[Owasp-board] [Owasp-leaders] Projects Vs Chapters

johanna curiel curiel johanna.curiel at owasp.org
Tue Sep 15 16:22:37 UTC 2015


Hi Josh

Yes, an example is how grant funds work. When corporations or people make
donations or part of a grant, the features that will be built must be
defined. This makes it transparent and clear for the persons doing the
donations or through grant funds.
If we create a pool where projects could make use of it, then it is
expected that leaders provide a plan of the features that will be created
with the funds and at the end, the results obtained.

Johanna
On Tuesday, September 15, 2015, Josh Sokol <josh.sokol at owasp.org> wrote:

> Maybe this is a stupid question, but has anyone considered experimenting
> with a funding model using the project itself?  Maybe try to raise
> additional funds by having a paid support option or say if you can raise $X
> in donations you'll develop Y feature(s)?  The devil is in the details, but
> that might be a project-centric way to raise money that a chapter wouldn't
> even have the option to do.
>
> ~josh
>
> On Mon, Sep 14, 2015 at 12:22 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>
>> For reference, the 2015 budget shows OWASP at a loss of around $105k for
>> the year.  Not an issue given the funds currently in reserves, but we did
>> budget to spend more than we brought in so there's not a ton of room to
>> work with there unless we add revenue or eliminate expenses.
>>
>> Agree, I also noticed this. The activities I'm proposing won't be that
>> high cost, especially compared to the actual costs of setting up events, but I
>> think a strategy where project leaders can proactively generate funds for
>> their own project is a step towards developing them better.
>>
>>
>> On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> The Board should be reviewing the budget for 2016 in the next few months
>>> so it is an excellent time to make such a proposal.  We just need to know
>>> what kinds of activities we are looking at and how much we need to make
>>> them happen.  We can then look at anticipated revenue vs expenses in order
>>> to determine if there is room in the budget to make it happen.  For
>>> reference, the 2015 budget shows OWASP at a loss of around $105k for the
>>> year.  Not an issue given the funds currently in reserves, but we did
>>> budget to spend more than we brought in so there's not a ton of room to
>>> work with there unless we add revenue or eliminate expenses.
>>>
>>> ~josh
>>>
>>> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Josh
>>>>
>>>> I have taken the work to extract from the 2015 budget where the
>>>> major OWASP costs are:
>>>> Total revenue projected for 2015 is USD 2,540,667.00
>>>>
>>>> From this:
>>>>
>>>> Cost Salaries and Contractors 2015 (in USD)
>>>>   OWASP Employees salaries                    342,237.82
>>>>   Bonus and commission                         38,600.00
>>>>   Contractors & Professional services
>>>>     Virtual fin fee                            32,000.00
>>>>     Accounting KPMG                             4,000.00
>>>>     Int Accounting KPMG EU                      9,000.00
>>>>     Qtrly VAT by Country                       14,489.00
>>>>     Virtual Executive Director/HR Contractor    8,700.00
>>>>     Virtual - HR Hosting & fees                12,000.00
>>>>     IT Admin                                   10,000.00
>>>>     Legal Contractor                            7,200.00
>>>>     Graphic Designer                            7,200.00
>>>>     Events Manager                             72,000.00
>>>>   Total                                       557,426.82
>>>>   Percentage from total revenue                   21.94%
>>>>
>>>> Cost Conferences 2015 (in USD)
>>>>   APPSEC US                                   935,557.00
>>>>   APPSEC EU                                   241,510.00
>>>>   APPSEC ASIA                                  25,000.00
>>>>   APPSEC LATAM                                  7,500.00
>>>>   Local & Regional Events                     115,000.00
>>>>   Total in events                           1,209,567.00
>>>>   Percentage from revenue                         47.61%
>>>>
>>>> As I can see there are many expenses involved in operations and
>>>> creating events (that will sum up to around 70% of the OWASP expenses).
>>>>
>>>> > In response to Paul:
>>>> For 2016 planning, I'm encouraged by all the interest demonstrated by
>>>> these emails, as we adjust our 2016 Budget to reflect the community
>>>> priorities.
>>>>
>>>> I would like to propose some fixed budget for certain activities. I
>>>> believe Claudia was also busy with that part for the Project summits, but
>>>> also for helping promote projects and training for leaders.
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>>> Johanna,
>>>>>
>>>>> I was really hoping that Fabio, as current Treasurer, would wade into
>>>>> this conversation, but since he hasn't I will as Treasurer last year.
>>>>>
>>>>> The short answer to your questions is that OWASP receives money from
>>>>> many different sources.  Conferences, grants, donations, and yes,
>>>>> membership.  OWASP also has many expenses that aren't solely covered by
>>>>> "project expenses" or "chapter expenses".  Money that isn't pre-allocated
>>>>> to something specific like that ends up in the OWASP funds pool and gets
>>>>> budgeted to be used for other expenses.  Our paid staff is probably the top
>>>>> expense where that is concerned, but there are many other things that OWASP
>>>>> spends money on as well.  The OWASP budget should be publicly available and
>>>>> I know that the OWASP staff is currently working on the 2014 report which
>>>>> should be released any day now.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> >How can we make the corporation more aware of this option?
>>>>>>
>>>>>> I would like to see first a clarification on *where* is the money
>>>>>> allocated right now from corporate memberships that have not made any
>>>>>> choices.
>>>>>>
>>>>>> Community funds are USD 60,000 a year and this is not only for projects
>>>>>> but everything to do with the community.
>>>>>>
>>>>>> So far there is in memberships, between corporate and individual
>>>>>> memberships, a total of
>>>>>>
>>>>>> Corporate memberships (foundation + chapter)   USD 350,000
>>>>>> Individual memberships (foundation + chapter)  USD  90,000
>>>>>> Total = *USD 440,000*
>>>>>>
>>>>>> Following the same sheet the following corporate memberships have not
>>>>>> been allocated by the sponsors. I would like to know how much money of the
>>>>>> USD 350,000 belongs to these unallocated
>>>>>>
>>>>>>    1. Autodesk, Inc.
>>>>>>    2. Blackhat US
>>>>>>    3. CA Technologies
>>>>>>    4. CDNetworks
>>>>>>    5. ClassDojo
>>>>>>    6. Coverity
>>>>>>    7. eLearn Security
>>>>>>    8. HERE North America, LLC.
>>>>>>    9. Johnson Controls, Inc.
>>>>>>    10. Rapid7
>>>>>>    11. Software Assurance Marketplace (SWAMP)
>>>>>>
>>>>>>
>>>>>> Each of these contributes USD 5000 (following the corporate
>>>>>> categories as they appear here:
>>>>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters).
>>>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>>>>
>>>>>> Big corporate memberships from 4 companies which do not appear in
>>>>>> that Google sheet have contributed ==> 4 x USD 20,000 = USD 80,000 ==>
>>>>>> where has this money been allocated?
>>>>>>
>>>>>>    1. Adobe
>>>>>>    2. Qualys
>>>>>>    3. HP
>>>>>>    4. Contrast
>>>>>>
>>>>>>
>>>>>> I would like to have a clarification of where exactly the money from
>>>>>> these corporate memberships is allocated, which in total (following these
>>>>>> calculations) accumulates to
>>>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members
>>>>>> have allocated.
>>>>>>
>>>>>> If it seems that part of the money goes to the community fund, then 140k
>>>>>> -60k = USD 80,000 is still open: where is this money being allocated to?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>>> Thanks Johanna, this is _really_ interesting.
>>>>>>> And that's a huge imbalance between the chapters and projects.
>>>>>>> Corporate members can obviously choose where their money goes, but
>>>>>>> maybe they are not aware they can choose projects (and if Eoin didn't know,
>>>>>>> that seems very likely!)
>>>>>>> How can we make the corporation more aware of this option?
>>>>>>> And how else can we redress this imbalance?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Simon
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> In 2013 corporate membership represented 33% of total income for
>>>>>>>> OWASP, as opposed to individual membership which represented only 13% of the
>>>>>>>> total income.
>>>>>>>>
>>>>>>>> In 2015 corporate membership (foundation+chapter) has a total
>>>>>>>> revenue of USD 350,000, as opposed to USD 90,000 from individual
>>>>>>>> memberships (again foundation+chapter), which is quite considerable:
>>>>>>>> OWASP Foundation Budget - 2015
>>>>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>> Basically all memberships are going to 'chapters'
>>>>>>>>
>>>>>>>> *If more than half of these donations (corporate membership) which I
>>>>>>>> highlighted in green have not been specified for any purpose, then how does
>>>>>>>> the foundation decide into which account that money goes? I would like an
>>>>>>>> answer on this. What I miss here is a breakdown of the amount and into
>>>>>>>> which budget these are being set.*
>>>>>>>>
>>>>>>>> *It seems that those memberships are going mostly to chapters and
>>>>>>>> some to some projects (highlighted in yellow) (ZAP + SAMM)*
>>>>>>>>
>>>>>>>>
>>>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>>>
>>>>>>>> Btw I cannot find the financial report of 2014; it seems it is
>>>>>>>> quite behind (since we are almost at the end of 2015).
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> One thing about membership donations to projects. Last week, the list
>>>>>>>>> of members was posted to the leaders list for the elections:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>>>
>>>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>>>> their donation to a project - in this case "mobile". I agree that at
>>>>>>>>> the point of joining many people might select a chapter at that time,
>>>>>>>>> but I am wondering if this is actually accurate? It doesn't feel
>>>>>>>>> correct that less than 0.1% select a project.
>>>>>>>>>
>>>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>>>> money.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>>>
>>>>>>>>> Is this a fault, and which members and projects have been affected by
>>>>>>>>> this? I wonder if it applies to all project allocation selections, or
>>>>>>>>> only after a change is requested? Why are there so many "blanks" and
>>>>>>>>> "none" in the list of membership, and what's the difference? How long
>>>>>>>>> has it been occurring?
>>>>>>>>>
>>>>>>>>> Colin
>>>>>>>>>
>>>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>>>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>>>> > one, when he first posted this on the Board and Governance list, that
>>>>>>>>> > I agreed with him 100%, but I just wanted to add some things.
>>>>>>>>> >
>>>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>>>> >> So starting a new one here as I think it's important for us to discuss.
>>>>>>>>> >> For background see:
>>>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>>>> >>
>>>>>>>>> >>
>>>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's put into
>>>>>>>>> >> reviewing the projects.
>>>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a whole have
>>>>>>>>> >> really benefited.
>>>>>>>>> >
>>>>>>>>> > Amen to that. And having been involved in one of the projects (ESAPI)
>>>>>>>>> > that was demoted from Flagship to Lab status, I know it's not always
>>>>>>>>> > an easy thing to receive the assessments that she and her team had
>>>>>>>>> > been doing, but we need to be professional about this and not shoot
>>>>>>>>> > the messenger. Certainly when it came to ESAPI, while I was
>>>>>>>>> > disappointed, I pretty much agreed with the project review
>>>>>>>>> > conclusions.
>>>>>>>>> >
>>>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>>>> >>
>>>>>>>>> >> I have a theory:
>>>>>>>>> >>
>>>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters are more
>>>>>>>>> >> important _to_them_ than the projects.
>>>>>>>>> >> Chapters are where we meet people, exchange ideas and learn things. They are
>>>>>>>>> >> social events.
>>>>>>>>> >
>>>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>>>> > chapter meetings but who are also actively involved with one or more
>>>>>>>>> > OWASP projects.
>>>>>>>>> >
>>>>>>>>> >> People outside OWASP think that the Projects are more important _to_them_
>>>>>>>>> >> than the Chapters.
>>>>>>>>> >> They don't go to chapter meetings, they might not even be aware of them.
>>>>>>>>> >> They use, or at least are aware of, the main OWASP projects, mostly the
>>>>>>>>> >> Flagship ones.
>>>>>>>>> >>
>>>>>>>>> >> Anyone agree or disagree?
>>>>>>>>> >
>>>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>>>> > like the edge case I mentioned above.
>>>>>>>>> >
>>>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>>>>>>>>> >>
>>>>>>>>> >> I think Chapters and Projects are fundamentally different 'beasts', and I've
>>>>>>>>> >> started and run both :)
>>>>>>>>> >>
>>>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>>>> >> You need to be based in a city with a thriving security and/or software
>>>>>>>>> >> industry.
>>>>>>>>> >> You need to spend time organising and publicising events, but it's not hard -
>>>>>>>>> >> you don't need specialized skills.
>>>>>>>>> >> It's relatively easy to find people prepared to speak, arrange rooms and help
>>>>>>>>> >> with other organisational things.
>>>>>>>>> >> It's something you can do in your spare time.
>>>>>>>>> >
>>>>>>>>> > One thing I'll add here. The fact that people can use their time spent
>>>>>>>>> > attending OWASP chapter meetings as CPEs toward some security
>>>>>>>>> > certification is also a big draw I think. In the past, we've even
>>>>>>>>> > attracted quite a few non-OWASP members because of this, or at least
>>>>>>>>> > that appeared to be their primary motivation as some of them would ask
>>>>>>>>> > our chapter leads to provide evidence of attendance for
>>>>>>>>> > their CPEs and we'd then discover that some of them were not OWASP
>>>>>>>>> > members (not that we made a big deal about that).
>>>>>>>>> >
>>>>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>>>> >
>>>>>>>>> >> Projects are much harder.
>>>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>>>> >> I'll focus on software projects (as I know much more about those) but I have
>>>>>>>>> >> no doubt documentation projects can be just as difficult.
>>>>>>>>> >> A professional software project is the result of the hard work of managers,
>>>>>>>>> >> designers, developers, QA, support, technical authors, sales and marketing
>>>>>>>>> >> (and probably others I've forgotten;).
>>>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up when you
>>>>>>>>> >> 'sunset' the project.
>>>>>>>>> >> Ok, so (non commercial) open source projects don't need sales staff, but they
>>>>>>>>> >> do need people doing all of the other roles. It's definitely _not_ just
>>>>>>>>> >> programming!
>>>>>>>>> >
>>>>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>>>>> >
>>>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>>>> > example, long ago, I noticed that people seem to ask more questions
>>>>>>>>> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users or
>>>>>>>>> > ESAPI-Dev mailing lists. I suspect that there are other forums
>>>>>>>>> > elsewhere that these things get discussed.
>>>>>>>>> >
>>>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>>>> >> Luckily we have the open source community, but that means a project leader
>>>>>>>>> >> needs another skill: community building!
>>>>>>>>> >
>>>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm not
>>>>>>>>> > particularly a people person nor do I have a lot of contacts beyond
>>>>>>>>> > the immediate colleagues that I work with, so when the current
>>>>>>>>> > volunteer pool dries up and stops contributing, the project tends to
>>>>>>>>> > die because of (at least in my case) the inability to find new
>>>>>>>>> > volunteers to help carry the project forward.
>>>>>>>>> >
>>>>>>>>> >> And to be honest most volunteers are developers (and security people for
>>>>>>>>> >> OWASP projects), it's very rare for people with other skills to get involved.
>>>>>>>>> >
>>>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>>>> > sometimes in our industry in that there's an unspoken perception of a
>>>>>>>>> > pecking order within the security community so that some of these very
>>>>>>>>> > important roles are greatly devalued (e.g., those who write
>>>>>>>>> > documentation or manage releases or do QA testing or provide project
>>>>>>>>> > management or other infrastructure support). And while we generally
>>>>>>>>> > don't come right out and express it, I think it's there and those who
>>>>>>>>> > might otherwise step up and fill those roles avoid the security
>>>>>>>>> > community for some other FOSS projects because they feel
>>>>>>>>> > under-appreciated.
>>>>>>>>> >
>>>>>>>>> >> I don't think it's something you can do in your spare time, at least for long
>>>>>>>>> >> (I did for a while, and my wife described herself as a "ZAP widow";)
>>>>>>>>> >
>>>>>>>>> > :D
>>>>>>>>> >
>>>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_ harder.
>>>>>>>>> >
>>>>>>>>> > Making free pizza and beer available at chapter meetings doesn't hurt!  :)
>>>>>>>>> >
>>>>>>>>> > We've also tried holding mini-hackathons at our local OWASP meetings
>>>>>>>>> > maybe once a year. It was interesting, but I can't say it was a
>>>>>>>>> > resounding success, because many there did not know the programming
>>>>>>>>> > language the project was written in and it took us an undue amount of
>>>>>>>>> > time just to get to the point where people got their IDE of choice
>>>>>>>>> > configured to pull the project from GitHub. Also probably about 1/2
>>>>>>>>> > of the regular attenders don't really program to any great extent at
>>>>>>>>> > all but rather consider themselves more of pen testers, so holding
>>>>>>>>> > these mini-hackathons effectively leaves out almost half of our
>>>>>>>>> > regular attendees so that's not going to be something that works as a
>>>>>>>>> > long term strategy.
>>>>>>>>> >
>>>>>>>>> >> I suspect OWASP as an organisation supports Chapters more effectively, but
>>>>>>>>> >> even if it supports both equally Projects don't get as much support as they
>>>>>>>>> >> need.
>>>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a whole)
>>>>>>>>> >> diminishing.
>>>>>>>>> >> If I'm right and people outside OWASP see the Projects as more important
>>>>>>>>> >> than the Chapters then this leads to the impression that OWASP is
>>>>>>>>> >> struggling.
>>>>>>>>> >>
>>>>>>>>> >> What do projects need?
>>>>>>>>> >> I don't think it's possible to maintain a 'significant' open source project
>>>>>>>>> >> unless you are able to spend the majority of your working day on it.
>>>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>>>> >> This is a significant investment for a company, and it's often difficult to
>>>>>>>>> >> justify this sort of investment. Especially if it's difficult to monetise
>>>>>>>>> >> OWASP projects.
>>>>>>>>> >
>>>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>>>> > previous company, I tried to convince my management to allocate about
>>>>>>>>> > eight hours a week from our entire team to contribute to ESAPI bug
>>>>>>>>> > fixing. It seemed a logical extension of our internal proprietary
>>>>>>>>> > security components class library which was not nearly as complete.
>>>>>>>>> > I was unable to convince my management and shortly afterwards, I
>>>>>>>>> > left that team (for unrelated reasons) and started working with a
>>>>>>>>> > team that had security experience that wouldn't easily translate to
>>>>>>>>> > ESAPI needs.  In fact, my experience was worse than that. None of my
>>>>>>>>> > colleagues ever decided to help out individually either. Not a big
>>>>>>>>> > deal; maybe it just wasn't their cup of tea or they had other
>>>>>>>>> > passions that they wanted to contribute to. But gathering recruits
>>>>>>>>> > willing to participate clearly takes skills and contacts that I
>>>>>>>>> > apparently do not possess in sufficient quantities. (Sometimes I
>>>>>>>>> > feel like I'm trying to sell screen doors for submarines. Sigh.)
>>>>>>>>> >
>>>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>>>> > evangelist role to keep looking for new contributors. One
>>>>>>>>> > reason (at least it's been my experience) is that KEEPING volunteers
>>>>>>>>> > for extended periods is even harder and by and large, I think if
>>>>>>>>> > we looked at the historical data of contributors across all OWASP
>>>>>>>>> > projects (say, based on commit history), that the data would bear
>>>>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>>>>> > is experienced by many FOSS projects.
>>>>>>>>> >
>>>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>>>> >> I think that's what it would take to build a thriving set of Projects.
>>>>>>>>> >> Is that something that could be done?
>>>>>>>>> >
>>>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>>>> > I'd rather not see it become necessary as I really don't want OWASP
>>>>>>>>> > to turn into a political organization where the project leaders are
>>>>>>>>> > forced to lobby for funding, and I fear that's what would happen. I
>>>>>>>>> > think also it would stifle innovation because new incubator projects
>>>>>>>>> > would likely all dry up (unless a certain amount of funds were
>>>>>>>>> > pre-allocated to them) as they likely couldn't compete against more
>>>>>>>>> > established projects.
>>>>>>>>> >
>>>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>>>> > somehow sell their own project-related schwag at conferences and such
>>>>>>>>> > and keep a percentage of the profits to use for their projects so that
>>>>>>>>> > they could then use that money however they saw fit (e.g., hiring a
>>>>>>>>> > technical writer to write project documentation for instance). But that
>>>>>>>>> > probably would not make a major impact in funding to a project,
>>>>>>>>> > especially if all the OWASP projects started doing it.
>>>>>>>>> >
>>>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
>>>>>>>>> >> that's been invaluable.
>>>>>>>>> >
>>>>>>>>> > I suppose that starts with a company that has a culture of strongly
>>>>>>>>> > contributing to FOSS. Most of us do not work for such companies. Most
>>>>>>>>> > work for companies who extensively rely on such software, but rarely
>>>>>>>>> > allow their companies to contribute to such things on company time
>>>>>>>>> > because they don't really see it as contributing directly to their
>>>>>>>>> > bottom line. (NOTE: I want to make clear that this is strictly my
>>>>>>>>> > personal opinion based on a [likely] biased observation and in no
>>>>>>>>> > way represents the official position of either my current nor any
>>>>>>>>> > of my previous employers. And they didn't even make me say that! :)
>>>>>>>>> >
>>>>>>>>> >> But I'd love to be able to employ some of the ZAP contributors to work full
>>>>>>>>> >> time on ZAP :)
>>>>>>>>> >> Would OWASP pay for that??
>>>>>>>>> >
>>>>>>>>> > Great question and I think you're not the only project that might
>>>>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>>>>> > for resources at Google Summer of Code and various OWASP code sprints,
>>>>>>>>> > and I fear if we increased OWASP funding to amounts needed to sustain
>>>>>>>>> > OWASP projects, it could lead to divisions in OWASP as people aligned
>>>>>>>>> > themselves with one project or another.
>>>>>>>>> >
>>>>>>>>> >> It would require much more 'project management' - the kind of things that
>>>>>>>>> >> people _think_ OWASP is doing, but it doesn't.
>>>>>>>>> >> I often see posts from people asking "why the hell is OWASP developing X".
>>>>>>>>> >> They seem to think that there's an OWASP committee that meets and goes "We
>>>>>>>>> >> think we should have project X". Whereas it's actually an individual coming
>>>>>>>>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>>>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>>>> >
>>>>>>>>> > Well, their perception could also be more of a notion of "why aren't
>>>>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>>>>>>>>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>>>>>>>>> > instead?" And truth be told, I've also asked that question myself, but
>>>>>>>>> > more because it was like "OWASP already has a project Z that does
>>>>>>>>> > almost exactly what project X is proposing. Why don't they just join
>>>>>>>>> > project Z instead of spinning off a similar project?".
>>>>>>>>> >
>>>>>>>>> > I think any of those, as well as your conjecture, are possible reasons
>>>>>>>>> > for them asking that question.
>>>>>>>>> >
>>>>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>>>>>>>>> >> from OWASP as to how ZAP should move forward.
>>>>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>>>>> >
>>>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>>>> >
>>>>>>>>> > JK. ;-)
>>>>>>>>> >
>>>>>>>>> >> OWASP does not really invest in projects. It does provide some support, but
>>>>>>>>> >> to be honest not a great deal.
>>>>>>>>> >> If we decided to invest significant amounts of money in projects then there
>>>>>>>>> >> would need to be real debate as to what we should invest in.
>>>>>>>>> >> And I realise that that's difficult, particularly as OWASP is supported by
>>>>>>>>> >> commercial organisations, and they won't want OWASP investing in projects
>>>>>>>>> >> that compete with their own offerings.
>>>>>>>>> >>
>>>>>>>>> >> There are other things that OWASP could do other than paying developers
>>>>>>>>> >> directly.
>>>>>>>>> >> We could spend much more effort encouraging companies to contribute to OWASP
>>>>>>>>> >> projects, especially by donating engineering effort.
>>>>>>>>> >> We could help projects with the 'non programming' aspects - documentation,
>>>>>>>>> >> testing, marketing etc.
>>>>>>>>> >> We could provide more advice and guidance - I don't want people to dictate
>>>>>>>>> >> where ZAP should be headed, but I'd love constructive feedback :)
>>>>>>>>> >
>>>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>>>> >
>>>>>>>>> > Most of that has been around getting people to help with the following
>>>>>>>>> > types of things:
>>>>>>>>> >     * Project documentation, most notably overall user manuals and FAQs
>>>>>>>>> >       and wiki entries.
>>>>>>>>> >     * Help with maven / pom.xml issues and release management in general
>>>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>>>> >     * Someone willing to be a sounding board for proposed design changes
>>>>>>>>> >
>>>>>>>>> > As I've reflected about it, one of the things that I've noted is that
>>>>>>>>> > many of these are specialities that are cross-cutting across many
>>>>>>>>> > OWASP projects.
>>>>>>>>> >
>>>>>>>>> > I think one way that we might be able to address some of these
>>>>>>>>> > concerns is to create a Subject Matter Expert list of people who would
>>>>>>>>> > be willing to volunteer to help out projects by contributing a few
>>>>>>>>> > hours here or there. For starters, I am more than willing to put my name
>>>>>>>>> > into the hat and be willing to contribute as an applied cryptography
>>>>>>>>> > SME for any projects that have crypto related questions or maybe need
>>>>>>>>> > some crypto code reviewed by a fresh pair of eyes (at least as long as
>>>>>>>>> > it's written in a programming language I'm familiar with). Of course,
>>>>>>>>> > the irony of it is that likely would require a new OWASP project to
>>>>>>>>> > maintain that OWASP SME list. (Not it! :)
>>>>>>>>> >
>>>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>>>> >
>>>>>>>>> > Trust me, I've written more than my share!
>>>>>>>>> >
>>>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>>>> >
>>>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>>>> >
>>>>>>>>> > -kevin
>>>>>>>>> > --
>>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>>> > _______________________________________________
>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>