[Owasp-board] [Owasp-leaders] Projects Vs Chapters

Eoin Keary eoin.keary at owasp.org
Mon Sep 7 12:56:28 UTC 2015


I'd like our corporate membership % to go towards Security Shepherd; I was not aware this was possible.

Eoin.


Eoin Keary
OWASP Volunteer
@eoinkeary



> On 7 Sep 2015, at 13:14, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> In 2013 corporate membership represented 33% of total income for OWASP, as opposed to individual membership, which represented only 13% of the total income.
> 
> In 2015 corporate membership (foundation + chapter) has a total revenue of USD 350,000, as opposed to USD 90,000 from individual memberships (again foundation + chapter), which is quite considerable:
> OWASP Foundation Budget - 2015
>  
> <Screenshot 2015-09-07 08.07.40.png>
> 
> Basically all memberships are going to 'chapters'
> 
> If more than half of these donations (corporate membership), which I highlighted in green, have not been specified for any purpose, then how does the foundation decide into which account that money goes? I would like an answer on this. What I miss here is a breakdown of the amounts and into which budget these are being set.
> 
> It seems that those memberships are going mostly to chapters and some to certain projects (highlighted in yellow) (ZAP + SAMM)
> 
> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
> 
> Btw I cannot find the financial report of 2014; it seems it is quite behind (since we are almost at the end of 2015)
> 
> 
> 
>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:
>> One thing about membership donations to projects. Last week, the list
>> of members was posted to the leaders list for the elections:
>> 
>>    https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>> 
>> It shows that out of 2336 individual members only 2 have allocated
>> their donation to a project - in this case "mobile". I agree that at the
>> point of joining many people might select a chapter at that time,
>> but I am wondering if this is actually accurate? It doesn't feel
>> correct that less than 0.1% select a project.
>> 
>> Last time I renewed, I changed my allocation from a chapter to a
>> project. But the membership list still shows the allocation as a
>> chapter, and the chosen project didn't receive any of my membership
>> money.
>> 
>>     https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>> 
>> Is this a fault, and which members and projects have been affected by
>> this? I wonder if it applies to all project allocation selections, or
>> only after a change is requested? Why are there so many "blanks" and
>> "none" in the list of membership, and what's the difference? How long
>> has it been occurring?
>> 
>> Colin
>> 
>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> > Jumping in late to this thread. I already told Simon from day
>> > one, when he first posted this on the Board and Governance list that
>> > I agreed with him 100%, but I just wanted to add some things.
>> >
>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>> >> Didn't realise this thread wasn't on the leaders list ;)
>> >> So starting a new one here as I think it's important for us to discuss.
>> >> For background see:
>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>> >> This is a copy of the email I sent to that thread..
>> >>
>> >>
>> >> First of all I'd like to thank Johanna for all the effort she's put into
>> >> reviewing the projects.
>> >> It's been a huge and mostly thankless task, and the projects as a whole have
>> >> really benefited.
>> >
>> > Amen to that. And having been involved in one of the projects (ESAPI)
>> > that was demoted from Flagship to Lab status, I know it's not always
>> > an easy thing to receive the assessments that she and her team had
>> > been doing, but we need to be professional about this and not shoot
>> > the messenger. Certainly when it came to ESAPI, while I was
>> > disappointed, I pretty much agreed with the project review
>> > conclusions.
>> >
>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>> >>
>> >> I have a theory:
>> >>
>> >> People who are 'part' of OWASP tend to think that the Chapters are more
>> >> important _to_them_ than the projects.
>> >> Chapters are where we meet people, exchange ideas and learn things. They are
>> >> social events.
>> >
>> > The exception might be for those of us who attend our local OWASP
>> > chapter meetings but who are also actively involved with one or more
>> > OWASP projects.
>> >
>> >> People outside OWASP think that the Projects are more important _to_them_
>> >> than the Chapters.
>> >> They don't go to chapter meetings, they might not even be aware of them.
>> >> They use, or at least are aware of, the main OWASP projects, mostly the
>> >> Flagship ones.
>> >>
>> >> Anyone agree or disagree?
