[Owasp-leaders] How many projects does OWASP need?

psiinon psiinon at gmail.com
Fri Apr 4 09:01:03 UTC 2014

OK, its a provocative title, but bear with me ;)

There have been lots of discussions on various lists about project statuses.
There have also been some 'interesting' related /r/netsec threads which,
give an insight into what some people outside of OWASP think of us:


One comment on the latter thread I found very interesting: "From an
organizational perspective, I'd rather have a small group of well
maintained projects than a large group of random projects that have no
direct AppSec purpose".

I'd like to start a discussion around that, although I clearly have a
vested interest in this :)

I think we should come to an understanding as an organization as to what we
are trying to achieve with the OWASP projects.
Are OWASP projects all about changing the appsec world?
Are they testing grounds for new ideas and concepts?
Are they there to fill in the gaps commercial products miss?
Are they vanity projects??

I'm hoping that we want our projects to change the appsec world in some way
- to help make the online world a little bit safer and further our mission.

If thats the case then we do need to be very realistic about what it takes
to make a 'significant' project, a project that makes a real difference.
It takes a hell of a lot of effort!
I've not counted how many hours I've spent on ZAP, and have no idea how
many hours all of the ZAP contributors have spent either, although
according to Ohloh its an estimated 252 person
years<http://www.ohloh.net/p/zaproxy/estimated_cost>of effort!

I think there is a tendency for people to reinvent the wheel and to create
a new project when a more useful alternative would be to extend a more well
established project. Thats not always a bad thing, but its definitely not
always a good thing either.

This might sound like I'm saying that we should raise the bar for accepting
Incubator projects.
I'm not.
In 2010 a project was accepted that had only one contributor and at that
time was just a minor fork of another open source project that had been
abandoned years ago. It also overlapped with one of the main OWASP projects
of that time, WebScarab.
If ZAP hadnt been accepted at that point then I probably would not have
been invited to talk at AppSec EU in Dublin in 2011 which in my view was
pivotal in raising ZAPs profile. Things may well have turned out very

So I do think its important that we foster new projects. Even ones that
compete with existing projects.
But I think the mass of projects is very confusing to people outside of

I would like the flagship projects to be much more visible on the OWASP web
site - I'd actually like them all to be clearly listed on the front page.
And I'm not talking about the little links at the top, we should be making
much more of them. (OK, I also want a complete revamp of the homepage, but
thats another matter;)
We should identify flagship projects that are, er, flagging, and move to
support them if we can. If that fails then they should loose their flagship
status. I know thats what we try and do now, but I think we should do this
more aggressively.
We should definitely promote new projects to flagship status, but we have
to maintain a high bar to entry.
We should continue to accept new projects into the Incubator steam with a
very low bar of entry, but we should stress that making a project
successful takes a lot of work and should ask the contributor to provide
some justification as to why their project should not be part of one of the
more established projects.
And if a project doesnt progress, if it doesnt produce anything meaningful
within a reasonable period of time then it should be completely dropped. Do
not pass GO, do not go to Inactive state, just dropped.

What does everyone else think?



OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140404/1535a74f/attachment-0001.html>

More information about the OWASP-Leaders mailing list