[Owasp-board] Projects

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 9 16:45:30 UTC 2015


> I'm also a big fan of expanding on the "Seasons of Code" so that we can
> pay students and others modest stipends to work on specific tasks for OWASP
> projects. I received significant feedback at how successful this year's
> program was.

Definitely, what we need is a better structure/platform so all projects can
benefit as much as possible from every initiative available.

For this part, to support a Summer of Code, I think we need to build our
own Melange: https://code.google.com/p/soc/wiki/MelangeIntro
It is open source and will give us an infrastructure for student proposals
and for mentors registering in the system.

I think this will be one of my first projects to improve the platform.
We already have a Google Cloud which Dinis acquired. Melange is a Google
App Engine app, so it will be quite easy to integrate and place the code here.



On Wed, Sep 9, 2015 at 12:38 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Johanna,
>
> Excellent. :)
>
> I think it's super important to capture the ideas stated from Simon and
> others about project funding and management at OWASP.  I'm fond of the idea
> of a mentor program and how OWASP can promote projects more. These seem
> pretty high on the "critical things for projects" list.
>
> I'm also a big fan of expanding on the "Seasons of Code" so that we can
> pay students and others modest stipends to work on specific tasks for OWASP
> projects. I received significant feedback at how successful this year's
> program was.
>
> I think it's important to capture all community suggestions about
> projects, even conflicting ideas, so everyone's perspective gets
> represented.
>
> Cool?
>
> Aloha,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>
> On Sep 8, 2015, at 10:52 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> >I think the concerns here are very just. I will be happy to assist in
> forming a proposal to the board as soon as I return. Stating concerns on
> the leaders list is a good place to start but I think it will help if we
> combine and mature these ideas into a more formal proposal. (And it should
> not take long to do so).
>
> Hi Jim,
>
> Glad you joined the discussion :)
>
> Like I mentioned, my objective right now is to help support a platform to
> help OWASP projects develop to the next level.
>
> Based on the survey results I did, in conjunction with the output generated
> in this discussion, I will set up a wiki proposal plan that you and the
> board members can discuss for the allocation of budget for projects.
>
> Also, a place where the project leaders can contribute concrete ideas.
>
> The proposal platform will provide some suggestions on:
>
>    - How to gather grant funds through different initiatives so project
>    leaders have the option to work full time on their projects for a period of
>    time or contract someone to help them with specific tasks
>    - Looking for sponsors
>    - A budget for project promotion (attending conferences when
>    accepted, perks, t-shirts, layout and design)
>    - A training plan to avoid failure as Open Source Project leaders
>
> Cheers
>
> Johanna
>
>
> On Tue, Sep 8, 2015 at 12:37 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Folks,
>>
>> I'm the board liaison for OWASP projects. I am away for two weeks but
>> when I return I will:
>>
>> 1) Gather all of these suggestions (and more) in one document
>> 2) Form a temporary committee to review these and form a proposal to the
>> board
>>
>> This can happen over the course of weeks, not months.
>>
>> I think the concerns here are very just. I will be happy to assist in
>> forming a proposal to the board as soon as I return. Stating concerns on
>> the leaders list is a good place to start but I think it will help if we
>> combine and mature these ideas into a more formal proposal. (And it should
>> not take long to do so).
>>
>> Of course others can drive this immediately if you like, I'm not needed.
>> But I'm very glad to help in two weeks.
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>
>> On Sep 8, 2015, at 12:50 AM, John Patrick Lita <
>> john.patrick.lita at owasp.org> wrote:
>>
>> This is a great conversation. Thanks to Simon for opening this topic.
>>
>> Project:
>>
>> A project is also a very difficult thing to start. Even if you have a great
>> idea, if you don't have a budget, a skillful team, etc., creating a project is
>> virtually impossible, and you need to dedicate much of your time to start a
>> project. In my experience, project development is quite good, "maybe",
>> because we started the project OWASP ACADEMY, www.owaspacademy.com; we
>> are still developing the course materials, we are focusing on introducing all
>> the tools of OWASP, and this is virtually impossible, but the team is still
>> focused on continuing to develop the platform, with or without funding
>> assistance from OWASP.
>>
>> Chapter:
>>
>> Is putting up an OWASP Chapter easy?
