[Owasp-board] [Owasp-leaders] Projects

Jim Manico jim.manico at owasp.org
Mon Sep 21 17:18:22 UTC 2015


For owasp.org email addresses, we actually use Google for Work. There are no ads present in this type of Google email account.


For some privacy advocates, I can understand why this decision is still not acceptable for a variety of reasons. At the very least we are not providing email accounts that are paid for via advertisements.

What I suggest we do (step 1) is go down the various OWASP-provided communication services and at least be very clear to the community as to what they are getting into before using these OWASP-provided accounts.

Will you be at AppSecUSA so we can discuss or work on this in person? I can also point out some of the current projects that are privacy related at OWASP in case you want to help with their efforts.

Jim Manico
Global Board Member
OWASP Foundation
Join me at AppSecUSA 2015!

> On Sep 21, 2015, at 9:17 AM, Ann Racuya-Robbins <ann.racuya.robbins at owasp.org> wrote:
> A very late reply and follow-up to your questions Jim...but thank you very much for asking.
> "OWASP supports many forms of communication, from a closed email system, to social media to slack to wiki to salesforce for enterprise purposes and more. Those who seek deeper privacy can choose to limit which of these they participate in.
> To pay to develop privacy-based communication software would cost millions to even get started and it's way out of our budget and capacity to be honest.
> If you run across any software or service that we can leverage for privacy in addition to our other communication offerings, I'd be all ears, Ann. 
> Is this a fair perspective, Ann? If not please correct me. :)"
> I think you have asked the right question but respectfully I don't agree with your inferred conclusion.  To outline my response:
> What closed email system are you referring to?
> The key context that needs to be addressed is whose server(s) is the data on and how is it administered? 
> In reference to process: I was told that a case had been created and someone would get back to me. Maybe it fell through the cracks but I haven't heard from anyone. How do I follow up?
> There is no question that privacy in communication is difficult but many steps can be taken along the way as the larger solution is created. As you mentioned a disclaimer, though largely feeble, is a first step. This should be a standard and best practice for new tools. 
> Privacy, security and identity are inextricably connected. If we don't expect and ask for a solution it is unlikely one will be found. In addition this is an area full of opportunity for innovation.
> The dynamics of these interconnections need to be discussed and worked out.
> People come to OWASP in part for community and interacting with one another. The price of that interaction should not be the capturing and monetizing of those interactions for the benefit of third parties. There is a long way between "free" products and "fair or affordable" products and services. The price of community and interaction should not be the appropriation of that very sociability and intelligence by third parties. What about at least sharing the value in a fair way? Could OWASP include in its negotiation with third parties some kind of value sharing, or does it already do so?
> Organizations and associations are under continuing pressure to monetize (make money from) the activities of their members. Transparency here is important.
> Jim, I have found you to be fair and thoughtful and I thank you for that.  I hope OWASP can engage these emerging issues. 
> Regards,
> Ann Racuya-Robbins
>> On Tue, Sep 8, 2015 at 12:37 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Folks,
>> I'm the board liaison for OWASP projects. I am away for two weeks but when I return I will:
>> 1) Gather all of these suggestions (and more) in one document
>> 2) Form a temporary committee to review these and form a proposal to the board
>> This can happen over the course of weeks, not months.
>> I think the concerns here are very just. I will be happy to assist in forming a proposal to the board as soon as I return. Stating concerns on the leaders list is a good place to start but I think it will help if we combine and mature these ideas into a more formal proposal. (And it should not take long to do so).
>> Of course others can drive this immediately if you like, I'm not needed. But I'm very glad to help in two weeks.
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!
>>> On Sep 8, 2015, at 12:50 AM, John Patrick Lita <john.patrick.lita at owasp.org> wrote:
>>> This is a great Conversation Thanks to Simon for opening this Topic.
