[Owasp-board] [Owasp-leaders] Projects Vs Chapters

johanna curiel curiel johanna.curiel at owasp.org
Tue Sep 15 17:06:17 UTC 2015


Josh, I agree. But this way of getting money through crowdsourcing will
also imply a responsibility for the project leader.

On Tue, Sep 15, 2015 at 1:02 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I wasn't really even thinking about grants when I said that.  There are a
> lot of restrictions around grants that can make them challenging to both
> procure and support.  My line of thinking was more around a "crowdfunding"
> type of model.  A project could put up a list of features and cost
> estimates and have users vote on what would be most valuable to them.
> Then, put out a call for funding to see if the community would be willing
> to support the initiative by contributing to it.  OWASP would still need to
> handle the money in order to ensure that the work was done before it got
> paid out and wasn't fraudulent, but it might be a way to gain funding for
> projects via the people who are actually using them.
>
> ~josh
>
> On Tue, Sep 15, 2015 at 11:45 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> This is often very difficult to pull off in open source projects for all
>> but the most mature and staffed projects. Folks are volunteering and work
>> when they can.
>>
>> Jim, when requesting this kind of funds the project leader:
>>
>>    - Can work full time on the project and be able to deliver or
>>    - Can hire a developer to work full time on the project
>>
>>
>> We need to differentiate responsibilities when you want to get funds:
>>
>> Whether you never ask for funds and keep on working as you do
>> (part-time/sporadically),
>> or want to pull off some serious features and need to dedicate time and
>> resources.
>>
>> But a leader cannot get grant funds or money and then not deliver; in
>> that case he had better not consider the option of asking for funds, as it
>> involves a responsibility.
>>
>> Funds could, however, be granted for other activities such as promotion
>> (brochure, layout work).
>>
>> Regards
>>
>> Johanna
>>
>> On Tue, Sep 15, 2015 at 12:28 PM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>>
>>> > ....leaders provide a plan of the features that will be created with
>>> the funds and at the end, the results obtained.
>>>
>>> This is often very difficult to pull off in open source projects for all
>>> but the most mature and staffed projects. Folks are volunteering and work
>>> when they can. To start asking for specific feature commitments done at
>>> specific times for specific financial donations is often a path to
>>> disappointment in the open source world. Caution!
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>> On Sep 15, 2015, at 9:22 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>> Hi Josh
>>>
>>> Yes, an example is how grant funds work. When corporations or people
>>> make donations or part of a grant, the features that will be built must
>>> be defined. This makes it transparent and clear for the persons doing
>>> the donations or through grant funds.
>>> If we create a pool where projects could make use of it, then it is
>>> expected that leaders provide a plan of the features that will be created
>>> with the funds and, at the end, the results obtained.
>>>
>>> Johanna
>>> On Tuesday, September 15, 2015, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> Maybe this is a stupid question, but has anyone considered
>>>> experimenting with a funding model using the project itself?  Maybe try to
>>>> raise additional funds by having a paid support option or say if you can
>>>> raise $X in donations you'll develop Y feature(s)?  The devil is in the
>>>> details, but that might be a project-centric way to raise money that a
>>>> chapter wouldn't even have the option to do.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Sep 14, 2015 at 12:22 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> For reference, the 2015 budget shows OWASP at a loss of around $105k
>>>>> for the year.  Not an issue given the funds currently in reserves, but we
>>>>> did budget to spend more than we brought in so there's not a ton of room to
>>>>> work with there unless we add revenue or eliminate expenses.
>>>>>
>>>>> Agreed, I also noticed this. The activities I'm proposing won't be that
>>>>> high cost, especially compared to the actual costs of setting up events,
>>>>> but I think a strategy where project leaders can proactively generate
>>>>> funds for their own project is a step towards developing them better.
