[Owasp-board] OWASP Summer of Code Sprint Proposal

Kevin W. Wall kevin.w.wall at gmail.com
Sun Apr 26 22:24:41 UTC 2015

On Sat, Apr 25, 2015 at 2:47 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Another note is that if you look at all the projects this 250,000k$ funded
> in 2008...
> https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
> ...most are now dead projects.
> We do good at getting projects started but do poorly in bringing these
> projects to maturity.

Unless this was a list of all the projects that actually received funds for
the OWASP SoC 2008, I think this is an unfair characterization.

Instead, I think it is likely that this list of projects
was just a complete list of projects at the time. I think it is doubtful
that they all received funds, especially since there are two *inactive*
projects on that list.

Secondly, even if all of those projects received funds, almost 7 years
have passed since that time. While you may think that projects
at OWASP have a lower success rate than normal unfunded FOSS
projects, I'm not sure that conjecture is true and am not willing to
believe it without some hard data to back it up. I suspect that
if we looked at FOSS overall, OWASP is probably about average. I
think it just seems worse because we are all more intimately aware of
all the OWASP projects that seem to fall by the wayside but in general
most failed FOSS projects go completely unnoticed by us.

Not only that, but compare the success rate of OWASP projects
to VC funded tech start ups and I'll bet that OWASP looks pretty
good in comparison, especially if you take into account that the
start-ups usually have full-time, paid staff while we are working
almost exclusively using volunteer hours.

> I really want us to make a big impact. I suggest we focus in on our flagship
> and lab projects with big potential. I'd hate to fund dozens of projects
> (again) that just die on the view a few years after getting funding.

Having said all that, I am by no means endorsing spending $30k in
funds without fully counting the costs, and I don't just mean in money.
2008 was before I got involved again with OWASP, but I'm guessing
that time was spent to make it a success whatever <season> of code
was run. I am just as much concerned that jumping into this in some
hasty manner will have much more negative effects than just possibly
not bringing a significant ROI on the money decided to fund it.

