[Owasp-board] [Owasp-leaders] Projects Vs Chapters

Josh Sokol josh.sokol at owasp.org
Tue Sep 15 17:18:55 UTC 2015


Love the idea Simon!  I am excited to see how this model works out for ZAP.

~josh

On Tue, Sep 15, 2015 at 12:07 PM, psiinon <psiinon at gmail.com> wrote:

> We've essentially started doing that with ZAP:
> https://www.bountysource.com/teams/zap :)
> I'm paying for one of the key ZAP contributors to work on some really
> important features out of ZAP funds via that site.
> If that works well then I plan to have a funding push so that I can
> get more work done that way.
>
> Cheers,
>
> Simon
>
> On Tue, Sep 15, 2015 at 6:02 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> I wasn't really even thinking about grants when I said that.  There are a
>> lot of restrictions around grants that can make them challenging to both
>> procure and support.  My line of thinking was more around a "crowdfunding"
>> type of model.  A project could put up a list of features and cost
>> estimates and have users vote on what would be most valuable to them.
>> Then, put out a call for funding to see if the community would be willing
>> to support the initiative by contributing to it.  OWASP would still need to
>> handle the money in order to ensure that the work was done before it got
>> paid out and wasn't fraudulent, but it might be a way to gain funding for
>> projects via the people who are actually using them.
>>
>> ~josh
>>
>> On Tue, Sep 15, 2015 at 11:45 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> This is often very difficult to pull off in open source projects for all
>>> but the most mature and staffed projects. Folks are volunteering and work
>>> when they can.
>>>
>>> Jim, when requesting this kind of funds the project leader:
>>>
>>>    - Can work full time on the project and be able to deliver or
>>>    - Can hire a developer to work full time on the project
>>>
>>>
>>> We need to differentiate responsibilities when you want to get funds
>>>
>>> Whether you never ask for funds and keep on working as you do
>>> (part-time/sporadically)
>>> Or want to pull off some serious features and need to dedicate time and
>>> resources
>>>
>>> But, a leader cannot get grant funds or money and then not deliver, in
>>> that case he better does not consider the option for asking for funds, it
>>> involves a responsibility to it.
>>>
>>> Funds could be granted however for other activities such as promotion
>>> (Brochure, layout work)
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Tue, Sep 15, 2015 at 12:28 PM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> > ....leaders provide a plan of the features that will be created with
>>>> the funds and at the end, the results obtained.
>>>>
>>>> This is often very difficult to pull off in open source projects for
>>>> all but the most mature and staffed projects. Folks are volunteering and
>>>> work when they can. To start asking for specific feature commitments done
>>>> at specific times for specific financial donations is often a path to
>>>> disappointment in the open source world. Caution!
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>
>>>> On Sep 15, 2015, at 9:22 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> Hi Josh
>>>>
>>>> Yes, an example is how grant funds work. When corporations or people
>>>> make donations or part of a grant, it must be defined the features that
>>>> will be built. This makes it transparent and clear for the persons doing
>>>> the donations or through grant funds.
>>>> If we create a pool where projects could make use of it, then it is
>>>> expected that leaders provide a plan of the features that will be created
>>>> with the funds and at the end, the results obtained.
>>>>
>>>> Johanna
>>>> On Tuesday, September 15, 2015, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Maybe this is a stupid question, but has anyone considered
>>>>> experimenting with a funding model using the project itself?  Maybe try to
>>>>> raise additional funds by having a paid support option or say if you can
>>>>> raise $X in donations you'll develop Y feature(s)?  The devil is in the
>>>>> details, but that might be a project-centric way to raise money that a
>>>>> chapter wouldn't even have the option to do.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Mon, Sep 14, 2015 at 12:22 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> For reference, the 2015 budget shows OWASP at a loss of around $105k
>>>>>> for the year.  Not an issue given the funds currently in reserves, but we
>>>>>> did budget to spend more than we brought in so there's not a ton of room to
>>>>>> work with there unless we add revenue or eliminate expenses.
>>>>>>
>>>>>> Agree I also noticed this. The activities I'm proposing won't be
>>>>>> that high cost, especially compared to actual costs of setting events, but I
>>>>>> think a strategy where project leaders can generate pro-actively funds for
>>>>>> their own project is a step towards developing them better.
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> The Board should be reviewing the budget for 2016 in the next few
>>>>>>> months so it is an excellent time to make such a proposal.  We just need to
>>>>>>> know what kinds of activities we are looking at and how much we need to
>>>>>>> make them happen.  We can then look at anticipated revenue vs expenses in
>>>>>>> order to determine if there is room in the budget to make it happen.  For
>>>>>>> reference, the 2015 budget shows OWASP at a loss of around $105k for the
>>>>>>> year.  Not an issue given the funds currently in reserves, but we did
>>>>>>> budget to spend more than we brought in so there's not a ton of room to
>>>>>>> work with there unless we add revenue or eliminate expenses.
