[Owasp-board] [Owasp-leaders] Projects Vs Chapters

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 14 17:22:57 UTC 2015


For reference, the 2015 budget shows OWASP at a loss of around $105k for
the year.  Not an issue given the funds currently in reserves, but we did
budget to spend more than we brought in so there's not a ton of room to
work with there unless we add revenue or eliminate expenses.

Agree, I also noticed this. The activities I'm proposing won't be that high
cost, especially compared to the actual costs of setting up events, but I think
a strategy where project leaders can proactively generate funds for their
own project is a step towards developing them better.


On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> The Board should be reviewing the budget for 2016 in the next few months
> so it is an excellent time to make such a proposal.  We just need to know
> what kinds of activities we are looking at and how much we need to make
> them happen.  We can then look at anticipated revenue vs expenses in order
> to determine if there is room in the budget to make it happen.  For
> reference, the 2015 budget shows OWASP at a loss of around $105k for the
> year.  Not an issue given the funds currently in reserves, but we did
> budget to spend more than we brought in so there's not a ton of room to
> work with there unless we add revenue or eliminate expenses.
>
> ~josh
>
> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Josh
>>
>> I have taken the work to extract from the budget of 2015 where the
>> major OWASP costs are:
>> Total revenue projected for 2015 is USD 2,540,667.00
>>
>> From this:
>>
>> Cost Salaries and Contractors 2015
>>
>>   OWASP Employees salaries                    342,237.82
>>   Bonus and commission                         38,600.00
>>   Contractors & Professional services:
>>     Virtual fin fee                            32,000.00
>>     Accounting KPMG                             4,000.00
>>     Int Accounting KPMG EU                      9,000.00
>>     Qtrly VAT by Country                       14,489.00
>>     Virtual Executive Director/HR Contractor    8,700.00
>>     Virtual - HR Hosting & fees                12,000.00
>>     IT Admin                                   10,000.00
>>     Legal Contractor                            7,200.00
>>     Graphic Designer                            7,200.00
>>     Events Manager                             72,000.00
>>   Total                                       557,426.82
>>   Percentage from total revenue                   21.94%
>>
>> Cost Conferences 2015 (in USD Dollars)
>>
>>   APPSEC US                                  $935,557.00
>>   APPSEC EU                                  $241,510.00
>>   APPSEC ASIA                                 $25,000.00
>>   APPSEC LATAM                                      7500
>>   Local & Regional Events                    $115,000.00
>>   Total in events                          $1,209,567.00
>>   Percentage from revenue                         47.61%
>>
>> As I can see there are many expenses involved in operations and creating
>> events. (That will sum up to around 70% of the OWASP expenses.)
>>
>> >In response to Paul:
>> For 2016 planning, I'm encouraged by all the interest demonstrated by
>> these emails, as we adjust our 2016 Budget to reflect the community
>> priorities.
>>
>> I would like to propose some fixed budget for certain activities. I
>> believe Claudia was also busy with that part for the Project summits, but
>> also for helping to promote projects and training for leaders.
>>
>> regards
>>
>> Johanna
>>
>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>
>>> Johanna,
>>>
>>> I was really hoping that Fabio, as current Treasurer, would wade into
>>> this conversation, but since he hasn't I will as Treasurer last year.
>>>
>>> The short answer to your questions is that OWASP receives money from
>>> many different sources.  Conferences, grants, donations, and yes,
>>> membership.  OWASP also has many expenses that aren't solely covered by
>>> "project expenses" or "chapter expenses".  Money that isn't pre-allocated
>>> to something specific like that ends up in the OWASP funds pool and gets
>>> budgeted to be used for other expenses.  Our paid staff is probably the top
>>> expense where that is concerned, but there are many other things that OWASP
>>> spends money on as well.  The OWASP budget should be publicly available and
>>> I know that the OWASP staff is currently working on the 2014 report which
>>> should be released any day now.
>>>
>>> ~josh
>>>
>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >How can we make the corporation more aware of this option?
>>>>
>>>> I would like to see first a clarification on *where* the money from
>>>> corporate memberships that have not made any choices is allocated
>>>> right now.