>>>>>
>>>>>
>>>>> On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> The Board should be reviewing the budget for 2016 in the next few
>>>>>> months so it is an excellent time to make such a proposal.  We just need to
>>>>>> know what kinds of activities we are looking at and how much we need to
>>>>>> make them happen.  We can then look at anticipated revenue vs expenses in
>>>>>> order to determine if there is room in the budget to make it happen.  For
>>>>>> reference, the 2015 budget shows OWASP at a loss of around $105k for the
>>>>>> year.  Not an issue given the funds currently in reserves, but we did
>>>>>> budget to spend more than we brought in so there's not a ton of room to
>>>>>> work with there unless we add revenue or eliminate expenses.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Hi Josh
>>>>>>>
>>>>>>> I have taken the work to extract from the 2015 budget where the
>>>>>>> major OWASP costs are:
>>>>>>> Total revenue projected for 2015 is USD 2,540,667.00
>>>>>>>
>>>>>>> From this:
>>>>>>>
>>>>>>> Cost Salaries and Contractors 2015 OWASP
>>>>>>>   Employees salaries                         342,237.82
>>>>>>>   Bonus and commission                        38,600.00
>>>>>>> Contractors & Professional services
>>>>>>>   Virtual fin fee                             32,000.00
>>>>>>>   Accounting KPMG                              4,000.00
>>>>>>>   Int Accounting KPMG EU                       9,000.00
>>>>>>>   Qtrly VAT by Country                        14,489.00
>>>>>>>   Virtual Executive Director/HR Contractor     8,700.00
>>>>>>>   Virtual - HR Hosting & fees                 12,000.00
>>>>>>>   IT Admin                                    10,000.00
>>>>>>>   Legal Contractor                             7,200.00
>>>>>>>   Graphic Designer                             7,200.00
>>>>>>>   Events Manager                              72,000.00
>>>>>>> Total                                         557,426.82
>>>>>>> Percentage from total revenue                     21.94%
>>>>>>>
>>>>>>> Cost Conferences 2015 (in USD Dollars)
>>>>>>>   APPSEC US                                 $935,557.00
>>>>>>>   APPSEC EU                                 $241,510.00
>>>>>>>   APPSEC ASIA                                $25,000.00
>>>>>>>   APPSEC LATAM                                     7500
>>>>>>>   Local & Regional Events                   $115,000.00
>>>>>>> Total in events                             $1,209,567.00
>>>>>>> Percentage from revenue                            47.61%
>>>>>>>
>>>>>>> As I can see, there are many expenses involved in operations and
>>>>>>> creating events (that will sum up to around 70% of the OWASP expenses).
>>>>>>>
>>>>>>> >In response to Paul:
>>>>>>> For 2016 planning, I'm encouraged by all the interest demonstrated
>>>>>>> by these emails, as we adjust our 2016 Budget to reflect the community
>>>>>>> priorities.
>>>>>>>
>>>>>>> I would like to propose a fixed budget for certain activities. I
>>>>>>> believe Claudia was also busy with that part for the Project Summits, but
>>>>>>> also for helping promote projects and training for leaders.
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Johanna,
>>>>>>>>
>>>>>>>> I was really hoping that Fabio, as current Treasurer, would wade
>>>>>>>> into this conversation, but since he hasn't I will as Treasurer last year.
>>>>>>>>
>>>>>>>> The short answer to your questions is that OWASP receives money
>>>>>>>> from many different sources.  Conferences, grants, donations, and yes,
>>>>>>>> membership.  OWASP also has many expenses that aren't solely covered by
>>>>>>>> "project expenses" or "chapter expenses".  Money that isn't pre-allocated
>>>>>>>> to something specific like that ends up in the OWASP funds pool and gets
>>>>>>>> budgeted to be used for other expenses.  Our paid staff is probably the top
>>>>>>>> expense where that is concerned, but there are many other things that OWASP
>>>>>>>> spends money on as well.  The OWASP budget should be publicly available and
>>>>>>>> I know that the OWASP staff is currently working on the 2014 report which
>>>>>>>> should be released any day now.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> >How can we make the corporation more aware of this option?
>>>>>>>>>
>>>>>>>>> I would like to see first a clarification on *where* the money from
>>>>>>>>> corporate memberships that have not made any choices is allocated
>>>>>>>>> right now.
>>>>>>>>>
>>>>>>>>> The community fund is USD 60,000 a year and this is not only for
>>>>>>>>> projects but for everything to do with the community.
