I've been watching the debate about paying leaders. And I for one want
to state that I feel it's ok to pay leaders to complete key projects.
"The mission" is way more important than an OWASP "social rule".

I think we have been thinking about this topic, way too much, from an
OWASP-centric perspective.

You all know, I hope, that I bleed OWASP and care for the
organization. But this "problem" of OWASP not meeting the obligation
of its mission around AppSec awareness is NOT ABOUT OWASP. It's about
the target of our mission; the many folks who are NOT aware of the
systemic security problems that face web applications and the
organizations that depend on them.

Think about this from a software manager, corporate supporter, or
other OWASP *consumer* point of view. Do they really care about some 3
year old "social rule" that states we cannot pay leaders (aka: web sec
experts)? Or do they care that our guides are 5+ years out of
date, that our "flagship software projects" have 2 year old unfixed
bugs, that our project management has stagnated, or that our website
is very complex to navigate successfully?

Eoin has put forth an excellent plan to push funds directly into
projects, and I support it.

I feel we should stop blacklisting OWASP; it's not helpful to tell us
what we can't do in support of our mission.

Whitelist! Give us a powerful plan to serve "the mission" and make
OWASP relevant again. I for one am willing to consider paying serious
web security experts to help us update key projects, even if they are
OWASP leaders.