>>>>
>>>> Community funds are USD 60,000 a year and this is not only for projects
>>>> but everything to do with the community.
>>>>
>>>> So far there is in memberships, between corporate and individual
>>>> memberships, a total of:
>>>>
>>>>   Corporate memberships (foundation + chapter)   USD 350,000
>>>>   Individual membership (foundation + chapter)   USD  90,000
>>>>   Total                                          USD 440,000
>>>>
>>>> Following the same sheet, the following corporate memberships have not
>>>> been allocated by the sponsors. I would like to know how much money of the
>>>> USD 350,000 belongs to these unallocated:
>>>>
>>>>    1. Autodesk, Inc.
>>>>    2. Blackhat US
>>>>    3. CA Technologies
>>>>    4. CDNetworks
>>>>    5. ClassDojo
>>>>    6. Coverity
>>>>    7. eLearn Security
>>>>    8. HERE North America, LLC.
>>>>    9. Johnson Controls, Inc.
>>>>    10. Rapid7
>>>>    11. Software Assurance Marketplace (SWAMP)
>>>>
>>>>
>>>> Each of these contributes USD 5000 (following the corporate categories
>>>> as they appear here:
>>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters).
>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>>
>>>> Big corporate memberships from 4 companies which do not appear in
>>>> that Google sheet have contributed 4 x USD 20,000 = USD 80,000.
>>>> Where has this money been allocated?
>>>>
>>>>    1. Adobe
>>>>    2. Qualys
>>>>    3. HP
>>>>    4. Contrast
>>>>
>>>>
>>>> I would like a clarification of where exactly the money from these
>>>> corporate memberships is allocated, which in total (following this
>>>> calculation) accumulates to
>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members
>>>> have allocated.
>>>>
>>>> If it seems that part of the money goes to the community fund, then
>>>> 140k - 60k = USD 80,000 is still open. Where is this money being
>>>> allocated to?
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> Thanks Johanna, this is _really_ interesting.
>>>>> And that's a huge imbalance between the chapters and projects.
>>>>> Corporate members can obviously choose where their money goes, but
>>>>> maybe they are not aware they can choose projects (and if Eoin didn't know,
>>>>> that seems very likely!)
>>>>> How can we make the corporation more aware of this option?
>>>>> And how else can we redress this imbalance?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Simon
>>>>>
>>>>>
>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> In 2013 corporate membership represented 33% of total income for
>>>>>> OWASP, as opposed to individual membership which represented only 13%
>>>>>> of the total income.
>>>>>>
>>>>>> In 2015 corporate membership (foundation + chapter) has a total revenue
>>>>>> of USD 350,000, as opposed to USD 90,000 from individual memberships
>>>>>> (again foundation + chapter), which is quite considerate:
>>>>>> OWASP Foundation Budget - 2015
>>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>>
>>>>>>
>>>>>> Basically all memberships are going to 'chapters'
>>>>>>
>>>>>> *If more than half of these donations (corporate membership) which I
>>>>>> highlighted in green have not been specified for any purpose, then how does
>>>>>> the foundation decide into which account that money goes? I would like an
>>>>>> answer on this. What I miss here is a breakdown of the amount and into
>>>>>> which budget these are being set.*
>>>>>>
>>>>>> *It seems that those memberships are going mostly to chapters and
>>>>>> some to some projects (highlighted in yellow) (ZAP + SAMM)*
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>
>>>>>> Btw I cannot find the financial report of 2014; it seems it is quite
>>>>>> behind (since we are almost at the end of 2015).
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> One thing about membership donations to projects. Last week, the list
>>>>>>> of members was posted to the leaders list for the elections:
>>>>>>>
>>>>>>>
>>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>
>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>> their donation to a project - in this case "mobile". I agree that at
>>>>>>> the point of joining many people might select a chapter at that
>>>>>>> time, but I am wondering if this is actually accurate? It doesn't
>>>>>>> feel correct that less than 0.1% select a project.
>>>>>>>
>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>> money.
