[Owasp-board] [Owasp-leaders] Projects Vs Chapters

Jim Manico jim.manico at owasp.org
Tue Sep 15 18:42:36 UTC 2015


Thanks for bringing this up again, Jeff.

I am +100 for any mechanism that helps push investment in open source, 
OWASP and application security.

Anyone interested in project funding, please give this a careful look. 
There is a great deal of gold in this proposal that we should incorporate.

And keep in mind that we do not need "only one" mechanism for project 
funding. We can totally support (and frankly need) multiple funding 
models and investment mechanisms for OWASP projects.

Thanks Jeff,

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!



On 9/15/15 11:09 AM, Jeff Williams wrote:
> You all might be interested in the OWASP Project Partnership Model
>
> https://docs.google.com/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?usp=sharing&authkey=CKycuTY
>
> Many contributors may find success by considering a limited crowd 
> sourced approach where the results are to be open sourced at OWASP. 
>  This has been used many times at OWASP in the past as described in 
> the linked document.
>
> --Jeff
>
>
>
>
> On Tue, Sep 15, 2015 at 10:20 AM -0700, "Josh Sokol" 
> <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>
>     Love the idea Simon!  I am excited to see how this model works out
>     for ZAP.
>
>     ~josh
>
>     On Tue, Sep 15, 2015 at 12:07 PM, psiinon <psiinon at gmail.com
>     <mailto:psiinon at gmail.com>> wrote:
>
>         We've essentially started doing that with ZAP:
>         https://www.bountysource.com/teams/zap :)
>         I'm paying for one of the key ZAP contributors to work on some
>         really important features out of ZAP funds via that site.
>         If that works well then I plan to have a funding push so that
>         I can get more work done that way.
>
>         Cheers,
>
>         Simon
>
>         On Tue, Sep 15, 2015 at 6:02 PM, Josh Sokol
>         <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>
>             I wasn't really even thinking about grants when I said
>             that.  There are a lot of restrictions around grants that
>             can make them challenging to both procure and support.  My
>             line of thinking was more around a "crowdfunding" type of
>             model.  A project could put up a list of features and cost
>             estimates and have users vote on what would be most
>             valuable to them.  Then, put out a call for funding to see
>             if the community would be willing to support the
>             initiative by contributing to it. OWASP would still need
>             to handle the money in order to ensure that the work was
>             done before it got paid out and wasn't fraudulent, but it
>             might be a way to gain funding for projects via the people
>             who are actually using them.
>
>             ~josh
>
>             On Tue, Sep 15, 2015 at 11:45 AM, johanna curiel curiel
>             <johanna.curiel at owasp.org
>             <mailto:johanna.curiel at owasp.org>> wrote:
>
>                 This is often very difficult to pull off in open
>                 source projects for all but the most mature and
>                 staffed projects. Folks are volunteering and work when
>                 they can.
>
>                 Jim, when requesting this kind of funds the project
>                 leader:
>
>                   * Can work full time on the project and be able to
>                     deliver or
>                   * Can hire a developer to work full time on the project
>
>
>                 We need to differentiate responsibilities when you
>                 want to get funds
>
>                 Whether you never ask for funds and keep on working as
>                 you do (part-time/sporadically)
>                 Or want to pull off some serious features and need to
>                 dedicate time and resources
>
>                 But, a leader cannot get grant funds or money and then
>                 not deliver; in that case he had better not consider
>                 the option of asking for funds, since it involves
>                 a responsibility.
>
>                 Funds could be granted however for other activities
>                 such as promotion (Brochure, layout work)
>
>                 Regards
>
>                 Johanna
>
>                 On Tue, Sep 15, 2015 at 12:28 PM, Jim Manico
>                 <jim.manico at owasp.org <mailto:jim.manico at owasp.org>>
>                 wrote:
>
>                     > ....leaders provide a plan of the features that
>                     will be created with the funds and at the end, the
>                     results obtained.
>
>                     This is often very difficult to pull off in open
>                     source projects for all but the most mature and
>                     staffed projects. Folks are volunteering and work
>                     when they can. To start asking for specific
>                     feature commitments done at specific times for
>                     specific financial donations is often a path to
>                     disappointment in the open source world. Caution!
>
>                     --
>                     Jim Manico
>                     Global Board Member
>                     OWASP Foundation
>                     https://www.owasp.org <https://www.owasp.org/>
>                     Join me at AppSecUSA <http://appsecusa.org/> 2015!
>
>                     On Sep 15, 2015, at 9:22 AM, johanna curiel curiel
>                     <johanna.curiel at owasp.org
>                     <mailto:johanna.curiel at owasp.org>> wrote:
>
>>                     Hi Josh
>>
>>                     Yes, an example is how grant funds work. When
>>                     corporations or people make donations or part of
>>                     a grant, the features that will be built must be
>>                     defined. This makes it transparent and
>>                     clear for the persons doing the donations or
>>                     through grant funds.
