The information security industry's top non-profit application security advocacy group is reeling amid the controversial handling of a former employee's disputed harassment claims. Observers say the incident has forced a long-overdue debate about the organization's mission, governance structure, and ultimately, its future.
Members of the Open Web Application Security Project (OWASP) Foundation, a 10-year-old group dedicated to improving software security through advocacy, education and standards, said the organization has long been a grassroots-led effort driven by the work of its hundreds of small chapters around the world. However, the group's central leadership -- particularly its board of directors -- has been the subject of a controversy that began about three weeks ago.
On June 3, OWASP Program Manager Samantha Groves sent out an email through the group's open mailing list stating she was resigning her post as of June 10. In the email, Groves noted that the timeframe for her departure had been hastened by months, vaguely referencing changing circumstances.
On June 16, Dinis Cruz, the London-based leader of the OWASP O2 Platform initiative and a former OWASP board member, publicly shared a follow-up email purportedly written by Groves, in which she accused several OWASP board members of "gross misconduct" against her.
Groves criticized the OWASP board for exhibiting "condescending" and "un-justifiably aggressive" behavior toward her and other paid OWASP staff, as well as failing to "set a strategic direction" for the organization. Groves said board member Jim Manico, in particular, had used sexist language and publicly berated her performance through the OWASP mailing lists.
The message went on to detail how Groves had decided to drop a civil lawsuit she had filed against OWASP after legal and personal consultations, but that charges against three OWASP board members -- Manico, Josh Sokol and Eoin Keary -- would proceed unless she received a formal apology from the board.
"I want an open, RESPECTFUL, discussion about what happened here between the OWASP board members, the OWASP community, and the OWASP staff," said the email attributed to Groves. "OWASP lost two staff members in the span of a week. That is a HUGE red flag to any organization with such a small operations team."
The reference to a second staff member is outgoing OWASP Executive Director Sara Baso, who resigned her post just days before Groves' resignation, citing personal reasons, though Baso has publicly refuted the suggestion that her departure was in any way related to Groves'. Neither Groves nor Baso responded to SearchSecurity's requests for comment.
OWASP board chairman Michael Coates, the director of product security with San Francisco-based vendor Shape Security, and most of the other board members also declined to comment on the situation, citing an ongoing legal matter. However, possible litigation hasn't stopped some board members from responding to Groves' accusations through the OWASP mailing list, which posts messages publicly on the Web.
"I consider these accusations to be very serious slander against me and [I] am taking the appropriate legal actions as well as respecting the OWASP process," said Manico in an email to the OWASP mailing list. "I have sent my reply to these complaints to the OWASP lawyer, as well as to our compliance officer, Martin. As much as I want to comment on these very serious accusations, I will hold off on further commentary (in public or in private) until that process is complete."
"Dinis, I'd recommend you start producing proof of these allegations or retract," said Keary via email. "I have decided to seek legal advice on this slander and lies."
Sokol, too, wrote a lengthy email in response to Groves' allegations where he virulently denied any wrongdoing and said he was willing to combat her "slander." In response to SearchSecurity's request for comment, Sokol provided the following statement:
I can't comment on the pending legal situation any more than I have already. I have personally apologized to Samantha for her misunderstanding my suggestion to modify her role as a 'demotion.' Considering that she was an individual contributor, with no formal leadership role in the organization, I don't believe a 'demotion' would have even been possible. All I suggested was a realignment of the role to fit her skills in order to make us a more efficient organization. Her response was completely disproportionate. As it relates to the other two board members that she has accused of various things, they, too, have steadfastly denied her accusations. This is a case of someone not getting what they wanted initially [money], so they are taking it to the masses as a public smear campaign against people who have volunteered thousands of hours to do extremely positive things for our community.
I miss the days when the OWASP Leaders list was used to discuss Web security: http://t.co/5qli3Gm5tB
— Jeremiah Grossman (@jeremiahg) June 16, 2014
Should OWASP further empower paid staff?
Current and former OWASP leaders who spoke to SearchSecurity agreed that leadership problems may exist within the organization, but offered disparate opinions over whether the board and paid staff should be more or less involved in guiding OWASP.