>>> Project:
>>> A project is also a very difficult one to start: even if you have a great idea, if you don't have budget, a skillful team etc., creating a project is very impossible, and you need to dedicate much of your time to start a project. In my experience, project development is quite good "maybe", because we started the project OWASP ACADEMY www.owaspacademy.com; we are still developing the course materials, we are focusing on introducing all the tools of OWASP, and this is very impossible but the team is still focused on continuing to develop the platform, with or without funding assistance from OWASP.
>>> Chapter:
>>> Is putting up an OWASP Chapter easy?
>>> For me I think it depends on the situation, condition and the economy of the country; for us, we live in a third world country. If you compare the achievement of the previous Chapter Leader of OWASP Manila, we have a big difference when it comes to the outreach program ( https://www.owasp.org/index.php/Manila#Archives ) to increase Software Security Awareness and introduce the Foundation. It's a huge challenge for me and my team to conduct this kind of project like the "OWASP Software Security Outreach Project".
>>> I don't have a car to use for my transportation, so I need to travel 3-5 hours of traveling time just to visit a school, college or university.
>>> Like for example yesterday we conducted a seminar in CAVITE STATE UNIVERSITY; if you Google CAVITE to ANTIPOLO where I live: I leave the house at 4:30 AM and then I arrive at Cavite University at 9:15 AM, how cool is that?
>>> Then I spent money for transportation. When you ride a Jeepney here in the Philippines they don't issue receipts, even riding a Tricycle, UV Express or Bus; this is the main transportation we have here in the Philippines, and then you need to add the "FATAL TRAFFIC".
>>> To introduce the Foundation here in our country is not easy, and maybe it depends on how determined the chapter leader is.
>>>> On Tue, Sep 8, 2015 at 12:30 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> >How can we make the corporation more aware of this option?
>>>> I would like to see first a clarification on where the money from corporate memberships that have not made any choices is allocated right now.
>>>> Community funds are USD 60,000 a year and this is not only for projects but everything to do with the community.
>>>> So far there is in memberships, between corporate and individual memberships, a total of:
>>>> Corporate memberships (foundation + chapter)    USD 350,000
>>>> Individual memberships (foundation + chapter)   USD  90,000
>>>> Total                                           USD 440,000
>>>> Following the same sheet, the following corporate memberships have not been allocated by the sponsors. I would like to know how much money of the USD 350,000 belongs to these unallocated ones:
>>>> Autodesk, Inc.
>>>> Blackhat US
>>>> CA Technologies
>>>> CDNetworks
>>>> ClassDojo
>>>> Coverity
>>>> eLearn Security
>>>> HERE North America, LLC.
>>>> Johnson Controls, Inc.
>>>> Rapid7
>>>> Software Assurance Marketplace (SWAMP)
>>>> Each of these contributes USD 5,000 (following the corporate categories as they appear here: https://www.owasp.org/index.php/Membership#tab=Corporate_Supporters)
>>>> 11 of them have not been allocated, which makes USD 55,000.
>>>> Big corporate memberships from 4 companies which do not appear in that Google sheet have contributed ==> 4 x USD 20,000 = USD 80,000 ==> where has this money been allocated?
>>>> Adobe
>>>> Qualys
>>>> HP
>>>> Contrast
>>>> I would like to have a clarification of where exactly the money from these corporate memberships is allocated, which in total (following these calculations) accumulates to
>>>> USD 55,000 + 80,000 = USD 140,000 that none of the corporate members have allocated.
>>>> If part of the money goes to the community fund, then 140k - 60k = USD 80,000 is still open: where is this money being allocated to?
>>>>> On Mon, Sep 7, 2015 at 9:07 AM, psiinon <psiinon at gmail.com> wrote:
>>>>> Thanks Johanna, this is _really_ interesting.
>>>>> And that's a huge imbalance between the chapters and projects.
>>>>> Corporate members can obviously choose where their money goes, but maybe they are not aware they can choose projects (and if Eoin didn't know, that seems very likely!)
>>>>> How can we make the corporations more aware of this option?