>> >
>> > I think your analysis is pretty much spot on with a few exceptions
>> > like the edge case I mentioned above.
>> >
>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>> >>
>> >> I think Chapters and Projects are fundamentally different 'beasts', and I've
>> >> started and run both :)
>> >>
>> >> Chapters are relatively easy to start and maintain.
>> >> You need to be based in a city with a thriving security and/or software
>> >> industry.
>> >> You need to spend time organising and publicising events, but it's not hard -
>> >> you don't need specialized skills.
>> >> It's relatively easy to find people prepared to speak, arrange rooms and help
>> >> with other organisational things.
>> >> It's something you can do in your spare time.
>> >
>> > One thing I'll add here. The fact that people can use their time spent
>> > attending OWASP chapter meetings as CPEs toward some security
>> > certification is also a big draw I think. In the past, we've even
>> > attracted quite a few non-OWASP members because of this, or at least
>> > that appeared to be their primary motivation as some of them would ask
>> > our chapter leads to provide evidence of attendance for
>> > their CPEs and we'd then discover that some of them were not OWASP
>> > members (not that we made a big deal about that).
>> >
>> > While it's true that one can earn CPEs working on projects, the
>> > evidence bar seems to be a bit higher and a lot harder to measure.
>> >
>> >> Projects are much harder.
>> >> They are relatively easy to start - you 'just' need a good idea.
>> >> They are _really_ hard to bring to fruition and maintain.
>> >> I'll focus on software projects (as I know much more about those) but I have
>> >> no doubt documentation projects can be just as difficult.
>> >> A professional software project is the result of the hard work of managers,
>> >> designers, developers, QA, support, technical authors, sales and marketing
>> >> (and probably others I've forgotten;).
>> >> It's a huge amount of effort, and is ongoing - it only lets up when you
>> >> 'sunset' the project.
>> >> Ok, so (non commercial) open source projects don't need sales staff, but they
>> >> do need people doing all of the other roles. It's definitely _not_ just
>> >> programming!
>> >
>> > If anything, usually people are not that keen on doing those other
>> > needed roles, such as project documentation, QA, buildmeister, etc.
>> >
>> > Also, the more successful a project becomes (i.e., as measured in
>> > terms of the number of users) the harder it is to maintain. For
>> > example, long ago I noticed that people seem to ask more questions
>> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users or
>> > ESAPI-Dev mailing lists. I suspect that there are other forums
>> > elsewhere that these things get discussed.
>> >
>> >> It's way too much for one person (for a non trivial project).
>> >> Luckily we have the open source community, but that means a project leader
>> >> needs another skill: community building!
>> >
>> > Indeed that's one where I feel that I've failed miserably. I'm not
>> > particularly a people person nor do I have a lot of contacts beyond
>> > the immediate colleagues that I work with, so when the current
>> > volunteer pool dries up and stops contributing, the project tends to
>> > die because of (at least in my case) the inability to find new
>> > volunteers to help carry the project forward.
>> >
>> >> And to be honest most volunteers are developers (and security people for
>> >> OWASP projects), it's very rare for people with other skills to get involved.
>> >
>> > 100% agree. Also, I personally think that we do a disservice
>> > sometimes in our industry in that there's an unspoken perception of a
>> > pecking order within the security community so that some of these very
>> > important roles are greatly devalued (e.g., those who write
>> > documentation or manage releases or do QA testing or provide project
>> > management or other infrastructure support). And while we generally
>> > don't come right out and express it, I think it's there and those who
>> > might otherwise step up and fill those roles avoid the security
>> > community for some other FOSS projects because they feel under-appreciated.
>> >
>> >> I don't think it's something you can do in your spare time, at least for long
>> >> (I did for a while, and my wife described herself as a "ZAP widow";)
>> >
>> > :D
>> >
>> >> So Chapters are relatively easy to maintain, projects _much_ harder.
