[Owasp-board] [Owasp-leaders] Projects Vs Chapters

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 7 12:14:00 UTC 2015


In 2013 corporate membership represented 33% of total income for OWASP,
as opposed to individual membership, which represented only 13% of the total
income.

In 2015 corporate membership (foundation + chapter) has a total revenue of
USD 350,000, as opposed to USD 90,000 from individual memberships (again
foundation + chapter), which is quite considerable:
OWASP Foundation Budget - 2015
<https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>


Basically all memberships are going to 'chapters'.

*If more than half of these donations (corporate membership), which I
highlighted in green, have not been specified for any purpose, then how does
the foundation decide into which account that money goes? I would like an
answer on this. What I miss here is a breakdown of the amount and into
which budget these are being set.*

*It seems that those memberships are going mostly to chapters and some to
projects (highlighted in yellow) (ZAP + SAMM)*

https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing

Btw, I cannot find the financial report of 2014; it seems it is quite behind
(since we are almost at the end of 2015).


On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:

> One thing about membership donations to projects. Last week, the list
> of members was posted to the leaders list for the elections:
>
>
> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>
> It shows that out of 2336 individual members only 2 have allocated
> their donation to a project - in this case "mobile". I agree that at the
> point of joining many people might select a chapter at that time,
> but I am wondering if this is actually accurate? It doesn't feel
> correct that less than 0.1% select a project.
>
> Last time I renewed, I changed my allocation from a chapter to a
> project. But the membership list still shows the allocation as a
> chapter, and the chosen project didn't receive any of my membership
> money.
>
>
> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>
> Is this a fault, and which members and projects have been affected by
> this? I wonder if it applies to all project allocation selections, or
> only after a change is requested? Why are there so many "blanks" and
> "none" in the list of membership, and what's the difference? How long
> has it been occurring?
>
> Colin
>
> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
> > Jumping in late to this thread. I already told Simon from day
> > one, when he first posted this on the Board and Governance list that
> > I agreed with him 100%, but I just wanted to add some things.
> >
> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
> >> Didn't realise this thread wasn't on the leaders list ;)
> >> So starting a new one here as I think it's important for us to discuss.
> >> For background see:
> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
> >> This is a copy of the email I sent to that thread.
> >>
> >>
> >> First of all I'd like to thank Johanna for all the effort she's put into
> >> reviewing the projects.
> >> It's been a huge and mostly thankless task, and the projects as a whole
> >> have really benefited.
> >
> > Amen to that. And having been involved in one of the projects (ESAPI)
> > that was demoted from Flagship to Lab status, I know it's not always
> > an easy thing to receive the assessments that she and her team had
> > been doing, but we need to be professional about this and not shoot
> > the messenger. Certainly when it came to ESAPI, while I was
> > disappointed, I pretty much agreed with the project review
> > conclusions.
> >
> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
> >>
> >> I have a theory:
> >>
> >> People who are 'part' of OWASP tend to think that the Chapters are more
> >> important _to_them_ than the projects.
> >> Chapters are where we meet people, exchange ideas and learn things.
> >> They are social events.
> >
> > The exception might be for those of us who attend our local OWASP
> > chapter meetings but who are also actively involved with one or more
> > OWASP projects.
> >
> >> People outside OWASP think that the Projects are more important
> >> _to_them_ than the Chapters.
> >> They don't go to chapter meetings, they might not even be aware of them.
> >> They use, or at least are aware of, the main OWASP projects, mostly the
> >> Flagship ones.
> >>
> >> Anyone agree or disagree?
> >
> > I think your analysis is pretty much spot on, with a few exceptions
> > like the edge case I mentioned above.
> >
> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
> >>
> >> I think Chapters and Projects are fundamentally different 'beasts', and