>>>>>>>>>
>>>>>>>>> So far the total in memberships, between corporate and individual
>>>>>>>>> memberships, is:
>>>>>>>>>
>>>>>>>>> Corporate memberships (foundation + chapter)   USD 350,000
>>>>>>>>> Individual membership (foundation + chapter)   USD  90,000
>>>>>>>>> Total                                          USD 440,000
>>>>>>>>>
>>>>>>>>> Following the same sheet, the following corporate memberships have
>>>>>>>>> not been allocated by the sponsors. I would like to know how much money of
>>>>>>>>> the USD 350,000 belongs to these unallocated ones:
>>>>>>>>>
>>>>>>>>>    1. Autodesk, Inc.
>>>>>>>>>    2. Blackhat US
>>>>>>>>>    3. CA Technologies
>>>>>>>>>    4. CDNetworks
>>>>>>>>>    5. ClassDojo
>>>>>>>>>    6. Coverity
>>>>>>>>>    7. eLearn Security
>>>>>>>>>    8. HERE North America, LLC.
>>>>>>>>>    9. Johnson Controls, Inc.
>>>>>>>>>    10. Rapid7
>>>>>>>>>    11. Software Assurance Marketplace (SWAMP)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Each of these contributes USD 5,000 (following the corporate
>>>>>>>>> categories as they appear here:
>>>>>>>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters
>>>>>>>>> ).
>>>>>>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>>>>>>>
>>>>>>>>> Big corporate memberships from 4 companies which do not appear
>>>>>>>>> in that Google sheet have contributed 4 x USD 20,000 = USD 80,000.
>>>>>>>>> Where has this money been allocated?
>>>>>>>>>
>>>>>>>>>    1. Adobe
>>>>>>>>>    2. Qualys
>>>>>>>>>    3. HP
>>>>>>>>>    4. Contrast
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I would like to have a clarification of where exactly the money
>>>>>>>>> from these corporate memberships is allocated, which in total (following
>>>>>>>>> this calculation) accumulates to
>>>>>>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate
>>>>>>>>> members have allocated.
>>>>>>>>>
>>>>>>>>> If part of the money goes to the community fund, then
>>>>>>>>> 140k - 60k = USD 80,000 is still open: where is this money being
>>>>>>>>> allocated to?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Thanks Johanna, this is _really_ interesting.
>>>>>>>>>> And that's a huge imbalance between the chapters and projects.
>>>>>>>>>> Corporate members can obviously choose where their money goes,
>>>>>>>>>> but maybe they are not aware they can choose projects (and if Eoin didn't
>>>>>>>>>> know, that seems very likely!)
>>>>>>>>>> How can we make the corporation more aware of this option?
>>>>>>>>>> And how else can we redress this imbalance?
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Simon
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <
>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> In 2013 corporate membership represented 33% of total income for
>>>>>>>>>>> OWASP, as opposed to individual membership which represented only 13% of
>>>>>>>>>>> the total income.
>>>>>>>>>>>
>>>>>>>>>>> In 2015 corporate membership (foundation + chapter) has a total
>>>>>>>>>>> revenue of USD 350,000, as opposed to USD 90,000 from individual
>>>>>>>>>>> memberships (again foundation + chapter), which is quite considerable:
>>>>>>>>>>> OWASP Foundation Budget - 2015
>>>>>>>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>>>>>>>
>>>>>>>>>>> Basically all memberships are going to 'chapters'
>>>>>>>>>>>
>>>>>>>>>>> *If more than half of these donations (corporate membership),
>>>>>>>>>>> which I highlighted in green, have not been specified for any purpose, then
>>>>>>>>>>> how does the foundation decide into which account that money goes? I would
>>>>>>>>>>> like an answer on this. What I miss here is a breakdown of the amount and
>>>>>>>>>>> into which budget these are being set.*
>>>>>>>>>>>
>>>>>>>>>>> *It seems that those memberships are going mostly to chapters
>>>>>>>>>>> and some to some projects (highlighted in yellow) (ZAP + SAMM)*
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>>>>>>
>>>>>>>>>>> Btw, I cannot find the financial report of 2014; it seems to be
>>>>>>>>>>> quite behind (since we are almost at the end of 2015).
