Evaluate OWASP Membership by GitLab
OWASP (Open Web Application Security Project) is an organization that provides unbiased, practical, cost-effective information about computer and Internet applications.
It is a central organization in the security space: it publishes guidelines, organizes or sponsors security events, and supports open source software. OWASP is best known for its Top 10 list of web application security risks.
A number of OWASP projects are directly used by GitLab:
- ZAP for our DAST feature
- FindSecbugs for our Java SAST analyzer
- OWASP ruleset for ModSecurity
Officially sponsoring this organization might be a good way to assure our customers that we don't just consume open source tools but also support them. It may also raise GitLab's profile in the security industry and indirectly help us recruit security experts.
There are probably multiple ways to sponsor OWASP; I think we should explore:
- Cash contribution
- Code contribution (dedicate GitLab developers to contribute to these projects).
This issue is to evaluate our appetite for this initiative and see whether it can be an OKR for Q2. It is confidential for now; we can make it public once we agree to continue this evaluation.