> >> I've started and run both :)
> >>
> >> Chapters are relatively easy to start and maintain.
> >> You need to be based in a city with a thriving security and/or software
> >> industry.
> >> You need to spend time organising and publicising events, but it's not
> >> hard - you don't need specialized skills.
> >> It's relatively easy to find people prepared to speak, arrange rooms and
> >> help with other organisational things.
> >> It's something you can do in your spare time.
> >
> > One thing I'll add here. The fact that people can use their time spent
> > attending OWASP chapter meetings as CPEs toward some security
> > certification is also a big draw I think. In the past, we've even
> > attracted quite a few non-OWASP members because of this, or at least
> > that appeared to be their primary motivation as some of them would ask
> > our chapter leads to provide evidence of attendance for
> > their CPEs and we'd then discover that some of them were not OWASP
> > members (not that we made a big deal about that).
> >
> > While it's true that one can earn CPEs working on a project, the
> > evidence bar seems to be a bit higher and a lot harder to measure.
> >
> >> Projects are much harder.
> >> They are relatively easy to start - you 'just' need a good idea.
> >> They are _really_ hard to bring to fruition and maintain.
> >> I'll focus on software projects (as I know much more about those) but I
> >> have no doubt documentation projects can be just as difficult.
> >> A professional software project is the result of the hard work of
> >> managers, designers, developers, QA, support, technical authors, sales and
> >> marketing (and probably others I've forgotten;).
> >> It's a huge amount of effort, and is ongoing - it only lets up when you
> >> 'sunset' the project.
> >> Ok, so (non commercial) open source projects don't need sales staff, but
> >> they do need people doing all of the other roles. It's definitely _not_ just
> >> programming!
> >
> > If anything, usually people are not that keen on doing those other
> > needed roles, such as project documentation, QA, buildmeister, etc.
> >
> > Also, the more successful a project becomes (i.e., as measured in
> > terms of the number of users) the harder it is to maintain. For
> > example, long ago, I noticed that people seem to ask more questions
> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users or
> > ESAPI-Dev mailing lists. I suspect that there are other forums
> > elsewhere that these things get discussed.
> >
> >> It's way too much for one person (for a non trivial project).
> >> Luckily we have the open source community, but that means a project
> >> leader needs another skill: community building!
> >
> > Indeed that's one where I feel that I've failed miserably. I'm not
> > particularly a people person nor do I have a lot of contacts beyond
> > the immediate colleagues that I work with, so when the current
> > volunteer pool dries up and stops contributing, the project tends to
> > die because of (at least in my case) the inability to find new
> > volunteers to help carry the project forward.
> >
> >> And to be honest most volunteers are developers (and security people for
> >> OWASP projects), it's very rare for people with other skills to get
> >> involved.
> >
> > 100% agree. Also, I personally think that we do a disservice
> > sometimes in our industry in that there's an unspoken perception of a
> > pecking order within the security community so that some of these very
> > important roles are greatly devalued (e.g., those who write
> > documentation or manage releases or do QA testing or provide project
> > management or other infrastructure support). And while we generally
> > don't come right out and express it, I think it's there and those who
> > might otherwise step up and fill those roles avoid the security
> > community for some other FOSS projects because they feel
> > under-appreciated.
> >
> >> I don't think it's something you can do in your spare time, at least for
> >> long (I did for a while, and my wife described herself as a "ZAP widow";)
> >
> > :D
> >
> >> So Chapters are relatively easy to maintain, projects _much_ harder.
> >
> > Making free pizza and beer available at chapter meetings doesn't hurt! :)
> >
> > We've also tried holding mini-hackathons at our local OWASP meetings
> > maybe once a year. It was interesting, but I can't say it was a
> > resounding success, because many there did not know the programming
> > language the project was written in and it took us an undue amount of
> > time just to get to the point where people got their IDE of choice
> > configured to pull the project from GitHub. Also probably about 1/2
> > of the regular attenders don't really program to any great extent at
