[Owasp-board] [Governance] Stepping down from Project Reviews

psiinon psiinon at gmail.com
Thu Sep 3 08:52:05 UTC 2015

As you've probably seen I've just copied this email and started a new
thread on the Leaders list :)

On Thu, Sep 3, 2015 at 9:42 AM, psiinon <psiinon at gmail.com> wrote:

> First of all I'd like to thank Johanna for all the effort she's put into
> reviewing the projects.
> Its been a huge and mostly thankless task, and the projects as a whole
> have really benefited.
> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
> I have a theory:
> People who are 'part' of OWASP tend to think that the Chapters are more
> important _to_them_ than the projects.
> Chapters are where we meet people, exchange ideas and learn things. They
> are social events.
> People outside OWASP think that the Projects are more important _to_them_
> than the Chapters.
> They dont go to chapter meetings, they might not even be aware of them.
> They use, or at least are aware of, the main OWASP projects, mostly the
> Flagship ones.
> Anyone agree or disagree?
> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
> I think Chapters and Projects are fundamentally different 'beasts', and
> I've started and run both :)
> Chapters are relatively easy to start and maintain.
> You need to be based in a city with a thriving security and/or software
> industry.
> You need to spend time organising and publicising events, but its not hard
> - you dont need specialized skills.
> Its relatively easy to find people prepared to speak, arrange rooms and
> help with other organisational things.
> Its something you can do in your spare time.
> Projects are much harder.
> They are relatively easy to start - you 'just' need a good idea.
> They are _really_ hard to bring to fruition and maintain.
> I'll focus on software projects (as I know much more about those) but I
> have no doubt documentation projects can be just as difficult.
> A professional software project is the result of the hard work of
> managers, designers, developers, QA, support, technical authors, sales and
> marketing (and probably others I've forgotten;).
> Its a huge amount of effort, and is ongoing - it only lets up when you
> 'sunset' the project.
> Ok, so (non commercial) open source projects dont need sales staff, but
> they do need people doing all of the other roles. Its definitely _not_ just
> programming!
> Its way too much for one person (for a non trivial project).
> Luckily we have the open source community, but that means a project leader
> needs another skill: community building!
> And to be honest most volunteers are developers (and security people for
> OWASP projects), its very rare for people with other skills to get involved.
> I dont think its something you can do in your spare time, at least for
> long (I did for a while, and my wife described herself as a "ZAP widow";)
> So Chapters are relatively easy to maintain, projects _much_ harder.
> I suspect OWASP as an organisation supports Chapters more effectively, but
> even if it supports both equally Projects dont get as much support as they
> need.
> I think OWASP Chapters are thriving and the Projects are (as a whole)
> diminishing.
> If I'm right and people outside OWASP see the Projects as more important
> than the Chapters then this leads to the impression that OWASP is
> struggling.
> What to projects need?
> I dont think its possible to maintain a 'significant' open source project
> unless you are able to spend the majority of your working day on it.
> This means projects really have to be sponsored by someone.
> This is a significant investment for a company, and its often difficult to
> justify this sort of investment. Especially if its difficult to monetise
> OWASP projects.
> Does OWASP want to sponsor projects directly?
> I think thats what it would take to build a thriving set of Projects.
> Is that something that could be done?
> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
> thats been invaluable.
> But I'd love to be able to employ some of the ZAP contributors to work
> full time on ZAP :)
> Would OWASP pay for that??
> It would require much more 'project management' - the kind of things that
> people _think_ OWASP is doing, but it doesnt.
> I often see posts from people asking "why the hell is OWASP developing X".
> They seem to think that theres an OWASP committee that meets and goes "We
> think we should have project X". Whereas its actually an individual coming
> to OWASP and saying "I'm doing X, could this be an OWASP project?".
> OWASP Projects are very much 'bottom up' rather than 'top down'.
> It may surprise people outside of OWASP that I get _no_ direction at all
> from OWASP as to how ZAP should move forward.
> note that I'm _really_ not complaining about that ;)
> OWASP does not really invest in projects. It does provide some support,
> but to be honest not a great deal.
> If we decided to invest significant amounts of money in projects then
> there would need to be real debate as to what we should invest in.
> And I realise that thats difficult, particularly as OWASP is supported by
> commercial organisations, and they wont want OWASP investing in projects
> that compete with their own offerings.
> There are other things that OWASP could do other than paying developers
> directly.
> We could spend much more effort encouraging companies to contribute to
> OWASP projects, especially by donating engineering effort.