>>>>>>>
>>>>>>>
>>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>
>>>>>>> Is this a fault, and which members and projects have been affected by
>>>>>>> this? I wonder if it applies to all project allocation selections, or
>>>>>>> only after a change is requested? Why are there so many "blanks" and
>>>>>>> "none" in the list of membership, and what's the difference? How long
>>>>>>> has it been occurring?
>>>>>>>
>>>>>>> Colin
>>>>>>>
>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>>>> wrote:
>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>> > one, when he first posted this on the Board and Governance list,
>>>>>>> > that I agreed with him 100%, but I just wanted to add some things.
>>>>>>> >
>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>> >> So starting a new one here as I think it's important for us to
>>>>>>> >> discuss.
>>>>>>> >> For background see:
>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's
>>>>>>> >> put into reviewing the projects.
>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a
>>>>>>> >> whole have really benefited.
>>>>>>> >
>>>>>>> > Amen to that. And having been involved in one of the projects
>>>>>>> > (ESAPI) that was demoted from Flagship to Lab status, I know it's
>>>>>>> > not always an easy thing to receive the assessments that she and
>>>>>>> > her team had been doing, but we need to be professional about this
>>>>>>> > and not shoot the messenger. Certainly when it came to ESAPI,
>>>>>>> > while I was disappointed, I pretty much agreed with the project
>>>>>>> > review conclusions.
>>>>>>> >
>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>> >>
>>>>>>> >> I have a theory:
>>>>>>> >>
>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters
>>>>>>> >> are more important _to_them_ than the projects.
>>>>>>> >> Chapters are where we meet people, exchange ideas and learn
>>>>>>> >> things. They are social events.
>>>>>>> >
>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>> > chapter meetings but who are also actively involved with one or
>>>>>>> > more OWASP projects.
>>>>>>> >
>>>>>>> >> People outside OWASP think that the Projects are more important
>>>>>>> >> _to_them_ than the Chapters.
>>>>>>> >> They don't go to chapter meetings, they might not even be aware
>>>>>>> >> of them.
>>>>>>> >> They use, or at least are aware of, the main OWASP projects,
>>>>>>> >> mostly the Flagship ones.
>>>>>>> >>
>>>>>>> >> Anyone agree or disagree?
>>>>>>> >
>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>> > like the edge case I mentioned above.
>>>>>>> >
>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc
>>>>>>> >> ;)
>>>>>>> >>
>>>>>>> >> I think Chapters and Projects are fundamentally different
>>>>>>> >> 'beasts', and I've started and run both :)
>>>>>>> >>
>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>> >> You need to be based in a city with a thriving security and/or
>>>>>>> >> software industry.
>>>>>>> >> You need to spend time organising and publicising events, but
>>>>>>> >> it's not hard - you don't need specialized skills.
>>>>>>> >> It's relatively easy to find people prepared to speak, arrange
>>>>>>> >> rooms and help with other organisational things.
>>>>>>> >> It's something you can do in your spare time.
>>>>>>> >
>>>>>>> > One thing I'll add here. The fact that people can use their time
>>>>>>> > spent attending OWASP chapter meetings as CPEs toward some
>>>>>>> > security certification is also a big draw I think. In the past,
>>>>>>> > we've even attracted quite a few non-OWASP members because of
>>>>>>> > this, or at least that appeared to be their primary motivation as
>>>>>>> > some of them would ask our chapter leads to provide evidence of
>>>>>>> > attendance for their CPEs and we'd then discover that some of them
>>>>>>> > were not OWASP members (not that we made a big deal about that).
>>>>>>> >
>>>>>>> > While it's true that one can earn CPEs working on projects, the
>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>> >
>>>>>>> >> Projects are much harder.
>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>> >> I'll focus on software projects (as I know much more about those)
>>>>>>> >> but I have no doubt documentation projects can be just as
>>>>>>> >> difficult.
>>>>>>> >> A professional software project is the result of the hard work of
>>>>>>> >> managers, designers, developers, QA, support, technical authors,
>>>>>>> >> sales and marketing (and probably others I've forgotten;).
>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up
>>>>>>> >> when you 'sunset' the project.
>>>>>>> >> Ok, so (non commercial) open source projects don't need sales
>>>>>>> >> staff, but they do need people doing all of the other roles. It's
>>>>>>> >> definitely _not_ just programming!
>>>>>>> >
>>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>>> >
>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>> > example, long ago, I noticed that people seem to ask more
>>>>>>> > questions on Stack Exchange about ESAPI than they do on either the
>>>>>>> > ESAPI-Users or ESAPI-Dev mailing lists. I suspect that there are
>>>>>>> > other forums elsewhere that these things get discussed.
>>>>>>> >
>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>> >> Luckily we have the open source community, but that means a
>>>>>>> >> project leader needs another skill: community building!
>>>>>>> >
>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm not
>>>>>>> > particularly a people person nor do I have a lot of contacts
>>>>>>> > beyond the immediate colleagues that I work with, so when the
>>>>>>> > current volunteer pool dries up and stops contributing, the
>>>>>>> > project tends to die because of (at least in my case) the
>>>>>>> > inability to find new volunteers to help carry the project
>>>>>>> > forward.
>>>>>>> >
>>>>>>> >> And to be honest most volunteers are developers (and security
>>>>>>> >> people for OWASP projects), it's very rare for people with other
>>>>>>> >> skills to get involved.
>>>>>>> >
>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>> > sometimes in our industry in that there's an unspoken perception
>>>>>>> > of a pecking order within the security community so that some of
>>>>>>> > these very important roles are greatly devalued (e.g., those who
>>>>>>> > write documentation or manage releases or do QA testing or provide
>>>>>>> > project management or other infrastructure support). And while we
>>>>>>> > generally don't come right out and express it, I think it's there
>>>>>>> > and those who might otherwise step up and fill those roles avoid
>>>>>>> > the security community for some other FOSS projects because they
>>>>>>> > feel under-appreciated.
>>>>>>> >
>>>>>>> >> I don't think it's something you can do in your spare time, at
>>>>>>> >> least for long (I did for a while, and my wife described herself
>>>>>>> >> as a "ZAP widow";)
>>>>>>> >
>>>>>>> > :D
>>>>>>> >
>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_
>>>>>>> >> harder.
>>>>>>> >
>>>>>>> > Making free pizza and beer available at chapter meetings doesn't
>>>>>>> > hurt!  :)
>>>>>>> >
>>>>>>> > We've also tried holding mini-hackathons at our local OWASP
>>>>>>> > meetings maybe once a year. It was interesting, but I can't say it
>>>>>>> > was a resounding success, because many there did not know the
>>>>>>> > programming language the project was written in and it took us an
>>>>>>> > undue amount of time just to get to the point where people got
>>>>>>> > their IDE of choice configured to pull the project from GitHub.
>>>>>>> > Also probably about 1/2 of the regular attenders don't really
>>>>>>> > program to any great extent at all but rather consider themselves
>>>>>>> > more pen testers, so holding these mini-hackathons effectively
>>>>>>> > leaves out almost half of our regular attendees so that's not
>>>>>>> > going to be something that works as a long term strategy.
>>>>>>> >
>>>>>>> >> I suspect OWASP as an organisation supports Chapters more
>>>>>>> >> effectively, but even if it supports both equally Projects don't
>>>>>>> >> get as much support as they need.
>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a
>>>>>>> >> whole) diminishing.
>>>>>>> >> If I'm right and people outside OWASP see the Projects as more
>>>>>>> >> important than the Chapters then this leads to the impression
>>>>>>> >> that OWASP is struggling.
>>>>>>> >>
>>>>>>> >> What do projects need?
>>>>>>> >> I don't think it's possible to maintain a 'significant' open
>>>>>>> >> source project unless you are able to spend the majority of your
>>>>>>> >> working day on it.
>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>> >> This is a significant investment for a company, and it's often
>>>>>>> >> difficult to justify this sort of investment. Especially if it's
>>>>>>> >> difficult to monetise OWASP projects.