> > all but rather consider themselves more of pen testers, so holding
> > these mini-hackathons effectively leaves out almost half of our
> > regular attendees so that's not going to be something that works as a
> > long term strategy.
> >
> >> I suspect OWASP as an organisation supports Chapters more effectively,
> >> but even if it supports both equally Projects don't get as much support as
> >> they need.
> >> I think OWASP Chapters are thriving and the Projects are (as a whole)
> >> diminishing.
> >> If I'm right and people outside OWASP see the Projects as more important
> >> than the Chapters then this leads to the impression that OWASP is
> >> struggling.
> >>
> >> What do projects need?
> >> I don't think it's possible to maintain a 'significant' open source
> >> project unless you are able to spend the majority of your working day on it.
> >> This means projects really have to be sponsored by someone.
> >> This is a significant investment for a company, and it's often difficult
> >> to justify this sort of investment. Especially if it's difficult to monetise
> >> OWASP projects.
> >
> > Indeed, back in the day when I was still on an AppSec team for a
> > previous company, I tried to convince my management to allocate about
> > eight hours a week from our entire team to contribute to ESAPI bug
> > fixing. It seemed a logical extension of our internal proprietary
> > security components class library which was not nearly as complete.
> > I was unable to convince my management and shortly afterwards, I
> > left that team (for unrelated reasons) and started working with a
> > team that had security experience that wouldn't easily translate to
> > ESAPI needs. In fact, my experience was worse than that. None of my
> > colleagues ever decided to help out individually either. Not a big
> > deal; maybe it just wasn't their cup of tea or they had other
> > passions that they wanted to contribute to. But gathering recruits
> > willing to participate clearly takes skills and contacts that I
> > apparently do not possess in sufficient quantities. (Sometimes I
> > feel like I'm trying to sell screen doors for submarines. Sigh.)
> >
> > All I'm saying is that getting volunteers is hard. Each sizeable
> > project really needs someone willing to fulfill the project
> > evangelist role to keep looking for new contributors. One
> > reason (at least it's been my experience) is that KEEPING volunteers
> > for extended periods is even harder and by and large, I think if
> > we looked at the historical data of contributors across all OWASP
> > projects (say, based on commit history), the data would bear
> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
> > is experienced by many FOSS projects.
> >
> >> Does OWASP want to sponsor projects directly?
> >> I think thats what it would take to build a thriving set of Projects.
> >> Is that something that could be done?
> >
> > _COULD_ it be done? Yes. Should it be done is another matter.
> > I'd rather not see it become necessary as I really don't want OWASP
> > to turn into a political organization where the project leaders are
> > forced to lobby for funding, and I fear that's what would happen. I
> > think also it would stifle innovation because new incubator projects
> > would likely all dry up (unless a certain amount of funds were
> > pre-allocated to them) as they likely couldn't compete against more
> > established projects.
> >
> > I had thought of proposing allowing individual OWASP projects to
> > somehow sell their own project-related schwag at conferences and such
> > and keep a percentage of the profits to use for their projects so that
> > they could then use that money however they saw fit (e.g., hiring a
> > technical writer to write project documentation for instance). But that
> > probably would not make a major impact in funding to a project,
> > especially if all the OWASP projects started doing it.
> >
> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP,
> >> and that's been invaluable.
> >
> > I suppose that starts with a company that has a culture of strongly
> > contributing to FOSS. Most of us do not work for such companies. Most
> > work for companies who extensively rely on such software, but rarely
> > allow their companies to contribute to such things on company time
> > because they don't really see it as contributing directly to their
> > bottom line. (NOTE: I want to make clear that this is strictly my
> > personal opinion based on a [likely] biased observation and in no
> > way represents the official position of either my current nor any
> > of my previous employers. And they didn't even make me say that! :)
> >
> >> But I'd love to be able to employ some of the ZAP contributors to work
> >> full time on ZAP :)
