[Owasp-board] [Governance] Stepping down from Project Reviews

Josh Sokol josh.sokol at owasp.org
Wed Sep 2 20:35:05 UTC 2015

There is a drop down when filling out the reimbursement request form that
specifies whether you would like a check or a wire transfer.  I've never
used the latter option, but I would imagine that would be the preferred
method for non-US people.


On Wed, Sep 2, 2015 at 2:48 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:

> Josh,
> My involvement in OWASP has been extremely limited since 2012, so I cannot
> speak about the current process.
> Regarding reimbursement, how does it work for non-US people? A US check
> would be useless in most parts of the world. This has also been a big issue
> in the past for us.
> Regards,
> Lucas
> On Wed, Sep 2, 2015 at 9:07 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>> Lucas,
>> OK, that's good to know.  Would it be fair to assume that conditions may
>> have changed a little bit since then given the process that is in place
>> now?  Have you had any experience either anecdotally or otherwise relating
>> to the current process?  My experience, even lately, is that I submit an
>> expense justification and receipt and get a check in the mail within about
>> a week with no questions asked.  It's been so super simple that I told
>> other leaders the other day that I would use my personal credit card if
>> necessary to get them what they need and request the reimbursement myself.
>> Trust me, I wouldn't offer that if I didn't believe I would get the money
>> back.  I just posted another thought on the Governance list about
>> transparency in funding requests and approvals and would be curious to hear
>> your thoughts on it.
>> ~josh
>> On Wed, Sep 2, 2015 at 1:59 PM, Lucas Ferreira <lucas.ferreira at owasp.org>
>> wrote:
>>> Josh,
>>> I was using my cases as examples, mainly because they are old cases,
>>> from 2012 and before. I could try to dig out a few emails if you really
>>> want them, but at least the 3rd case for the Portuguese project is well
>>> documented in the pages for the project reboot from 2012. The current
>>> process was not followed because it did not exist at the time.
>>> Also, my experience as a chapter leader (also pre 2012) was similar to
>>> yours.
>>> Regards,
>>> Lucas
>>> On Wed, Sep 2, 2015 at 8:37 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> Lucas,
>>>> My experience when I ran the OWASP Austin Chapter was actually quite
>>>> different.  If I had a need, and asked for it, it usually was totally
>>>> within the realm of possibility.  Maybe it's because this was many years
>>>> ago and before we had an official Executive Director and most of the staff
>>>> and significant growth.  Maybe it was because it was a Chapter.  I don't
>>>> really know.  But, it saddens me to hear that you've had these experiences
>>>> with working with projects because that's not, at least to my
>>>> understanding, the way it's supposed to work.  I've witnessed significant
>>>> community funds on both the Chapter side and Project side go unused every
>>>> year.  So, to hear that your needs, ones that fall within the realm of
>>>> "reasonable" as I understand it, aren't being met makes me sad.  Are you
>>>> following the process outlined in the Community Engagement page (
>>>> https://www.owasp.org/index.php/Funding) when requesting the funds and
>>>> still being turned down?  Was the answer simply "No" or was there an
>>>> explanation for it?  One of the ideas that I've proposed is that anyone at
>>>> OWASP can budget for their ideas and as long as we can handle it as part of
>>>> our Foundation budgeting process, it would get approved as reserved funds
>>>> for that purpose.  Would that approach be reasonable or were all of these
>>>> activities things where there was an opportunity cost in not executing at
>>>> that time?  Can you send me the documentation (e-mails?  support tickets?
>>>> etc.) for the issues that you're referencing?  I've heard a lot of
>>>> "Projects can't get funding" talk in the past, but this is the first I've
>>>> seen someone point to a specific initiative that they asked for support on
>>>> and were told "no".  I would like to investigate it further and figure out
>>>> why that was.  If things are working as you describe, then that is not ok,
>>>> and I agree that things need to be changed.
>>>> ~josh
>>>> On Wed, Sep 2, 2015 at 10:42 AM, Lucas Ferreira <
>>>> lucas.ferreira at owasp.org> wrote:
>>>>> Josh,
>>>>> I certainly cannot speak for all Projects, but every time I tried to
>>>>> get the things I needed for a project, I got either a denial or a big
>>>>> silence. So the first thing needed is, if there is money available, more
>>>>> communication and an easy way to get to it.
>>>>> I will put here my experience. Others can say if they face similar
>>>>> issues or not.
>>>>> First, as part of the
>>>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to
>>>>> get money to pay for a professional public relations person/company to help
>>>>> us promote the manifesto to the Brazilian congress. I learnt the hard way
>>>>> (from organizing AppSec conferences) that a good PR person can make a real
>>>>> difference. At the time, I asked for USD 2600 to pay the PR but could not
>>>>> get the money.
>>>>> Second, as part of
>>>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed
>>>>> a server to use to deploy the initial code and help collect data. I also
>>>>> needed a DNS entry. I ended up paying for the VM myself and used my own
>>>>> private domain for the DNS because I could not get it from OWASP.
>>>>> Lastly, as part of
>>>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
>>>>> tried to get money to hire translators and professional writers to work
>>>>> with the more tech oriented volunteers with no luck.
>>>>> In summary, my experience in getting money or support for OWASP
>>>>> projects is bad. IMHO, this is why so many projects die.
>>>>> And just to be sure, unlike Johanna, I think money is a big issue as
>>>>> it could be used to remove some of the load from volunteers. An example is
>>>>> the translation projects: we could leverage the knowledge of our network of
>>>>> volunteers, without requiring them to do all the work, by relying on
>>>>> professional services. So, the issue is to have money to buy the services
>>>>> needed by the projects, from VMs to professional services.
>>>>> And lastly, I did not compare Chapters and Projects. I did compare the
>>>>> treatment that they get from OWASP.
>>>>> Regards,
>>>>> Lucas
>>>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>> I believe Johanna said "It's not about money".  Every time I hear
>>>>>> someone say that it is, I cringe a little because I know that we allocated
>>>>>> $50,000 in Community Engagement Funding this year to projects alone and
>>>>>> have $15,650 of that remaining (
>>>>>> https://owasp.org/index.php/Community_Engagement_-_Payments).  I
>>>>>> also know that if there's a need that goes beyond what is budgeted, we have
>>>>>> ways to make that happen outside of this channel.  For example, when Dinis
>>>>>> asked for $100,000 for a Project Summit, we said "Give us a plan and we'll
>>>>>> discuss."
>>>>>> I also cringe when I hear people compare the Projects to the Chapters
>>>>>> or vice versa.  They are both unique and important to OWASP.  Both have
>>>>>> needs that we need to satisfy.  Chapters have historically been more
>>>>>> successful in fundraising because of the large volume of people involved
>>>>>> with them, but that doesn't make them better or worse.  Just different.
>>>>>> Let's be honest, the Chapter model of fundraising doesn't really work for
>>>>>> Projects.  That's ok...we just need to find other ways.
>>>>>> So, let's assume that money is not an issue.  What are the needs that
>>>>>> our Projects have that OWASP is not currently fulfilling?  I don't claim to
>>>>>> be an expert on Projects.  I don't routinely work with them and the one
>>>>>> project that I tried to start at OWASP died a very quick death.  It was an
>>>>>> issue with time and volunteerism, though, and had nothing to do with the
>>>>>> OWASP platform.  I understand and agree that it's not about things you can
>>>>>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>>>>>> need?  We have an in-house graphic designer.  We have companies that we
>>>>>> work with for publishing.  We hired a full-time person to help with
>>>>>> projects.  If there are needs that aren't being met here, then what are
>>>>>> they?  What can OWASP do to make Projects more successful?