>>                     If we create a pool where projects could make use
>>                     of it, then it is expected that leaders provide a
>>                     plan of the features that will be created with
>>                     the funds and at the end, the results obtained.
>>
>>                     Johanna
>>                     On Tuesday, September 15, 2015, Josh Sokol
>>                     <josh.sokol at owasp.org
>>                     <mailto:josh.sokol at owasp.org>> wrote:
>>
>>                         Maybe this is a stupid question, but has
>>                         anyone considered experimenting with a
>>                         funding model using the project itself? 
>>                         Maybe try to raise additional funds by having
>>                         a paid support option or say if you can raise
>>                         $X in donations you'll develop Y feature(s)?
>>                         The devil is in the details, but that might
>>                         be a project-centric way to raise money that
>>                         a chapter wouldn't even have the option to do.
>>
>>                         ~josh
>>
>>                         On Mon, Sep 14, 2015 at 12:22 PM, johanna
>>                         curiel curiel <johanna.curiel at owasp.org> wrote:
>>
>>                             For reference, the 2015 budget shows
>>                             OWASP at a loss of around $105k for the
>>                             year.  Not an issue given the funds
>>                             currently in reserves, but we did budget
>>                             to spend more than we brought in so
>>                             there's not a ton of room to work with
>>                             there unless we add revenue or eliminate
>>                             expenses.
>>
>>                             Agree, I also noticed this. The activities
>>                             I'm proposing won't be that high cost,
>>                             especially compared to the actual costs of
>>                             setting up events, but I think a strategy
>>                             where project leaders can pro-actively
>>                             generate funds for their own project
>>                             is a step towards developing them better.
>>
>>
>>                             On Mon, Sep 14, 2015 at 12:37 PM, Josh
>>                             Sokol <josh.sokol at owasp.org> wrote:
>>
>>                                 The Board should be reviewing the
>>                                 budget for 2016 in the next few
>>                                 months so it is an excellent time to
>>                                 make such a proposal.  We just need
>>                                 to know what kinds of activities we
>>                                 are looking at and how much we need
>>                                 to make them happen.  We can then
>>                                 look at anticipated revenue vs
>>                                 expenses in order to determine if
>>                                 there is room in the budget to make
>>                                 it happen.  For reference, the 2015
>>                                 budget shows OWASP at a loss of
>>                                 around $105k for the year. Not an
>>                                 issue given the funds currently in
>>                                 reserves, but we did budget to spend
>>                                 more than we brought in so there's
>>                                 not a ton of room to work with there
>>                                 unless we add revenue or eliminate
>>                                 expenses.
>>
>>                                 ~josh
>>
>>                                 On Mon, Sep 14, 2015 at 11:20 AM,
>>                                 johanna curiel curiel
>>                                 <johanna.curiel at owasp.org> wrote:
>>
>>                                     Hi Josh
>>
>>                                     I have taken the work to extract from the
>>                                     2015 budget where the major OWASP costs are:
>>                                     Total revenue projected for 2015 is
>>                                     USD2,540,667.00
>>
>>                                     From this:
>>
>>                                     Cost Salaries and Contractors 2015 OWASP
>>                                       Employees salaries                          342,237.82
>>                                       Bonus and commission                         38,600.00
>>                                       Contractors & Professional services:
>>                                         Virtual fin fee                            32,000.00
>>                                         Accounting KPMG                             4,000.00
>>                                         Int Accounting KPMG EU                      9,000.00
>>                                         Qtrly VAT by Country                       14,489.00
>>                                         Virtual Executive Director/HR Contractor    8,700.00
>>                                         Virtual - HR Hosting & fees                12,000.00
>>                                         IT Admin                                   10,000.00
>>                                         Legal Contractor                            7,200.00
>>                                         Graphic Designer                            7,200.00
>>                                         Events Manager                             72,000.00
>>                                       Total                                       557,426.82
>>                                       Percentage from total revenue                   21.94%
>>
>>                                     Cost Conferences 2015 (in USD Dollars)
>>                                       APPSEC US                                  $935,557.00
>>                                       APPSEC EU                                  $241,510.00
>>                                       APPSEC ASIA                                 $25,000.00
>>                                       APPSEC LATAM                                 $7,500.00
>>                                       Local & Regional Events                    $115,000.00
>>                                       Total in events                          $1,209,567.00
>>                                       Percentage from revenue                         47.61%
>>
>>                                     As I can see there are many expenses involved in
>>                                     operations and creating events. (That will sum up
>>                                     around 70% of the OWASP expenses)
>>
>>                                     >In response to Paul:
>>                                     For 2016 planning, I'm encouraged by all the
>>                                     interest demonstrated by these emails, as we
>>                                     adjust our 2016 Budget to reflect the community
>>                                     priorities.
>>
>>                                     I would like to propose some fixed budget for
>>                                     certain activities; I believe Claudia was also
>>                                     busy with that part for the Project summits, but
>>                                     also for helping promote projects and training
>>                                     for leaders.