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <
>>>>>>>>>>> colin.watson at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> One thing about membership donations to projects. Last week, the
>>>>>>>>>>>> list of members was posted to the leaders list for the elections:
>>>>>>>>>>>>
>>>>>>>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>>>>>>
>>>>>>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>>>>>>> their donation to a project - in this case "mobile". I agree that at
>>>>>>>>>>>> the point of joining many people might select a chapter at that time,
>>>>>>>>>>>> but I am wondering if this is actually accurate? It doesn't feel
>>>>>>>>>>>> correct that less than 0.1% select a project.
>>>>>>>>>>>>
>>>>>>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>>>>>>> money.
>>>>>>>>>>>>
>>>>>>>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>>>>>>
>>>>>>>>>>>> Is this a fault, and which members and projects have been affected
>>>>>>>>>>>> by this? I wonder if it applies to all project allocation selections,
>>>>>>>>>>>> or only after a change is requested? Why are there so many "blanks"
>>>>>>>>>>>> and "none" in the list of membership, and what's the difference? How
>>>>>>>>>>>> long has it been occurring?
>>>>>>>>>>>>
>>>>>>>>>>>> Colin
>>>>>>>>>>>>
>>>>>>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <
>>>>>>>>>>>> kevin.w.wall at gmail.com> wrote:
>>>>>>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>>>>>>> > one, when he first posted this on the Board and Governance list,
>>>>>>>>>>>> > that I agreed with him 100%, but I just wanted to add some things.
>>>>>>>>>>>> >
>>>>>>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>>>>>>> >> So starting a new one here as I think it's important for us to
>>>>>>>>>>>> >> discuss.
>>>>>>>>>>>> >> For background see:
>>>>>>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's
>>>>>>>>>>>> >> put into reviewing the projects.
>>>>>>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a
>>>>>>>>>>>> >> whole have really benefited.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Amen to that. And having been involved in one of the projects
>>>>>>>>>>>> > (ESAPI) that was demoted from Flagship to Lab status, I know it's
>>>>>>>>>>>> > not always an easy thing to receive the assessments that she and
>>>>>>>>>>>> > her team had been doing, but we need to be professional about this
>>>>>>>>>>>> > and not shoot the messenger. Certainly when it came to ESAPI,
>>>>>>>>>>>> > while I was disappointed, I pretty much agreed with the project
>>>>>>>>>>>> > review conclusions.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> I have a theory:
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters
>>>>>>>>>>>> >> are more important _to_them_ than the projects.
>>>>>>>>>>>> >> Chapters are where we meet people, exchange ideas and learn
>>>>>>>>>>>> >> things. They are social events.
>>>>>>>>>>>> >
>>>>>>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>>>>>>> > chapter meetings but who are also actively involved with one or
>>>>>>>>>>>> > more OWASP projects.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> People outside OWASP think that the Projects are more important
>>>>>>>>>>>> >> _to_them_ than the Chapters.
>>>>>>>>>>>> >> They don't go to chapter meetings, they might not even be aware
>>>>>>>>>>>> >> of them.
>>>>>>>>>>>> >> They use, or at least are aware of, the main OWASP projects,
>>>>>>>>>>>> >> mostly the Flagship ones.
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> Anyone agree or disagree?
>>>>>>>>>>>> >
>>>>>>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>>>>>>> > like the edge case I mentioned above.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc
>>>>>>>>>>>> >> etc ;)
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> I think Chapters and Projects are fundamentally different
>>>>>>>>>>>> >> 'beasts', and I've started and run both :)
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>>>>>>> >> You need to be based in a city with a thriving security and/or
>>>>>>>>>>>> >> software industry.
>>>>>>>>>>>> >> You need to spend time organising and publicising events, but
>>>>>>>>>>>> >> it's not hard - you don't need specialized skills.
>>>>>>>>>>>> >> It's relatively easy to find people prepared to speak, arrange
>>>>>>>>>>>> >> rooms and help with other organisational things.
>>>>>>>>>>>> >> It's something you can do in your spare time.