> >> Would OWASP pay for that??
> >
> > Great question and I think you're not the only project that might
> > benefit from that. Although, if that means lobbying for funds by
> > competing against other OWASP projects, then I'm out because I
> > just don't have the stomach for that. It gets bad enough competing
> > for resources at Google Summer of Code and various OWASP code sprints,
> > and I fear if we increased OWASP funding to amounts needed to sustain
> > OWASP projects, it could lead to divisions in OWASP as people aligned
> > themselves with one project or another.
> >
> >> It would require much more 'project management' - the kind of things
> >> that people _think_ OWASP is doing, but it doesn't.
> >> I often see posts from people asking "why the hell is OWASP developing
> >> X".
> >> They seem to think that there's an OWASP committee that meets and goes
> >> "We think we should have project X". Whereas it's actually an individual
> >> coming to OWASP and saying "I'm doing X, could this be an OWASP project?".
> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
> >
> > Well, their perception could also be more of a notion of "why aren't
> > they doing Y instead?" or even "wouldn't it make more sense if it were
> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
> > instead?" And truth be told, I've also asked that question myself, but
> > more because it was like "OWASP already has a project Z that does
> > almost exactly what project X is proposing. Why don't they just join
> > project Z instead of spinning off a similar project?".
> >
> > I think any of those, as well as your conjecture, are possible reasons
> > for them asking that question.
> >
> >> It may surprise people outside of OWASP that I get _no_ direction at all
> >> from OWASP as to how ZAP should move forward.
> >> Note that I'm _really_ not complaining about that ;)
> >
> > Hmmm...well, THAT would explain some things!
> >
> > JK. ;-)
> >
> >> OWASP does not really invest in projects. It does provide some support,
> >> but to be honest not a great deal.
> >> If we decided to invest significant amounts of money in projects then
> >> there would need to be real debate as to what we should invest in.
> >> And I realise that that's difficult, particularly as OWASP is supported
> >> by commercial organisations, and they won't want OWASP investing in projects
> >> that compete with their own offerings.
> >>
> >> There are other things that OWASP could do other than paying developers
> >> directly.
> >> We could spend much more effort encouraging companies to contribute to
> >> OWASP projects, especially by donating engineering effort.
> >> We could help projects with the 'non programming' aspects -
> >> documentation, testing, marketing etc.
> >> We could provide more advice and guidance - I don't want people to
> >> dictate where ZAP should be headed, but I'd love constructive feedback :)
> >
> > Well, being a project lead of a much less successful project, I've
> > thought long and hard about the obstacles that I've faced.
> >
> > Most of that has been around getting people to help with the following
> > types of things:
> >     * Project documentation, most notably overall user manuals and FAQs
> >       and wiki entries.
> >     * Help with maven / pom.xml issues and release management in general
> >     * Assistance with version control, most notably git and GitHub
> >     * Someone willing to be a sounding board for proposed design changes
> >
> > As I've reflected about it, one of the things that I've noted is that
> > many of these are specialities that are cross-cutting across many
> > OWASP projects.
> >
> > I think one way that we might be able to address some of these
> > concerns is to create a Subject Matter Expert list of people who would
> > be willing to volunteer to help out projects by contributing a few
> > hours here or there. For starters, I am more than willing to put my name
> > into the hat and be willing to contribute as an applied cryptography
> > SME for any projects that have crypto related questions or maybe need
> > some crypto code reviewed by a fresh pair of eyes (at least as long as
> > it's written in a programming language I'm familiar with). Of course,
> > the irony of it is that it would likely require a new OWASP project to
> > maintain that OWASP SME list. (Not it! :)
> >
> >> Ok, that's ended up being a pretty rambling email ;)
> >
> > Trust me, I've written more than my share!
> >
> >> I'll end there and see what responses I get :D
> >
> > Here's one. Thanks for listening OWASP!
> >
> > -kevin
> > --
> > Blog: http://off-the-wall-security.blogspot.com/
> > NSA: All your crypto bit are belong to us.
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders