The Start of OWASP – A True Story

On January 15, 2002, at 5:22 p.m. PST, Bill Gates sent a memo —subject: “Trustworthy computing”—to everyone at Microsoft and its subsidiaries. “Trustworthy computing,” he wrote, “is the highest priority for all the work we are doing.” It launched the SDL (Security Development Lifecycle) initiative and generally shook up the industry.

On September 24, 2001, some four months before the Gates memo, we announced OWASP (Open Web Application Security Project). Our concern was to make software security visible, so that developers everywhere could make truly informed decisions about the risks and the solutions. Bill Gates’s phrase—had he written it four months earlier than he did—could have applied to OWASP. Our objective was “trustworthy computing.”

The product of the application security community, OWASP today has more than 36,000 participants in local chapters everywhere on the planet.

No wonder so many have stepped forward to claim credit for having been present at the creation. At least one, quite recently, declared himself a cofounder. No need to name names—and, without question, he, like many others, was an early contributor to OWASP. But a founder? Well, sometimes I think there are almost as many Gen Xers claiming to have founded or cofounded OWASP as there are Baby Boomers who can tell long tales about being at Woodstock.

I once sat in a Manhattan conference room with the CSO of a major bank who claimed that he and his team had written OWASP’s very first project, the The Guide—under pseudonyms, of course.

Now, I happened to know this wasn’t the case, because, in point of fact, I wrote it over a weekend in the tiny East Bay apartment I shared with my wife and new baby at the time. To be sure, a lot of others subsequently contributed to it. Collaboration is the DNA of open source. But I wrote the first draft, just as I created the “first draft” of OWASP itself.

It came about, in 2001, this way.

I was running software security for Charles Schwab in San Francisco, and I had long been wrestling with the paucity of information on the Web or anywhere else about how to build a software security program. At the time, I moderated a mailing list called WebAppSec, which drew thousands of subscribers—including a lot of vendors, who had joined not to share knowledge and insight, but to flog their wares with steaming heaps of vintage marketing FUD (fear, uncertainty, doubt).

Nowhere on the supremely vulnerable Internet of 2001 was there a great defensive project, vendor-independent, FUD-free but information-heavy. After socializing this issue with others, I was convinced of the urgent need for a collaborative project to document developers’ experience with and knowledge of web application security—no commercial marketers need apply.

I used the WebAppSec mailing list to announce OWASP, I registered the domain OWASP.org, I paid $20 for a hosting account, and I asked people to come help.

And come they did. Legions of them. In the early days (much like today), lots of people volunteered—though few actually contributed. Such is the darker side of web-based collaborative enterprises. On the other hand, those who did contribute, people like Kevin Jeong, Robert Rodger, Alex Russell, Sverre Huseby, Martin Eizner, Bill Pennington, Jeremiah Grossman, Daniel Cuthbert, David Zimmer, Steve Taylor,Kevin Wall, Stan Guzik, Andrew VanDeStock, David Endler, Ingo Struck, Dennis Groves, Dinis Cruz, Gabriel Lawrence, David Seaver, Jason Childers, Tim Smith, Jeff Williams, Dave Wichers and Bill Hau, gave mightily of their time and talent. I am sure I have forgotten valuable contributions for which I apologize although the CVS logs and mailing list remains a great source of truth. Please write to me and I will happily add important names to this post.

I cannot say I had a strategic plan. People joined OWASP and immediately started working on whatever concerned them most. Yet when I look at the earliest projects we slated for 2002 alone, I’m still impressed by their ambition, scope, and focus: “Application Security Attack Components,” “Web Application Security Testing Framework,” “Web Application Security XML Data Exchange Format.”

Maybe it was best that we weren’t hampered by a “strategic plan,” because, from the get-go, we collected, discussed, and pushed information and insight available nowhere else. We attracted security people across a host of interests and companies. Inevitably, we also attracted individuals and enterprises who invited us to adopt their security solutions and promote them. It was flattering—until we actually read some of the “open source” licenses attached to these products. Most gave the vendor the right to shift from open to closed source at any point. In effect, the pseudo-open source offers preyed upon the goodwill of the community, harvesting valuable user feedback while promoting adoption. Once critical mass had been reached and x number of members had been hooked, the conversion from open to closed source would likely come.

I decided to condition OWASP support of software on its coming with an OSI-approved license. OWASP would simply not discuss any other software for the simple reason that it was a commercial product, and we were not a marketing team.

Predictably, there were cries for my removal as moderator of the WebAppSec list. CEOs and PR flacks came at me like villagers brandishing torches. But I would happily do it all again. Opening to open source while closing to closed source has kept OWASP honest.

Another tough call was my decision to resist adopting a wiki to handle the flood of material soon shared on OWASP. We were already getting very much very fast, and the quality of those contributions was—well, the politically correct term is “variable.” I protested that, by encouraging quantity, the wiki would inevitably throttle quality.

I was, however, overruled. Jeff Williams championed the wiki, and, with that, OWASP really took off. Impressed, I was also deeply concerned at how the sheer volume was producing a good many beginnings of projects doomed to go nowhere. I was also unhappy with the influx of general security people and not developers, a trend, I feared, that would rob OWASP of its original focus on helping developers.

Instead of continuing to push back, I decided, in 2005, to step aside—not out of discouragement, let alone anger, but because I felt that the time had come for our community to find its own balance. This has proven to be a dynamic process—which is fortunate, since striving for an elusive balance keeps the community alive and lively. OWASP has become much bigger than my vision for it. And that is great (mostly). In the process, it has made “trustworthy computing” the “highest priority” for developers as well as those who employ them. And that is great (totally).

Mark Curphey