>>>>>>>>>>>> >
>>>>>>>>>>>> > One thing I'll add here. The fact that people can use their time
>>>>>>>>>>>> > spent attending OWASP chapter meetings as CPEs toward some
>>>>>>>>>>>> > security certification is also a big draw I think. In the past,
>>>>>>>>>>>> > we've even attracted quite a few non-OWASP members because of
>>>>>>>>>>>> > this, or at least that appeared to be their primary motivation, as
>>>>>>>>>>>> > some of them would ask our chapter leads to provide evidence of
>>>>>>>>>>>> > attendance for their CPEs and we'd then discover that some of them
>>>>>>>>>>>> > were not OWASP members (not that we made a big deal about that).
>>>>>>>>>>>> >
>>>>>>>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> Projects are much harder.
>>>>>>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>>>>>>> >> I'll focus on software projects (as I know much more about
>>>>>>>>>>>> >> those) but I have no doubt documentation projects can be just as
>>>>>>>>>>>> >> difficult.
>>>>>>>>>>>> >> A professional software project is the result of the hard work
>>>>>>>>>>>> >> of managers, designers, developers, QA, support, technical
>>>>>>>>>>>> >> authors, sales and marketing (and probably others I've
>>>>>>>>>>>> >> forgotten;).
>>>>>>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up
>>>>>>>>>>>> >> when you 'sunset' the project.
>>>>>>>>>>>> >> Ok, so (non commercial) open source projects don't need sales
>>>>>>>>>>>> >> staff, but they do need people doing all of the other roles.
>>>>>>>>>>>> >> It's definitely _not_ just programming!
>>>>>>>>>>>> >
>>>>>>>>>>>> > If anything, usually people are not that keen on doing those
>>>>>>>>>>>> > other needed roles, such as project documentation, QA,
>>>>>>>>>>>> > buildmeister, etc.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>>>>>>> > example, long ago, I noticed that people seem to ask more
>>>>>>>>>>>> > questions on Stack Exchange about ESAPI than they do on either the
>>>>>>>>>>>> > ESAPI-Users or ESAPI-Dev mailing lists. I suspect that there are
>>>>>>>>>>>> > other forums elsewhere where these things get discussed.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>>>>>>> >> Luckily we have the open source community, but that means a
>>>>>>>>>>>> >> project leader needs another skill: community building!
>>>>>>>>>>>> >
>>>>>>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm
>>>>>>>>>>>> > not particularly a people person nor do I have a lot of contacts
>>>>>>>>>>>> > beyond the immediate colleagues that I work with, so when the
>>>>>>>>>>>> > current volunteer pool dries up and stops contributing, the
>>>>>>>>>>>> > project tends to die because of (at least in my case) the
>>>>>>>>>>>> > inability to find new volunteers to help carry the project
>>>>>>>>>>>> > forward.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> And to be honest most volunteers are developers (and security
>>>>>>>>>>>> >> people for OWASP projects), it's very rare for people with other
>>>>>>>>>>>> >> skills to get involved.
>>>>>>>>>>>> >
>>>>>>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>>>>>>> > sometimes in our industry in that there's an unspoken perception
>>>>>>>>>>>> > of a pecking order within the security community so that some of
>>>>>>>>>>>> > these very important roles are greatly devalued (e.g., those who
>>>>>>>>>>>> > write documentation or manage releases or do QA testing or
>>>>>>>>>>>> > provide project management or other infrastructure support). And
>>>>>>>>>>>> > while we generally don't come right out and express it, I think
>>>>>>>>>>>> > it's there and those who might otherwise step up and fill those
>>>>>>>>>>>> > roles avoid the security community for some other FOSS projects
>>>>>>>>>>>> > because they feel under-appreciated.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> I don't think it's something you can do in your spare time, at
>>>>>>>>>>>> >> least for long (I did for a while, and my wife described herself
>>>>>>>>>>>> >> as a "ZAP widow";)
>>>>>>>>>>>> >
>>>>>>>>>>>> > :D
>>>>>>>>>>>> >
>>>>>>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_
>>>>>>>>>>>> >> harder.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Making free pizza and beer available at chapter meetings doesn't
>>>>>>>>>>>> > hurt!  :)
>>>>>>>>>>>> >
>>>>>>>>>>>> > We've also tried holding mini-hackathons at our local OWASP
>>>>>>>>>>>> > meetings maybe once a year. It was interesting, but I can't say
>>>>>>>>>>>> > it was a resounding success, because many there did not know the
>>>>>>>>>>>> > programming language the project was written in and it took us an
>>>>>>>>>>>> > undue amount of time just to get to the point where people got
>>>>>>>>>>>> > their IDE of choice configured to pull the project from GitHub.