> We could help projects with the 'non programming' aspects - documentation,
> testing, marketing etc.
> We could provide more advice and guidance - I dont want people to dictate
> where ZAP should be headed, but I'd love constructive feedback :)
> Ok, thats ended up being a pretty rambling email ;)
> I'll end there and see what responses I get :D
> Cheers,
> Simon
> On Wed, Sep 2, 2015 at 6:05 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> >I certainly cannot speak for all Projects, but every time I tried to get
>> the things I needed for a project, I got either a deny or a big silence. so
>> the first thing needed is, if there is money available, more communication
>> and an easy way to get to it[....] In summary, my experience in getting
>> money or support for OWASP projects is bad. IMHO, this is why so many
>> projects die.
>> [...]And lastly, I did not compare Chapters and Projects. I did compare
>> the treatment that they get from OWASP.
>> You are not the only one with the same issues. I have the same experience
>> too and as also many others.
>> Let's accept that we have a problem and no, I don't blame the Board for
>> that, but I'm asking your attention and we have to admit that we need to
>> work on this. And the person asking your attention is a volunteer who has
>> dedicated her time the last 3 years trying to improve a system and
>> contributing in multiple activities, I think I deserve a small
>> acknowledgement for that.
>> This is part of the evolution OWASP is having from small to bigger
>> organisation. A natural process. From US to Global.
>> What I mean with a good platform in place is more than money in the
>> community fund.
>> That money  feels like a banana hanging too high to reach and no stairs
>> to reach it for project leaders.
>> Platform means communication, managing resources , support and much more.
>> And money helps but a good plan is necessary.
>> It means having the stair (the platform) to make available those funds,
>> so they become available.
>> And I know that the problem is we have not work on creating the 'stair'.
>> This is where I want to dedicate my efforts so I will submit to form a
>> committee to create the stair for better development of OWASP projects. I
>> care about them, I use them I want to see fair opportunities for everyone.
>> On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira <lucas.ferreira at owasp.org
>> > wrote:
>>> Josh,
>>> I certainly cannot speak for all Projects, but every time I tried to get
>>> the things I needed for a project, I got either a deny or a big silence. so
>>> the first thing needed is, if there is money available, more communication
>>> and an easy way to get to it.
>>> I will put here my experience. Others can say if they face similar
>>> issues or not.
>>> First, as part of the
>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to get
>>> money to pay for a professional public relations person/company to help us
>>> promote the manifesto to the Brazilian congress. I learnt the hard way
>>> (from organizing AppSec conferences) that a good PR person can make a real
>>> difference. At the time, I asked for USD 2600 to pay the PR but could not
>>> get the money.
>>> Second, as part of
>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed a
>>> server to use to deploy the initial code and help collecting data. I also
>>> needed a DNS entry. I ended up paying for the VM myself and used my own
>>> private domain for the DNS because I could not get it from OWASP.
>>> Lastly, as part of
>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
>>> tried to get money to hire translators and professional writers to work
>>> with the more tech oriented volunteers with no luck.
>>> In summary, my experience in getting money or support for OWASP projects
>>> is bad. IMHO, this is why so many projects die.
>>> And just to be sure, unlike Johanna, I think money is a big issue as it
>>> could be used to remove some of the load from volunteers. An example is the
>>> translation projects: we could leverage the knowledge of our network of
>>> volunteers, without requiring them to do all the work, by relying on
>>> professional services. So, the issue is to have money to buy the services
>>> needed by the projects, from VMs to professional services.
>>> And lastly, I did not compare Chapters and Projects. I did compare the
>>> treatment that they get from OWASP.
>>> Regards,
>>> Lucas
>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> I believe Johanna said "It's not about money".  Every time I hear
>>>> someone say that it is, I cringe a little because I know that we allocated
>>>> $50,000 in Community Engagement Funding this year to projects alone and
>>>> have $15,650 of that remaining (
>>>> https://owasp.org/index.php/Community_Engagement_-_Payments).  I also
>>>> know that if there's a need that goes beyond what is budgeted, we have ways
>>>> to make that happen outside of this channel.  For example, when Dinis asked
>>>> for $100,000 for a Project Summit, we said "Give us a plan and we'll
>>>> discuss."
>>>> I also cringe when I hear people compare the Projects to the Chapters
>>>> or vice versa.  They are both unique and important to OWASP.  Both have
>>>> needs that we need to satisfy.  Chapters have historically been more
>>>> successful in fundraising because of the large volume of people involved