Cruz said he posted Groves' email to the public mailing list because she no longer had access to do so after leaving OWASP, but added that he supports dealing with such situations in the open. He hopes the incident will serve to foster further discussions around some of the broader issues within the organization.
"I view this as the growing pains of OWASP," Cruz said. "I think it's healthier for OWASP that at least we're talking about this and at least we're dealing with it rather than letting it brew."
Cruz said that instead of playing away from OWASP's strengths and growing the board's power, more responsibilities should instead be shifted to the group's paid staff while the board focuses on community empowerment.
John Steven, the former leader of the OWASP Northern Virginia chapter and a speaker at several OWASP events, said many of the problems plaguing the organization stem from its lack of true top-down leadership.
For example, Steven said that when he first took the reins of his local chapter, events were only being scheduled on a quarterly basis at most, and members often avoided the events that were conducted because vendors had been allowed to market their products at them.
I haven't participated in @owasp since the early days, when my genius co-founder was pushed aside to make way for vendor sales guy.
— Alex Stamos (@alexstamos) June 17, 2014
Steven said the situation with vendors originally surfaced due to the fact that no one at OWASP was getting paid and there was a lack of a clear mission. As a result, many of the leaders within the organization sought to gain personally by marketing their own companies, capabilities or products. He said even the most functional aspect of OWASP -- its conferences -- was pervaded by members vying for speaking slots for their own personal benefit.
The addition of paid staff was meant to help alleviate those issues, but despite the new OWASP employees being well-intentioned and passionate, Steven said they mostly lacked both the management and fundraising experience one would expect at non-profit organizations of similar stature.
When combined with what the community was requesting from the OWASP employees and the lack of a clear mission, Steven said the staff largely ended up doing project management -- a task he equated to "cat herding" -- while the organization's problems persisted.
"The elected officials at the time and the new paid employees decided to keep the very bottom-up, chaotic, organic approach and feel. And that's fine, but I think what we are seeing is the result of that," Steven said. "When you have that bottom-up, chaotic structure, and when your management is the same way, people are still allowed to use it and take advantage of it for their own benefit."
"I really do think that this was the natural consequence of the way that OWASP is organized," Steven continued, "and the way it has kind of frankly rejected specific missions beyond making software more secure."
The case against 'top-down' OWASP leadership
Some within OWASP, however, bristle at the idea of further empowering paid staff, as well as more direction in general.
According to one OWASP chapter leader who preferred to remain anonymous, OWASP has already undergone major schisms as the result of changes to its organizational hierarchy.
The chapter leader said that despite OWASP's long-standing need for more dedicated leadership, particularly to oversee issues like money management, the decision to bring on several full-time employees in recent years -- OWASP was previously run entirely by volunteers -- has already left some members rankled.
Specifically, some long-time former leaders that were accustomed to a grass roots-style management approach have taken issue with what's seen as "unilateral decision making" by both paid staff and board members, as well as the perception that the board and staff are overstepping their authority.
Ideally, the anonymous chapter leader said, the OWASP board would be focused on the macro situation while chapter and project leaders would be focused on the micro. For instance, if the board were to dictate that vendors are barred from local chapter events, the OWASP chapter leader said he would follow that mandate because it is the board's job to focus on raising awareness of OWASP, a task that includes taking such measures to avoid alienating members.
Conversely, as a chapter leader, he wants his focus to be on grass roots tasks like establishing ties with local coding groups and other measures to generate support and interest in his area.
"Now, does this always happen? Hell no, it doesn't," said the OWASP chapter leader. "In OWASP, traditionally, there's too much 'What do you think? What do you think? What do you think?' And that's kind of our Achilles' heel."
Recalling his own experience on the OWASP board and the reason he left, Cruz said one of the most pressing issues facing the organization is whether board members should guide the group's strategy and operations, or if that impetus should come from local chapter leaders.