>>>>>>>>>>>> > Also probably about 1/2 of the regular attenders don't really
>>>>>>>>>>>> > program to any great extent at all but rather consider themselves
>>>>>>>>>>>> > more pen testers, so holding these mini-hackathons effectively
>>>>>>>>>>>> > leaves out almost half of our regular attendees so that's not
>>>>>>>>>>>> > going to be something that works as a long term strategy.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> I suspect OWASP as an organisation supports Chapters more
>>>>>>>>>>>> >> effectively, but even if it supports both equally Projects don't
>>>>>>>>>>>> >> get as much support as they need.
>>>>>>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a
>>>>>>>>>>>> >> whole) diminishing.
>>>>>>>>>>>> >> If I'm right and people outside OWASP see the Projects as more
>>>>>>>>>>>> >> important than the Chapters then this leads to the impression
>>>>>>>>>>>> >> that OWASP is struggling.
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> What do projects need?
>>>>>>>>>>>> >> I don't think it's possible to maintain a 'significant' open
>>>>>>>>>>>> >> source project unless you are able to spend the majority of your
>>>>>>>>>>>> >> working day on it.
>>>>>>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>>>>>>> >> This is a significant investment for a company, and it's often
>>>>>>>>>>>> >> difficult to justify this sort of investment. Especially if it's
>>>>>>>>>>>> >> difficult to monetise OWASP projects.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>>>>>>> > previous company, I tried to convince my management to allocate
>>>>>>>>>>>> > about eight hours a week from our entire team to contribute to
>>>>>>>>>>>> > ESAPI bug fixing. It seemed a logical extension of our internal
>>>>>>>>>>>> > proprietary security components class library, which was not
>>>>>>>>>>>> > nearly as complete. I was unable to convince my management and
>>>>>>>>>>>> > shortly afterwards I left that team (for unrelated reasons) and
>>>>>>>>>>>> > started working with a team that had security experience that
>>>>>>>>>>>> > wouldn't easily translate to ESAPI needs. In fact, my experience
>>>>>>>>>>>> > was worse than that. None of my colleagues ever decided to help
>>>>>>>>>>>> > out individually either. Not a big deal; maybe it just wasn't
>>>>>>>>>>>> > their cup of tea or they had other passions that they wanted to
>>>>>>>>>>>> > contribute to. But gathering recruits willing to participate
>>>>>>>>>>>> > clearly takes skills and contacts that I apparently do not
>>>>>>>>>>>> > possess in sufficient quantities. (Sometimes I feel like I'm
>>>>>>>>>>>> > trying to sell screen doors for submarines. Sigh.)
>>>>>>>>>>>> >
>>>>>>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>>>>>>> > evangelist role to keep looking for new contributors. One reason
>>>>>>>>>>>> > (at least it's been my experience) is that KEEPING volunteers for
>>>>>>>>>>>> > extended periods is even harder and, by and large, I think if we
>>>>>>>>>>>> > looked at the historical data of contributors across all OWASP
>>>>>>>>>>>> > projects (say, based on commit history), the data would bear that
>>>>>>>>>>>> > out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>>>>>>>> > is experienced by many FOSS projects.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>>>>>>> >> I think that's what it would take to build a thriving set of
>>>>>>>>>>>> >> Projects.
>>>>>>>>>>>> >> Is that something that could be done?
