[Owasp-board] ESAPI for Javascript Review

Dave Wichers dave.wichers at owasp.org
Fri Apr 15 02:20:47 UTC 2011

This contributor was not the project leader, and I thought this small
investment (paid after the quality of the work was reviewed) was a prudent
investment to try to see if we could get some of Mario's students to start
contributing to OWASP. I don't intend to set this as a precedent that all
his students can expect to get paid. I'm hoping (maybe naively), that we can
get some of them involved in OWASP and hope that the recognition and
experience they gain is worth their contributions.


In fact, this student indicated that the payment would be nice, but wasn't
required and did all the work with no actual expectation or guarantee of
payment. He did the work because he wanted to, not for the money. The money
I decided to pay was an added bonus given the quality of the work. And the
amount was decided (by me) after the fact, not before.


So, I'm not trying to derail what we decided back in 2009 re seasons of
code. And I don't think we should revisit that decision right now.


I'm interested if my experiment will work and we can get more of them
involved, including the student who did this work.


We'll see.




From: Jason Li [mailto:jason.li at owasp.org] 
Sent: Thursday, April 14, 2011 6:04 PM
To: Dave Wichers
Cc: OWASP Foundation Board List
Subject: Re: [Owasp-board] ESAPI for Javascript Review


Well, this certainly conflicts directly with what I just said yesterday on
the GPC mailing list in response to a request for funding to further develop


The Board made a very deliberate decision back in 2009, one that I did not
initially support but now actually agree with, that OWASP should *not* be in
the business of paying project leaders to work on projects (as we have in
previous Seasons of Code). The reasons for this are many and I don't want
this email thread to be derailed in a philosophical debate on the merits of
such a strategy.
I'd rather focus on what we *can* do.
The direction of project funding is to provide support for projects to be
better exposed, promoted and received. To that end, we can certainly send
out messages to the OWASP community and highlight the project through all
our normal means (Podcast, Newsletter, etc) to help it gain some
visibility (which in turn may generate some interest). Long term, we're
working out plans to have resources available for graphic design and
technical writing review, but we do not yet have rules of engagement for
such resources (let alone the actual human resources identified to provide
those services). We're also working on getting a limited number of
conference speaking slots reserved for OWASP project leaders to highlight
their projects, but this effort is still underway (we are currently
targeting AppSecUSA 2011).
If there's something specific that you guys have in mind to support the
project along similar lines of project support, we can review the request.

(see full thread

It's great to hear the output for the ESAPI JavaScript project, and I agree
that $500 is a relatively small amount in comparison to the time and effort
put in by the authors. But there's a reason why the Board wanted to move
away from Seasons of Code and paying for OWASP work of this nature.


Does the Board want to reverse that policy?  I'm certain that there would be
a ton of interest if we re-opened that door, but I don't think OWASP is in a
financial position to go down that path right now.


-Jason, GPC Chair

Board mailing list lurker


On Thu, Apr 14, 2011 at 5:17 PM, Dave Wichers <dave.wichers at owasp.org>



In the interests of full disclosure, I met with Mario Heiderich at the OWASP
summit and we got to talking about getting some of his students to work on
OWASP projects. He found a student (Marcus Niemietz) that was interested in
reviewing the ESAPI for Javascript project and he (the student) was
wondering whether we were willing to provide him a small payment for his
effort and I agreed (using my board member budget). The amount was to be
determined after he did the work.


He has produced the attached paper and Chris Schmidt's (the project lead)
initial review was very positive. As such, I have agreed to pay him $500. He
spent 100 hours on this effort from what I understand, and so this seems
small compensation for his good work.


I'm also hoping we can find some more of Mario's students to work as either
volunteers or low cost interns on more OWASP projects but I'm still working
on that.


Anyway, since I spent $500 of OWASP's money I figured I would let you all
know. I think this is the first of my board member discretionary budget that
I have ever spent.




p.s. I'm wondering if this discretionary budget will be going away and
delegated to the committees from now on??


From: schafos at googlemail.com [mailto:schafos at googlemail.com] On Behalf Of
Marcus Niemietz
Sent: Thursday, April 14, 2011 2:50 PM
To: Dave Wichers
Cc: Mario Heiderich; Chris Schmidt; Jeff Williams
Subject: Re: College students or others working on OWASP projects like ESAPI


Hi Dave, Chris, and Jeff,


In addition to the mail of Mario I send you my paper "JavaScript-based
ESAPI: An In-Depth Overview" (attachment).



Marcus Niemietz


