[Owasp-board] [Owasp-leaders] Projects Vs Chapters

Jim Manico jim.manico at owasp.org
Wed Sep 16 16:12:04 UTC 2015


The only issue I have with the freemium model is that it's not an open source model. If someone wanted to fork ZAP and make a commercial version of it, as long as the license allows for such things then OWASP should have no problem with it. Same with other projects licensed with permissive open source licenses like MIT.

Again, freemium implies closed source which is not at all the OWASP way.

And Tom, Jeff's partnership model almost exactly matches what you described. Check it out!

Aloha,
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!

> On Sep 16, 2015, at 7:52 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> 
> I don't personally have issues with either a paid support or paid hosting model for OWASP projects.  The real question there is WHO does the support or handles the hosting.  I don't see that as being a service that the OWASP Foundation would hire someone to do, at least not at this point.  It would be the responsibility of the project leader to figure out the logistics.  Obviously, the fee should take into account the cost of service.
> 
> The one thing that I think we need to avoid is situations where a project would be somehow neutered in functionality and a fee charged for it (i.e. "freemium").  That scenario would seem to breed a conflict of interest where the leader is making choices about what is free vs what is paid.  I think that's a big problem when it comes to OWASP tools.
> 
> ~josh
> 
>> On Wed, Sep 16, 2015 at 5:24 AM, Mike Goodwin <mike.goodwin at owasp.org> wrote:
>> I'd like to hear the view of the community on Josh's question too.
>> 
>> Context: My project is a web application. Obviously the code can be downloaded and hosted by users however they see fit, but I was wondering if it would be possible to have a paid-for option that is hosted by OWASP, with any income being re-invested in the project. Presumably benefits of scale would kick in and it would be cheaper for users to go down this route than to self-host. This is similar in concept to the paid support option that Josh mentioned.
>> 
>> Would this conflict with OWASP rules or values? To be absolutely clear - the code would always remain open source.
>> 
>> Mike
>> 
>>> On 15 September 2015 at 16:49, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Maybe this is a stupid question, but has anyone considered experimenting with a funding model using the project itself?  Maybe try to raise additional funds by having a paid support option or say if you can raise $X in donations you'll develop Y feature(s)?  The devil is in the details, but that might be a project-centric way to raise money that a chapter wouldn't even have the option to do.
>>> 
>>> ~josh
>>> 
>>>> On Mon, Sep 14, 2015 at 12:22 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> For reference, the 2015 budget shows OWASP at a loss of around $105k for the year.  Not an issue given the funds currently in reserves, but we did budget to spend more than we brought in so there's not a ton of room to work with there unless we add revenue or eliminate expenses.
>>>> 
>>>> Agree, I also noticed this. The activities I'm proposing won't be that high cost, especially compared to the actual costs of setting up events, but I think a strategy where project leaders can proactively generate funds for their own project is a step towards developing them better.
>>>> 
>>>> 
>>>>> On Mon, Sep 14, 2015 at 12:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>> The Board should be reviewing the budget for 2016 in the next few months so it is an excellent time to make such a proposal.  We just need to know what kinds of activities we are looking at and how much we need to make them happen.  We can then look at anticipated revenue vs expenses in order to determine if there is room in the budget to make it happen.  For reference, the 2015 budget shows OWASP at a loss of around $105k for the year.  Not an issue given the funds currently in reserves, but we did budget to spend more than we brought in so there's not a ton of room to work with there unless we add revenue or eliminate expenses.