>>>>> And how else can we redress this imbalance?
>>>>> Cheers,
>>>>> Simon
>>>>>> On Mon, Sep 7, 2015 at 1:14 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>> In 2013 corporate membership represented 33% of total income for OWASP, as opposed to individual membership which represented only 13% of the total income.
>>>>>> In 2015 corporate membership (foundation+chapter) has a total revenue of USD 350,000 as opposed to USD 90,000 from individual memberships (again foundation+chapter), which is quite considerable:
>>>>>> OWASP Foundation Budget - 2015
>>>>>> <Screenshot 2015-09-07 08.07.40.png>
>>>>>> Basically all memberships are going to 'chapters'.
>>>>>> If more than half of these donations (corporate membership), which I highlighted in green, have not been specified for any purpose, then how does the foundation decide into which account that money goes? I would like an answer on this. What I miss here is a breakdown of the amount and into which budget these are being set.
>>>>>> It seems that those memberships are going mostly to chapters and some to some projects (highlighted in yellow) (ZAP + SAMM)
>>>>>> https://docs.google.com/spreadsheets/d/1nVyveCi7nmwYMKK4oWSsVGNvqE9aeUBhamQ7XsZvayU/edit?usp=sharing
>>>>>> Btw, I cannot find the financial report of 2014; it seems it is quite behind (since we are almost at the end of 2015)
>>>>>> <Screenshot 2015-08-21 10.19.54.png>
>>>>>>> On Mon, Sep 7, 2015 at 6:17 AM, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>> One thing about membership donations to projects. Last week, the list
>>>>>>> of members was posted to the leaders list for the elections:
>>>>>>>    https://docs.google.com/spreadsheets/d/1Tu2MAdu1xNq8RTaqHWMSb_0qM_OE6aaVgKB54q_fQIs/edit#gid=1075228884
>>>>>>> It shows that out of 2336 individual members only 2 have allocated
>>>>>>> their donation to a project - in this case "mobile". I agree that at the
>>>>>>> point of joining many people might select a chapter at that time,
>>>>>>> but I am wondering if this is actually accurate? It doesn't feel
>>>>>>> correct that less than 0.1% select a project.
>>>>>>> Last time I renewed, I changed my allocation from a chapter to a
>>>>>>> project. But the membership list still shows the allocation as a
>>>>>>> chapter, and the chosen project didn't receive any of my membership
>>>>>>> money.
>>>>>>>     https://docs.google.com/a/owasp.org/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#
>>>>>>> Is this a fault, and which members and projects have been affected by
>>>>>>> this? I wonder if it applies to all project allocation selections, or
>>>>>>> only after a change is requested? Why are there so many "blanks" and
>>>>>>> "none" in the list of membership, and what's the difference? How long
>>>>>>> has it been occurring?
>>>>>>> Colin
>>>>>>> On 6 September 2015 at 21:47, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>>>>>>> > Jumping in late to this thread. I already told Simon from day
>>>>>>> > one, when he first posted this on the Board and Governance list that
>>>>>>> > I agreed with him 100%, but I just wanted to add some things.
>>>>>>> >
>>>>>>> > On Thu, Sep 3, 2015 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> >> Didn't realise this thread wasn't on the leaders list ;)
>>>>>>> >> So starting a new one here as I think it's important for us to discuss.
>>>>>>> >> For background see:
>>>>>>> >> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
>>>>>>> >> This is a copy of the email I sent to that thread..
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> First of all I'd like to thank Johanna for all the effort she's put into
>>>>>>> >> reviewing the projects.
>>>>>>> >> It's been a huge and mostly thankless task, and the projects as a whole have
>>>>>>> >> really benefited.
>>>>>>> >
>>>>>>> > Amen to that. And having been involved in one of the projects (ESAPI)
>>>>>>> > that was demoted from Flagship to Lab status, I know it's not always
>>>>>>> > an easy thing to receive the assessments that she and her team had
>>>>>>> > been doing, but we need to be professional about this and not shoot
>>>>>>> > the messenger. Certainly when it came to ESAPI, while I was
>>>>>>> > disappointed, I pretty much agreed with the project review
>>>>>>> > conclusions.