>>>>>> ~josh
>>>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <
>>>>>> lucas.ferreira at owasp.org> wrote:
>>>>>>> Dear Johanna,
>>>>>>> it is very sad that you are stepping down, but you nailed it when
>>>>>>> you said:
>>>>>>> "I hope that in the future there is a clear perspective how to help
>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>> account, these things are already free without OWASP support."
>>>>>>> For a long time already, I have had the same feeling that OWASP is
>>>>>>> always discussing chapters and their bank accounts and never
>>>>>>> projects. I just hope one day OWASP will be able to see that projects are
>>>>>>> what makes OWASP known and respected.
>>>>>>> I have talked to a few leaders of open-source projects about
>>>>>>> bringing their projects to OWASP and, in the end, the feeling is that all
>>>>>>> they would get is the ability to benefit from the OWASP "brand". We should
>>>>>>> offer project leaders more than the opportunity to beg chapters for money.
>>>>>>> Regards and good luck,
>>>>>>> Lucas
>>>>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>> Members of the board,
>>>>>>>> I have decided to step down from the project reviews activities.
>>>>>>>> I have been doing continuous reviews the last 2 years, especially
>>>>>>>> the last year I was quite involved in a major clean up in the project
>>>>>>>> inventory, together with other members that participated on an on/off
>>>>>>>> basis.
>>>>>>>> That does not mean I'll step down from every activity I have been
>>>>>>>> working on the last years at OWASP. Indeed, now I'll focus my attention on
>>>>>>>> those activities that I feel have provided me with a higher level of reward
>>>>>>>> and a grateful feeling.
>>>>>>>> Unfortunately, I cannot say the same for reviewing projects. The
>>>>>>>> greatest reward I had from that activity is what I learned from many
>>>>>>>> projects for the last 2 years, not just looking, but downloading, testing and
>>>>>>>> using them and volunteering on their activities.
>>>>>>>> It is a ticklish activity that has provided me very little
>>>>>>>> satisfaction but disappointment. Never seems to be enough even when people
>>>>>>>> have little idea how much time is needed to use an open source project,
>>>>>>>> let alone understand it. I'm a volunteer, not an OWASP employee. Let's
>>>>>>>> clarify that for people that might read this.
>>>>>>>> I think Claudia, as her predecessor Kait-Disney did, can surely
>>>>>>>> help maintain inactive/active projects monitoring. Another ticklish
>>>>>>>> activity that we hear many complaints regarding inactive projects wanted to
>>>>>>>> keep alive. Political driven necessities to have wiki pages of empty
>>>>>>>> projects, that's what we finished and hope you can continue for the sake of
>>>>>>>> users.
>>>>>>>> The actual situation is that Project leaders are definitely on
>>>>>>>> their own, and they should understand that: when it comes to having a
>>>>>>>> platform at OWASP for developing projects, they have very little support on
>>>>>>>> this.
>>>>>>>> It's not about money, it's about a platform, a process and a way to
>>>>>>>> be able to make a project a reality no matter if you are in India,
>>>>>>>> Pakistan, or Africa. The inequality between these worlds is very obvious
>>>>>>>> when we look at projects in US or EU compared to 'developing countries'.
>>>>>>>> Big security companies are not behind these leaders to support them with
>>>>>>>> time or resources.
>>>>>>>> I hope that in the future there is a clear perspective how to help
>>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>>> account, these things are already free without OWASP support.
>>>>>>>> I think people hoping to secure their web applications using OWASP
>>>>>>>> tools, can have better ways for doing it if more energy is directed towards
>>>>>>>> supporting a better structure for developing OWASP projects.
>>>>>>>> This is where my energy will be from now on. Hopefully with the
>>>>>>>> right support.
>>>>>>>> Regards
>>>>>>>> Johanna
>>>>>>>> _______________________________________________
>>>>>>>> Governance mailing list
>>>>>>>> Governance at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/governance