>> For me, I think it depends on the situation, the conditions and the economy of
>> the country; for us, we live in a third-world country. If you compare the
>> achievements of the previous Chapter Leader of OWASP Manila, there is a big
>> difference when it comes to the outreach program (
>> https://www.owasp.org/index.php/Manila#Archives ) to increase
>> software security awareness and introduce the Foundation. It's a huge
>> challenge for me and my team to conduct this kind of project, like the
>> "OWASP Software Security Outreach Project".
>>
>> I don't have a car to use for transportation, so I need to travel
>> 3-5 hours just to visit a school, college or university.
>>
>> For example, yesterday we conducted a seminar at CAVITE STATE
>> UNIVERSITY; if you Google the route from Cavite to Antipolo, where I live:
>> I left the house at 4:30 AM and arrived at Cavite University at 9:15 AM.
>> How cool is that? Then I spent money on transportation. When you ride a
>> jeepney here in the Philippines they don't issue a receipt, and the same
>> goes for riding a tricycle, UV Express or bus, which are the main forms of
>> transportation we have here in the Philippines. Then you need to add the
>> "FATAL TRAFFIC".
>>
>> Introducing the Foundation here in our country is not easy, and maybe it
>> depends on how determined the chapter leader is.
>>
>>
>> On Tue, Sep 8, 2015 at 12:30 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >How can we make the corporation more aware of this option?
>>>
>>> I would first like to see a clarification of *where* the money from
>>> corporate memberships that have not made any choice is allocated right now.
>>>
>>> The community fund is USD 60,000 a year, and this is not only for projects
>>> but for everything to do with the community.
>>>
>>> So far, between corporate and individual memberships, there is a total of:
>>>
>>> Corporate memberships (foundation + chapter)   USD 350,000
>>> Individual memberships (foundation + chapter)  USD  90,000
>>> Total =                                        *USD 440,000*
>>>
>>> According to the same sheet, the following corporate memberships have not
>>> been allocated by the sponsors. I would like to know how much of the
>>> USD 350,000 belongs to these unallocated memberships:
>>>
>>>    1. Autodesk, Inc.
>>>    2. Blackhat US
>>>    3. CA Technologies
>>>    4. CDNetworks
>>>    5. ClassDojo
>>>    6. Coverity
>>>    7. eLearn Security
>>>    8. HERE North America, LLC.
>>>    9. Johnson Controls, Inc.
>>>    10. Rapid7
>>>    11. Software Assurance Marketplace (SWAMP)
>>>
>>>
>>> Each of these contributes USD 5,000 (following the corporate categories
>>> as they appear here:
>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters).
>>> 11 of them have not been allocated, which makes USD 55,000.
>>>
>>> Big corporate memberships from 4 companies which do not appear in
>>> that Google sheet have contributed 4 x USD 20,000 = USD 80,000. Where
>>> has this money been allocated?
>>>
>>>    1. Adobe
>>>    2. Qualys
>>>    3. HP
>>>    4. Contrast
>>>
>>>
>>> I would like a clarification of where exactly the money from these
>>> corporate memberships is allocated, which in total (following this
>>> calculation) accumulates to
>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members
>>> have allocated.
>>>
>>> If part of the money goes to the community fund, then 140k - 60k
>>> = USD 80,000 is still open. Where is this money being allocated?
>>>
>>>
>>>
>>>
>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Thanks Johanna, this is _really_ interesting.
>>>> And that's a huge imbalance between the chapters and projects.
>>>> Corporate members can obviously choose where their money goes, but
>>>> maybe they are not aware they can choose projects (and if Eoin didn't know,
>>>> that seems very likely!)
>>>> How can we make the corporations more aware of this option?
>>>> And how else can we redress this imbalance?
>>>>
>>>> Cheers,
>>>>
>>>> Simon
>>>>
>>>>
>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> In 2013 corporate membership represented 33% of total income for OWASP,
>>>>> as opposed to individual membership, which represented only 13% of the
>>>>> total income.
>>>>>
>>>>> In 2015 corporate membership (foundation + chapter) has a total revenue
>>>>> of USD 350,000, as opposed to USD 90,000 from individual memberships
>>>>> (again foundation + chapter), which is quite considerable:
>>>>> OWASP Foundation Budget - 2015
>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>
>>>>> <Screenshot 2015-09-07 08.07.40.png>
>>>>>
>>>>> Basically all memberships are going to 'chapters'.