>>>>>>>>>>>> >
>>>>>>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>>>>>>> > I'd rather not see it become necessary as I really don't want
>>>>>>>>>>>> > OWASP to turn into a political organization where the project
>>>>>>>>>>>> > leaders are forced to lobby for funding, and I fear that's what
>>>>>>>>>>>> > would happen. I think also it would stifle innovation because new
>>>>>>>>>>>> > incubator projects would likely all dry up (unless a certain
>>>>>>>>>>>> > amount of funds were pre-allocated to them) as they likely
>>>>>>>>>>>> > couldn't compete against more established projects.
>>>>>>>>>>>> >
>>>>>>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>>>>>>> > somehow sell their own project-related schwag at conferences and
>>>>>>>>>>>> > such and keep a percentage of the profits to use for their
>>>>>>>>>>>> > projects so that they could then use that money however they saw
>>>>>>>>>>>> > fit (e.g., hiring a technical writer to write project
>>>>>>>>>>>> > documentation for instance). But that probably would not make a
>>>>>>>>>>>> > major impact in funding to a project, especially if all the OWASP
>>>>>>>>>>>> > projects started doing it.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time
>>>>>>>>>>>> working on ZAP, and
>>>>>>>>>>>> >> thats been invaluable.
>>>>>>>>>>>> >
>>>>>>>>>>>> > I suppose that starts with a company that has a culture of
>>>>>>>>>>>> strongly
>>>>>>>>>>>> > contributing to FOSS. Most of us do not work for such
>>>>>>>>>>>> companies. Most
>>>>>>>>>>>> > work for companies who extensively rely on such software, but
>>>>>>>>>>>> rarely
>>>>>>>>>>>> > allow their companies to contribute to such things on company
>>>>>>>>>>>> time
>>>>>>>>>>>> > because they don't really see it as contributing directly to
>>>>>>>>>>>> their
>>>>>>>>>>>> > bottom line. (NOTE: I want to make clear that this is
>>>>>>>>>>>> strictly my
>>>>>>>>>>>> > personal opinion based of a [likely] biased observation and
>>>>>>>>>>>> in no
>>>>>>>>>>>> > way represents the official position of either my current nor
>>>>>>>>>>>> any
>>>>>>>>>>>> > of my previous employers. And they didn't even make me say
>>>>>>>>>>>> that! :)
>>>>>>>>>>>> >
>>>>>>>>>>>> >> But I'd love to be able to employ some of the ZAP
>>>>>>>>>>>> contributors to work full
>>>>>>>>>>>> >> time on ZAP :)
>>>>>>>>>>>> >> Would OWASP pay for that??
>>>>>>>>>>>> >
>>>>>>>>>>>> > Great question and I think you're not the only project that
>>>>>>>>>>>> might
>>>>>>>>>>>> > benefit from that. Although, if that means lobbying for funds
>>>>>>>>>>>> by
>>>>>>>>>>>> > competing against other OWASP projects, them I'm out because I
>>>>>>>>>>>> > just don't have the stomach for that. It gets bad enough
>>>>>>>>>>>> competing
>>>>>>>>>>>> > for resources at Google Summer of Code and various OWASP code
>>>>>>>>>>>> sprints,
>>>>>>>>>>>> > and I fear if we increased OWASP funding to amounts needed to
>>>>>>>>>>>> sustain
>>>>>>>>>>>> > OWASP projects, it could lead to divisions in OWASP as people
>>>>>>>>>>>> aligned
>>>>>>>>>>>> > themselves with one project or another.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> It would require much more 'project management' - the kind of things that
>>>>>>>>>>>> >> people _think_ OWASP is doing, but it doesn't.
>>>>>>>>>>>> >> I often see posts from people asking "why the hell is OWASP developing X".
>>>>>>>>>>>> >> They seem to think that there's an OWASP committee that meets and goes "We
>>>>>>>>>>>> >> think we should have project X". Whereas it's actually an individual coming
>>>>>>>>>>>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>>>>>>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Well, their perception could also be more of a notion of "why aren't
>>>>>>>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>>>>>>>>>>>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>>>>>>>>>>>> > instead?" And truth be told, I've also asked that question myself, but
>>>>>>>>>>>> > more because it was like "OWASP already has a project Z that does
>>>>>>>>>>>> > almost exactly what project X is proposing. Why don't they just join
>>>>>>>>>>>> > project Z instead of spinning off a similar project?".
