Q&A with Johanna Curiel of OWASP
Johanna is an OWASP volunteer for the technical setup of the OWASP bounty projects, helping to define clear bounty scopes and working with the project leaders to make this a reality.
What unique appsec challenges do open source projects like OWASP face?
One of our constant challenges is to get people to review and verify the quality of our projects, especially to verify the security of them. As you know, OWASP is a non-profit foundation and has limited resources regarding these activities.
As the authority on appsec, what does that mean for people using your projects?
Many developers and companies looking to improve their application security are turning towards OWASP to use defender libraries. They implement these libraries to secure their critical applications.There is a certain level of implied trust in OWASP, and many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.
How can a bug bounty help alleviate that?
Testing web applications for security can be a challenging task. But testing that security control libraries are robust in the face of attack is an even more difficult challenge for even the most sophisticated assessment professionals. A while ago I proposed the idea of launching a bug bounty for defender libraries to test those security controls. That idea grew to encompass projects, such as ZAP, which that are being installed on clients.
How did you go about implementing that idea?
As an open source organization, we turned to our community of volunteers, and some project leaders to set the guidelines for OWASP bug bounties, including the project qualifications and scope. You can read more of this here. We went through the process of looking into different service providers at the beginning of this year. After that process, Bugcrowd was selected as the platform to be utilized for stable and mature defender projects as a form of quality assurance.