>>>> with them, but that doesn't make them better or worse.  Just different.
>>>> Let's be honest, the Chapter model of fundraising doesn't really work for
>>>> Projects.  That's ok...we just need to find other ways.
>>>> So, let's assume that money is not an issue.  What are the needs that
>>>> our Projects have that OWASP is not currently fulfilling.  I don't claim to
>>>> be an expert on Projects.  I don't routinely work with them and the one
>>>> project that I tried to start at OWASP died a very quick death.  It was an
>>>> issue with time and volunteerism, though, and had nothing to do with the
>>>> OWASP platform.  I understand and agree that it's not about things you can
>>>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>>>> need?  We have an in-house graphic designer.  We have companies that we
>>>> work with for publishing.  We hired a full-time person to help with
>>>> projects.  If there are needs that aren't being met here, then what are
>>>> they?  What can OWASP do to make Projects more successful?
>>>> ~josh
>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <
>>>> lucas.ferreira at owasp.org> wrote:
>>>>> Dear Johanna,
>>>>> it is very sad that you are stepping down, but you nailed it when you
>>>>> said:
>>>>> "I hope that in the future there is a clear perspective how to help
>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>> account, these things are already free without OWASP support."
>>>>> For a long time already, I have the same feeling that OWASP is always
>>>>> discussing about chapters and their bank accounts and never about projects.
>>>>> I just hope one day OWASP will be able to see that projects are what makes
>>>>> OWASP known and respected.
>>>>> I have talked to a few leaders of open-source projects about bringing
>>>>> their projects to OWASP and, in the end, the feeling is that all they would
>>>>> get is the ability to benefit from the OWASP "brand". We should offer
>>>>> project leaders more than the opportunity to beg chapters for money.
>>>>> Regards and good luck,
>>>>> Lucas
>>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>> Members of the board ,
>>>>>> I have decided to step down from the project reviews activities.
>>>>>> I have been doing continues reviews the last 2 years, especially the
>>>>>> last year I was quite involved in a major clean up in the project
>>>>>> inventory, together with other members that participated in and on/off
>>>>>> basis.
>>>>>> That does not mean I'll step down from every activity I have been
>>>>>> working on the last years at OWASP. Indeed, now I'll focus my attention in
>>>>>> those activities that I feel have provided me with higher level of reward
>>>>>> and a grateful feeling.
>>>>>> Unfortunately,  I cannot say the same for reviewing projects. The
>>>>>> greatest reward I had from that activity is what I learned from many
>>>>>> project for the last 2 years, not just looking, but download , testing and
>>>>>> using them and volunteering on their activities.
>>>>>>  It is a ticklish activity that have provided me very little
>>>>>> satisfaction but disappointment. Never seems to be enough even when people
>>>>>> have little idea how much time is needed to use an open source project ,
>>>>>> let alone understand it. I'm a volunteer , not an OWASP employee. Lets
>>>>>> clarify that for people that might read this.
>>>>>> I think Claudia  , as her predecessor, Kait-Disney did, can surely
>>>>>> help maintain inactive/active projects monitoring. Another ticklish
>>>>>> activity that we hear many complains regarding inactive projects wanted to
>>>>>> keep alive. Political driven necessities to have wiki pages of empty
>>>>>> projects, thats what we finished and hope you can continue for the sake of
>>>>>> users.
>>>>>> The actual situation is that Project leaders are definitely on their
>>>>>> own, and they should understand that: when it comes to having a platform at
>>>>>> OWASP for developing projects, they have very little support on this.
>>>>>> It's not about money, is about a platform, a process and a way to be
>>>>>> able to make a project a reality no matter if you are in India, Pakistan,
>>>>>> or Africa. The inequality between these worlds is very obvious when we look
>>>>>> at  projects in US or EU compare to 'developing countries'. Big security
>>>>>> companies are not behind these leaders  to support them with time or
>>>>>> resources.
>>>>>> I hope that in the future there is a clear perspective how to help
>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>> account, these things are already free without OWASP support.
>>>>>> I think people hoping to secure their web applications using OWASP
>>>>>> tools, can have better ways for doing it if more energy is directed towards
>>>>>> supporting a better structure for developing OWASP projects.
>>>>>> This is where my energy will be from now on. Hopefully with the right
>>>>>> support.
>>>>>> Regards
>>>>>> Johanna
>>>>>> _______________________________________________
>>>>>> Governance mailing list
>>>>>> Governance at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>> _______________________________________________
>>>>> Governance mailing list
>>>>> Governance at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/governance
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150903/e8ebb8a1/attachment-0001.html>

More information about the Owasp-board mailing list