>> >
>> > Making free pizza and beer available at chapter meetings doesn't hurt!  :)
>> >
>> > We've also tried holding mini-hackathons at our local OWASP meetings
>> > maybe once a year. It was interesting, but I can't say it was a
>> > resounding success, because many there did not know the programming
>> > language the project was written in and it took us an undue amount of
>> > time just to get to the point where people got their IDE of choice
>> > configured to pull the project from GitHub. Also probably about 1/2
>> > of the regular attenders don't really program to any great extent at
>> > all but rather consider themselves more as pen testers, so holding
>> > these mini-hackathons effectively leaves out almost half of our
>> > regular attendees so that's not going to be something that works as a
>> > long term strategy.
>> >
>> >> I suspect OWASP as an organisation supports Chapters more effectively, but
>> >> even if it supports both equally Projects don't get as much support as they
>> >> need.
>> >> I think OWASP Chapters are thriving and the Projects are (as a whole)
>> >> diminishing.
>> >> If I'm right and people outside OWASP see the Projects as more important
>> >> than the Chapters then this leads to the impression that OWASP is
>> >> struggling.
>> >>
>> >> What do projects need?
>> >> I don't think it's possible to maintain a 'significant' open source project
>> >> unless you are able to spend the majority of your working day on it.
>> >> This means projects really have to be sponsored by someone.
>> >> This is a significant investment for a company, and it's often difficult to
>> >> justify this sort of investment. Especially if it's difficult to monetise
>> >> OWASP projects.
>> >
>> > Indeed, back in the day when I was still on an AppSec team for a
>> > previous company, I tried to convince my management to allocate about
>> > eight hours a week from our entire team to contribute to ESAPI bug
>> > fixing. It seemed a logical extension of our internal proprietary
>> > security components class library which was not nearly as complete.
>> > I was unable to convince my management and shortly afterwards, I
>> > left that team (for unrelated reasons) and started working with a
>> > team that had security experience that wouldn't easily translate to
>> > ESAPI needs.  In fact, my experience was worse than that. None of my
>> > colleagues ever decided to help out individually either. Not a big
>> > deal; maybe it just wasn't their cup of tea or they had other
>> > passions that they wanted to contribute to. But gathering recruits
>> > willing to participate clearly takes skills and contacts that I
>> > apparently do not possess in sufficient quantities. (Sometimes I
>> > feel like I'm trying to sell screen doors for submarines. Sigh.)
>> >
>> > All I'm saying is that getting volunteers is hard. Each sizeable
>> > project really needs someone willing to fulfill the project
>> > evangelist role to keep looking for new contributors. One
>> > reason (at least it's been my experience) is that KEEPING volunteers
>> > for extended periods is even harder and by and large, I think if
>> > we looked at the historical data of contributors across all OWASP
>> > projects (say, based on commit history), that the data would bear
>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>> > is experienced by many FOSS projects.
>> >
>> >> Does OWASP want to sponsor projects directly?
>> >> I think that's what it would take to build a thriving set of Projects.
>> >> Is that something that could be done?
>> >
>> > _COULD_ it be done? Yes. Should it be done is another matter.
>> > I'd rather not see it become necessary as I really don't want OWASP
>> > to turn into a political organization where the project leaders are
>> > forced to lobby for funding, and I fear that's what would happen. I
>> > think also it would stifle innovation because new incubator projects
>> > would likely all dry up (unless a certain amount of funds were
>> > pre-allocated to them) as they likely couldn't compete against more
>> > established projects.
>> >
>> > I had thought of proposing allowing individual OWASP projects to
>> > somehow sell their own project-related schwag at conferences and such
>> > and keep a percentage of the profits to use for their projects so that
>> > they could then use that money however they saw fit (e.g., hiring a
>> > technical writer to write project documentation for instance). But that
>> > probably would not make a major impact in funding to a project,
>> > especially if all the OWASP projects started doing it.
>> >
>> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
>> >> that's been invaluable.
>> >
>> > I suppose that starts with a company that has a culture of strongly
>> > contributing to FOSS. Most of us do not work for such companies. Most
>> > work for companies who extensively rely on such software, but rarely
>> > allow their companies to contribute to such things on company time
>> > because they don't really see it as contributing directly to their
>> > bottom line. (NOTE: I want to make clear that this is strictly my
>> > personal opinion based on a [likely] biased observation and in no
>> > way represents the official position of either my current nor any
>> > of my previous employers. And they didn't even make me say that! :)
>> >
>> >> But I'd love to be able to employ some of the ZAP contributors to work full
>> >> time on ZAP :)
>> >> Would OWASP pay for that??
