[Owasp-board] Rethinking strategy regarding projects

psiinon psiinon at gmail.com
Thu Nov 26 10:00:44 UTC 2015


I agree that this is a good time to rethink OWASP's project strategy.
Creating and maintaining high quality open source projects takes a lot of
time and effort, and can only be done in one's 'spare time' for a relatively
short period.
Successful projects need sponsorship and people who are able to dedicate a
significant part of their working week to them.
Abandoned or poorly maintained projects only damage OWASP's reputation.

Should we effectively ditch all but the flagship projects? Only take on
new projects when they reach that level of quality?
Would a tool that becomes successful in its own right _want_ to be adopted
by OWASP?
Should OWASP ditch projects altogether?
Or maybe just ditch all but the documentation projects?
Maybe we should just recommend open source projects, a sort of 'OWASP
approved' badge?

If we do keep some projects (and I think we should;) then what purpose
should they serve?

   - Providing high quality tools that help make the internet more secure?
   - Helping people learn about security?
   - Driving awareness of OWASP? (How would people learn about OWASP if not
   via projects like the Top 10 and ZAP?)
   - Providing tools and features that commercial companies are not currently
   providing (effectively, or for a reasonable price)?

Interested to see what other people think.

Cheers,

Simon


On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Leaders and members of the board
>
> As a former member of the project review team, I have been observing the
> increasing issues related to projects.
> The fact is, we do not have enough volunteers or staff to support and watch
> the quality of projects, do reviews and have supervision over them.
>
> More often than not, projects become dormant or inactive.
> Recently the misuse of the OWASP brand has been an issue with projects like
> Benchmark, and there have been recent complaints from users of the PHPSEC
> project. But this is an ongoing issue.
>
> I think it is time that OWASP rethinks its strategy regarding projects.
>
> Maybe instead of trying to offer a platform that is not sustainable, OWASP
> should adopt and sponsor projects that have already established a name on
> their own.
>
> Nothing stops a dedicated individual from starting an open source project on
> his own. In the past, when OWASP was a small organization run by dedicated
> volunteers, it worked for these couple of projects, but right now it is out of
> hand. Take a look at how many active projects are actually being maintained.
>
> Maintaining a project takes a lot of dedication, and this is what people
> need to realize when starting an open source project.
>
> What I see quite often is people wanting to misuse the OWASP brand instead of
> being willing to pull a project.
> That is the major reason I quit reviewing, along with the fact that we do not
> have feasible resources to produce projects that are sustainable in the long
> term.
>
> I'm also cancelling the proposal with regard to the bounty source program.
> The reality is that without dedicated efforts and resources, it won't be
> sustainable.
>
> Regards
>
> Johanna
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader