[Owasp-board] [Owasp-leaders] Projects Vs Chapters

Josh Sokol josh.sokol at owasp.org
Tue Sep 15 15:49:45 UTC 2015


Maybe this is a stupid question, but has anyone considered experimenting
with a funding model using the project itself?  Maybe try to raise
additional funds by having a paid support option or say if you can raise $X
in donations you'll develop Y feature(s)?  The devil is in the details, but
that might be a project-centric way to raise money that a chapter wouldn't
even have the option to do.

~josh

On Mon, Sep 14, 2015 at 12:22 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> > For reference, the 2015 budget shows OWASP at a loss of around $105k for
> > the year.  Not an issue given the funds currently in reserves, but we did
> > budget to spend more than we brought in so there's not a ton of room to
> > work with there unless we add revenue or eliminate expenses.
>
> Agree, I also noticed this. The activities I'm proposing won't be that
> high cost, especially compared to the actual costs of setting up events, but I
> think a strategy where project leaders can proactively generate funds for
> their own project is a step towards developing them better.
>
>
> On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> The Board should be reviewing the budget for 2016 in the next few months
>> so it is an excellent time to make such a proposal.  We just need to know
>> what kinds of activities we are looking at and how much we need to make
>> them happen.  We can then look at anticipated revenue vs expenses in order
>> to determine if there is room in the budget to make it happen.  For
>> reference, the 2015 budget shows OWASP at a loss of around $105k for the
>> year.  Not an issue given the funds currently in reserves, but we did
>> budget to spend more than we brought in so there's not a ton of room to
>> work with there unless we add revenue or eliminate expenses.
>>
>> ~josh
>>
>> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>
>>> Hi Josh
>>>
>>> I have taken the time to extract from the 2015 budget where the
>>> major OWASP costs are:
>>> Total revenue projected for 2015 is USD 2,540,667.00
>>>
>>> From this:
>>>
>>> Cost Salaries and Contractors 2015
>>>   OWASP Employees salaries                    342,237.82
>>>   Bonus and commission                         38,600.00
>>>   Contractors & Professional services:
>>>     Virtual fin fee                            32,000.00
>>>     Accounting KPMG                             4,000.00
>>>     Int Accounting KPMG EU                      9,000.00
>>>     Qtrly VAT by Country                       14,489.00
>>>     Virtual Executive Director/HR Contractor    8,700.00
>>>     Virtual - HR Hosting & fees                12,000.00
>>>     IT Admin                                   10,000.00
>>>     Legal Contractor                            7,200.00
>>>     Graphic Designer                            7,200.00
>>>     Events Manager                             72,000.00
>>>   Total                                       557,426.82
>>>   Percentage from total revenue                   21.94%
>>>
>>> Cost Conferences 2015 (in USD Dollars)
>>>   APPSEC US                                  $935,557.00
>>>   APPSEC EU                                  $241,510.00
>>>   APPSEC ASIA                                 $25,000.00
>>>   APPSEC LATAM                                 $7,500.00
>>>   Local & Regional Events                    $115,000.00
>>>   Total in events                          $1,209,567.00
>>>   Percentage from revenue                         47.61%
>>>
>>> As I can see there are many expenses involved in operations and creating
>>> events. (That will sum up to around 70% of the OWASP expenses.)
>>>
>>> In response to Paul:
>>> > For 2016 planning, I'm encouraged by all the interest demonstrated by
>>> > these emails, as we adjust our 2016 Budget to reflect the community
>>> > priorities.
>>>
>>> I would like to propose a fixed budget for certain activities. I
>>> believe Claudia was also busy with that part for the Project summits, but
>>> also for helping promote projects and training for leaders.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> Johanna,
>>>>
>>>> I was really hoping that Fabio, as current Treasurer, would wade into
>>>> this conversation, but since he hasn't I will as Treasurer last year.
>>>>
>>>> The short answer to your questions is that OWASP receives money from
>>>> many different sources.  Conferences, grants, donations, and yes,
>>>> membership.  OWASP also has many expenses that aren't solely covered by
>>>> "project expenses" or "chapter expenses".  Money that isn't pre-allocated
>>>> to something specific like that ends up in the OWASP funds pool and gets
>>>> budgeted to be used for other expenses.  Our paid staff is probably the top
>>>> expense where that is concerned, but there are many other things that OWASP
>>>> spends money on as well.  The OWASP budget should be publicly available and
>>>> I know that the OWASP staff is currently working on the 2014 report which
>>>> should be released any day now.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>>> >How can we make the corporation more aware of this option?
>>>>>
>>>>> I would like to see first a clarification on *where* the money from
>>>>> corporate memberships that have not made any choice is allocated
>>>>> right now.
>>>>>
>>>>> The community fund is USD 60,000 a year and this is not only for projects
>>>>> but everything to do with the community.
>>>>>
>>>>> So far there is in corporate and individual memberships a total of:
>>>>>
>>>>> Corporate memberships (foundation + chapter)   USD 350,000
>>>>> Individual memberships (foundation + chapter)  USD  90,000
>>>>> Total =                                        USD 440,000
>>>>>
>>>>> Following the same sheet, the following corporate memberships have not
>>>>> been allocated by the sponsors. I would like to know how much money of the
>>>>> USD 350,000 belongs to these unallocated ones:
>>>>>
>>>>>    1. Autodesk, Inc.
>>>>>    2. Blackhat US
>>>>>    3. CA Technologies
>>>>>    4. CDNetworks
>>>>>    5. ClassDojo
>>>>>    6. Coverity
>>>>>    7. eLearn Security
>>>>>    8. HERE North America, LLC.
>>>>>    9. Johnson Controls, Inc.
>>>>>    10. Rapid7
>>>>>    11. Software Assurance Marketplace (SWAMP)
>>>>>
>>>>>
>>>>> Each of these contributes USD 5,000 (following the corporate categories
>>>>> as they appear here:
>>>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters).
>>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>>>
>>>>> Big corporate memberships from 4 companies which do not appear in
>>>>> that Google sheet have contributed 4 x USD 20,000 = USD 80,000.
>>>>> Where has this money been allocated?
>>>>>
>>>>>    1. Adobe
>>>>>    2. Qualys
>>>>>    3. HP
>>>>>    4. Contrast
>>>>>
>>>>>
>>>>> I would like to have a clarification on where exactly the money from
>>>>> these corporate memberships is allocated, which in total (following this
>>>>> calculation) accumulates to
>>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members
>>>>> have allocated.
>>>>>
>>>>> If it seems that part of the money goes to the community fund, then 140k
>>>>> - 60k = USD 80,000 is still open. Where is this money being allocated to?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> Thanks Johanna, this is _really_ interesting.
>>>>>> And that's a huge imbalance between the chapters and projects.
>>>>>> Corporate members can obviously choose where their money goes, but
>>>>>> maybe they are not aware they can choose projects (and if Eoin didn't know,
>>>>>> that seems very likely!)
>>>>>> How can we make the corporation more aware of this option?
>>>>>> And how else can we redress this imbalance?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> In 2013 corporate membership represented 33% of total income for
>>>>>>> OWASP as opposed to individual membership which represented only 13% of the
>>>>>>> total income.
>>>>>>>
>>>>>>> In 2015 corporate membership (foundation+chapter) has a total
>>>>>>> revenue of USD 350,000 as opposed to USD 90,000 from individual
>>>>>>> memberships (again foundation+chapter), which is quite considerable:
>>>>>>> OWASP Foundation Budget - 2015
>>>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> Basically all memberships are going to 'chapters'
>>>>>>>
>>>>>>> *If more than half of these donations (corporate membership) which I
>>>>>>> highlighted in green have not been specified for any purpose, then how does
>>>>>>> the foundation decide into which account that money goes? I would like an
>>>>>>> answer on this. What I miss here is a breakdown of the amount and into
>>>>>>> which budget these are being set.*
>>>>>>>
>>>>>>> *It seems that those memberships are going mostly to chapters and
>>>>>>> some to projects (highlighted in yellow) (ZAP + SAMM)*
>>>>>>>
>>>>>>>
>>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>>
>>>>>>> Btw I cannot find the financial report of 2014, it seems it is quite
>>>>>>> behind (since we are almost at the end of 2015)
>>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>>
>>>>>>>> One thing about membership donations to projects. Last week, the
>>>>>>>> list of members was posted to the leaders list for the elections:
>>>>>>>>
>>>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>>
>>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>>> their donation to a project - in this case "mobile". I agree that at
>>>>>>>> the point of joining many people might select a chapter at that
>>>>>>>> time, but I am wondering if this is actually accurate? It doesn't
>>>>>>>> feel correct that less than 0.1% select a project.
>>>>>>>>
>>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>>> money.
>>>>>>>>
>>>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>>
>>>>>>>> Is this a fault, and which members and projects have been affected
>>>>>>>> by this? I wonder if it applies to all project allocation
>>>>>>>> selections, or only after a change is requested? Why are there so
>>>>>>>> many "blanks" and "none" in the list of membership, and what's the
>>>>>>>> difference? How long has it been occurring?
>>>>>>>>
>>>>>>>> Colin
>>>>>>>>
>>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>>>>> wrote:
>>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>>> > one, when he first posted this on the Board and Governance list,
>>>>>>>> > that I agreed with him 100%, but I just wanted to add some things.
>>>>>>>> >
>>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>>> >> So starting a new one here as I think it's important for us to
>>>>>>>> >> discuss.
>>>>>>>> >> For background see:
>>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's
>>>>>>>> >> put into reviewing the projects.
>>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a
>>>>>>>> >> whole have really benefited.
>>>>>>>> >
>>>>>>>> > Amen to that. And having been involved in one of the projects
>>>>>>>> > (ESAPI) that was demoted from Flagship to Lab status, I know it's
>>>>>>>> > not always an easy thing to receive the assessments that she and
>>>>>>>> > her team had been doing, but we need to be professional about this
>>>>>>>> > and not shoot the messenger. Certainly when it came to ESAPI, while
>>>>>>>> > I was disappointed, I pretty much agreed with the project review
>>>>>>>> > conclusions.
>>>>>>>> >
>>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>>> >>
>>>>>>>> >> I have a theory:
>>>>>>>> >>
>>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters
>>>>>>>> >> are more important _to_them_ than the projects.
>>>>>>>> >> Chapters are where we meet people, exchange ideas and learn
>>>>>>>> >> things. They are social events.
>>>>>>>> >
>>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>>> > chapter meetings but who are also actively involved with one or
>>>>>>>> > more OWASP projects.
>>>>>>>> >
>>>>>>>> >> People outside OWASP think that the Projects are more important
>>>>>>>> >> _to_them_ than the Chapters.
>>>>>>>> >> They don't go to chapter meetings, they might not even be aware
>>>>>>>> >> of them.
>>>>>>>> >> They use, or at least are aware of, the main OWASP projects,
>>>>>>>> >> mostly the Flagship ones.
>>>>>>>> >>
>>>>>>>> >> Anyone agree or disagree?
>>>>>>>> >
>>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>>> > like the edge case I mentioned above.
>>>>>>>> >
>>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>>>>>>>> >>
>>>>>>>> >> I think Chapters and Projects are fundamentally different
>>>>>>>> >> 'beasts', and I've started and run both :)
>>>>>>>> >>
>>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>>> >> You need to be based in a city with a thriving security and/or
>>>>>>>> >> software industry.
>>>>>>>> >> You need to spend time organising and publicising events, but
>>>>>>>> >> it's not hard - you don't need specialized skills.
>>>>>>>> >> It's relatively easy to find people prepared to speak, arrange
>>>>>>>> >> rooms and help with other organisational things.
>>>>>>>> >> It's something you can do in your spare time.
>>>>>>>> >
>>>>>>>> > One thing I'll add here. The fact that people can use their time
>>>>>>>> > spent attending OWASP chapter meetings as CPEs toward some security
>>>>>>>> > certification is also a big draw I think. In the past, we've even
>>>>>>>> > attracted quite a few non-OWASP members because of this, or at
>>>>>>>> > least that appeared to be their primary motivation as some of them
>>>>>>>> > would ask our chapter leads to provide evidence of attendance for
>>>>>>>> > their CPEs and we'd then discover that some of them were not OWASP
>>>>>>>> > members (not that we made a big deal about that).
>>>>>>>> >
>>>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>>> >
>>>>>>>> >> Projects are much harder.
>>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>>> >> I'll focus on software projects (as I know much more about
>>>>>>>> >> those) but I have no doubt documentation projects can be just as
>>>>>>>> >> difficult.
>>>>>>>> >> A professional software project is the result of the hard work
>>>>>>>> >> of managers, designers, developers, QA, support, technical
>>>>>>>> >> authors, sales and marketing (and probably others I've forgotten;).
>>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up
>>>>>>>> >> when you 'sunset' the project.
>>>>>>>> >> Ok, so (non commercial) open source projects don't need sales
>>>>>>>> >> staff, but they do need people doing all of the other roles. It's
>>>>>>>> >> definitely _not_ just programming!
>>>>>>>> >
>>>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>>>> >
>>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>>> > example, long ago, I noticed that people seem to ask more questions
>>>>>>>> > on Stack Exchange about ESAPI than they do on either the
>>>>>>>> > ESAPI-Users or ESAPI-Dev mailing lists. I suspect that there are
>>>>>>>> > other forums elsewhere where these things get discussed.
>>>>>>>> >
>>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>>> >> Luckily we have the open source community, but that means a
>>>>>>>> >> project leader needs another skill: community building!
>>>>>>>> >
>>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm not
>>>>>>>> > particularly a people person nor do I have a lot of contacts
>>>>>>>> > beyond the immediate colleagues that I work with, so when the
>>>>>>>> > current volunteer pool dries up and stops contributing, the project
>>>>>>>> > tends to die because of (at least in my case) the inability to find
>>>>>>>> > new volunteers to help carry the project forward.
>>>>>>>> >
>>>>>>>> >> And to be honest most volunteers are developers (and security
>>>>>>>> >> people for OWASP projects), it's very rare for people with other
>>>>>>>> >> skills to get involved.
>>>>>>>> >
>>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>>> > sometimes in our industry in that there's an unspoken perception
>>>>>>>> > of a pecking order within the security community so that some of
>>>>>>>> > these very important roles are greatly devalued (e.g., those who
>>>>>>>> > write documentation or manage releases or do QA testing or provide
>>>>>>>> > project management or other infrastructure support). And while we
>>>>>>>> > generally don't come right out and express it, I think it's there
>>>>>>>> > and those who might otherwise step up and fill those roles avoid
>>>>>>>> > the security community for some other FOSS projects because they
>>>>>>>> > feel under-appreciated.
>>>>>>>> >
>>>>>>>> >> I don't think it's something you can do in your spare time, at
>>>>>>>> >> least for long (I did for a while, and my wife described herself
>>>>>>>> >> as a "ZAP widow";)
>>>>>>>> >
>>>>>>>> > :D
>>>>>>>> >
>>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_
>>>>>>>> >> harder.
>>>>>>>> >
>>>>>>>> > Making free pizza and beer available at chapter meetings doesn't
>>>>>>>> > hurt!  :)
>>>>>>>> >
>>>>>>>> > We've also tried holding mini-hackathons at our local OWASP
>>>>>>>> > meetings maybe once a year. It was interesting, but I can't say it
>>>>>>>> > was a resounding success, because many there did not know the
>>>>>>>> > programming language the project was written in and it took us an
>>>>>>>> > undue amount of time just to get to the point where people got
>>>>>>>> > their IDE of choice configured to pull the project from GitHub.
>>>>>>>> > Also probably about 1/2 of the regular attenders don't really
>>>>>>>> > program to any great extent at all but rather consider themselves
>>>>>>>> > more as pen testers, so holding these mini-hackathons effectively
>>>>>>>> > leaves out almost half of our regular attendees so that's not going
>>>>>>>> > to be something that works as a long term strategy.
>>>>>>>> >
>>>>>>>> >> I suspect OWASP as an organisation supports Chapters more
>>>>>>>> >> effectively, but even if it supports both equally Projects don't
>>>>>>>> >> get as much support as they need.
>>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a
>>>>>>>> >> whole) diminishing.
>>>>>>>> >> If I'm right and people outside OWASP see the Projects as more
>>>>>>>> >> important than the Chapters then this leads to the impression that
>>>>>>>> >> OWASP is struggling.
>>>>>>>> >>
>>>>>>>> >> What do projects need?
>>>>>>>> >> I don't think it's possible to maintain a 'significant' open
>>>>>>>> >> source project unless you are able to spend the majority of your
>>>>>>>> >> working day on it.
>>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>>> >> This is a significant investment for a company, and it's often
>>>>>>>> >> difficult to justify this sort of investment. Especially if it's
>>>>>>>> >> difficult to monetise OWASP projects.
>>>>>>>> >
>>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>>> > previous company, I tried to convince my management to allocate
>>>>>>>> > about eight hours a week from our entire team to contribute to
>>>>>>>> > ESAPI bug fixing. It seemed a logical extension of our internal
>>>>>>>> > proprietary security components class library which was not nearly
>>>>>>>> > as complete. I was unable to convince my management and shortly
>>>>>>>> > afterwards, I left that team (for unrelated reasons) and started
>>>>>>>> > working with a team that had security experience that wouldn't
>>>>>>>> > easily translate to ESAPI needs.  In fact, my experience was worse
>>>>>>>> > than that. None of my colleagues ever decided to help out
>>>>>>>> > individually either. Not a big deal; maybe it just wasn't their cup
>>>>>>>> > of tea or they had other passions that they wanted to contribute
>>>>>>>> > to. But gathering recruits willing to participate clearly takes
>>>>>>>> > skills and contacts that I apparently do not possess in sufficient
>>>>>>>> > quantities. (Sometimes I feel like I'm trying to sell screen doors
>>>>>>>> > for submarines. Sigh.)
>>>>>>>> >
>>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>>> > evangelist role to keep looking for new contributors. One reason
>>>>>>>> > (at least it's been my experience) is that KEEPING volunteers for
>>>>>>>> > extended periods is even harder and by and large, I think if we
>>>>>>>> > looked at the historical data of contributors across all OWASP
>>>>>>>> > projects (say, based on commit history), the data would bear that
>>>>>>>> > out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>>>> > is experienced by many FOSS projects.
>>>>>>>> >
>>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>>> >> I think that's what it would take to build a thriving set of
>>>>>>>> >> Projects.
>>>>>>>> >> Is that something that could be done?
>>>>>>>> >
>>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>>> > I'd rather not see it become necessary as I really don't want
>>>>>>>> > OWASP to turn into a political organization where the project
>>>>>>>> > leaders are forced to lobby for funding, and I fear that's what
>>>>>>>> > would happen. I think also it would stifle innovation because new
>>>>>>>> > incubator projects would likely all dry up (unless a certain amount
>>>>>>>> > of funds were pre-allocated to them) as they likely couldn't
>>>>>>>> > compete against more established projects.
>>>>>>>> >
>>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>>> > somehow sell their own project-related schwag at conferences and
>>>>>>>> > such and keep a percentage of the profits to use for their projects
>>>>>>>> > so that they could then use that money however they saw fit (e.g.,
>>>>>>>> > hiring a technical writer to write project documentation for
>>>>>>>> > instance). But that probably would not make a major impact in
>>>>>>>> > funding to a project, especially if all the OWASP projects started
>>>>>>>> > doing it.
>>>>>>>> >
>>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on
>>>>>>>> >> ZAP, and that's been invaluable.
>>>>>>>> >
>>>>>>>> > I suppose that starts with a company that has a culture of
>>>>>>>> > strongly contributing to FOSS. Most of us do not work for such
>>>>>>>> > companies. Most work for companies who extensively rely on such
>>>>>>>> > software, but rarely allow their companies to contribute to such
>>>>>>>> > things on company time because they don't really see it as
>>>>>>>> > contributing directly to their bottom line. (NOTE: I want to make
>>>>>>>> > clear that this is strictly my personal opinion based on a [likely]
>>>>>>>> > biased observation and in no way represents the official position
>>>>>>>> > of either my current or any of my previous employers. And they
>>>>>>>> > didn't even make me say that! :)
>>>>>>>> >
>>>>>>>> >> But I'd love to be able to employ some of the ZAP contributors
>>>>>>>> >> to work full time on ZAP :)
>>>>>>>> >> Would OWASP pay for that??
>>>>>>>> >
>>>>>>>> > Great question and I think you're not the only project that might
>>>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>>>> > for resources at Google Summer of Code and various OWASP code
>>>>>>>> > sprints, and I fear if we increased OWASP funding to amounts needed
>>>>>>>> > to sustain OWASP projects, it could lead to divisions in OWASP as
>>>>>>>> > people aligned themselves with one project or another.
>>>>>>>> >
>>>>>>>> >> It would require much more 'project management' - the kind of
>>>>>>>> >> things that people _think_ OWASP is doing, but it doesn't.
>>>>>>>> >> I often see posts from people asking "why the hell is OWASP
>>>>>>>> >> developing X".
>>>>>>>> >> They seem to think that there's an OWASP committee that meets and
>>>>>>>> >> goes "We think we should have project X". Whereas it's actually an
>>>>>>>> >> individual coming to OWASP and saying "I'm doing X, could this be
>>>>>>>> >> an OWASP project?".
>>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>>> >
>>>>>>>> > Well, their perception could also be more of a notion of "why
>>>>>>>> > aren't they doing Y instead?" or even "wouldn't it make more sense
>>>>>>>> > if it were a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>}
>>>>>>>> > project instead?" And truth be told, I've also asked that question
>>>>>>>> > myself, but more because it was like "OWASP already has a project Z
>>>>>>>> > that does almost exactly what project X is proposing. Why don't
>>>>>>>> > they just join project Z instead of spinning off a similar
>>>>>>>> > project?".
>>>>>>>> >
>>>>>>>> > I think any of those, as well as your conjecture, are possible
>>>>>>>> > reasons for them asking that question.
>>>>>>>> >
>>>>>>>> >> It may surprise people outside of OWASP that I get _no_
>>>>>>>> >> direction at all from OWASP as to how ZAP should move forward.
>>>>>>>> >> Note that I'm _really_ not complaining about that ;)
>>>>>>>> >
>>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>>> >
>>>>>>>> > JK. ;-)
>>>>>>>> >
>>>>>>>> >> OWASP does not really invest in projects. It does provide some
>>>>>>>> >> support, but to be honest not a great deal.
>>>>>>>> >> If we decided to invest significant amounts of money in projects
>>>>>>>> >> then there would need to be real debate as to what we should
>>>>>>>> >> invest in.
>>>>>>>> >> And I realise that that's difficult, particularly as OWASP is
>>>>>>>> >> supported by commercial organisations, and they won't want OWASP
>>>>>>>> >> investing in projects that compete with their own offerings.
>>>>>>>> >>
>>>>>>>> >> There are other things that OWASP could do other than paying
>>>>>>>> >> developers directly.
>>>>>>>> >> We could spend much more effort encouraging companies to
>>>>>>>> >> contribute to OWASP projects, especially by donating engineering
>>>>>>>> >> effort.
>>>>>>>> >> We could help projects with the 'non programming' aspects -
>>>>>>>> >> documentation, testing, marketing etc.
>>>>>>>> >> We could provide more advice and guidance - I don't want people
>>>>>>>> >> to dictate where ZAP should be headed, but I'd love constructive
>>>>>>>> >> feedback :)
>>>>>>>> >
>>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>>> >
>>>>>>>> > Most of that has been around getting people to help with the
>>>>>>>> > following types of things:
>>>>>>>> >     * Project documentation, most notably overall user manuals
>>>>>>>> >       and FAQs and wiki entries.
>>>>>>>> >     * Help with maven / pom.xml issues and release management in
>>>>>>>> >       general
>>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>>> >     * Someone willing to be a sounding board for proposed design
>>>>>>>> >       changes
>>>>>>>> >
>>>>>>>> > As I've reflected about it, one of the things that I've noted is
>>>>>>>> > that many of these are specialities that are cross-cutting across
>>>>>>>> > many OWASP projects.
>>>>>>>> >
>>>>>>>> > I think one way that we might be able to address some of these
>>>>>>>> > concerns is to create a Subject Matter Expert list of people who
>>>>>>>> > would be willing to volunteer to help out projects by contributing
>>>>>>>> > a few hours here or there. For starters, I am more than willing to
>>>>>>>> > put my name into the hat and be willing to contribute as an applied
>>>>>>>> > cryptography SME for any projects that have crypto related
>>>>>>>> > questions or maybe need some crypto code reviewed by a fresh pair
>>>>>>>> > of eyes (at least as long as it's written in a programming language
>>>>>>>> > I'm familiar with). Of course, the irony of it is that it likely
>>>>>>>> > would require a new OWASP project to maintain that OWASP SME list.
>>>>>>>> > (Not it! :)
>>>>>>>> >
>>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>>> >
>>>>>>>> > Trust me, I've written more than my share!
>>>>>>>> >
>>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>>> >
>>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>>> >
>>>>>>>> > -kevin
>>>>>>>> > --
>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>> > _______________________________________________
>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150915/e09156e1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2015-08-21 10.19.54.png
Type: image/png
Size: 84176 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150915/e09156e1/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2015-09-07 08.07.40.png
Type: image/png
Size: 117046 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150915/e09156e1/attachment-0003.png>