>>>>>>>
>>>>>>> ~josh
>>>>>>>
>>>>>>> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi Josh
>>>>>>>>
>>>>>>>> I have taken the work to extract from the budget of 2015 where are
>>>>>>>> the major OWASP costs :
>>>>>>>> Total revenue projected for 2015 is USD2,540,667.00
>>>>>>>>
>>>>>>>> From this :
>>>>>>>>
>>>>>>>> Cost Salaries and Contractors 2015 OWASP
>>>>>>>>   Employees salaries                           342,237.82
>>>>>>>>   bonus and commission                          38,600.00
>>>>>>>>   Contractors & Professional services
>>>>>>>>   Virtual fin fee                               32,000.00
>>>>>>>>   Accounting KPMG                                4,000.00
>>>>>>>>   Int Accounting KPMG EU                         9,000.00
>>>>>>>>   Qtrly VAT by Country                          14,489.00
>>>>>>>>   Virtual Executive Director/HR Contractor       8,700.00
>>>>>>>>   Virtual - HR Hosting & fees                   12,000.00
>>>>>>>>   IT Admin                                      10,000.00
>>>>>>>>   Legal Contractor                               7,200.00
>>>>>>>>   Graphic Designer                               7,200.00
>>>>>>>>   Events Manager                                72,000.00
>>>>>>>>   Total                                        557,426.82
>>>>>>>>   Percentage from total revenue                    21.94%
>>>>>>>>
>>>>>>>> Cost Conferences 2015 (in USD Dollars)
>>>>>>>>   APPSEC US                                   $935,557.00
>>>>>>>>   APPSEC EU                                   $241,510.00
>>>>>>>>   APPSEC ASIA                                  $25,000.00
>>>>>>>>   APPSEC LATAM                                       7500
>>>>>>>>   Local & Regional Events                     $115,000.00
>>>>>>>>   Total in events                           $1,209,567.00
>>>>>>>>   Percentage from revenue                          47.61%
>>>>>>>>
>>>>>>>> As I can see there are many expenses involved in operations and
>>>>>>>> creating events.(That will sum up around 70% of the OWASP expenses)
>>>>>>>>
>>>>>>>> >In response to Paul:
>>>>>>>> For 2016 planning, I'm encouraged by all the interest demonstrated
>>>>>>>> by these emails, as we adjust our 2016 Budget to reflect the community
>>>>>>>> priorities.
>>>>>>>>
>>>>>>>> I would like to propose some fixed budget for certain activities, I
>>>>>>>> believe Claudia was busy also with that part for the Project summits, but
>>>>>>>> also for helping promoting projects and training for leaders.
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Johanna,
>>>>>>>>>
>>>>>>>>> I was really hoping that Fabio, as current Treasurer, would wade
>>>>>>>>> into this conversation, but since he hasn't I will as Treasurer last year.
>>>>>>>>>
>>>>>>>>> The short answer to your questions is that OWASP receives money
>>>>>>>>> from many different sources.  Conferences, grants, donations, and yes,
>>>>>>>>> membership.  OWASP also has many expenses that aren't solely covered by
>>>>>>>>> "project expenses" or "chapter expenses".  Money that isn't pre-allocated
>>>>>>>>> to something specific like that ends up in the OWASP funds pool and gets
>>>>>>>>> budgeted to be used for other expenses.  Our paid staff is probably the top
>>>>>>>>> expense where that is concerned, but there are many other things that OWASP
>>>>>>>>> spends money on as well.  The OWASP budget should be publicly available and
>>>>>>>>> I know that the OWASP staff is currently working on the 2014 report which
>>>>>>>>> should be released any day now.
>>>>>>>>>
>>>>>>>>> ~josh
>>>>>>>>>
>>>>>>>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>>> >How can we make the corporation more aware of this option?
>>>>>>>>>>
>>>>>>>>>> I would like to see first a clarification on *where* is the
>>>>>>>>>> money allocated right now from corporate memberships that have not made any
>>>>>>>>>> choices.
>>>>>>>>>>
>>>>>>>>>> Community funds is USD60,000 a year and this is not only for
>>>>>>>>>> projects but everything to do with the community.
>>>>>>>>>>
>>>>>>>>>> So far there is in memberships between corporate and individuals
>>>>>>>>>> memberships a total of
>>>>>>>>>>
>>>>>>>>>> Corporate memberships (foundation + Chapter) USD 350,000-
>>>>>>>>>> Individual membership    (foundation +chapter)   USD  90,000-
>>>>>>>>>> Total = *USD 440,000*
>>>>>>>>>>
>>>>>>>>>> Following the same sheet the following corporate memberships have
>>>>>>>>>> not been allocated by the sponsors. I would like to know how much money of
>>>>>>>>>> the USD 350,000 belongs to these unallocated
>>>>>>>>>>
>>>>>>>>>>    1. Autodesk, Inc.