>>>>> 
>>>>> ~josh
>>>>> 
>>>>>> On Mon, Sep 14, 2015 at 11:20 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>> Hi Josh
>>>>>> 
>>>>>> I have taken the time to extract from the 2015 budget where the major OWASP costs are:
>>>>>> Total revenue projected for 2015 is USD 2,540,667.00
>>>>>> 
>>>>>> From this :
>>>>>> 
>>>>>> Cost Salaries and Contractors 2015 OWASP
>>>>>>   Employees salaries                          342,237.82
>>>>>>   Bonus and commission                         38,600.00
>>>>>>   Contractors & Professional services:
>>>>>>     Virtual fin fee                            32,000.00
>>>>>>     Accounting KPMG                             4,000.00
>>>>>>     Int Accounting KPMG EU                      9,000.00
>>>>>>     Qtrly VAT by Country                       14,489.00
>>>>>>     Virtual Executive Director/HR Contractor    8,700.00
>>>>>>     Virtual - HR Hosting & fees                12,000.00
>>>>>>     IT Admin                                   10,000.00
>>>>>>     Legal Contractor                            7,200.00
>>>>>>     Graphic Designer                            7,200.00
>>>>>>     Events Manager                             72,000.00
>>>>>>   Total                                       557,426.82
>>>>>>   Percentage from total revenue                   21.94%
>>>>>> 
>>>>>> Cost Conferences 2015 (in USD)
>>>>>>   APPSEC US                                  $935,557.00
>>>>>>   APPSEC EU                                  $241,510.00
>>>>>>   APPSEC ASIA                                 $25,000.00
>>>>>>   APPSEC LATAM                                 $7,500.00
>>>>>>   Local & Regional Events                    $115,000.00
>>>>>>   Total in events                          $1,209,567.00
>>>>>>   Percentage from revenue                         47.61%
>>>>>> 
>>>>>> 
>>>>>> As I can see, there are many expenses involved in operations and creating events (these sum up to around 70% of the OWASP expenses).
>>>>>> 
>>>>>> > In response to Paul:
>>>>>> For 2016 planning, I'm encouraged by all the interest demonstrated by these emails, as we adjust our 2016 Budget to reflect the community priorities.
>>>>>> 
>>>>>> I would like to propose a fixed budget for certain activities. I believe Claudia was also busy with that part for the Project Summits, but also for helping promote projects and training for leaders.
>>>>>> 
>>>>>> regards
>>>>>> 
>>>>>> Johanna
>>>>>> 
>>>>>>> On Mon, Sep 14, 2015 at 11:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>> Johanna,
>>>>>>> 
>>>>>>> I was really hoping that Fabio, as current Treasurer, would wade into this conversation, but since he hasn't I will as Treasurer last year.  
>>>>>>> 
>>>>>>> The short answer to your questions is that OWASP receives money from many different sources.  Conferences, grants, donations, and yes, membership.  OWASP also has many expenses that aren't solely covered by "project expenses" or "chapter expenses".  Money that isn't pre-allocated to something specific like that ends up in the OWASP funds pool and gets budgeted to be used for other expenses.  Our paid staff is probably the top expense where that is concerned, but there are many other things that OWASP spends money on as well.  The OWASP budget should be publicly available and I know that the OWASP staff is currently working on the 2014 report which should be released any day now.
>>>>>>> 
>>>>>>> ~josh
>>>>>>> 
>>>>>>>> On Mon, Sep 7, 2015 at 11:30 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>> > How can we make the corporation more aware of this option?
>>>>>>>> 
>>>>>>>> I would like to see first a clarification on where the money from corporate memberships that have not made any choices is allocated right now.
>>>>>>>> 
>>>>>>>> Community funds are USD 60,000 a year, and this is not only for projects but for everything to do with the community.
>>>>>>>> 
>>>>>>>> So far, memberships between corporate and individual memberships total:
>>>>>>>> 
>>>>>>>>   Corporate memberships (foundation + chapter)    USD 350,000
>>>>>>>>   Individual memberships (foundation + chapter)   USD  90,000
>>>>>>>>   Total                                           USD 440,000
>>>>>>>> 
>>>>>>>> Following the same sheet, the following corporate memberships have not been allocated by the sponsors. I would like to know how much of the USD 350,000 belongs to these unallocated memberships:
>>>>>>>> Autodesk, Inc.
>>>>>>>> Blackhat US
>>>>>>>> CA Technologies
>>>>>>>> CDNetworks
>>>>>>>> ClassDojo
>>>>>>>> Coverity
>>>>>>>> eLearn Security
>>>>>>>> HERE North America, LLC.
>>>>>>>> Johnson Controls, Inc.
>>>>>>>> Rapid7
>>>>>>>> Software Assurance Marketplace (SWAMP)
>>>>>>>> 
>>>>>>>> Each of these contributes USD 5,000 (following the corporate categories as they appear here: https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters)
>>>>>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>>>>>> 
>>>>>>>> Big corporate memberships from 4 companies which do not appear in that Google sheet have contributed 4 x USD 20,000 = USD 80,000. Where has this money been allocated?
