How OWASP Works

Revision as of 05:35, 18 January 2007 by Dinis.cruz

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation. The OWASP Foundation is a 501(c)3 non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.


OWASP projects are managed using a collaborative, consensus-based process. We do not have a hierarchical structure. Rather, different groups of contributors have different rights and responsibilities in the organization. OWASP is a meritocracy where these rights and responsibilities follow from the skills and contributions of participants. This document outlines our general structure. Individual projects define their own rules to add additional structure to their development processes.


The most important participants are the people who use our documentation, tools, and standards. The majority of our participants start out as users and guide their participation from the user's perspective. Users contribute to the OWASP projects by providing feedback to project members in the form of bug reports and feature suggestions. Users participate in the OWASP community by helping other users on mailing lists and user support forums.

Project Members

A user who contributes to a project in the form of code or documentation becomes a project member. Project members take extra steps to participate in a project: they are active on the project mailing list, participate in discussions, and provide comments, enhancements, documentation, suggestions, and criticism. Project members are noted in project credits.

Project and Chapter Leaders

The OWASP Leaders are the group of individuals who take responsibility for the long-term direction of the projects in their area. There is a single Project Leader for each project, who is commissioned directly by the OWASP Foundation Board of Directors. The OWASP Leaders are responsible for making decisions about technical direction, project priorities, schedule, and releases. Collectively, the OWASP Leaders can be thought of as the management of the OWASP Foundation.


The OWASP Board provides guidance to the OWASP Leaders on market direction, fundraising, strategic direction, and vision.

The board is currently made up of:

  • Jeff Williams (Chair)
  • Dave Wichers (Conference Chair and holder of the OWASP books)
  • Dinis Cruz (Chief Evangelist)
  • Andrew van der Stock (Executive Director)

In coming months we will be adopting a proper constitution that allows member involvement in the technical direction for OWASP.

As part of that, the OWASP board and project leaders of 'release quality' projects will become directly elected (rather than the current appointments / meritocracy model).

Constitution / Foundation Models we are looking at:

  • Wikipedia Foundation (works, stable, but a little tumultuous)
  • BSD (Such as the NetBSD Foundation) (stable and seems to work long term)
  • Apache Foundation (modelled directly from NetBSD's model)

The goal is to keep governance and technical direction separated. This provides continuity for the Foundation, means that no one person can directly "overlord" the entire community, and gives the community a direct say, at least annually, in changing things.