>>>>>>>>>>    2. Blackhat US
>>>>>>>>>>    3. CA Technologies
>>>>>>>>>>    4. CDNetworks
>>>>>>>>>>    5. ClassDojo
>>>>>>>>>>    6. Coverity
>>>>>>>>>>    7. eLearn Security
>>>>>>>>>>    8. HERE North America, LLC.
>>>>>>>>>>    9. Johnson Controls, Inc.
>>>>>>>>>>    10. Rapid7
>>>>>>>>>>    11. Software Assurance Marketplace (SWAMP)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Each of these contributes with USD 5000 (following corporate
>>>>>>>>>> categories as they appear here:
>>>>>>>>>> https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters
>>>>>>>>>> )
>>>>>>>>>> 11 of them have not been allocated that makes USD 55,000-
>>>>>>>>>>
>>>>>>>>>> Big Corporate memberships from 4 companies which do not appear
>>>>>>>>>> in that Google sheet have contributed with ==> 4 x USD 20,000 = USD 80,000
>>>>>>>>>> ==> where is this money being allocated?
>>>>>>>>>>
>>>>>>>>>>    1. Adobe
>>>>>>>>>>    2. Qualys
>>>>>>>>>>    3. HP
>>>>>>>>>>    4. Contrast
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I would like to have a clarification where exactly is the money
>>>>>>>>>> allocated from these corporate memberships which in total (following these
>>>>>>>>>> calculations) accumulates a total of
>>>>>>>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate
>>>>>>>>>> members have allocated.
>>>>>>>>>>
>>>>>>>>>> If it seems that part of the money goes to community fund then
>>>>>>>>>> 140k -60k = USD 80,000 still open where is this money being allocated to?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks Johanna, this is _really_ interesting.
>>>>>>>>>>> And that's a huge imbalance between the chapters and projects.
>>>>>>>>>>> Corporate members can obviously choose where their money goes,
>>>>>>>>>>> but maybe they are not aware they can choose projects (and if Eoin didn't
>>>>>>>>>>> know, that seems very likely!)
>>>>>>>>>>> How can we make the corporation more aware of this option?
>>>>>>>>>>> And how else can we redress this imbalance?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Simon
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <
>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> In 2013 corporate membership represented 33% of total income
>>>>>>>>>>>> for OWASP  opposed to individual membership which represented only 13% of
>>>>>>>>>>>> the total income.
>>>>>>>>>>>>
>>>>>>>>>>>> In 2015 corporate membership(foundation+chapter) has a total
>>>>>>>>>>>>  revenue of USD350,000- opposed to USD90,000- from individual
>>>>>>>>>>>> memberships(again foundation+chapter)  which is quite considerate:
>>>>>>>>>>>> OWASP Foundation Budget - 2015
>>>>>>>>>>>> <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>>>>>>>>>>>
>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>
>>>>>>>>>>>> Basically all memberships are going to 'chapters'
>>>>>>>>>>>>
>>>>>>>>>>>> *If more than half of these donations(corporate membership)
>>>>>>>>>>>> which I highlighted in green have not been specified for any purpose, then
>>>>>>>>>>>> how does the foundation decide into which account goes that money? I would
>>>>>>>>>>>> like an answer on this. What I miss here is a break down of the amount and
>>>>>>>>>>>> into which budget are these being set.*
>>>>>>>>>>>>
>>>>>>>>>>>> *It seems that those memberships are going mostly to chapters
>>>>>>>>>>>> and some to some projects(highlighted in Yellow) (ZAP + SAMM)*
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>>>>>>>
>>>>>>>>>>>> Btw I cannot find the financial report of 2014, seems as it is
>>>>>>>>>>>> quite behind (since we are almost end of 2015)
>>>>>>>>>>>>
>>>>>>>>>>>> <Screenshot 2015-08-21 10.19.54.png>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <
>>>>>>>>>>>> colin.watson at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> One thing about membership donations to projects. Last week,
>>>>>>>>>>>>> the list
>>>>>>>>>>>>> of members was posted to the leaders list for the elections:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>>>>>>>
>>>>>>>>>>>>> It shows that out of 2336 individual members only 2 have
>>>>>>>>>>>>> allocated
>>>>>>>>>>>>> their donation to project - in this case "mobile". I agree
>>>>>>>>>>>>> that at the
>>>>>>>>>>>>> point of joining that many people might select a chapter at
>>>>>>>>>>>>> that time,
>>>>>>>>>>>>> but I am wondering if this is actually accurate? It doesn't
>>>>>>>>>>>>> feel
>>>>>>>>>>>>> correct that less than 0.1% select a project.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Last time I renewed, I changed my allocation from a chapter to
>>>>>>>>>>>>> a
>>>>>>>>>>>>> project. But the membership list still shows the allocation as
>>>>>>>>>>>>> a
>>>>>>>>>>>>> chapter, and the chosen project didn't receive any of my
>>>>>>>>>>>>> membership
>>>>>>>>>>>>> money.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is this a fault, and which members and projects have been
>>>>>>>>>>>>> affected by
>>>>>>>>>>>>> this? I wonder if it applies to all project allocation
>>>>>>>>>>>>> selections, or
>>>>>>>>>>>>> only after a change is requested? Why are there so many
>>>>>>>>>>>>> "blanks" and
>>>>>>>>>>>>> "none" in the list of membership, and what's the difference?
