[Owasp-board] [Governance] Stepping down from Project Reviews

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 2 17:05:10 UTC 2015


> I certainly cannot speak for all Projects, but every time I tried to get
> the things I needed for a project, I got either a denial or a big silence. So
> the first thing needed is, if there is money available, more communication
> and an easy way to get to it[....] In summary, my experience in getting
> money or support for OWASP projects is bad. IMHO, this is why so many
> projects die.
> [...] And lastly, I did not compare Chapters and Projects. I did compare the
> treatment that they get from OWASP.

You are not the only one with the same issues. I have the same experience
too, as do many others.

Let's accept that we have a problem and no, I don't blame the Board for
that, but I'm asking for your attention and we have to admit that we need to
work on this. And the person asking for your attention is a volunteer who has
dedicated her time for the last 3 years trying to improve a system and
contributing in multiple activities. I think I deserve a small
acknowledgement for that.

This is part of the evolution OWASP is having from a small to a bigger
organisation. A natural process. From US to Global.

What I mean by a good platform in place is more than money in the
community fund.

That money feels like a banana hanging too high to reach and no stairs to
reach it for project leaders.

Platform means communication, managing resources, support and much more.
And money helps but a good plan is necessary.

It means having the stair (the platform) to make available those funds, so
they become available.

And I know that the problem is we have not worked on creating the 'stair'.

This is where I want to dedicate my efforts, so I will submit to form a
committee to create the stair for better development of OWASP projects. I
care about them, I use them, I want to see fair opportunities for everyone.


On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira <lucas.ferreira at owasp.org>
wrote:

