Counterpoint from Josh Sokol, former OWASP board member: https://www.linkedin.com/feed/update/urn:li:activity:7031305...

The OWASP nonprofit isn’t like the well-funded Linux Foundation; it runs on a shoestring budget made worse by the loss of conference revenue during the pandemic. OWASP charters events, local meetups, training content and OSS projects - the authors of this memo focus only on the OSS project needs. The OWASP board sees itself as community first and foremost; projects should seek their own sponsorships.


If OWASP wants to focus on chapters and events, why do they have projects under their umbrella at all? We had a similar problem in the .NET ecosystem with the .NET Foundation. It turned out they don't really do that much for the projects they oversee after all, so what's the point? Why be part of an organization that isn't providing the support you need?

Perhaps, indeed, they should not be. Given this response, it sounds to me like the projects should leave. What they need is simply different than what OWASP wants or is financially able to provide. The projects have outgrown the organization, and the organization doesn't see itself as being primarily about the projects. Sounds, to me, like it's time to make a clean break that unburdens OWASP and frees the projects.


The projects should leave. I don't think they are a critical component of OWASP compared to the educational material provided through their documentation and conferences.


Two of the major projects in the list of cosigners on this are the OWASP Top 10 project and ASVS, which are the two big educational projects at OWASP.

I don't especially love either of those projects, but they're arguably the two most important things OWASP works on outside of the conferences. The Top 10 project can't really leave OWASP (ASVS could).

ZAP is the only other project there that I think is all that important to the identity of OWASP itself, but it should just go find its own sponsorship anyways. People like ZAP, but the industry standard is Burp Suite; Burp is Microsoft Office to ZAP's... LibreOffice? Like all the software freedom stuff aside, if you're a professional, you use Word.


Even OWASP Top 10 often seems to be most interesting in the vein of "That thing that was a problem 10 years ago? Yep still a problem." That's a bit unfair. Stuff does move around a bit over time and some new categories come in. But it often mostly seems to document how relatively little things change.


I don't think the OWASP Top 10 is especially good, and in general think it mostly serves as a tool to raise the salience of application security, rather than as a guide to implementing it. It almost doesn't matter what the Top 10 is.


Back when I was attending DevOps Days fairly regularly, that's pretty consistent with how I saw the OWASP Top 10 being used: to highlight security in general as opposed to any specific categories.


Well, there are a lot of legacy applications out there.


Josh Sokol would appear to agree. A response on his LinkedIn post:

> Honestly, if they can get $5-10M from "somewhere else", I say go for it. Then maybe the Foundation resources can be hyper focused on catering to Chapters and Events.