>>>>>>>> Adobe
>>>>>>>> Qualys
>>>>>>>> HP
>>>>>>>> Contrast
>>>>>>>> 
>>>>>>>> I would like clarification on where exactly the money from these corporate memberships is allocated, which in total (following these calculations) accumulates to
>>>>>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members have allocated.
>>>>>>>> 
>>>>>>>> If part of the money goes to the community fund, then 140k - 60k = USD 80,000 is still open. Where is this money being allocated to?
>>>>>>>> 
>>>>>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>> Thanks Johanna, this is _really_ interesting.
>>>>>>>>> And that's a huge imbalance between the chapters and projects.
>>>>>>>>> Corporate members can obviously choose where their money goes, but maybe they are not aware they can choose projects (and if Eoin didn't know, that seems very likely!)
>>>>>>>>> How can we make the corporation more aware of this option?
>>>>>>>>> And how else can we redress this imbalance?
>>>>>>>>> 
>>>>>>>>> Cheers,
>>>>>>>>> 
>>>>>>>>> Simon
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>>>> In 2013 corporate membership represented 33% of total income for OWASP, as opposed to individual membership which represented only 13% of the total income.
>>>>>>>>>> 
>>>>>>>>>> In 2015 corporate membership (foundation + chapter) has a total revenue of USD 350,000, as opposed to USD 90,000 from individual memberships (again foundation + chapter), which is quite considerable:
>>>>>>>>>> OWASP Foundation Budget - 2015 (screenshot attached: Screenshot 2015-09-07 08.07.40.png)
>>>>>>>>>> 
>>>>>>>>>> Basically all memberships are going to 'chapters'
>>>>>>>>>> 
>>>>>>>>>> If more than half of these donations (corporate membership), which I highlighted in green, have not been specified for any purpose, then how does the foundation decide into which account that money goes? I would like an answer on this. What I miss here is a breakdown of the amount and into which budget these are being set.
>>>>>>>>>> 
>>>>>>>>>> It seems that those memberships are going mostly to chapters and some to some projects (highlighted in yellow) (ZAP + SAMM)
>>>>>>>>>> 
>>>>>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>>>>>> 
>>>>>>>>>> Btw, I cannot find the financial report for 2014; it seems to be quite behind (since we are almost at the end of 2015)
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>>>>>> One thing about membership donations to projects. Last week, the list
>>>>>>>>>>> of members was posted to the leaders list for the elections:
>>>>>>>>>>> 
>>>>>>>>>>>    https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>>>>>> 
>>>>>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>>>>>> their donation to a project - in this case "mobile". I agree that at the
>>>>>>>>>>> point of joining that many people might select a chapter at that time,
>>>>>>>>>>> but I am wondering if this is actually accurate? It doesn't feel
>>>>>>>>>>> correct that less than 0.1% select a project.
>>>>>>>>>>> 
>>>>>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>>>>>> money.
>>>>>>>>>>> 
>>>>>>>>>>>     https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>>>>>> 
>>>>>>>>>>> Is this a fault, and which members and projects have been affected by
>>>>>>>>>>> this? I wonder if it applies to all project allocation selections, or
>>>>>>>>>>> only after a change is requested? Why are there so many "blanks" and
>>>>>>>>>>> "none" in the list of membership, and what's the difference? How long
>>>>>>>>>>> has it been occurring?
>>>>>>>>>>> 
>>>>>>>>>>> Colin
>>>>>>>>>>> 
>>>>>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>>>>>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>>>>>> > one, when he first posted this on the Board and Governance list that
>>>>>>>>>>> > I agreed with him 100%, but I just wanted to add some things.
>>>>>>>>>>> >
>>>>>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>>>>>> >> So starting a new one here as I think it's important for us to discuss.
>>>>>>>>>>> >> For background see:
>>>>>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>>>>>> >>
>>>>>>>>>>> >>
>>>>>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's put into
>>>>>>>>>>> >> reviewing the projects.
>>>>>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a whole have
>>>>>>>>>>> >> really benefited.
>>>>>>>>>>> >
>>>>>>>>>>> > Amen to that. And having been involved in one of the projects (ESAPI)
>>>>>>>>>>> > that was demoted from Flagship to Lab status, I know it's not always
>>>>>>>>>>> > an easy thing to receive the assessments that she and her team had
>>>>>>>>>>> > been doing, but we need to be professional about this and not shoot
>>>>>>>>>>> > the messenger. Certainly when it came to ESAPI, while I was
>>>>>>>>>>> > disappointed, I pretty much agreed with the project review
>>>>>>>>>>> > conclusions.