>>>>>>>>>>>> >
>>>>>>>>>>>> > I think any of those, as well as your conjecture, are possible reasons
>>>>>>>>>>>> > for them asking that question.
>>>>>>>>>>>> >
>>>>>>>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>>>>>>>>>>>> >> from OWASP as to how ZAP should move forward.
>>>>>>>>>>>> >> Note that I'm _really_ not complaining about that ;)
>>>>>>>>>>>> >
>>>>>>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>>>>>>> >
>>>>>>>>>>>> > JK. ;-)
>>>>>>>>>>>> >
>>>>>>>>>>>> >> OWASP does not really invest in projects. It does provide some support, but
>>>>>>>>>>>> >> to be honest not a great deal.
>>>>>>>>>>>> >> If we decided to invest significant amounts of money in projects then there
>>>>>>>>>>>> >> would need to be real debate as to what we should invest in.
>>>>>>>>>>>> >> And I realise that that's difficult, particularly as OWASP is supported by
>>>>>>>>>>>> >> commercial organisations, and they won't want OWASP investing in projects
>>>>>>>>>>>> >> that compete with their own offerings.
>>>>>>>>>>>> >>
>>>>>>>>>>>> >> There are other things that OWASP could do other than paying developers
>>>>>>>>>>>> >> directly.
>>>>>>>>>>>> >> We could spend much more effort encouraging companies to contribute to OWASP
>>>>>>>>>>>> >> projects, especially by donating engineering effort.
>>>>>>>>>>>> >> We could help projects with the 'non programming' aspects - documentation,
>>>>>>>>>>>> >> testing, marketing etc.
>>>>>>>>>>>> >> We could provide more advice and guidance - I don't want people to dictate
>>>>>>>>>>>> >> where ZAP should be headed, but I'd love constructive feedback :)
>>>>>>>>>>>> >
>>>>>>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>>>>>>> >
>>>>>>>>>>>> > Most of that has been around getting people to help with the following
>>>>>>>>>>>> > types of things:
>>>>>>>>>>>> >     * Project documentation, most notably overall user manuals and FAQs
>>>>>>>>>>>> >       and wiki entries.
>>>>>>>>>>>> >     * Help with maven / pom.xml issues and release management in general
>>>>>>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>>>>>>> >     * Someone willing to be a sounding board for proposed design changes
>>>>>>>>>>>> >
>>>>>>>>>>>> > As I've reflected about it, one of the things that I've noted is that
>>>>>>>>>>>> > many of these are specialities that are cross-cutting across many
>>>>>>>>>>>> > OWASP projects.
>>>>>>>>>>>> >
>>>>>>>>>>>> > I think one way that we might be able to address some of these
>>>>>>>>>>>> > concerns is to create a Subject Matter Expert list of people who would
>>>>>>>>>>>> > be willing to volunteer to help out projects by contributing a few
>>>>>>>>>>>> > hours here or there. For starters, I am more than willing to put my name
>>>>>>>>>>>> > into the hat and be willing to contribute as an applied cryptography
>>>>>>>>>>>> > SME for any projects that have crypto related questions or maybe need
>>>>>>>>>>>> > some crypto code reviewed by a fresh pair of eyes (at least as long as
>>>>>>>>>>>> > it's written in a programming language I'm familiar with). Of course,
>>>>>>>>>>>> > the irony of it is that that would likely require a new OWASP project to
>>>>>>>>>>>> > maintain that OWASP SME list. (Not it! :)
>>>>>>>>>>>> >
>>>>>>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>>>>>>> >
>>>>>>>>>>>> > Trust me, I've written more than my share!
>>>>>>>>>>>> >
>>>>>>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>>>>>>> >
>>>>>>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>>>>>>> >
>>>>>>>>>>>> > -kevin
>>>>>>>>>>>> > --
>>>>>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Owasp-board mailing list
>>>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>>> --
>>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2015-09-07 08.07.40.png
Type: image/png
Size: 117046 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150915/1ae6613c/attachment-0001.png>