>>>>>>> >
>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>> > previous company, I tried to convince my management to allocate
>>>>>>> > about eight hours a week from our entire team to contribute to
>>>>>>> > ESAPI bug fixing. It seemed a logical extension of our internal
>>>>>>> > proprietary security components class library which was not nearly
>>>>>>> > as complete. I was unable to convince my management and shortly
>>>>>>> > afterwards, I left that team (for unrelated reasons) and started
>>>>>>> > working with a team that had security experience that wouldn't
>>>>>>> > easily translate to ESAPI needs.  In fact, my experience was worse
>>>>>>> > than that. None of my colleagues ever decided to help out
>>>>>>> > individually either. Not a big deal; maybe it just wasn't their
>>>>>>> > cup of tea or they had other passions that they wanted to
>>>>>>> > contribute to. But gathering recruits willing to participate
>>>>>>> > clearly takes skills and contacts that I apparently do not possess
>>>>>>> > in sufficient quantities. (Sometimes I feel like I'm trying to
>>>>>>> > sell screen doors for submarines. Sigh.)
>>>>>>> >
>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>> > evangelist role to keep looking for new contributors. One reason
>>>>>>> > (at least it's been my experience) is that KEEPING volunteers for
>>>>>>> > extended periods is even harder and by and large, I think if we
>>>>>>> > looked at the historical data of contributors across all OWASP
>>>>>>> > projects (say, based on commit history), that the data would bear
>>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP
>>>>>>> > and is experienced by many FOSS projects.
>>>>>>> >
>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>> >> I think that's what it would take to build a thriving set of
>>>>>>> >> Projects.
>>>>>>> >> Is that something that could be done?
>>>>>>> >
>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>> > I'd rather not see it become necessary as I really don't want
>>>>>>> > OWASP to turn into a political organization where the project
>>>>>>> > leaders are forced to lobby for funding, and I fear that's what
>>>>>>> > would happen. I think also it would stifle innovation because new
>>>>>>> > incubator projects would likely all dry up (unless a certain
>>>>>>> > amount of funds were pre-allocated to them) as they likely
>>>>>>> > couldn't compete against more established projects.
>>>>>>> >
>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>> > somehow sell their own project-related schwag at conferences and
>>>>>>> > such and keep a percentage of the profits to use for their
>>>>>>> > projects so that they could then use that money however they saw
>>>>>>> > fit (e.g., hiring a technical writer to write project
>>>>>>> > documentation for instance). But that probably would not make a
>>>>>>> > major impact in funding to a project, especially if all the OWASP
>>>>>>> > projects started doing it.
>>>>>>> >
>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on
>>>>>>> >> ZAP, and that's been invaluable.
>>>>>>> >
>>>>>>> > I suppose that starts with a company that has a culture of
>>>>>>> > strongly contributing to FOSS. Most of us do not work for such
>>>>>>> > companies. Most work for companies who extensively rely on such
>>>>>>> > software, but rarely allow their companies to contribute to such
>>>>>>> > things on company time because they don't really see it as
>>>>>>> > contributing directly to their bottom line. (NOTE: I want to make
>>>>>>> > clear that this is strictly my personal opinion based on a
>>>>>>> > [likely] biased observation and in no way represents the official
>>>>>>> > position of either my current nor any of my previous employers.
>>>>>>> > And they didn't even make me say that! :)
>>>>>>> >
>>>>>>> >> But I'd love to be able to employ some of the ZAP contributors to
>>>>>>> >> work full time on ZAP :)
>>>>>>> >> Would OWASP pay for that??
>>>>>>> >
>>>>>>> > Great question and I think you're not the only project that might
>>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>>> > for resources at Google Summer of Code and various OWASP code
>>>>>>> > sprints, and I fear if we increased OWASP funding to amounts
>>>>>>> > needed to sustain OWASP projects, it could lead to divisions in
>>>>>>> > OWASP as people aligned themselves with one project or another.
>>>>>>> >
>>>>>>> >> It would require much more 'project management' - the kind of
>>>>>>> >> things that people _think_ OWASP is doing, but it doesn't.