>>>>>>>>>>> >
>>>>>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>>>>>> >>
>>>>>>>>>>> >> I have a theory:
>>>>>>>>>>> >>
>>>>>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters are more
>>>>>>>>>>> >> important _to_them_ than the projects.
>>>>>>>>>>> >> Chapters are where we meet people, exchange ideas and learn things. They are
>>>>>>>>>>> >> social events.
>>>>>>>>>>> >
>>>>>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>>>>>> > chapter meetings but who are also actively involved with one or more
>>>>>>>>>>> > OWASP projects.
>>>>>>>>>>> >
>>>>>>>>>>> >> People outside OWASP think that the Projects are more important _to_them_
>>>>>>>>>>> >> than the Chapters.
>>>>>>>>>>> >> They dont go to chapter meetings, they might not even be aware of them.
>>>>>>>>>>> >> They use, or at least are aware of, the main OWASP projects, mostly the
>>>>>>>>>>> >> Flagship ones.
>>>>>>>>>>> >>
>>>>>>>>>>> >> Anyone agree or disagree?
>>>>>>>>>>> >
>>>>>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>>>>>> > like the edge case I mentioned above.
>>>>>>>>>>> >
>>>>>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>>>>>>>>>>> >>
>>>>>>>>>>> >> I think Chapters and Projects are fundamentally different 'beasts', and I've
>>>>>>>>>>> >> started and run both :)
>>>>>>>>>>> >>
>>>>>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>>>>>> >> You need to be based in a city with a thriving security and/or software
>>>>>>>>>>> >> industry.
>>>>>>>>>>> >> You need to spend time organising and publicising events, but it's not hard -
>>>>>>>>>>> >> you don't need specialized skills.
>>>>>>>>>>> >> It's relatively easy to find people prepared to speak, arrange rooms and help
>>>>>>>>>>> >> with other organisational things.
>>>>>>>>>>> >> It's something you can do in your spare time.
>>>>>>>>>>> >
>>>>>>>>>>> > One thing I'll add here. The fact that people can use their time spent
>>>>>>>>>>> > attending OWASP chapter meetings as CPEs toward some security
>>>>>>>>>>> > certification is also a big draw I think. In the past, we've even
>>>>>>>>>>> > attracted quite a few non-OWASP members because of this, or at least
>>>>>>>>>>> > that appeared to be their primary motivation as some of them would ask
>>>>>>>>>>> > about for our chapter leads to provide evidence of attendance for
>>>>>>>>>>> > their CPEs and we'd then discover that some of them were not OWASP
>>>>>>>>>>> > members (not that we made a big deal about that).
>>>>>>>>>>> >
>>>>>>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>>>>>> >
>>>>>>>>>>> >> Projects are much harder.
>>>>>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>>>>>> >> I'll focus on software projects (as I know much more about those) but I have
>>>>>>>>>>> >> no doubt documentation projects can be just as difficult.
>>>>>>>>>>> >> A professional software project is the result of the hard work of managers,
>>>>>>>>>>> >> designers, developers, QA, support, technical authors, sales and marketing
>>>>>>>>>>> >> (and probably others I've forgotten;).
>>>>>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up when you
>>>>>>>>>>> >> 'sunset' the project.
>>>>>>>>>>> >> Ok, so (non commercial) open source projects don't need sales staff, but they
>>>>>>>>>>> >> do need people doing all of the other roles. It's definitely _not_ just
>>>>>>>>>>> >> programming!
>>>>>>>>>>> >
>>>>>>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>>>>>>> >
>>>>>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>>>>>> > example, long ago, I've noticed that people seem to ask more questions
>>>>>>>>>>> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users or
>>>>>>>>>>> > ESAPI-Dev mailing lists. I suspect that there are other forums
>>>>>>>>>>> > elsewhere that these things get discussed.
>>>>>>>>>>> >
>>>>>>>>>>> >> It's way too much for one person (for a non trivial project).
>>>>>>>>>>> >> Luckily we have the open source community, but that means a project leader
>>>>>>>>>>> >> needs another skill: community building!