>>>>>
>>>>> *If more than half of these donations (corporate membership) which I
>>>>> highlighted in green have not been specified for any purpose, then how does
>>>>> the foundation decide into which account that money goes? I would like an
>>>>> answer on this. What I miss here is a breakdown of the amounts and into
>>>>> which budget these are being put.*
>>>>>
>>>>> *It seems that those memberships are going mostly to chapters and some
>>>>> to a few projects (highlighted in yellow) (ZAP + SAMM)*
>>>>>
>>>>>
>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>
>>>>> By the way, I cannot find the financial report for 2014; it seems to be
>>>>> quite behind (since we are almost at the end of 2015).
>>>>>
>>>>> <Screenshot 2015-08-21 10.19.54.png>
>>>>>
>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> One thing about membership donations to projects. Last week, the list
>>>>>> of members was posted to the leaders list for the elections:
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>
>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>> their donation to a project - in this case "mobile". I agree that at the
>>>>>> point of joining many people might select a chapter at that time,
>>>>>> but I am wondering if this is actually accurate? It doesn't feel
>>>>>> correct that less than 0.1% select a project.
>>>>>>
>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>> project. But the membership list still shows the allocation as a
>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>> money.
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>
>>>>>> Is this a fault, and which members and projects have been affected by
>>>>>> this? I wonder if it applies to all project allocation selections, or
>>>>>> only after a change is requested? Why are there so many "blanks" and
>>>>>> "none" in the list of membership, and what's the difference? How long
>>>>>> has it been occurring?
>>>>>>
>>>>>> Colin
>>>>>>
>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>>> wrote:
>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>> > one, when he first posted this on the Board and Governance list, that
>>>>>> > I agreed with him 100%, but I just wanted to add some things.
>>>>>> >
>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>> >> So starting a new one here as I think it's important for us to
>>>>>> >> discuss.
>>>>>> >> For background see:
>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>> >>
>>>>>> >>
>>>>>> >> First of all I'd like to thank Johanna for all the effort she's
>>>>>> >> put into reviewing the projects.
>>>>>> >> It's been a huge and mostly thankless task, and the projects as a
>>>>>> >> whole have really benefited.
>>>>>> >
>>>>>> > Amen to that. And having been involved in one of the projects (ESAPI)
>>>>>> > that was demoted from Flagship to Lab status, I know it's not always
>>>>>> > an easy thing to receive the assessments that she and her team had
>>>>>> > been doing, but we need to be professional about this and not shoot
>>>>>> > the messenger. Certainly when it came to ESAPI, while I was
>>>>>> > disappointed, I pretty much agreed with the project review
>>>>>> > conclusions.
>>>>>> >
>>>>>> >> Secondly, I'd like to wade into the Projects vs Chapters debate :)
>>>>>> >>
>>>>>> >> I have a theory:
>>>>>> >>
>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters are
>>>>>> >> more important _to_them_ than the projects.
>>>>>> >> Chapters are where we meet people, exchange ideas and learn
>>>>>> >> things. They are social events.
>>>>>> >
>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>> > chapter meetings but who are also actively involved with one or more
>>>>>> > OWASP projects.
>>>>>> >
>>>>>> >> People outside OWASP think that the Projects are more important
>>>>>> >> _to_them_ than the Chapters.
>>>>>> >> They don't go to chapter meetings, they might not even be aware of
>>>>>> >> them.
>>>>>> >> They use, or at least are aware of, the main OWASP projects,
>>>>>> >> mostly the Flagship ones.
>>>>>> >>
>>>>>> >> Anyone agree or disagree?
>>>>>> >
>>>>>> > I think your analysis is pretty much spot on, with few exceptions
>>>>>> > like the edge case I mentioned above.
>>>>>> >
>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>>>>>> >>
>>>>>> >> I think Chapters and Projects are fundamentally different
>>>>>> >> 'beasts', and I've started and run both :)
>>>>>> >>
>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>> >> You need to be based in a city with a thriving security and/or
>>>>>> >> software industry.
>>>>>> >> You need to spend time organising and publicising events, but it's
>>>>>> >> not hard - you don't need specialized skills.
>>>>>> >> It's relatively easy to find people prepared to speak, arrange
>>>>>> >> rooms and help with other organisational things.
