Profile: The Open Web Application Security Project (OWASP)

Authors

Rationale

There are so many subjects you could choose to profile, so why did you choose this one? What drew you into wanting to know more about the organization? How did you/your group decide on and agree?

We simply never heard of OWASP, so why not find out more about it?

Organizational Details

Is the subject of your profile a corporate entity?

Yes it is.

What type?

A 501(c)(3) “Worldwide not-for-profit charitable organization”.

When was it founded?

It was founded on April 21, 2004.

By whom?

Founded by Mark Curphey.

Original founder(s) still active?

The original founder is still active.

Publicly Traded? Since when? Initial Stock Price? Current stock price?

It is not publicly traded.

Has the company made any acquisitions? If yes, which companies, and what were their core products?

The company has made 0 acquisitions.

Has the company made any investments in other companies? If yes, which ones.

The company has made 0 investments.

Number of Employees?

The company has 7 Global Board Members and 8 Employees / Contractors.

Where is HQ?

OWASP Foundation (US)
 1200-C Agora Drive, #232
 Bel Air, MD 21014
 US
 +1 951-692-7703 (tel)
 +1 443-283-4021 (fax)

Does it have any other offices or locations?

OWASP Europe VZW (EU)
 Leinstraat 104A
 B-9660 Opbrakel
 Belgium
 +1 951-692-7703 (tel)

Website?

OWASP.org

Wikipedia?

Wikipedia: OWASP

Does your organization file any annual reports? Please include links to any relevant documents (i.e. 990, Annual Report, Year in Review, etc...)

The Fiscal Year 2013 Annual Report for OWASP

Communications

Social media for OWASP

Does your subject participate in social media? If yes, please list a URL for each account, and reach within that community.

Communications channels for OWASP

What communication channels does your subject use to reach their public? Briefly describe and include a URL for each.

  • OWASP has a Blog that contains up-to-date posts about general OWASP/Internet security news and development progress on the various OWASP projects.

OWASP Conference Participation

Does your subject organize or participate in any conferences? If so, list them here, and provide links to any relevant sessions, keynotes, or content.

Community Architecture

Your subject likely runs or contributes to one or more Open Source products or projects. Choose one (or more) of these and answer the following questions (provide links if applicable).

OWASP does not have a source code repository itself, as it is a coalition of projects. For this section we decided to write about one of their flagship projects, "Dependency Check".

The project's IRC Channel

The project does not have an IRC channel.

Source Code repository

Source Code repository

Mail list archive

Mailing list

Documentation

Documentation

Other communication channels

Issue Tracker

Project Website and/or Blog

Website

Describe the software project, its purpose and goals.

Dependency-Check is an open source solution for the OWASP Top 10 2013 entry A9, "Using Components with Known Vulnerabilities". Dependency-Check can currently be used to scan Java applications (and their dependent libraries) to identify known vulnerable components.

Give brief history of the project. When was the Initial Commit? The latest commit?

Initial commit was on September 6th, 2012. Latest commit was on May 6th, 2015.

Who approves patches? How many people?

Jeremy Long is the only one who can approve patches.

Who has commit access, or has had patches accepted? How many total?

There have been 12 contributors to the project overall. Anyone seems to be able to submit pull requests, but only Jeremy Long can approve them.

Has there been any turnover in the Core Team? (i.e. has the top 20% of contributors stayed the same over time? If not, how has it changed?)

There has been no change in the core team since there really is no core team, just the BDFL, who has stayed active for the entire duration of the project's history.

Does the project have a BDFL, or Lead Developer? (BDFL == Benevolent Dictator for Life)

Jeremy Long is the BDFL.

Are the front and back end developers the same people? What is the proportion of each?

Since Jeremy Long is the main developer by an overwhelming majority, the front and back end developers are the same people (or rather the same person, the BDFL).

What have been some of the major bugs/problems/issues that have arisen during development? Who is responsible for quality control and bug repair?

There have been no major bugs or problems within the project code-wise, and there is no clear indication as to who is in charge of problems. We assume it is the BDFL.

How is the project's participation trending and why?

The project's participation trend is fairly consistent, with Jeremy Long committing most of the code.

In your opinion, does the project pass "The Raptor Test?" (i.e. Would the project survive if the BDFL, or most active contributor were eaten by a Velociraptor?) Why or why not?

The project would not survive the Raptor test since only one person has really contributed to the project.

In your opinion, would the project survive if the core team, or most active 20% of contributors, were hit by a bus? Why or why not?

The project would not survive the hit-by-a-bus test since only one person has really contributed to the project.

Does the project have an official "on-boarding" process in place? (new contributor guides, quickstarts, communication leads who focus specifically on newbies, etc...)

There is no clear indication of an on-boarding process.

Does the project have Documentation available? Is it extensive? Does it include code examples?

For documentation, http://jeremylong.github.io/DependencyCheck/ has a large amount of information about the project, but nothing in the way of code examples.

If you were going to contribute to this project, but ran into trouble or hit blockers, who would you contact, and how?

Contributing to the project would most likely need to start by contacting the BDFL, Jeremy Long, on the mailing list (via Subscribe or Post).

Based on these answers, how would you describe the decision making structure/process of this group? Is it hierarchical, consensus building, ruled by a small group, barely contained chaos, or ruled by a single or pair of individuals?

It is no doubt ruled by a single individual, the BDFL Jeremy Long.

Is this the kind of structure you would enjoy working in? Why, or why not?

Since there is no real structure to the project's community, I would personally not enjoy working on this project.

Technology/Product

Section adapted from EFF Worksheet

This section is not applicable as OWASP does not distribute a sole product or technology, but rather organizes several individuals, companies, and groups that produce various technologies and products (non-commercialized) that relate to internet security.

Who invented, created, or sponsored the technology?

N/A

What is the technology designed to do? How is it used?

N/A

Who would benefit from using this technology?

N/A

What kinds of companies or organizations (stakeholders) might have been concerned about the development of this technology? Why?

N/A

Does/Did an aspect of copyright law play a role in controversies about the technology? How?

N/A

Business and Revenue Model

How was this organization funded originally?

There is no specific answer. We assume it was originally funded simply out of pocket and through donations.

How does this organization make revenue?

Through Donations

Which specific Open Source Revenue Models are utilized?

Voluntary Donations

What investments/acquisitions has the organization made?

None that we can find.