>>>>>>>>>>> >
>>>>>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm not
>>>>>>>>>>> > particularly a people person nor do I have a lot of contacts beyond
>>>>>>>>>>> > the immediate colleagues that I work with, so when the current
>>>>>>>>>>> > volunteer pool dries up and stops contributing, the project tends to
>>>>>>>>>>> > die because of (at least in my case) the inability to find new
>>>>>>>>>>> > volunteers to help carry the project forward.
>>>>>>>>>>> >
>>>>>>>>>>> >> And to be honest most volunteers are developers (and security people for
>>>>>>>>>>> >> OWASP projects), it's very rare for people with other skills to get involved.
>>>>>>>>>>> >
>>>>>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>>>>>> > sometimes in our industry in that there's an unspoken perception of a
>>>>>>>>>>> > pecking order within the security community so that some of these very
>>>>>>>>>>> > important roles are greatly devalued (e.g., those who write
>>>>>>>>>>> > documentation or manage releases or do QA testing or provide project
>>>>>>>>>>> > management or other infrastructure support). And while we generally
>>>>>>>>>>> > don't come right out and express it, I think it's there and those who
>>>>>>>>>>> > might otherwise step up and fill those roles avoid the security
>>>>>>>>>>> > community for some other FOSS projects because they feel under-appreciated.
>>>>>>>>>>> >
>>>>>>>>>>> >> I don't think it's something you can do in your spare time, at least for long
>>>>>>>>>>> >> (I did for a while, and my wife described herself as a "ZAP widow";)
>>>>>>>>>>> >
>>>>>>>>>>> > :D
>>>>>>>>>>> >
>>>>>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_ harder.
>>>>>>>>>>> >
>>>>>>>>>>> > Making free pizza and beer available at chapter meetings doesn't hurt!  :)
>>>>>>>>>>> >
>>>>>>>>>>> > We've also tried holding mini-hackathons at our local OWASP meetings
>>>>>>>>>>> > maybe once a year. It was interesting, but I can't say it was a
>>>>>>>>>>> > resounding success, because many there did not know the programming
>>>>>>>>>>> > language the project was written in and it took us an undue amount of
>>>>>>>>>>> > time just to get to the point where people got their IDE of choice
>>>>>>>>>>> > configured to pull the project from GitHub. Also probably about 1/2
>>>>>>>>>>> > of the regular attenders don't really program to any great extent at
>>>>>>>>>>> > all but rather consider themselves more of pen testers, so holding
>>>>>>>>>>> > these mini-hackathons effectively leaves out almost half of our
>>>>>>>>>>> > regular attendees so that's not going to be something that works as a
>>>>>>>>>>> > long term strategy.
>>>>>>>>>>> >
>>>>>>>>>>> >> I suspect OWASP as an organisation supports Chapters more effectively, but
>>>>>>>>>>> >> even if it supports both equally Projects don't get as much support as they
>>>>>>>>>>> >> need.
>>>>>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a whole)
>>>>>>>>>>> >> diminishing.
>>>>>>>>>>> >> If I'm right and people outside OWASP see the Projects as more important
>>>>>>>>>>> >> than the Chapters then this leads to the impression that OWASP is
>>>>>>>>>>> >> struggling.
>>>>>>>>>>> >>
>>>>>>>>>>> >> What do projects need?
>>>>>>>>>>> >> I don't think it's possible to maintain a 'significant' open source project
>>>>>>>>>>> >> unless you are able to spend the majority of your working day on it.
>>>>>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>>>>>> >> This is a significant investment for a company, and it's often difficult to
>>>>>>>>>>> >> justify this sort of investment. Especially if it's difficult to monetise
>>>>>>>>>>> >> OWASP projects.
>>>>>>>>>>> >
>>>>>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>>>>>> > previous company, I tried to convince my management to allocate about
>>>>>>>>>>> > eight hours a week from our entire team to contribute to ESAPI bug
>>>>>>>>>>> > fixing. It seemed a logical extension of our internal proprietary
>>>>>>>>>>> > security components class library which was not nearly as complete.
>>>>>>>>>>> > I was unable to convince my management and shortly afterwards, I
>>>>>>>>>>> > left that team (for unrelated reasons) and started working with a
>>>>>>>>>>> > team that had security experience that wouldn't easily translate to
>>>>>>>>>>> > ESAPI needs.  In fact, my experience was worse than that. None of my
>>>>>>>>>>> > colleagues ever decided to help out individually either. Not a big
>>>>>>>>>>> > deal; maybe it just wasn't their cup of tea or they had other
>>>>>>>>>>> > passions that they wanted to contribute to. But gathering recruits
>>>>>>>>>>> > willing to participate clearly takes skills and contacts that I
>>>>>>>>>>> > apparently do not possess in sufficient quantities. (Sometimes I
>>>>>>>>>>> > feel like I'm trying to sell screen doors for submarines. Sigh.)
>>>>>>>>>>> >
>>>>>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>>>>>> > evangelist role to keep looking for new contributors. For one
>>>>>>>>>>> > reason (at least it's been my experience) is that KEEPING volunteers
>>>>>>>>>>> > for extended periods is even harder and by and large, I think if
>>>>>>>>>>> > we looked at the historical data of contributors across all OWASP
>>>>>>>>>>> > projects (say, based on commit history), that the data would bear
>>>>>>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>>>>>>> > is experienced by many FOSS projects.
>>>>>>>>>>> >
>>>>>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>>>>>> >> I think that's what it would take to build a thriving set of Projects.
>>>>>>>>>>> >> Is that something that could be done?
>>>>>>>>>>> >
>>>>>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>>>>>> > I'd rather not see it become necessary as I really don't want OWASP
>>>>>>>>>>> > to turn into a political organization where the project leaders are
>>>>>>>>>>> > forced to lobby for funding, and I fear that's what would happen. I
>>>>>>>>>>> > think also it would stifle innovation because new incubator projects
>>>>>>>>>>> > would likely all dry up (unless a certain amount of funds were
>>>>>>>>>>> > pre-allocated to them) as they likely couldn't compete against more
>>>>>>>>>>> > established projects.
>>>>>>>>>>> >
>>>>>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>>>>>> > somehow sell their own project-related schwag at conferences and such
>>>>>>>>>>> > and keep a percentage of the profits to use for their projects so that
>>>>>>>>>>> > they could then use that money however they saw fit (e.g., hiring a
>>>>>>>>>>> > technical writer to write project documentation for instance). But that
>>>>>>>>>>> > probably would not make a major impact in funding to a project,
>>>>>>>>>>> > especially if all the OWASP projects started doing it.
>>>>>>>>>>> >
>>>>>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
>>>>>>>>>>> >> that's been invaluable.
>>>>>>>>>>> >
>>>>>>>>>>> > I suppose that starts with a company that has a culture of strongly
>>>>>>>>>>> > contributing to FOSS. Most of us do not work for such companies. Most
>>>>>>>>>>> > work for companies who extensively rely on such software, but rarely
>>>>>>>>>>> > allow their employees to contribute to such things on company time
>>>>>>>>>>> > because they don't really see it as contributing directly to their
>>>>>>>>>>> > bottom line. (NOTE: I want to make clear that this is strictly my
>>>>>>>>>>> > personal opinion based on a [likely] biased observation and in no
>>>>>>>>>>> > way represents the official position of either my current nor any
>>>>>>>>>>> > of my previous employers. And they didn't even make me say that! :)
>>>>>>>>>>> >
>>>>>>>>>>> >> But I'd love to be able to employ some of the ZAP contributors to work full
>>>>>>>>>>> >> time on ZAP :)
>>>>>>>>>>> >> Would OWASP pay for that??
>>>>>>>>>>> >
>>>>>>>>>>> > Great question and I think you're not the only project that might
>>>>>>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>>>>>>> > for resources at Google Summer of Code and various OWASP code sprints,
>>>>>>>>>>> > and I fear if we increased OWASP funding to amounts needed to sustain
>>>>>>>>>>> > OWASP projects, it could lead to divisions in OWASP as people aligned
>>>>>>>>>>> > themselves with one project or another.
>>>>>>>>>>> >
>>>>>>>>>>> >> It would require much more 'project management' - the kind of things that
>>>>>>>>>>> >> people _think_ OWASP is doing, but it doesn't.
>>>>>>>>>>> >> I often see posts from people asking "why the hell is OWASP developing X".
