTO at private company


Eoin Keary, Former OWASP Global Board Vice Chair (2010-2015), Former Testing and Code Review Guide lead


Deepayan Chanda, Principal Cybersecurity Architect


Martín Marsicano, OWASP Lifetime Member, Former Chapter Leader OWASP Uruguay and several projects contributor


Paul Schwarzenberger, OWASP Domain Protect creator and project leader


Abraham Aranguren, OWASP OWTF Project creator and project leader


Viyat Bhalodia, OWASP OWTF Project project leader


Dave Ferguson, Project contributor and former chapter leader


Josh Larsen, OWASP Lifetime Member


Sergey Pronin, Principal Security Architect, OWASP Lifetime Member


James, BugBounter, Pentester and OWASP passionate


Kevin W. Wall, OWASP ESAPI project co-lead, OWASP Lifetime Member, and OWASP ZAP and OWASP Cheat Sheets Series contributor


Cesar Kohl, OWASP ASVS and OWASP Cheat Sheets Series contributor


Simon Whittaker, OWASP Lifetime Member


Frank Catucci, CTO and Head of Security Research at Invicti, OWASP Member and former OWASP Chapter Leader


Ingo Struck, Former OWASP Leader, creator of the name WebGoat, OWASP Lifetime Member


Francesco Maria Ferazza, Director of IT, security lecturer and researcher


Antonio Montillo, OWASP enthusiast


Daniel Neagaru, OWASP Raider project leader


Rejah Rehim, OWASP Kerala Chapter leader


Grant Ongers, OWASP Lifetime Member, OWASP Cornucopia and OWASP Application Security Curriculum project co-lead


Tom Brennan, OWASP Lifetime Member, Former Board Member (10) Years (https://owasp.org/www-board/board_history/), Former NYC Chapter Leader (15) Years (https://owasp.org/www-chapter-new-york-city/), and project contributor to many efforts including OWASP RFP Criteria (https://owasp.org/www-pdf-archive/OWASP_RFP_Best_Pract.pdf), OWASP Virtual Village (https://github.com/OWASP/VirtualVillage) etc.


Patrick Reijnders, CISO, OWASP enthusiast; started using the Top Ten as a developer in 2004, now using it as a guideline for pentesting.


Published on 2023/02/13


Submit a PR to README.md to add your name.

Read More