>>>>>>> >
>>>>>>> >> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
>>>>>>> >>
>>>>>>> >> I have a theory:
>>>>>>> >>
>>>>>>> >> People who are 'part' of OWASP tend to think that the Chapters are more
>>>>>>> >> important _to_them_ than the projects.
>>>>>>> >> Chapters are where we meet people, exchange ideas and learn things. They are
>>>>>>> >> social events.
>>>>>>> >
>>>>>>> > The exception might be for those of us who attend our local OWASP
>>>>>>> > chapter meetings but who are also actively involved with one or more
>>>>>>> > OWASP projects.
>>>>>>> >
>>>>>>> >> People outside OWASP think that the Projects are more important _to_them_
>>>>>>> >> than the Chapters.
>>>>>>> >> They don't go to chapter meetings, they might not even be aware of them.
>>>>>>> >> They use, or at least are aware of, the main OWASP projects, mostly the
>>>>>>> >> Flagship ones.
>>>>>>> >>
>>>>>>> >> Anyone agree or disagree?
>>>>>>> >
>>>>>>> > I think your analysis is pretty much spot on with few exceptions
>>>>>>> > like the edge case I mentioned above.
>>>>>>> >
>>>>>>> >> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
>>>>>>> >>
>>>>>>> >> I think Chapters and Projects are fundamentally different 'beasts', and I've
>>>>>>> >> started and run both :)
>>>>>>> >>
>>>>>>> >> Chapters are relatively easy to start and maintain.
>>>>>>> >> You need to be based in a city with a thriving security and/or software
>>>>>>> >> industry.
>>>>>>> >> You need to spend time organising and publicising events, but it's not hard -
>>>>>>> >> you don't need specialized skills.
>>>>>>> >> It's relatively easy to find people prepared to speak, arrange rooms and help
>>>>>>> >> with other organisational things.
>>>>>>> >> It's something you can do in your spare time.
>>>>>>> >
>>>>>>> > One thing I'll add here. The fact that people can use their time spent
>>>>>>> > attending OWASP chapter meetings as CPEs toward some security
>>>>>>> > certification is also a big draw I think. In the past, we've even
>>>>>>> > attracted quite a few non-OWASP members because of this, or at least
>>>>>>> > that appeared to be their primary motivation as some of them would ask
>>>>>>> > our chapter leads to provide evidence of attendance for
>>>>>>> > their CPEs and we'd then discover that some of them were not OWASP
>>>>>>> > members (not that we made a big deal about that).
>>>>>>> >
>>>>>>> > While it's true that one can earn CPEs working on a project, the
>>>>>>> > evidence bar seems to be a bit higher and a lot harder to measure.
>>>>>>> >
>>>>>>> >> Projects are much harder.
>>>>>>> >> They are relatively easy to start - you 'just' need a good idea.
>>>>>>> >> They are _really_ hard to bring to fruition and maintain.
>>>>>>> >> I'll focus on software projects (as I know much more about those) but I have
>>>>>>> >> no doubt documentation projects can be just as difficult.
>>>>>>> >> A professional software project is the result of the hard work of managers,
>>>>>>> >> designers, developers, QA, support, technical authors, sales and marketing
>>>>>>> >> (and probably others I've forgotten;).
>>>>>>> >> It's a huge amount of effort, and is ongoing - it only lets up when you
>>>>>>> >> 'sunset' the project.
>>>>>>> >> Ok, so (non-commercial) open source projects don't need sales staff, but they
>>>>>>> >> do need people doing all of the other roles. It's definitely _not_ just
>>>>>>> >> programming!
>>>>>>> >
>>>>>>> > If anything, usually people are not that keen on doing those other
>>>>>>> > needed roles, such as project documentation, QA, buildmeister, etc.
>>>>>>> >
>>>>>>> > Also, the more successful a project becomes (i.e., as measured in
>>>>>>> > terms of the number of users) the harder it is to maintain. For
>>>>>>> > example, long ago I noticed that people seem to ask more questions
>>>>>>> > on Stack Exchange about ESAPI than they do on either the ESAPI-Users or
>>>>>>> > ESAPI-Dev mailing lists. I suspect that there are other forums
>>>>>>> > elsewhere that these things get discussed.
>>>>>>> >
>>>>>>> >> It's way too much for one person (for a non-trivial project).
>>>>>>> >> Luckily we have the open source community, but that means a project leader
>>>>>>> >> needs another skill: community building!
>>>>>>> >
>>>>>>> > Indeed that's one where I feel that I've failed miserably. I'm not
>>>>>>> > particularly a people person nor do I have a lot of contacts beyond
>>>>>>> > the immediate colleagues that I work with, so when the current
>>>>>>> > volunteer pool dries up and stops contributing, the project tends to
>>>>>>> > die because of (at least in my case) the inability to find new
>>>>>>> > volunteers to help carry the project forward.
>>>>>>> >
>>>>>>> >> And to be honest most volunteers are developers (and security people for
>>>>>>> >> OWASP projects), it's very rare for people with other skills to get involved.
>>>>>>> >
>>>>>>> > 100% agree. Also, I personally think that we do a disservice
>>>>>>> > sometimes in our industry in that there's an unspoken perception of a
>>>>>>> > pecking order within the security community so that some of these very
>>>>>>> > important roles are greatly devalued (e.g., those who write
>>>>>>> > documentation or manage releases or do QA testing or provide project
>>>>>>> > management or other infrastructure support). And while we generally
>>>>>>> > don't come right out and express it, I think it's there and those who
>>>>>>> > might otherwise step up and fill those roles avoid the security
>>>>>>> > community for some other FOSS projects because they feel under-appreciated.
>>>>>>> >
>>>>>>> >> I don't think it's something you can do in your spare time, at least for long
>>>>>>> >> (I did for a while, and my wife described herself as a "ZAP widow";)
>>>>>>> >
>>>>>>> > :D
>>>>>>> >
>>>>>>> >> So Chapters are relatively easy to maintain, projects _much_ harder.
>>>>>>> >
>>>>>>> > Making free pizza and beer available at chapter meetings doesn't hurt!  :)
>>>>>>> >
>>>>>>> > We've also tried holding mini-hackathons at our local OWASP meetings
>>>>>>> > maybe once a year. It was interesting, but I can't say it was a
>>>>>>> > resounding success, because many there did not know the programming
>>>>>>> > language the project was written in and it took us an undue amount of
>>>>>>> > time just to get to the point where people got their IDE of choice
>>>>>>> > configured to pull the project from GitHub. Also probably about 1/2
>>>>>>> > of the regular attenders don't really program to any great extent at
>>>>>>> > all but rather consider themselves more of pen testers, so holding
>>>>>>> > these mini-hackathons effectively leaves out almost half of our
>>>>>>> > regular attendees so that's not going to be something that works as a
>>>>>>> > long term strategy.
>>>>>>> >
>>>>>>> >> I suspect OWASP as an organisation supports Chapters more effectively, but
>>>>>>> >> even if it supports both equally Projects don't get as much support as they
>>>>>>> >> need.
>>>>>>> >> I think OWASP Chapters are thriving and the Projects are (as a whole)
>>>>>>> >> diminishing.
>>>>>>> >> If I'm right and people outside OWASP see the Projects as more important
>>>>>>> >> than the Chapters then this leads to the impression that OWASP is
>>>>>>> >> struggling.
>>>>>>> >>
>>>>>>> >> What do projects need?
>>>>>>> >> I don't think it's possible to maintain a 'significant' open source project
>>>>>>> >> unless you are able to spend the majority of your working day on it.