>>>>>>>>>>> >> They seem to think that there's an OWASP committee that meets and goes "We
>>>>>>>>>>> >> think we should have project X". Whereas it's actually an individual coming
>>>>>>>>>>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>>>>>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>>>>>> >
>>>>>>>>>>> > Well, their perception could also be more of a notion of "why aren't
>>>>>>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>>>>>>>>>>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>>>>>>>>>>> > instead?" And truth be told, I've also asked that question myself, but
>>>>>>>>>>> > more because it was like "OWASP already has a project Z that does
>>>>>>>>>>> > almost exactly what project X is proposing. Why don't they just join
>>>>>>>>>>> > project Z instead of spinning off a similar project?".
>>>>>>>>>>> >
>>>>>>>>>>> > I think any of those, as well as your conjecture, are possible reasons
>>>>>>>>>>> > for them asking that question.
>>>>>>>>>>> >
>>>>>>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>>>>>>>>>>> >> from OWASP as to how ZAP should move forward.
>>>>>>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>>>>>>> >
>>>>>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>>>>>> >
>>>>>>>>>>> > JK. ;-)
>>>>>>>>>>> >
>>>>>>>>>>> >> OWASP does not really invest in projects. It does provide some support, but
>>>>>>>>>>> >> to be honest not a great deal.
>>>>>>>>>>> >> If we decided to invest significant amounts of money in projects then there
>>>>>>>>>>> >> would need to be real debate as to what we should invest in.
>>>>>>>>>>> >> And I realise that that's difficult, particularly as OWASP is supported by
>>>>>>>>>>> >> commercial organisations, and they won't want OWASP investing in projects
>>>>>>>>>>> >> that compete with their own offerings.
>>>>>>>>>>> >>
>>>>>>>>>>> >> There are other things that OWASP could do other than paying developers
>>>>>>>>>>> >> directly.
>>>>>>>>>>> >> We could spend much more effort encouraging companies to contribute to OWASP
>>>>>>>>>>> >> projects, especially by donating engineering effort.
>>>>>>>>>>> >> We could help projects with the 'non programming' aspects - documentation,
>>>>>>>>>>> >> testing, marketing etc.
>>>>>>>>>>> >> We could provide more advice and guidance - I don't want people to dictate
>>>>>>>>>>> >> where ZAP should be headed, but I'd love constructive feedback :)
>>>>>>>>>>> >
>>>>>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>>>>>> >
>>>>>>>>>>> > Most of that has been around getting people to help with the following
>>>>>>>>>>> > types of things:
>>>>>>>>>>> >     * Project documentation, most notably overall user manuals and FAQs
>>>>>>>>>>> >       and wiki entries.
>>>>>>>>>>> >     * Help with maven / pom.xml issues and release management in general
>>>>>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>>>>>> >     * Someone willing to be a sounding board for proposed design changes
>>>>>>>>>>> >
>>>>>>>>>>> > As I've reflected about it, one of the things that I've noted is that
>>>>>>>>>>> > many of these are specialities that are cross-cutting across many
>>>>>>>>>>> > OWASP projects.
>>>>>>>>>>> >
>>>>>>>>>>> > I think one way that we might be able to address some of these
>>>>>>>>>>> > concerns is to create a Subject Matter Expert list of people who would
>>>>>>>>>>> > be willing to volunteer to help out projects by contributing a few
>>>>>>>>>>> > hours here or there. For starters, I am more than willing to put my name
>>>>>>>>>>> > into the hat and be willing to contribute as an applied cryptography
>>>>>>>>>>> > SME for any projects that have crypto related questions or maybe need
>>>>>>>>>>> > some crypto code reviewed by a fresh pair of eyes (at least as long as
>>>>>>>>>>> > it's written in a programming language I'm familiar with). Of course,
>>>>>>>>>>> > the irony of it is that likely would require a new OWASP project to
>>>>>>>>>>> > maintain that OWASP SME list. (Not it! :)
>>>>>>>>>>> >
>>>>>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>>>>>> >
>>>>>>>>>>> > Trust me, I've written more than my share!
>>>>>>>>>>> >
>>>>>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>>>>>> >
>>>>>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>>>>>> >
>>>>>>>>>>> > -kevin
>>>>>>>>>>> > --
>>>>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Owasp-board mailing list
>>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -- 
>>>>>>>>> OWASP ZAP Project leader
>>>>>>>> 
>>>>>>>> 