>>>>>>>>>>>>> How long
>>>>>>>>>>>>> has it been occurring?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colin
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <
>>>>>>>>>>>>> kevin.w.wall at gmail.com> wrote:
>>>>>>>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>>>>>>>> > one, when he first posted this on the Board and Governance
>>>>>>>>>>>>> list that
>>>>>>>>>>>>> > I agreed with him 100%, but I just wanted to add some things.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>>>>>>>> >> So starting a new one here as I think it's important for us
>>>>>>>>>>>>> to discuss.
>>>>>>>>>>>>> >> For background see:
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> First of all I'd like to thank Johanna for all the effort
>>>>>>>>>>>>> she's put into
>>>>>>>>>>>>> >> reviewing the projects.
>>>>>>>>>>>>> >> It's been a huge and mostly thankless task, and the projects
>>>>>>>>>>>>> as a whole have
>>>>>>>>>>>>> >> really benefited.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Amen to that. And having been involved in one of the
>>>>>>>>>>>>> projects (ESAPI)
>>>>>>>>>>>>> > that was demoted from Flagship to Lab status, I know it's
>>>>>>>>>>>>> not always
>>>>>>>>>>>>> > an easy thing to receive the assessments that she and her
>>>>>>>>>>>>> team had
>>>>>>>>>>>>> > been doing, but we need to be professional about this and
>>>>>>>>>>>>> not shoot
>>>>>>>>>>>>> > the messenger. Certainly when it came to ESAPI, while I was
>>>>>>>>>>>>> > disappointed, I pretty much agreed with the project review
>>>>>>>>>>>>> > conclusions.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters
>>>>>>>>>>>>> debate :)
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> I have a theory:
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> People who are 'part' of OWASP tend to think that the
>>>>>>>>>>>>> Chapters are more
>>>>>>>>>>>>> >> important _to_them_ than the projects.
>>>>>>>>>>>>> >> Chapters are where we meet people, exchange ideas and learn
>>>>>>>>>>>>> things. They are
>>>>>>>>>>>>> >> social events.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > The exception might be for those of us who attend our local
>>>>>>>>>>>>> OWASP
>>>>>>>>>>>>> > chapter meetings but who are also actively involved with one
>>>>>>>>>>>>> or more
>>>>>>>>>>>>> > OWASP projects.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> People outside OWASP think that the Projects are more
>>>>>>>>>>>>> important _to_them_
>>>>>>>>>>>>> >> than the Chapters.
>>>>>>>>>>>>> >> They don't go to chapter meetings, they might not even be
>>>>>>>>>>>>> aware of them.
>>>>>>>>>>>>> >> They use, or at least are aware of, the main OWASP
>>>>>>>>>>>>> projects, mostly the
>>>>>>>>>>>>> >> Flagship ones.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Anyone agree or disagree?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I think your analysis is pretty much spot on with few
>>>>>>>>>>>>> exceptions
>>>>>>>>>>>>> > like the edge case I mentioned above.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki
>>>>>>>>>>>>> etc etc ;)
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> I think Chapters and Projects are fundamentally different
>>>>>>>>>>>>> 'beasts', and I've
>>>>>>>>>>>>> >> started and run both :)
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>>>>>>>> >> You need to be based in a city with a thriving security
>>>>>>>>>>>>> and/or software
>>>>>>>>>>>>> >> industry.
>>>>>>>>>>>>> >> You need to spend time organising and publicising events,
>>>>>>>>>>>>> but it's not hard -
>>>>>>>>>>>>> >> you don't need specialized skills.
>>>>>>>>>>>>> >> It's relatively easy to find people prepared to speak,
>>>>>>>>>>>>> arrange rooms and help
>>>>>>>>>>>>> >> with other organisational things.
>>>>>>>>>>>>> >> It's something you can do in your spare time.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > One thing I'll add here. The fact that people can use their
>>>>>>>>>>>>> time spent
>>>>>>>>>>>>> > attending OWASP chapter meetings as CPEs toward some security
>>>>>>>>>>>>> > certification is also a big draw I think. In the past, we've
>>>>>>>>>>>>> even
>>>>>>>>>>>>> > attracted quite a few non-OWASP members because of this, or
>>>>>>>>>>>>> at least
>>>>>>>>>>>>> > that appeared to be their primary motivation as some of them
>>>>>>>>>>>>> would ask
>>>>>>>>>>>>> > about for our chapter leads to provide evidence of
>>>>>>>>>>>>> attendance for
>>>>>>>>>>>>> > their CPEs and we'd then discover that some of them were not
>>>>>>>>>>>>> OWASP
>>>>>>>>>>>>> > members (not that we made a big deal about that).
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > While it's true that one can earn CPEs working on a
>>>>>>>>>>>>> projects, the
>>>>>>>>>>>>> > evidence bar seems to be a bit higher and a lot harder to
>>>>>>>>>>>>> measure.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> Projects are much harder.
>>>>>>>>>>>>> >> They are relatively easy to start - you 'just' need a good
>>>>>>>>>>>>> idea.
>>>>>>>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>>>>>>>> >> I'll focus on software projects (as I know much more about
>>>>>>>>>>>>> those) but I have
>>>>>>>>>>>>> >> no doubt documentation projects can be just as difficult.
>>>>>>>>>>>>> >> A professional software project is the result of the hard
>>>>>>>>>>>>> work of managers,
>>>>>>>>>>>>> >> designers, developers, QA, support, technical authors,
>>>>>>>>>>>>> sales and marketing
>>>>>>>>>>>>> >> (and probably others I've forgotten;).
>>>>>>>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets
>>>>>>>>>>>>> up when you
>>>>>>>>>>>>> >> 'sunset' the project.
>>>>>>>>>>>>> >> Ok, so (non commercial) open source projects don't need
>>>>>>>>>>>>> sales staff, but they
>>>>>>>>>>>>> >> do need people doing all of the other roles. It's definitely
>>>>>>>>>>>>> _not_ just
>>>>>>>>>>>>> >> programming!
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > If anything, usually people are not that keen on doing those
>>>>>>>>>>>>> other
>>>>>>>>>>>>> > needed roles, such as project documentation, QA,
>>>>>>>>>>>>> buildmeister, etc.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Also, the more successful a project becomes (i.e., as
>>>>>>>>>>>>> measured in
>>>>>>>>>>>>> > terms of the number of users) the harder it is to maintain.
>>>>>>>>>>>>> For
>>>>>>>>>>>>> > example, long ago, I've noticed that people seem to ask more
>>>>>>>>>>>>> questions
>>>>>>>>>>>>> > on Stack Exchange about ESAPI than they do on either the
>>>>>>>>>>>>> ESAPI-Users or
>>>>>>>>>>>>> > ESAPI-Dev mailing lists. I suspect that there are other
>>>>>>>>>>>>> forums
>>>>>>>>>>>>> > elsewhere that these things get discussed.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>>>>>>>> >> Luckily we have the open source community, but that means a
>>>>>>>>>>>>> project leader
>>>>>>>>>>>>> >> needs another skill: community building!
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Indeed that's one where I feel that I've failed miserably.
>>>>>>>>>>>>> I'm not
>>>>>>>>>>>>> > particularly a people person nor do I have a lot of contacts
>>>>>>>>>>>>> beyond
>>>>>>>>>>>>> > the immediate colleagues that I work with, so when the
>>>>>>>>>>>>> current
>>>>>>>>>>>>> > volunteer pool dries up and stops contributing, the project
>>>>>>>>>>>>> tends to
>>>>>>>>>>>>> > die because of (at least in my case) the inability to find
>>>>>>>>>>>>> new
>>>>>>>>>>>>> > volunteers to help carry the project forward.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> And to be honest most volunteers are developers (and
>>>>>>>>>>>>> security people for
>>>>>>>>>>>>> >> OWASP projects), its very rare for people with other skills
>>>>>>>>>>>>> to get involved.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>>>>>>>> > sometimes in our industry in that there's an unspoken
>>>>>>>>>>>>> perception of a
>>>>>>>>>>>>> > pecking order within the security community so that some of
>>>>>>>>>>>>> these very
>>>>>>>>>>>>> > important roles are greatly devalued (e.g., those who write
>>>>>>>>>>>>> > documentation or manage releases or do QA testing or provide
>>>>>>>>>>>>> project
>>>>>>>>>>>>> > management or other infrastructure support). And while we
>>>>>>>>>>>>> generally
>>>>>>>>>>>>> > don't come right out and express it, I think it's there and
>>>>>>>>>>>>> those who
>>>>>>>>>>>>> > might otherwise step up and fill those roles avoid the
>>>>>>>>>>>>> security
>>>>>>>>>>>>> > community for some other FOSS projects because they feel
>>>>>>>>>>>>> under-appreciated.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> I don't think it's something you can do in your spare time,
>>>>>>>>>>>>> at least for long
>>>>>>>>>>>>> >> (I did for a while, and my wife described herself as a "ZAP
>>>>>>>>>>>>> widow";)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > :D
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> So Chapters are relatively easy to maintain, projects
>>>>>>>>>>>>> _much_ harder.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Making free pizza and beer available at chapter meetings
>>>>>>>>>>>>> doesn't hurt!  :)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > We've also tried holding mini-hackathons at our local OWASP
>>>>>>>>>>>>> meetings
>>>>>>>>>>>>> > maybe once a year. It was interesting, but I can't say it
>>>>>>>>>>>>> was a
>>>>>>>>>>>>> > resounding success, because many there did not know the
>>>>>>>>>>>>> programming
>>>>>>>>>>>>> > language the project was written in and it took us an undue
>>>>>>>>>>>>> amount of
>>>>>>>>>>>>> > time just to get to the point where people got their IDE of
>>>>>>>>>>>>> choice
>>>>>>>>>>>>> > configured to pull the project from GitHub. Also probably
>>>>>>>>>>>>> about 1/2
>>>>>>>>>>>>> > of the regular attenders don't really program to any great
>>>>>>>>>>>>> extent at
>>>>>>>>>>>>> > all but rather consider themselves more of pen testers, so
>>>>>>>>>>>>> holding
>>>>>>>>>>>>> > these mini-hackathons effectively leaves out almost half of
>>>>>>>>>>>>> our
>>>>>>>>>>>>> > regular attendees so that's not going to be something that
>>>>>>>>>>>>> works as a
>>>>>>>>>>>>> > long term strategy.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> I suspect OWASP as an organisation supports Chapters more
>>>>>>>>>>>>> effectively, but
>>>>>>>>>>>>> >> even if it supports both equally Projects don't get as much
>>>>>>>>>>>>> support as they
>>>>>>>>>>>>> >> need.