>>
>>                                     regards
>>
>>                                     Johanna
>>
>>                                     On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol
>>                                     <josh.sokol at owasp.org> wrote:
>>
>>                                         Johanna,
>>
>>                                         I was really hoping that Fabio, as current
>>                                         Treasurer, would wade into this conversation,
>>                                         but since he hasn't I will as Treasurer last
>>                                         year.
>>
>>                                         The short answer to your questions is that OWASP
>>                                         receives money from many different sources.
>>                                         Conferences, grants, donations, and yes,
>>                                         membership. OWASP also has many expenses that
>>                                         aren't solely covered by "project expenses" or
>>                                         "chapter expenses". Money that isn't
>>                                         pre-allocated to something specific like that
>>                                         ends up in the OWASP funds pool and gets
>>                                         budgeted to be used for other expenses. Our paid
>>                                         staff is probably the top expense where that is
>>                                         concerned, but there are many other things that
>>                                         OWASP spends money on as well. The OWASP budget
>>                                         should be publicly available and I know that the
>>                                         OWASP staff is currently working on the 2014
>>                                         report which should be released any day now.
>>
>>                                         ~josh
>>
>>                                         On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel
>>                                         curiel <johanna.curiel at owasp.org> wrote:
>>
>>                                             >How can we make the corporation more aware of this option?
>>
>>                                             I would like to see first a clarification on
>>                                             /where/ the money from corporate memberships
>>                                             that have not made any choices is allocated
>>                                             right now.
>>
>>                                             Community funds is USD60,000 a year and this
>>                                             is not only for projects but everything to do
>>                                             with the community.
>>
>>                                             So far there is in memberships between
>>                                             corporate and individual memberships a total
>>                                             of
>>
>>                                             Corporate memberships (foundation + Chapter)
>>                                             USD 350,000-
>>                                             Individual membership (foundation + chapter)
>>                                             USD  90,000-
>>                                             Total = *USD 440,000*
>>
>>                                             Following the same sheet the following
>>                                             corporate memberships have not been allocated
>>                                             by the sponsors. I would like to know how much
>>                                             money of the USD 350,000 belongs to these
>>                                             unallocated
>>
>>                                              1. Autodesk, Inc.
>>                                              2. Blackhat US
>>                                              3. CA Technologies
>>                                              4. CDNetworks
>>                                              5. ClassDojo
>>                                              6. Coverity
>>                                              7. eLearn Security
>>                                              8. HERE North America, LLC.
>>                                              9. Johnson Controls, Inc.
>>                                             10. Rapid7
>>                                             11. Software Assurance Marketplace (SWAMP)
>>
>>                                             Each of these contributes USD 5000 (following
>>                                             corporate categories as they appear here:
>>                                             https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters).
>>                                             11 of them have not been allocated, that
>>                                             makes USD 55,000-
>>
>>                                             Big Corporate memberships from 4 companies
>>                                             which do not appear in that Google sheet have
>>                                             contributed ==> 4 x USD 20,000 = USD 80,000
>>                                             ==> where is this money being allocated?
>>
>>                                              1. Adobe
>>                                              2. Qualys
>>                                              3. HP
>>                                              4. Contrast
>>
>>                                             I would like to have a clarification where
>>                                             exactly the money from these corporate
>>                                             memberships is allocated, which in total
>>                                             (following this calculation) accumulates to
>>                                             USD 55,000 + 80,000 = USD 140,000 that none of
>>                                             the corporate members have allocated.
>>
>>                                             If it seems that part of the money goes to
>>                                             the community fund then 140k - 60k = USD
>>                                             80,000 is still open: where is this money
>>                                             being allocated to?
>>
>>                                             On Mon, Sep 7, 2015 at 9:07 AM, psiinon
>>                                             <psiinon at gmail.com> wrote:
>>
>>                                                 Thanks Johanna, this is _really_ interesting.
>>                                                 And that's a huge imbalance between the
>>                                                 chapters and projects. Corporate members can
>>                                                 obviously choose where their money goes, but
>>                                                 maybe they are not aware they can choose
>>                                                 projects (and if Eoin didn't know, that seems
>>                                                 very likely!) How can we make the corporation
>>                                                 more aware of this option? And how else can we
>>                                                 redress this imbalance?
>>
>>                                                 Cheers,
>>
>>                                                 Simon
>>
>>
>>                                                 On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel
>>                                                 curiel <johanna.curiel at owasp.org> wrote:
>>
>>                                                     In 2013 corporate membership represented 33%
>>                                                     of total income for OWASP opposed to
>>                                                     individual membership which represented only
>>                                                     13% of the total income.
>>
>>                                                     In 2015 corporate membership
>>                                                     (foundation+chapter) has a total revenue of
>>                                                     USD350,000- opposed to USD90,000- from
>>                                                     individual memberships (again
>>                                                     foundation+chapter) which is quite
>>                                                     considerable: OWASP Foundation Budget - 2015
>>                                                     <https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing>
>>
>>                                                     Basically all memberships are going to
>>                                                     'chapters'
>>
>>                                                     If more than half of these donations
>>                                                     (corporate membership) which I highlighted in
>>                                                     green have not been specified for any
>>                                                     purpose, then how does the foundation decide
>>                                                     into which account that money goes? I would
>>                                                     like an answer on this. What I miss here is a
>>                                                     breakdown of the amount and into which budget
>>                                                     these are being set.
>>
>>                                                     It seems that those memberships are going
>>                                                     mostly to chapters and some to some projects
>>                                                     (highlighted in Yellow) (ZAP + SAMM)
>>
>>                                                     https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>
>>                                                     Btw I cannot find the financial report of
>>                                                     2014, seems as it is quite behind (since we
>>                                                     are almost at the end of 2015)
>>
>>                                                     <Screenshot 2015-08-21 10.19.54.png>
>>
>>                                                     On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson
>>                                                     <colin.watson at owasp.org> wrote:
>>
>>                                                         One thing about membership donations to
>>                                                         projects. Last week, the list of members
>>                                                         was posted to the leaders list for the
>>                                                         elections:
>>
>>                                                         https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>
>>                                                         It shows that out of 2336 individual
>>                                                         members only 2 have allocated their
>>                                                         donation to a project - in this case
>>                                                         "mobile". I agree that at the point of
>>                                                         joining many people might select a
>>                                                         chapter at that time, but I am wondering
>>                                                         if this is actually accurate? It doesn't
>>                                                         feel correct that less than 0.1% select a
>>                                                         project.
>>
>>                                                         Last time I renewed, I changed my
>>                                                         allocation from a chapter to a project.
>>                                                         But the membership list still shows the
>>                                                         allocation as a chapter, and the chosen
>>                                                         project
>>                                                         didn't
>>                                                         receive any
>>                                                         of my membership
>>                                                         money.
>>
>>                                                         https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>
>>                                                         Is this a
>>                                                         fault, and
>>                                                         which members
>>                                                         and projects
>>                                                         have been
>>                                                         affected by
>>                                                         this? I
>>                                                         wonder if it
>>                                                         applies to
>>                                                         all project
>>                                                         allocation
>>                                                         selections, or
>>                                                         only after a
>>                                                         change is
>>                                                         requested?
>>                                                         Why are there
>>                                                         so many
>>                                                         "blanks" and
>>                                                         "none" in the
>>                                                         list of
>>                                                         membership,
>>                                                         and what's
>>                                                         the
>>                                                         difference?
>>                                                         How long
>>                                                         has it been
>>                                                         occurring?
>>
>>                                                         Colin
>>
>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> > Jumping in late to this thread. I already told Simon from day one, when
>> > he first posted this on the Board and Governance list that I agreed with
>> > him 100%, but I just wanted to add some things.
>> >
>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>> >> Didn't realise this thread wasn't on the leaders list ;)
>> >> So starting a new one here as I think it's important for us to discuss.
>> >> For background see:
>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>> >> This is a copy of the email I sent to that thread...
>> >>
>> >>
>> >> First of all I'd like to thank Johanna for all the effort she's put into
>> >> reviewing the projects.
>> >> It's been a huge and mostly thankless task, and the projects as a whole
>> >> have really benefited.
>> >
>> > Amen to that. And having been involved in one of the projects (ESAPI)
>> > that was demoted from Flagship to Lab status, I know it's not always an
>> > easy thing to receive the assessments that she and her team had been
>> > doing, but we need to be professional about this and not shoot the
>> > messenger. Certainly when it came to ESAPI, while I was disappointed, I
>> > pretty much agreed with the project review conclusions.
>> >
>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>> >>
>> >> I have a theory:
>> >>
>> >> People who are 'part' of OWASP tend to think that the Chapters are more
>> >> important _to_them_ than the projects.
>> >> Chapters are where we meet people, exchange ideas and learn things. They
>> >> are social events.
>> >
>> > The exception might be for those of us who attend our local OWASP chapter
>> > meetings but who are also actively involved with one or more OWASP
>> > projects.
>> >
>> >> People outside OWASP think that the Projects are more important
>> >> _to_them_ than the Chapters.
>> >> They don't go to chapter meetings, they might not even be aware of them.
>> >> They use, or at least are aware of, the main OWASP projects, mostly the
>> >> Flagship ones.
>> >>
>> >> Anyone agree or disagree?
>> >
>> > I think your analysis is pretty much spot on with a few exceptions like
>> > the edge case I mentioned above.
>> >
>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>> >>
>> >> I think Chapters and Projects are fundamentally different 'beasts', and
>> >> I've started and run both :)
>> >>
>> >> Chapters are relatively easy to start and maintain.
>> >> You need to be based in a city with a thriving security and/or software
>> >> industry.
>> >> You need to spend time organising and publicising events, but it's not
>> >> hard - you don't need specialized skills.
>> >> It's relatively easy to find people prepared to speak, arrange rooms and
>> >> help with other organisational things.
>> >> It's something you can do in your spare time.
