[Owasp-board] A New Projects Model

Jim Manico jim.manico at owasp.org
Fri Apr 11 22:48:46 UTC 2014

My concern is that "official" OWASP projects should need to be updated,
documented, maintained with good email list support, and not have critical
security bugs in them in order to be an "official" OWASP project of any
kind. That's it.

I don't think many people realize how much we undermine our mission when
developers try to use three of our code flagship projects that have major
security bugs, are no longer supported, or are built from incredibly weak
concepts or architectures.

What I have done to counter balance this is to support the construction of
several hard core production quality and perfromant secure coding
components that could have a major impact on the world if supported by the
foundation. I don't care about titles really, I just want developers to be
able to visit OWASP, grab clear guides and tools to help them write secure
code. I am not trying to tout myself here. "I don't need money, don't need
fame, dont need no credit card to ride this train."

I'm trying to serve the mission. In a very production quality way that few
other code projects meet. And it's hard work over several years by very
senior developers building this stuff. It should not be an uphill battle,
it should be a water-slide. Instead, every time I've approached "projects"
I'm told I'm having a tantrum and all my counsel is ignored.

The reason I'm so loud lately is because I'm on the verge of walking away.
OWASP is not serving the mission, it's a conference circuit with slap-dash
project management, and I feel we have struggles with several staff issues.

Any another thing, I was grinding at the podcast for years, and then
someone took it over, added a commercial to it and started getting paid to
do so, and no one batted an eye. This is not cool and it's against the
vendor neutrality we are supposed to stand for.

So yea, screw this and the general lack of integrity that makes up the
organization. I might make mistakes in communication but I'll put my OWASP
work ethic and integrity up against anyone and stand proud.

Anyone can dump some shitty college project at OWASP and call themselves a
project leader and walk away. That's bullshit. It takes a real man (or
woman) to deeply support a project over time, and they should be recognized
and supported for those efforts.

Jim Manico
(808) 652-3805

On Apr 11, 2014, at 3:22 PM, Josh Sokol <josh.sokol at owasp.org> wrote:


It's clear that our current model for OWASP Projects isn't working.  I
don't think that you can place blame on any one person or entity.  Do the
math for a second.

40 hrs in a week x 60 minutes in an hour / 177 projects = <14 mins per
project per week

Do you really think that any project manager can make headway on 177
projects given less than 14 minutes a week of time to spend on any one
project?  Most of the e-mails that I write take more time than that.  And
that's in addition to everything else that we've assigned to that role.  As
we grow this problem is going to get worse and worse.  We need to address
this issue head on by evolving our projects model.  Now, I can't claim to
have been intimately involved in projects as many of you have in the past
and present.  I also can't claim to have all of the answers.  But I do feel
strongly that the current model will not scale and we've felt the pain for
quite a while.  Hiring Samantha to manage projects was a temporary bandage,
but we need a change in direction to ultimately stop the bleeding.

Far be it from me to present a problem without a solution so I'm going to
give it my best.  It's just an idea at this point and it's not fully
vetted, but hey, that's what a Board is for, right?  To work together,
create a new vision, and hand off to our staff to execute.

*The Proposal:*
We forget about trying to classify projects into buckets based on a level
of maturity.  Instead, projects are effectively one of two things:

1) An OWASP Project: This is a project owned and maintained by OWASP.
Features should be directed by the community via a up/down voting system a
la reddit.  Work on the project can be paid or unpaid.  These should be
projects of massive value not only to OWASP, but to the security community
and even the world.  We should spend 95% of our project time and resources
here because this is where the rubber meets the road.  We should be pimping
the shit out of these.

2) Everything Else: These are cool ideas that OWASP supports.  When they
submit, we give them some basic classification questions to figure out why
a security professional would want to use them.  We create a system to
search and sort these tools.  We help to pimp them when possible, but
direction, vision, etc is driven by the individual project leads.  The only
real requirement here is that the project is open source.  It doesn't even
have to live on our servers.  We're effectively an index for these and do
little more than that.  Maybe we track a last update or level of activity
or something, but nothing more.

All a project needs to do is submit a simple form and be verified as having
the proper licensing/source availability to be listed on our site.  This
should be easily manageable and scalable as we're just managing new
submissions, not existing projects.  If one of those #2 projects ever
decides that they are done running by themselves and wants #1 status, they
can donate their code to OWASP and a technical council would give it a
thumbs up or down as to whether it belongs in #1 project bucket.  The
question ultimately being whether it's a project that is visionary and
benefits the world at large or something solving some smaller corner case

Under this model we can certainly have stakeholders, but the true owners of
any OWASP project is the community.  The model provides recognition to all,
but allows us to put our eggs in the basket with the tools that matter the
most.  It helps to prioritize resources and allows the community to set the
vision and direction of OWASP.

So, what do you think?  I realize that this is a big time change in
direction, but it's well in line with our mission and builds on our
strengths rather than allowing us to skate along with our weaknesses.  I'm
interested in your feedback.


Owasp-board mailing list
Owasp-board at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140411/0d4a69c3/attachment-0001.html>

More information about the Owasp-board mailing list