>>>>>>>>>>>>> >> I think OWASP Chapters are thriving and the Projects are
>>>>>>>>>>>>> (as a whole)
>>>>>>>>>>>>> >> diminishing.
>>>>>>>>>>>>> >> If I'm right and people outside OWASP see the Projects as
>>>>>>>>>>>>> more important
>>>>>>>>>>>>> >> than the Chapters then this leads to the impression that
>>>>>>>>>>>>> OWASP is
>>>>>>>>>>>>> >> struggling.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> What do projects need?
>>>>>>>>>>>>> >> I don't think it's possible to maintain a 'significant' open
>>>>>>>>>>>>> source project
>>>>>>>>>>>>> >> unless you are able to spend the majority of your working
>>>>>>>>>>>>> day on it.
>>>>>>>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>>>>>>>> >> This is a significant investment for a company, and it's
>>>>>>>>>>>>> often difficult to
>>>>>>>>>>>>> >> justify this sort of investment. Especially if it's
>>>>>>>>>>>>> difficult to monetise
>>>>>>>>>>>>> >> OWASP projects.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Indeed, back in the day when I was still on an AppSec team
>>>>>>>>>>>>> for a
>>>>>>>>>>>>> > previous company, I tried to convince my management to
>>>>>>>>>>>>> allocate about
>>>>>>>>>>>>> > eight hours a week from our entire team to contribute to
>>>>>>>>>>>>> ESAPI bug
>>>>>>>>>>>>> > fixing. It seemed a logical extension of our internal
>>>>>>>>>>>>> proprietary
>>>>>>>>>>>>> > security components class library which was not nearly as
>>>>>>>>>>>>> complete.
>>>>>>>>>>>>> > I was unable to convince my management and shortly
>>>>>>>>>>>>> afterwards, I
>>>>>>>>>>>>> > left that team (for unrelated reasons) and started working
>>>>>>>>>>>>> with a
>>>>>>>>>>>>> > team that had security experience that wouldn't easily
>>>>>>>>>>>>> translate to
>>>>>>>>>>>>> > ESAPI needs.  In fact, my experience was worse than that.
>>>>>>>>>>>>> None of my
>>>>>>>>>>>>> > colleagues ever decided to help out individually either. Not
>>>>>>>>>>>>> a big
>>>>>>>>>>>>> > deal; maybe it just wasn't their cup of tea or they had other
>>>>>>>>>>>>> > passions that they wanted to contribute to. But gathering
>>>>>>>>>>>>> recruits
>>>>>>>>>>>>> > willing to participate clearly takes skills and contacts
>>>>>>>>>>>>> that I
>>>>>>>>>>>>> > apparently do not possess in sufficient quantities.
>>>>>>>>>>>>> (Sometimes I
>>>>>>>>>>>>> > feel like I'm trying to sell screen doors for submarines.
>>>>>>>>>>>>> Sigh.)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > All I'm saying is that getting volunteers is hard. Each
>>>>>>>>>>>>> sizeable
>>>>>>>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>>>>>>>> > evangelist role to keep looking for new contributors. For one
>>>>>>>>>>>>> > reason (at least it's been my experience) is that KEEPING
>>>>>>>>>>>>> volunteers
>>>>>>>>>>>>> > for extended periods is even harder and by and large, I
>>>>>>>>>>>>> think if
>>>>>>>>>>>>> > we looked at the historical data of contributors across all
>>>>>>>>>>>>> OWASP
>>>>>>>>>>>>> > projects (say, based on commit history), that the data would
>>>>>>>>>>>>> bear
>>>>>>>>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond
>>>>>>>>>>>>> OWASP and
>>>>>>>>>>>>> > is experienced by many FOSS projects.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>>>>>>>> >> I think that's what it would take to build a thriving set of
>>>>>>>>>>>>> Projects.
>>>>>>>>>>>>> >> Is that something that could be done?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>>>>>>>> > I'd rather not see it become necessary as I really don't
>>>>>>>>>>>>> want OWASP
>>>>>>>>>>>>> > to turn into a political organization where the project
>>>>>>>>>>>>> leaders are
>>>>>>>>>>>>> > forced to lobby for funding, and I fear that's what would
>>>>>>>>>>>>> happen. I
>>>>>>>>>>>>> > think also it would stifle innovation because new incubator
>>>>>>>>>>>>> projects
>>>>>>>>>>>>> > would likely all dry up (unless a certain amount of funds
>>>>>>>>>>>>> were
>>>>>>>>>>>>> > pre-allocated to them) as they likely couldn't compete
>>>>>>>>>>>>> against more
>>>>>>>>>>>>> > established projects.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I had thought of proposing allowing individual OWASP
>>>>>>>>>>>>> projects to
>>>>>>>>>>>>> > somehow sell their own project-related schwag at conferences
>>>>>>>>>>>>> and such
>>>>>>>>>>>>> > and keep a percentage of the profits to use for their
>>>>>>>>>>>>> projects so that
>>>>>>>>>>>>> > they could then use that money however they saw fit (e.g.,
>>>>>>>>>>>>> hiring a
>>>>>>>>>>>>> > technical writer to write project documentation for
>>>>>>>>>>>>> instance). But that
>>>>>>>>>>>>> > probably would not make a major impact in funding to a
>>>>>>>>>>>>> project,
>>>>>>>>>>>>> > especially if all the OWASP projects started doing it.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time
>>>>>>>>>>>>> working on ZAP, and
>>>>>>>>>>>>> >> that's been invaluable.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I suppose that starts with a company that has a culture of
>>>>>>>>>>>>> strongly
>>>>>>>>>>>>> > contributing to FOSS. Most of us do not work for such
>>>>>>>>>>>>> companies. Most
>>>>>>>>>>>>> > work for companies who extensively rely on such software,
>>>>>>>>>>>>> but rarely
>>>>>>>>>>>>> > allow their companies to contribute to such things on
>>>>>>>>>>>>> company time
>>>>>>>>>>>>> > because they don't really see it as contributing directly to
>>>>>>>>>>>>> their
>>>>>>>>>>>>> > bottom line. (NOTE: I want to make clear that this is
>>>>>>>>>>>>> strictly my
>>>>>>>>>>>>> > personal opinion based on a [likely] biased observation and
>>>>>>>>>>>>> in no
>>>>>>>>>>>>> > way represents the official position of either my current
>>>>>>>>>>>>> nor any
>>>>>>>>>>>>> > of my previous employers. And they didn't even make me say
>>>>>>>>>>>>> that! :)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> But I'd love to be able to employ some of the ZAP
>>>>>>>>>>>>> contributors to work full
>>>>>>>>>>>>> >> time on ZAP :)
>>>>>>>>>>>>> >> Would OWASP pay for that??
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Great question and I think you're not the only project that
>>>>>>>>>>>>> might
>>>>>>>>>>>>> > benefit from that. Although, if that means lobbying for
>>>>>>>>>>>>> funds by
>>>>>>>>>>>>> > competing against other OWASP projects, then I'm out because
>>>>>>>>>>>>> I
>>>>>>>>>>>>> > just don't have the stomach for that. It gets bad enough
>>>>>>>>>>>>> competing
>>>>>>>>>>>>> > for resources at Google Summer of Code and various OWASP
>>>>>>>>>>>>> code sprints,
>>>>>>>>>>>>> > and I fear if we increased OWASP funding to amounts needed
>>>>>>>>>>>>> to sustain
>>>>>>>>>>>>> > OWASP projects, it could lead to divisions in OWASP as
>>>>>>>>>>>>> people aligned
>>>>>>>>>>>>> > themselves with one project or another.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> It would require much more 'project management' - the kind
>>>>>>>>>>>>> of things that
>>>>>>>>>>>>> >> people _think_ OWASP is doing, but it doesn't.
>>>>>>>>>>>>> >> I often see posts from people asking "why the hell is OWASP
>>>>>>>>>>>>> developing X".
>>>>>>>>>>>>> >> They seem to think that there's an OWASP committee that
>>>>>>>>>>>>> meets and goes "We
>>>>>>>>>>>>> >> think we should have project X". Whereas it's actually an
>>>>>>>>>>>>> individual coming
>>>>>>>>>>>>> >> to OWASP and saying "I'm doing X, could this be an OWASP
>>>>>>>>>>>>> project?".
>>>>>>>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top
>>>>>>>>>>>>> down'.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Well, their perception could also be more of a notion of
>>>>>>>>>>>>> "why aren't
>>>>>>>>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if
>>>>>>>>>>>>> it were
>>>>>>>>>>>>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>}
>>>>>>>>>>>>> project
>>>>>>>>>>>>> > instead?" And truth be told, I've also asked that question
>>>>>>>>>>>>> myself, but
>>>>>>>>>>>>> > more because it was like "OWASP already has a project Z that
>>>>>>>>>>>>> does
>>>>>>>>>>>>> > almost exactly what project X is proposing. Why don't they
>>>>>>>>>>>>> just join
>>>>>>>>>>>>> > project Z instead of spinning off a similar project?".
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I think any of those, as well as your conjecture, are
>>>>>>>>>>>>> possible reasons
>>>>>>>>>>>>> > for them asking that question.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> It may surprise people outside of OWASP that I get _no_
>>>>>>>>>>>>> direction at all
>>>>>>>>>>>>> >> from OWASP as to how ZAP should move forward.
>>>>>>>>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > JK. ;-)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> OWASP does not really invest in projects. It does provide
>>>>>>>>>>>>> some support, but
>>>>>>>>>>>>> >> to be honest not a great deal.
>>>>>>>>>>>>> >> If we decided to invest significant amounts of money in
>>>>>>>>>>>>> projects then there
>>>>>>>>>>>>> >> would need to be real debate as to what we should invest in.
>>>>>>>>>>>>> >> And I realise that that's difficult, particularly as OWASP
>>>>>>>>>>>>> is supported by
>>>>>>>>>>>>> >> commercial organisations, and they won't want OWASP
>>>>>>>>>>>>> investing in projects
>>>>>>>>>>>>> >> that compete with their own offerings.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> There are other things that OWASP could do other than
>>>>>>>>>>>>> paying developers
>>>>>>>>>>>>> >> directly.
>>>>>>>>>>>>> >> We could spend much more effort encouraging companies to
>>>>>>>>>>>>> contribute to OWASP
>>>>>>>>>>>>> >> projects, especially by donating engineering effort.
>>>>>>>>>>>>> >> We could help projects with the 'non programming' aspects -
>>>>>>>>>>>>> documentation,
>>>>>>>>>>>>> >> testing, marketing etc.
>>>>>>>>>>>>> >> We could provide more advice and guidance - I don't want
>>>>>>>>>>>>> people to dictate
>>>>>>>>>>>>> >> where ZAP should be headed, but I'd love constructive
>>>>>>>>>>>>> feedback :)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Well, being a project lead of a much less successful
>>>>>>>>>>>>> project, I've
>>>>>>>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Most of that has been around getting people to help with the
>>>>>>>>>>>>> following
>>>>>>>>>>>>> > types of things:
>>>>>>>>>>>>> >     * Project documentation, most notably overall user
>>>>>>>>>>>>> manuals and FAQs
>>>>>>>>>>>>> >       and wiki entries.
>>>>>>>>>>>>> >     * Help with maven / pom.xml issues and release management
>>>>>>>>>>>>> in general
>>>>>>>>>>>>> >     * Assistance with version control, most notably git and
>>>>>>>>>>>>> GitHub
>>>>>>>>>>>>> >     * Someone willing to be a sounding board for proposed
>>>>>>>>>>>>> design changes
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > As I've reflected about it, one of the things that I've
>>>>>>>>>>>>> noted is that
>>>>>>>>>>>>> > many of these are specialities that are cross-cutting across
>>>>>>>>>>>>> many
>>>>>>>>>>>>> > OWASP projects.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I think one way that we might be able to address some
>>>>>>>>>>>>> of these
>>>>>>>>>>>>> > concerns is to create a Subject Matter Expert list of people
>>>>>>>>>>>>> who would
>>>>>>>>>>>>> > be willing to volunteer to help out projects by contributing
>>>>>>>>>>>>> a few
>>>>>>>>>>>>> > hours here or there. For starters, I am more than willing to put
>>>>>>>>>>>>> my name
>>>>>>>>>>>>> > into the hat and be willing to contribute as an applied
>>>>>>>>>>>>> cryptography
>>>>>>>>>>>>> > SME for any projects that have crypto related questions or
>>>>>>>>>>>>> maybe need
>>>>>>>>>>>>> > some crypto code reviewed by a fresh pair of eyes (at least
>>>>>>>>>>>>> as long as
>>>>>>>>>>>>> > it's written in a programming language I'm familiar with).
>>>>>>>>>>>>> Of course,
>>>>>>>>>>>>> > the irony of it is that likely would require a new OWASP
>>>>>>>>>>>>> project to
>>>>>>>>>>>>> > maintain that OWASP SME list. (Not it! :)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Trust me, I've written more than my share!
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > -kevin
>>>>>>>>>>>>> > --
>>>>>>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Owasp-board mailing list
>>>>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>