>>>>>>> >> I often see posts from people asking "why the hell is OWASP
>>>>>>> >> developing X".
>>>>>>> >> They seem to think that there's an OWASP committee that meets and
>>>>>>> >> goes "We think we should have project X". Whereas it's actually
>>>>>>> >> an individual coming to OWASP and saying "I'm doing X, could this
>>>>>>> >> be an OWASP project?".
>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>> >
>>>>>>> > Well, their perception could also be more of a notion of "why
>>>>>>> > aren't they doing Y instead?" or even "wouldn't it make more sense
>>>>>>> > if it were a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>}
>>>>>>> > project instead?" And truth be told, I've also asked that question
>>>>>>> > myself, but more because it was like "OWASP already has a project
>>>>>>> > Z that does almost exactly what project X is proposing. Why don't
>>>>>>> > they just join project Z instead of spinning off a similar
>>>>>>> > project?".
>>>>>>> >
>>>>>>> > I think any of those, as well as your conjecture, are possible
>>>>>>> > reasons for them asking that question.
>>>>>>> >
>>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction
>>>>>>> >> at all from OWASP as to how ZAP should move forward.
>>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>>> >
>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>> >
>>>>>>> > JK. ;-)
>>>>>>> >
>>>>>>> >> OWASP does not really invest in projects. It does provide some
>>>>>>> >> support, but to be honest not a great deal.
>>>>>>> >> If we decided to invest significant amounts of money in projects
>>>>>>> >> then there would need to be real debate as to what we should
>>>>>>> >> invest in.
>>>>>>> >> And I realise that that's difficult, particularly as OWASP is
>>>>>>> >> supported by commercial organisations, and they won't want OWASP
>>>>>>> >> investing in projects that compete with their own offerings.
>>>>>>> >>
>>>>>>> >> There are other things that OWASP could do other than paying
>>>>>>> >> developers directly.
>>>>>>> >> We could spend much more effort encouraging companies to
>>>>>>> >> contribute to OWASP projects, especially by donating engineering
>>>>>>> >> effort.
>>>>>>> >> We could help projects with the 'non programming' aspects -
>>>>>>> >> documentation, testing, marketing etc.
>>>>>>> >> We could provide more advice and guidance - I don't want people
>>>>>>> >> to dictate where ZAP should be headed, but I'd love constructive
>>>>>>> >> feedback :)
>>>>>>> >
>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>> >
>>>>>>> > Most of that has been around getting people to help with the
>>>>>>> > following types of things:
>>>>>>> >     * Project documentation, most notably overall user manuals and
>>>>>>> >       FAQs and wiki entries.
>>>>>>> >     * Help with maven / pom.xml issues and release management in
>>>>>>> >       general
>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>> >     * Someone willing to be a sounding board for proposed design
>>>>>>> >       changes
>>>>>>> >
>>>>>>> > As I've reflected about it, one of the things that I've noted is
>>>>>>> > that many of these are specialities that are cross-cutting across
>>>>>>> > many OWASP projects.
>>>>>>> >
>>>>>>> > I think one way that we might be able to address some of these
>>>>>>> > concerns is to create a Subject Matter Expert list of people who
>>>>>>> > would be willing to volunteer to help out projects by contributing
>>>>>>> > a few hours here or there. For starters, I am more than willing to
>>>>>>> > put my name into the hat and be willing to contribute as an
>>>>>>> > applied cryptography SME for any projects that have crypto related
>>>>>>> > questions or maybe need some crypto code reviewed by a fresh pair
>>>>>>> > of eyes (at least as long as it's written in a programming
>>>>>>> > language I'm familiar with). Of course, the irony of it is that
>>>>>>> > likely would require a new OWASP project to maintain that OWASP
>>>>>>> > SME list. (Not it! :)
>>>>>>> >
>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>> >
>>>>>>> > Trust me, I've written more than my share!
>>>>>>> >
>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>> >
>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>> >
>>>>>>> > -kevin
>>>>>>> > --
>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>> > _______________________________________________
>>>>>>> > OWASP-Leaders mailing list
>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>