> Josh,
>
> I certainly cannot speak for all Projects, but every time I tried to get
> the things I needed for a project, I got either a denial or a big silence. So
> the first thing needed is, if there is money available, more communication
> and an easy way to get to it.
>
> I will put here my experience. Others can say if they face similar issues
> or not.
>
> First, as part of the
> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to get
> money to pay for a professional public relations person/company to help us
> promote the manifesto to the Brazilian congress. I learnt the hard way
> (from organizing AppSec conferences) that a good PR person can make a real
> difference. At the time, I asked for USD 2600 to pay the PR but could not
> get the money.
>
> Second, as part of
> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed a
> server to use to deploy the initial code and help collect data. I also
> needed a DNS entry. I ended up paying for the VM myself and used my own
> private domain for the DNS because I could not get it from OWASP.
>
> Lastly, as part of
> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
> tried to get money to hire translators and professional writers to work
> with the more tech-oriented volunteers, with no luck.
>
> In summary, my experience in getting money or support for OWASP projects
> is bad. IMHO, this is why so many projects die.
>
> And just to be sure, unlike Johanna, I think money is a big issue as it
> could be used to remove some of the load from volunteers. An example is the
> translation projects: we could leverage the knowledge of our network of
> volunteers, without requiring them to do all the work, by relying on
> professional services. So, the issue is to have money to buy the services
> needed by the projects, from VMs to professional services.
>
> And lastly, I did not compare Chapters and Projects. I did compare the
> treatment that they get from OWASP.
>
> Regards,
>
> Lucas
>
>
> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> I believe Johanna said "It's not about money".  Every time I hear someone
>> say that it is, I cringe a little because I know that we allocated $50,000
>> in Community Engagement Funding this year to projects alone and have
>> $15,650 of that remaining (
>> https://owasp.org/index.php/Community_Engagement_-_Payments).  I also
>> know that if there's a need that goes beyond what is budgeted, we have ways
>> to make that happen outside of this channel.  For example, when Dinis asked
>> for $100,000 for a Project Summit, we said "Give us a plan and we'll
>> discuss."
>>
>> I also cringe when I hear people compare the Projects to the Chapters or
>> vice versa.  They are both unique and important to OWASP.  Both have needs
>> that we need to satisfy.  Chapters have historically been more successful
>> in fundraising because of the large volume of people involved with them,
>> but that doesn't make them better or worse.  Just different.  Let's be
>> honest, the Chapter model of fundraising doesn't really work for Projects.
>> That's ok...we just need to find other ways.
>>
>> So, let's assume that money is not an issue.  What are the needs that our
>> Projects have that OWASP is not currently fulfilling?  I don't claim to be
>> an expert on Projects.  I don't routinely work with them and the one
>> project that I tried to start at OWASP died a very quick death.  It was an
>> issue with time and volunteerism, though, and had nothing to do with the
>> OWASP platform.  I understand and agree that it's not about things you can
>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>> need?  We have an in-house graphic designer.  We have companies that we
>> work with for publishing.  We hired a full-time person to help with
>> projects.  If there are needs that aren't being met here, then what are
>> they?  What can OWASP do to make Projects more successful?
>>
>> ~josh
>>
>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <lucas.ferreira at owasp.org>
>> wrote:
>>
>>> Dear Johanna,
>>>
>>> it is very sad that you are stepping down, but you nailed it when you
>>> said:
>>>
>>> "I hope that in the future there is a clear perspective how to help
>>> projects develop better. So far I have not seen major initiatives directed
>>> on improving a platform. A platform is not a wiki page, not a github
>>> account, these things are already free without OWASP support."
>>>
>>> For a long time already, I have had the same feeling that OWASP is always
>>> discussing chapters and their bank accounts and never projects.
>>> I just hope one day OWASP will be able to see that projects are what makes
>>> OWASP known and respected.
>>>
>>> I have talked to a few leaders of open-source projects about bringing
>>> their projects to OWASP and, in the end, the feeling is that all they would
>>> get is the ability to benefit from the OWASP "brand". We should offer
>>> project leaders more than the opportunity to beg chapters for money.
>>>
>>> Regards and good luck,
>>>
>>> Lucas
>>>
>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Members of the board,
>>>>
>>>> I have decided to step down from the project reviews activities.
>>>>
>>>> I have been doing continuous reviews the last 2 years, especially the
>>>> last year I was quite involved in a major clean up in the project
>>>> inventory, together with other members that participated on an on/off
>>>> basis.
>>>>
>>>> That does not mean I'll step down from every activity I have been
>>>> working on the last years at OWASP. Indeed, now I'll focus my attention on
>>>> those activities that I feel have provided me with a higher level of reward
>>>> and a grateful feeling.
>>>>
>>>> Unfortunately, I cannot say the same for reviewing projects. The
>>>> greatest reward I had from that activity is what I learned from many
>>>> projects for the last 2 years, not just looking, but downloading, testing and
>>>> using them and volunteering on their activities.
>>>>
>>>> It is a ticklish activity that has provided me very little
>>>> satisfaction but disappointment. Never seems to be enough even when people
>>>> have little idea how much time is needed to use an open source project,
>>>> let alone understand it. I'm a volunteer, not an OWASP employee. Let's
>>>> clarify that for people that might read this.
>>>>
>>>> I think Claudia, as her predecessor, Kait-Disney did, can surely help
>>>> maintain inactive/active projects monitoring. Another ticklish activity
>>>> that we hear many complaints regarding inactive projects wanted to keep
>>>> alive. Politically driven necessities to have wiki pages of empty projects,
>>>> that's what we finished and hope you can continue for the sake of users.
>>>>
>>>> The actual situation is that Project leaders are definitely on their
>>>> own, and they should understand that: when it comes to having a platform at
>>>> OWASP for developing projects, they have very little support on this.
>>>>
>>>> It's not about money, it's about a platform, a process and a way to be
>>>> able to make a project a reality no matter if you are in India, Pakistan,
>>>> or Africa. The inequality between these worlds is very obvious when we look
>>>> at projects in US or EU compared to 'developing countries'. Big security
>>>> companies are not behind these leaders to support them with time or
>>>> resources.
>>>>
>>>> I hope that in the future there is a clear perspective how to help
>>>> projects develop better. So far I have not seen major initiatives directed
>>>> on improving a platform. A platform is not a wiki page, not a github
>>>> account, these things are already free without OWASP support.
>>>>
>>>> I think people hoping to secure their web applications using OWASP
>>>> tools, can have better ways for doing it if more energy is directed towards
>>>> supporting a better structure for developing OWASP projects.
>>>>
>>>> This is where my energy will be from now on. Hopefully with the right
>>>> support.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>