>>>>>> >> It's something you can do in your spare time.
>>>>>> >
>>>>>> > One thing I'll add here. The fact that people can use their time
>>>>>> > spent attending OWASP chapter meetings as CPEs toward some security
>>>>>> > certification is also a big draw, I think. In the past, we've even
>>>>>> > attracted quite a few non-OWASP members because of this, or at least
>>>>>> > that appeared to be their primary motivation, as some of them would
>>>>>> > ask our chapter leads to provide evidence of attendance for
>>>>>> > their CPEs and we'd then discover that some of them were not OWASP
>>>>>> > members (not that we made a big deal about that).
>>>>>> >
>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>> >
>>>>>> >> Projects are much harder.
>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>> >> I'll focus on software projects (as I know much more about those)
>>>>>> >> but I have no doubt documentation projects can be just as difficult.
>>>>>> >> A professional software project is the result of the hard work of
>>>>>> >> managers, designers, developers, QA, support, technical authors,
>>>>>> >> sales and marketing (and probably others I've forgotten;).
>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up when
>>>>>> >> you 'sunset' the project.
>>>>>> >> Ok, so (non commercial) open source projects don't need sales
>>>>>> >> staff, but they do need people doing all of the other roles. It's
>>>>>> >> definitely _not_ just programming!
>>>>>> >
>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>> >
>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>> > example, long ago I noticed that people seem to ask more questions
>>>>>> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users
>>>>>> > or ESAPI-Dev mailing lists. I suspect that there are other forums
>>>>>> > elsewhere where these things get discussed.
>>>>>> >
>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>> >> Luckily we have the open source community, but that means a
>>>>>> >> project leader needs another skill: community building!
>>>>>> >
>>>>>> > Indeed, that's one where I feel that I've failed miserably. I'm not
>>>>>> > particularly a people person, nor do I have a lot of contacts beyond
>>>>>> > the immediate colleagues that I work with, so when the current
>>>>>> > volunteer pool dries up and stops contributing, the project tends to
>>>>>> > die because of (at least in my case) the inability to find new
>>>>>> > volunteers to help carry the project forward.
>>>>>> >
>>>>>> >> And to be honest most volunteers are developers (and security
>>>>>> >> people for OWASP projects); it's very rare for people with other
>>>>>> >> skills to get involved.
>>>>>> >
>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>> > sometimes in our industry in that there's an unspoken perception of
>>>>>> > a pecking order within the security community, so that some of these
>>>>>> > very important roles are greatly devalued (e.g., those who write
>>>>>> > documentation or manage releases or do QA testing or provide project
>>>>>> > management or other infrastructure support). And while we generally
>>>>>> > don't come right out and express it, I think it's there, and those
>>>>>> > who might otherwise step up and fill those roles avoid the security
>>>>>> > community for some other FOSS projects because they feel
>>>>>> > under-appreciated.
>>>>>> >
>>>>>> >> I don't think it's something you can do in your spare time, at least
>>>>>> >> for long (I did for a while, and my wife described herself as a "ZAP
>>>>>> >> widow";)
>>>>>> >
>>>>>> > :D
>>>>>> >
>>>>>> >> So Chapters are relatively easy to maintain, projects _much_
>>>>>> >> harder.
>>>>>> >
>>>>>> > Making free pizza and beer available at chapter meetings doesn't
>>>>>> > hurt!  :)
>>>>>> >
>>>>>> > We've also tried holding mini-hackathons at our local OWASP meetings
>>>>>> > maybe once a year. It was interesting, but I can't say it was a
>>>>>> > resounding success, because many there did not know the programming
>>>>>> > language the project was written in and it took us an undue amount
>>>>>> > of time just to get to the point where people got their IDE of choice
>>>>>> > configured to pull the project from GitHub. Also, probably about 1/2
>>>>>> > of the regular attendees don't really program to any great extent at
>>>>>> > all but rather consider themselves more pen testers, so holding
>>>>>> > these mini-hackathons effectively leaves out almost half of our
>>>>>> > regular attendees, so that's not going to be something that works as
>>>>>> > a long term strategy.
>>>>>> >
>>>>>> >> I suspect OWASP as an organisation supports Chapters more
>>>>>> >> effectively, but even if it supports both equally Projects don't get
>>>>>> >> as much support as they need.
>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a
>>>>>> >> whole) diminishing.
>>>>>> >> If I'm right and people outside OWASP see the Projects as more
>>>>>> >> important than the Chapters then this leads to the impression that
>>>>>> >> OWASP is struggling.
>>>>>> >>
>>>>>> >> What do projects need?
>>>>>> >> I don't think it's possible to maintain a 'significant' open source
>>>>>> >> project unless you are able to spend the majority of your working
>>>>>> >> day on it.
>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>> >> This is a significant investment for a company, and it's often
>>>>>> >> difficult to justify this sort of investment. Especially if it's
>>>>>> >> difficult to monetise OWASP projects.
>>>>>> >
>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>> > previous company, I tried to convince my management to allocate
>>>>>> > about eight hours a week from our entire team to contribute to ESAPI
>>>>>> > bug fixing. It seemed a logical extension of our internal proprietary
>>>>>> > security components class library, which was not nearly as complete.
>>>>>> > I was unable to convince my management and shortly afterwards, I
>>>>>> > left that team (for unrelated reasons) and started working with a
>>>>>> > team that had security experience that wouldn't easily translate to
>>>>>> > ESAPI needs.  In fact, my experience was worse than that. None of my
>>>>>> > colleagues ever decided to help out individually either. Not a big
>>>>>> > deal; maybe it just wasn't their cup of tea or they had other
>>>>>> > passions that they wanted to contribute to. But gathering recruits
>>>>>> > willing to participate clearly takes skills and contacts that I
>>>>>> > apparently do not possess in sufficient quantities. (Sometimes I
>>>>>> > feel like I'm trying to sell screen doors for submarines. Sigh.)
>>>>>> >
>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>> > project really needs someone willing to fulfill the project
>>>>>> > evangelist role to keep looking for new contributors. One
>>>>>> > reason (at least it's been my experience) is that KEEPING volunteers
>>>>>> > for extended periods is even harder, and by and large, I think if
>>>>>> > we looked at the historical data of contributors across all OWASP
>>>>>> > projects (say, based on commit history), the data would bear
>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>> > is experienced by many FOSS projects.
>>>>>> >
>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>> >> I think that's what it would take to build a thriving set of
>>>>>> >> Projects.
>>>>>> >> Is that something that could be done?
>>>>>> >
>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>> > I'd rather not see it become necessary, as I really don't want OWASP
>>>>>> > to turn into a political organization where the project leaders are
>>>>>> > forced to lobby for funding, and I fear that's what would happen. I
>>>>>> > think also it would stifle innovation because new incubator projects
>>>>>> > would likely all dry up (unless a certain amount of funds were
>>>>>> > pre-allocated to them) as they likely couldn't compete against more
>>>>>> > established projects.
>>>>>> >
>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>> > somehow sell their own project-related schwag at conferences and
>>>>>> > such and keep a percentage of the profits to use for their projects,
>>>>>> > so that they could then use that money however they saw fit (e.g.,
>>>>>> > hiring a technical writer to write project documentation, for
>>>>>> > instance). But that probably would not make a major impact in funding
>>>>>> > to a project, especially if all the OWASP projects started doing it.
>>>>>> >
>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on
>>>>>> >> ZAP, and that's been invaluable.
>>>>>> >
>>>>>> > I suppose that starts with a company that has a culture of strongly
>>>>>> > contributing to FOSS. Most of us do not work for such companies.
>>>>>> > Most work for companies who extensively rely on such software, but
>>>>>> > rarely allow their employees to contribute to such things on company
>>>>>> > time because they don't really see it as contributing directly to
>>>>>> > their bottom line. (NOTE: I want to make clear that this is strictly
>>>>>> > my personal opinion based on a [likely] biased observation and in no
>>>>>> > way represents the official position of either my current or any
>>>>>> > of my previous employers. And they didn't even make me say that! :)
>>>>>> >
>>>>>> >> But I'd love to be able to employ some of the ZAP contributors to
>>>>>> >> work full time on ZAP :)
>>>>>> >> Would OWASP pay for that??
>>>>>> >
>>>>>> > Great question, and I think yours is not the only project that might
>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>> > for resources at Google Summer of Code and various OWASP code
>>>>>> > sprints, and I fear if we increased OWASP funding to amounts needed
>>>>>> > to sustain OWASP projects, it could lead to divisions in OWASP as
>>>>>> > people aligned themselves with one project or another.