In the group's early days when it was still small, Cruz said the structure of OWASP -- which featured the board, chapter leaders and project leaders -- largely worked well, but as the organization's member tally grew, board members were increasingly being placed in an "impossible situation" where they were expected to lead, even when local chapter leaders would ignore any proposed directions.
"There's this interesting idea that there should be an OWASP 'vision,' an OWASP direction, and somebody should lead the troops," said Cruz, "but the problem is that everybody at OWASP is a contributor, so you can say, 'Well, let's all go left,' but if most people want to go right, it's not going to happen."
The ongoing OWASP debacle is sad in so many ways. Energy misdirected. But I guess it's a sign of growth. OWASP needs HR these days.
— John Wilander (@johnwilander) June 16, 2014
Where does OWASP go from here?
While the controversy surrounding Samantha Groves will likely subside in due course, a larger question remains: Will OWASP change as a result?
Ming Chow, a computer science lecturer at Tufts University and a speaker at several OWASP Boston events, said the Groves incident is another black eye on the tech industry following the suspension of a co-founder at GitHub for similar harassment claims.
If you are losing faith in OWASP, please don’t. Focus your energy on local chapters and events where your effort makes the biggest impact.
— Jack Daniel (@jack_daniel) June 17, 2014
Still, echoing the sentiments expressed in a Twitter post by respected security veteran Jack Daniel, Chow said the issues facing OWASP leadership at the national and international level do not affect his work with the local Boston chapter.
"In light of everything that [has] been going on, I'm not going to walk away," Chow said. "We need to move forward, and the security community can't afford to stand still or move backwards."
Indeed, the anonymous OWASP chapter leader said the controversy has not been a topic of conversation for his membership and he will not personally be discussing the situation at chapter meetings.
The more pressing concern, according to the OWASP chapter leader, is how the situation playing out publicly will affect the organization's public image, particularly when it comes to recruiting future OWASP leaders.
"Some of the leaders are going to Twitter and ranting about this, and it's affecting the ability for us to portray and to recruit leaders that have a passion in Web application security and to take the helm at a macro level," said the OWASP chapter leader. "I might think twice about it because this is just a lot of drama."
Steven agreed that leadership recruitment will likely suffer as a result of the Groves incident and its aftermath. He said he has received at least a half-dozen responses from OWASP members to a Google+ post he wrote regarding the situation, and all of them said they would now be more averse to taking a leadership position or even donating to projects after such a public spectacle.
Steven said the "radical openness" of OWASP's communication model -- any member can contribute to the mailing list or edit pages on OWASP's website -- was always likely to lead to this kind of firestorm.
"It's hard for me to see any positive value coming out of this, unless it's truly creative destruction. Even if the organization comes out of this with a mission and a renewed drive and vigor, any outsider looking at this really has to question the maturity, the mission and the intentions of the organization," Steven said. "This is a self-inflicted wound and it's one that will ultimately [be] very damaging to OWASP's credibility."
One change that OWASP seems likely to make is placing some restrictions on its open communication. Board member Josh Sokol said a volunteer is writing a transparency policy for OWASP which, among other action items, seeks to limit discussions on matters involving pending legal action to staff and board members only.
A broader OWASP transformation, though, seems unlikely. Steven said he had been contacted in recent weeks about the possibility of establishing offshoot organizations apart from OWASP, but noted that such maneuvers would be unlikely to succeed given the name-brand and recognition of OWASP within the security community.
I wonder if @dguido is seeing the OWASP saga unfold. I’m recalling his plea last Fall to “Fork OWASP”
— Joshua Corman (@joshcorman) June 17, 2014
The anonymous chapter leader said an OWASP-esque organization, the Web Application Security Consortium, already exists, but has so far lacked the same driving force and membership to grow awareness. Hence, despite its faults, OWASP may still be the best place for application security-focused professionals to invest their time and support.
"The Internet is a big place and appsec is something people really need help with. If you have tools or techniques that you think the community needs, you should put them out there," Steven said. "Whether or not you want to donate those things to the OWASP community and use that as your megaphone, you have to decide whether or not the various costs -- drama and otherwise -- are worth what you are going to get out of it."