>> >
>> > Great question and I think you're not the only project that might
>> > benefit from that. Although, if that means lobbying for funds by
>> > competing against other OWASP projects, then I'm out because I
>> > just don't have the stomach for that. It gets bad enough competing
>> > for resources at Google Summer of Code and various OWASP code sprints,
>> > and I fear if we increased OWASP funding to amounts needed to sustain
>> > OWASP projects, it could lead to divisions in OWASP as people aligned
>> > themselves with one project or another.
>> >
>> >> It would require much more 'project management' - the kind of things that
>> >> people _think_ OWASP is doing, but it doesn't.
>> >> I often see posts from people asking "why the hell is OWASP developing X".
>> >> They seem to think that there's an OWASP committee that meets and goes "We
>> >> think we should have project X". Whereas it's actually an individual coming
>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>> >
>> > Well, their perception could also be more of a notion of "why aren't
>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>> > instead?" And truth be told, I've also asked that question myself, but
>> > more because it was like "OWASP already has a project Z that does
>> > almost exactly what project X is proposing. Why don't they just join
>> > project Z instead of spinning off a similar project?".
>> >
>> > I think any of those, as well as your conjecture, are possible reasons
>> > for them asking that question.
>> >
>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>> >> from OWASP as to how ZAP should move forward.
>> >> note that I'm _really_ not complaining about that ;)
>> >
>> > Hmmm...well, THAT would explain some things!
>> >
>> > JK. ;-)
>> >
>> >> OWASP does not really invest in projects. It does provide some support, but
>> >> to be honest not a great deal.
>> >> If we decided to invest significant amounts of money in projects then there
>> >> would need to be real debate as to what we should invest in.
>> >> And I realise that that's difficult, particularly as OWASP is supported by
>> >> commercial organisations, and they won't want OWASP investing in projects
>> >> that compete with their own offerings.
>> >>
>> >> There are other things that OWASP could do other than paying developers
>> >> directly.
>> >> We could spend much more effort encouraging companies to contribute to OWASP
>> >> projects, especially by donating engineering effort.
>> >> We could help projects with the 'non programming' aspects - documentation,
>> >> testing, marketing etc.
>> >> We could provide more advice and guidance - I don't want people to dictate
>> >> where ZAP should be headed, but I'd love constructive feedback :)
>> >
>> > Well, being a project lead of a much less successful project, I've
>> > thought long and hard about the obstacles that I've faced.
>> >
>> > Most of that has been around getting people to help with the following
>> > types of things:
>> >     * Project documentation, most notably overall user manuals and FAQs
>> >       and wiki entries.
>> >     * Help with maven / pom.xml issues and release management in general
>> >     * Assistance with version control, most notably git and GitHub
>> >     * Someone willing to be a sounding board for proposed design changes
>> >
>> > As I've reflected about it, one of the things that I've noted is that
>> > many of these are specialities that are cross-cutting across many
>> > OWASP projects.
>> >
>> > I think one way that we might be able to address some of these
>> > concerns is to create a Subject Matter Expert list of people who would
>> > be willing to volunteer to help out projects by contributing a few
>> > hours here or there. For starters, I am more than willing to put my name
>> > into the hat and be willing to contribute as an applied cryptography
>> > SME for any projects that have crypto related questions or maybe need
>> > some crypto code reviewed by a fresh pair of eyes (at least as long as
>> > it's written in a programming language I'm familiar with). Of course,
>> > the irony of it is that it likely would require a new OWASP project to
>> > maintain that OWASP SME list. (Not it! :)
>> >
>> >> Ok, that's ended up being a pretty rambling email ;)
>> >
>> > Trust me, I've written more than my share!
>> >
>> >> I'll end there and see what responses I get :D
>> >
>> > Here's one. Thanks for listening OWASP!
>> >
>> > -kevin
>> > --
>> > Blog: http://off-the-wall-security.blogspot.com/
>> > NSA: All your crypto bit are belong to us.
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board