>>>>>> >
>>>>>> >> It would require much more 'project management' - the kind of
>>>>>> >> things that people _think_ OWASP is doing, but it doesn't.
>>>>>> >> I often see posts from people asking "why the hell is OWASP
>>>>>> >> developing X".
>>>>>> >> They seem to think that there's an OWASP committee that meets and
>>>>>> >> goes "We think we should have project X". Whereas it's actually an
>>>>>> >> individual coming to OWASP and saying "I'm doing X, could this be an
>>>>>> >> OWASP project?".
>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>> >
>>>>>> > Well, their perception could also be more of a notion of "why aren't
>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if it
>>>>>> > were a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>}
>>>>>> > project instead?" And truth be told, I've also asked that question
>>>>>> > myself, but more because it was like "OWASP already has a project Z
>>>>>> > that does almost exactly what project X is proposing. Why don't they
>>>>>> > just join project Z instead of spinning off a similar project?".
>>>>>> >
>>>>>> > I think any of those, as well as your conjecture, are possible
>>>>>> > reasons for them asking that question.
>>>>>> >
>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction
>>>>>> >> at all from OWASP as to how ZAP should move forward.
>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>> >
>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>> >
>>>>>> > JK. ;-)
>>>>>> >
>>>>>> >> OWASP does not really invest in projects. It does provide some
>>>>>> >> support, but to be honest not a great deal.
>>>>>> >> If we decided to invest significant amounts of money in projects
>>>>>> >> then there would need to be real debate as to what we should invest
>>>>>> >> in.
>>>>>> >> And I realise that that's difficult, particularly as OWASP is
>>>>>> >> supported by commercial organisations, and they won't want OWASP
>>>>>> >> investing in projects that compete with their own offerings.
>>>>>> >>
>>>>>> >> There are other things that OWASP could do other than paying
>>>>>> >> developers directly.
>>>>>> >> We could spend much more effort encouraging companies to
>>>>>> >> contribute to OWASP projects, especially by donating engineering
>>>>>> >> effort.
>>>>>> >> We could help projects with the 'non programming' aspects -
>>>>>> >> documentation, testing, marketing etc.
>>>>>> >> We could provide more advice and guidance - I don't want people to
>>>>>> >> dictate where ZAP should be headed, but I'd love constructive
>>>>>> >> feedback :)
>>>>>> >
>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>> >
>>>>>> > Most of that has been around getting people to help with the
>>>>>> > following types of things:
>>>>>> >     * Project documentation, most notably overall user manuals and
>>>>>> >       FAQs and wiki entries.
>>>>>> >     * Help with maven / pom.xml issues and release management in
>>>>>> >       general
>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>> >     * Someone willing to be a sounding board for proposed design
>>>>>> >       changes
>>>>>> >
>>>>>> > As I've reflected about it, one of the things that I've noted is
>>>>>> > that many of these are specialities that are cross-cutting across
>>>>>> > many OWASP projects.
>>>>>> >
>>>>>> > I think one way that we might be able to address some of these
>>>>>> > concerns is to create a Subject Matter Expert list of people who
>>>>>> > would be willing to volunteer to help out projects by contributing a
>>>>>> > few hours here or there. For starters, I am more than willing to put
>>>>>> > my name into the hat and be willing to contribute as an applied
>>>>>> > cryptography SME for any projects that have crypto related questions
>>>>>> > or maybe need some crypto code reviewed by a fresh pair of eyes (at
>>>>>> > least as long as it's written in a programming language I'm familiar
>>>>>> > with). Of course, the irony of it is that this likely would require
>>>>>> > a new OWASP project to maintain that OWASP SME list. (Not it! :)
>>>>>> >
>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>> >
>>>>>> > Trust me, I've written more than my share!
>>>>>> >
>>>>>> >> I'll end there and see what responses I get :D
>>>>>> >
>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>> >
>>>>>> > -kevin
>>>>>> > --
>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>> > _______________________________________________
>>>>>> > OWASP-Leaders mailing list
>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Best Regards
>> John Patrick Lita
>> *Chapter Leader OWASP Manila*
>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>> https://www.owasp.org/index.php/Manila
>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>
>>
>>
>