>> >
>> > One thing I'll add here. The fact that people can use their time spent
>> > attending OWASP chapter meetings as CPEs toward some security
>> > certification is also a big draw I think. In the past, we've even
>> > attracted quite a few non-OWASP members because of this, or at least
>> > that appeared to be their primary motivation as some of them would ask
>> > for our chapter leads to provide evidence of attendance for their CPEs
>> > and we'd then discover that some of them were not OWASP members (not
>> > that we made a big deal about that).
>> >
>> > While it's true that one can earn CPEs working on projects, the evidence
>> > bar seems to be a bit higher and a lot harder to measure.
>> >
>> >> Projects are much harder.
>> >> They are relatively easy to start - you 'just' need a good idea.
>> >> They are _really_ hard to bring to fruition and maintain.
>> >> I'll focus on software projects (as I know much more about those) but I
>> >> have no doubt documentation projects can be just as difficult.
>> >> A professional software project is the result of the hard work of
>> >> managers, designers, developers, QA, support, technical authors, sales
>> >> and marketing (and probably others I've forgotten;).
>> >> It's a huge amount of effort, and is ongoing - it only lets up when you
>> >> 'sunset' the project.
>> >> Ok, so (non commercial) open source projects don't need sales staff, but
>> >> they do need people doing all of the other roles. It's definitely _not_
>> >> just programming!
>> >
>> > If anything, usually people are not that keen on doing those other
>> > needed roles, such as project documentation, QA, buildmeister, etc.
>> >
>> > Also, the more successful a project becomes (i.e., as measured in terms
>> > of the number of users) the harder it is to maintain. For example, long
>> > ago, I noticed that people seem to ask more questions on Stack Exchange
>> > about ESAPI than they do on either the ESAPI-Users or ESAPI-Dev mailing
>> > lists. I suspect that there are other forums elsewhere that these things
>> > get discussed.
>>                                                         >
>>                                                         >> Its way
>>                                                         too much for
>>                                                         one person
>>                                                         (for a non
>>                                                         trivial project).
>>                                                         >> Luckily we
>>                                                         have the open
>>                                                         source
>>                                                         community,
>>                                                         but that
>>                                                         means a
>>                                                         project leader
>>                                                         >> needs
>>                                                         another
>>                                                         skill:
>>                                                         community
>>                                                         building!
>>                                                         >
>>                                                         > Indeed
>>                                                         that's one
>>                                                         where I feel
>>                                                         that I've
>>                                                         failed
>>                                                         miserably.
>>                                                         I'm not
>>                                                         >
>>                                                         particularly
>>                                                         a people
>>                                                         person nor do
>>                                                         I have a lot
>>                                                         of contacts
>>                                                         beyond
>>                                                         > the
>>                                                         immediate
>>                                                         colleagues
>>                                                         that I work
>>                                                         with, so when
>>                                                         the current
>>                                                         > volunteer
>>                                                         pool dries up
>>                                                         and stops
>>                                                         contributing,
>>                                                         the project
>>                                                         tends to
>>                                                         > die because
>>                                                         of (at least
>>                                                         in my case)
>>                                                         the inability
>>                                                         to find new
>>                                                         > volunteers
>>                                                         to help carry
>>                                                         the project
>>                                                         forward.
>>                                                         >
>>                                                         >> And to be
>>                                                         honest most
>>                                                         volunteers
>>                                                         are
>>                                                         developers
>>                                                         (and security
>>                                                         people for
>>                                                         >> OWASP
>>                                                         projects),
>>                                                         its very rare
>>                                                         for people
>>                                                         with other
>>                                                         skills to get
>>                                                         involved.
>>                                                         >
>>                                                         > 100% agree.
>>                                                         Also, I
>>                                                         personally
>>                                                         think that we
>>                                                         do a disservice
>>                                                         > sometimes
>>                                                         in our
>>                                                         industry in
>>                                                         that there's
>>                                                         an unspoken
>>                                                         perception of a
>>                                                         > pecking
>>                                                         order within
>>                                                         the security
>>                                                         community so
>>                                                         that some of
>>                                                         these very
>>                                                         > important
>>                                                         roles are
>>                                                         greatly
>>                                                         devalued
>>                                                         (e.g., those
>>                                                         who write
>>                                                         >
>>                                                         documentation
>>                                                         or manage
>>                                                         releases or
>>                                                         do QA testing
>>                                                         or provide
>>                                                         project
>>                                                         > management
>>                                                         or other
>>                                                         infrastructure support).
>>                                                         And while we
>>                                                         generally
>>                                                         > don't come
>>                                                         right out and
>>                                                         express it, I
>>                                                         think it's
>>                                                         there and
>>                                                         those who
>>                                                         > might
>>                                                         otherwise
>>                                                         step up and
>>                                                         fill those
>>                                                         roles avoid
>>                                                         the security
>>                                                         > community
>>                                                         for some
>>                                                         other FOSS
>>                                                         projects
>>                                                         because they
>>                                                         feel
>>                                                         under-appreciated.
>>                                                         >
>>                                                         >> I dont
>>                                                         think its
>>                                                         something you
>>                                                         can do in
>>                                                         your spare
>>                                                         time, at
>>                                                         least for long
>>                                                         >> (I did for
>>                                                         a while, and
>>                                                         my wife
>>                                                         described
>>                                                         herself as a
>>                                                         "ZAP widow";)
>>                                                         >
>>                                                         > :D
>>                                                         >
>>                                                         >> So
>>                                                         Chapters are
>>                                                         relatively
>>                                                         easy to
>>                                                         maintain,
>>                                                         projects
>>                                                         _much_ harder.
>>                                                         >
>>                                                         > Making free
>>                                                         pizza and
>>                                                         beer
>>                                                         available at
>>                                                         chapter
>>                                                         meetings
>>                                                         doesn't hurt! :)
>>                                                         >
>>                                                         > We've also
>>                                                         tried holding
>>                                                         mini-hackathons
>>                                                         at our local
>>                                                         OWASP meetings
>>                                                         > maybe once
>>                                                         a year. It
>>                                                         was
>>                                                         interesting,
>>                                                         but I can't
>>                                                         say it was a
>>                                                         > resounding
>>                                                         success,
>>                                                         because many
>>                                                         there did not
>>                                                         know the
>>                                                         programming
>>                                                         > language
>>                                                         the project
>>                                                         was written
>>                                                         in and it
>>                                                         took us an
>>                                                         undue amount of
>>                                                         > time just
>>                                                         to get to the
>>                                                         point where
>>                                                         people got
>>                                                         their IDE of
>>                                                         choice
>>                                                         > configured
>>                                                         to pull the
>>                                                         project from
>>                                                         GitHub. Also
>>                                                         probably
>>                                                         about 1/2
>>                                                         > of the
>>                                                         regular
>>                                                         attenders
>>                                                         don't really
>>                                                         program to
>>                                                         any great
>>                                                         extent at
>>                                                         > all but
>>                                                         rather
>>                                                         consider
>>                                                         themselves
>>                                                         more of pen
>>                                                         testers, so
>>                                                         holding
>>                                                         > these
>>                                                         mini-hackathons
>>                                                         effectively
>>                                                         leaves out
>>                                                         almost half
>>                                                         of our
>>                                                         > regular
>>                                                         attendees so
>>                                                         that's not
>>                                                         going to be
>>                                                         something
>>                                                         that works as a
>>                                                         > long term
>>                                                         strategy.
>>                                                         >
>>                                                         >> I suspect
>>                                                         OWASP as an
>>                                                         organisation
>>                                                         supports
>>                                                         Chapters more
>>                                                         effectively, but
>>                                                         >> even if it
>>                                                         supports both
>>                                                         equally
>>                                                         Projects dont
>>                                                         get as much
>>                                                         support as they
>>                                                         >> need.
>>                                                         >> I think
>>                                                         OWASP
>>                                                         Chapters are
>>                                                         thriving and
>>                                                         the Projects
>>                                                         are (as a whole)
>>                                                         >> diminishing.
>>                                                         >> If I'm
>>                                                         right and
>>                                                         people
>>                                                         outside OWASP
>>                                                         see the
>>                                                         Projects as
>>                                                         more important
>>                                                         >> than the
>>                                                         Chapters then
>>                                                         this leads to
>>                                                         the
>>                                                         impression
>>                                                         that OWASP is
>>                                                         >> struggling.
>>                                                         >>
>>                                                         >> What to
>>                                                         projects need?
>>                                                         >> I dont
>>                                                         think its
>>                                                         possible to
>>                                                         maintain a
>>                                                         'significant'
>>                                                         open source
>>                                                         project
>>                                                         >> unless you
>>                                                         are able to
>>                                                         spend the
>>                                                         majority of
>>                                                         your working
>>                                                         day on it.
>>                                                         >> This means
>>                                                         projects
>>                                                         really have
>>                                                         to be
>>                                                         sponsored by
>>                                                         someone.
>>                                                         >> This is a
>>                                                         significant
>>                                                         investment
>>                                                         for a
>>                                                         company, and
>>                                                         its often
>>                                                         difficult to
>>                                                         >> justify
>>                                                         this sort of
>>                                                         investment.
>>                                                         Especially if
>>                                                         its difficult
>>                                                         to monetise
>>                                                         >> OWASP
>>                                                         projects.
>>                                                         >
>>                                                         > Indeed,
>>                                                         back in the
>>                                                         day when I
>>                                                         was still on
>>                                                         an AppSec
>>                                                         team for a
>>                                                         > previous
>>                                                         company, I
>>                                                         tried to
>>                                                         convince my
>>                                                         management to
>>                                                         allocate about
>>                                                         > eight hours
>>                                                         a week from
>>                                                         our entire
>>                                                         team to
>>                                                         contribute to
>>                                                         ESAPI bug
>>                                                         > fixing. It
>>                                                         seemed a
>>                                                         logical
>>                                                         extension of
>>                                                         our internal
>>                                                         proprietary
>>                                                         > security
>>                                                         components
>>                                                         class library
>>                                                         which was not
>>                                                         nearly as
>>                                                         complete.
>>                                                         > I was
>>                                                         unable to
>>                                                         convince my
>>                                                         management
>>                                                         and shortly
>>                                                         afterwards, I
>>                                                         > left that
>>                                                         team (for
>>                                                         unrelated
>>                                                         reasons) and
>>                                                         starting
>>                                                         working with a
>>                                                         > team that
>>                                                         had security
>>                                                         experience
>>                                                         that wouldn't
>>                                                         easily
>>                                                         translate to
>>                                                         > ESAPI
>>                                                         needs.  In
>>                                                         fact, my
>>                                                         experience
>>                                                         was worse
>>                                                         than that.
>>                                                         None of my
>>                                                         > colleagues
>>                                                         ever decided
>>                                                         to help out
>>                                                         individually
>>                                                         either. Not a big
>>                                                         > deal; maybe
>>                                                         it just
>>                                                         wasn't their
>>                                                         cup of tea or
>>                                                         they had other
>>                                                         > passions
>>                                                         that they
>>                                                         wanted to
>>                                                         contribute
>>                                                         to. But
>>                                                         gathering
>>                                                         recruits
>>                                                         > willing to
>>                                                         participate
>>                                                         clearly takes
>>                                                         skills and
>>                                                         contacts that I
>>                                                         > apparently
>>                                                         do not
>>                                                         possess in
>>                                                         sufficient
>>                                                         quantities.
>>                                                         (Sometimes I
>>                                                         > feel like
>>                                                         I'm trying to
>>                                                         sell screen
>>                                                         doors for
>>                                                         submarines.
>>                                                         Sigh.)
>>                                                         >
>>                                                         > All I'm
>>                                                         saying is
>>                                                         that getting
>>                                                         volunteers is
>>                                                         hard. Each
>>                                                         sizeable
>>                                                         > project
>>                                                         really needs
>>                                                         someone
>>                                                         willing to
>>                                                         fulfill the
>>                                                         project
>>                                                         > evangelist
>>                                                         role to keep
>>                                                         looking for
>>                                                         new
>> > contributors. For one
>> > reason (at least it's been my experience) is that KEEPING volunteers
>> > for extended periods is even harder and, by and large, I think if
>> > we looked at the historical data of contributors across all OWASP
>> > projects (say, based on commit history), that the data would bear
>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>> > is experienced by many FOSS projects.
>> >
>> >> Does OWASP want to sponsor projects directly?
>> >> I think that's what it would take to build a thriving set of Projects.
>> >> Is that something that could be done?
>> >
>> > _COULD_ it be done? Yes. Should it be done is another matter.
>> > I'd rather not see it become necessary as I really don't want OWASP
>> > to turn into a political organization where the project leaders are
>> > forced to lobby for funding, and I fear that's what would happen. I
>> > think also it would stifle innovation because new incubator projects
>> > would likely all dry up (unless a certain amount of funds were
>> > pre-allocated to them) as they likely couldn't compete against more
>> > established projects.
>> >
>> > I had thought of proposing allowing individual OWASP projects to
>> > somehow sell their own project-related schwag at conferences and such
>> > and keep a percentage of the profits to use for their projects so that
>> > they could then use that money however they saw fit (e.g., hiring a
>> > technical writer to write project documentation, for instance). But that
>> > probably would not make a major impact in funding to a project,
>> > especially if all the OWASP projects started doing it.
>> >
>> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
>> >> that's been invaluable.
>> >
>> > I suppose that starts with a company that has a culture of strongly
>> > contributing to FOSS. Most of us do not work for such companies. Most
>> > work for companies who extensively rely on such software, but rarely
>> > allow their companies to contribute to such things on company time
>> > because they don't really see it as contributing directly to their
>> > bottom line. (NOTE: I want to make clear that this is strictly my
>> > personal opinion based on a [likely] biased observation and in no
>> > way represents the official position of either my current or any
>> > of my previous employers. And they didn't even make me say that! :)
>> >
>> >> But I'd love to be able to employ some of the ZAP contributors to work full
>> >> time on ZAP :)
>> >> Would OWASP pay for that??
>> >
>> > Great question and I think you're not the only project that might
>> > benefit from that. Although, if that means lobbying for funds by
>> > competing against other OWASP projects, then I'm out because I
>> > just don't have the stomach for that. It gets bad enough competing
>> > for resources at Google Summer of Code and various OWASP code sprints,
>> > and I fear if we increased OWASP funding to amounts needed to sustain
>> > OWASP projects, it could lead to divisions in OWASP as people aligned
>> > themselves with one project or another.
>> >
>> >> It would require much more 'project management' - the kind of things that
>> >> people _think_ OWASP is doing, but it doesn't.
>> >> I often see posts from people asking "why the hell is OWASP developing X".
>> >> They seem to think that there's an OWASP committee that meets and goes "We
>> >> think we should have project X". Whereas it's actually an individual coming
>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>> >
>> > Well, their perception could also be more of a notion of "why aren't
>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>> > instead?" And truth be told, I've also asked that question myself, but
>> > more because it was like "OWASP already has a project Z that does
>> > almost exactly what project X is proposing. Why don't they just join
>> > project Z instead of spinning off a similar project?".
>> >
>> > I think any of those, as well as your conjecture, are possible reasons
>> > for them asking that question.
>> >
>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>> >> from OWASP as to how ZAP should move forward.
>> >> note that I'm _really_ not complaining about that ;)
>> >
>> > Hmmm...well, THAT would explain some things!
>> >
>> > JK. ;-)
>> >
>> >> OWASP does not really invest in projects. It does provide some support, but
>> >> to be honest not a great deal.
>> >> If we decided to invest significant amounts of money in projects then there
>> >> would need to be real debate as to what we should invest in.
>> >> And I realise that that's difficult, particularly as OWASP is supported by
>> >> commercial organisations, and they won't want OWASP investing in projects
>> >> that compete with their own offerings.
>> >>
>> >> There are other things that OWASP could do other than paying developers
>> >> directly.
>> >> We could spend much more effort encouraging companies to contribute to OWASP
>> >> projects, especially by donating engineering effort.
>> >> We could help projects with the 'non programming' aspects - documentation,
>> >> testing, marketing etc.
>> >> We could provide more advice and guidance - I don't want people to dictate
>> >> where ZAP should be headed, but I'd love constructive feedback :)
>> >
>> > Well, being a project lead of a much less successful project, I've
>> > thought long and hard about the obstacles that I've faced.
>> >
>> > Most of that has been around getting people to help with the following
>> > types of things:
>> >     * Project documentation, most notably overall user manuals and FAQs
>> >       and wiki entries.
>> >     * Help with maven / pom.xml issues and release management in general
>> >     * Assistance with version control, most notably git and GitHub
>> >     * Someone willing to be a sounding board for proposed
>>                                                         design changes
>>                                                         >
>>                                                         > As I've
>>                                                         reflected
>>                                                         about it, one
>>                                                         of the things
>>                                                         that I've
>>                                                         noted is that
>>                                                         > many of
>>                                                         these are
>>                                                         specialities
>>                                                         that are
>>                                                         cross-cutting
>>                                                         across many
>>                                                         > OWASP projects.
>>                                                         >
>>                                                         > I think one
>>                                                         way that we
>>                                                         might be able
>>                                                         to address
>>                                                         these some of
>>                                                         these
>>                                                         > concerns is
>>                                                         to create a
>>                                                         Subject
>>                                                         Matter Expert
>>                                                         list of
>>                                                         people who would
>>                                                         > be willing
>>                                                         to volunteer
>>                                                         to help out
>>                                                         projects by
>>                                                         contributing
>>                                                         a few
>>                                                         > hours here
>>                                                         or there. For
>>                                                         starters, I
>>                                                         am than
>>                                                         willing to
>>                                                         put my name
>>                                                         > into the
>>                                                         hat an be
>>                                                         willing to
>>                                                         contribute as
>>                                                         an applied
>>                                                         cryptography
>>                                                         > SME for any
>>                                                         projects that
>>                                                         have crypto
>>                                                         related
>>                                                         questions or
>>                                                         maybe need
>>                                                         > some crypto
>>                                                         code reviewed
>>                                                         by a fresh
>>                                                         pair of eyes
>>                                                         (at least as
>>                                                         long as
>>                                                         > it's
>>                                                         written in a
>>                                                         programming
>>                                                         language I've
>>                                                         familiar
>>                                                         with). Of course,
>>                                                         > the irony
>>                                                         of it is that
>>                                                         likely would
>>                                                         require a new
>>                                                         OWASP project to
>>                                                         > maintain
>>                                                         that OWASP
>>                                                         SME list.
>>                                                         (Not it! :)
>>                                                         >
>>                                                         >> Ok, thats
>>                                                         ended up
>>                                                         being a
>>                                                         pretty
>>                                                         rambling email ;)
>>                                                         >
>>                                                         > Trust me,
>>                                                         I've written
>>                                                         more than my
>>                                                         share!
>>                                                         >
>>                                                         >> I'll end
>>                                                         there and see
>>                                                         what
>>                                                         responses I
>>                                                         get :D
>>                                                         >
>>                                                         > Here's one.
>>                                                         Thanks for
>>                                                         listening OWASP!
>>                                                         >
>>                                                         > -kevin
>>                                                         > --
>>                                                         > Blog:
>>                                                         http://off-the-wall-security.blogspot.com/
>>                                                         > NSA: All
>>                                                         your crypto
>>                                                         bit are
>>                                                         belong to us.
>>                                                         >
>>                                                         _______________________________________________
>>                                                         >
>>                                                         OWASP-Leaders
>>                                                         mailing list
>>                                                         >
>>                                                         OWASP-Leaders at lists.owasp.org
>>                                                         >
>>                                                         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>                                                     _______________________________________________
>>                                                     Owasp-board
>>                                                     mailing list
>>                                                     Owasp-board at lists.owasp.org
>>                                                     https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>> -- 
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
>         -- 
>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