>>>>>>> >> This means projects really have to be sponsored by someone.
>>>>>>> >> This is a significant investment for a company, and it's often difficult to
>>>>>>> >> justify this sort of investment. Especially if it's difficult to monetise
>>>>>>> >> OWASP projects.
>>>>>>> >
>>>>>>> > Indeed, back in the day when I was still on an AppSec team for a
>>>>>>> > previous company, I tried to convince my management to allocate about
>>>>>>> > eight hours a week from our entire team to contribute to ESAPI bug
>>>>>>> > fixing. It seemed a logical extension of our internal proprietary
>>>>>>> > security components class library which was not nearly as complete.
>>>>>>> > I was unable to convince my management and shortly afterwards, I
>>>>>>> > left that team (for unrelated reasons) and started working with a
>>>>>>> > team that had security experience that wouldn't easily translate to
>>>>>>> > ESAPI needs.  In fact, my experience was worse than that. None of my
>>>>>>> > colleagues ever decided to help out individually either. Not a big
>>>>>>> > deal; maybe it just wasn't their cup of tea or they had other
>>>>>>> > passions that they wanted to contribute to. But gathering recruits
>>>>>>> > willing to participate clearly takes skills and contacts that I
>>>>>>> > apparently do not possess in sufficient quantities. (Sometimes I
>>>>>>> > feel like I'm trying to sell screen doors for submarines. Sigh.)
>>>>>>> >
>>>>>>> > All I'm saying is that getting volunteers is hard. Each sizeable
>>>>>>> > project really needs someone willing to fulfill the project
>>>>>>> > evangelist role to keep looking for new contributors. For one
>>>>>>> > reason (at least it's been my experience) is that KEEPING volunteers
>>>>>>> > for extended periods is even harder and by and large, I think if
>>>>>>> > we looked at the historical data of contributors across all OWASP
>>>>>>> > projects (say, based on commit history), that the data would bear
>>>>>>> > that out. In fact, I'd bet this phenomenon goes well beyond OWASP and
>>>>>>> > is experienced by many FOSS projects.
>>>>>>> >
>>>>>>> >> Does OWASP want to sponsor projects directly?
>>>>>>> >> I think that's what it would take to build a thriving set of Projects.
>>>>>>> >> Is that something that could be done?
>>>>>>> >
>>>>>>> > _COULD_ it be done? Yes. Should it be done is another matter.
>>>>>>> > I'd rather not see it become necessary as I really don't want OWASP
>>>>>>> > to turn into a political organization where the project leaders are
>>>>>>> > forced to lobby for funding, and I fear that's what would happen. I
>>>>>>> > think also it would stifle innovation because new incubator projects
>>>>>>> > would likely all dry up (unless a certain amount of funds were
>>>>>>> > pre-allocated to them) as they likely couldn't compete against more
>>>>>>> > established projects.
>>>>>>> >
>>>>>>> > I had thought of proposing allowing individual OWASP projects to
>>>>>>> > somehow sell their own project-related schwag at conferences and such
>>>>>>> > and keep a percentage of the profits to use for their projects so that
>>>>>>> > they could then use that money however they saw fit (e.g., hiring a
>>>>>>> > technical writer to write project documentation for instance). But that
>>>>>>> > probably would not make a major impact in funding to a project,
>>>>>>> > especially if all the OWASP projects started doing it.
>>>>>>> >
>>>>>>> >> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
>>>>>>> >> that's been invaluable.
>>>>>>> >
>>>>>>> > I suppose that starts with a company that has a culture of strongly
>>>>>>> > contributing to FOSS. Most of us do not work for such companies. Most
>>>>>>> > work for companies who extensively rely on such software, but rarely
>>>>>>> > allow their companies to contribute to such things on company time
>>>>>>> > because they don't really see it as contributing directly to their
>>>>>>> > bottom line. (NOTE: I want to make clear that this is strictly my
>>>>>>> > personal opinion based of a [likely] biased observation and in no
>>>>>>> > way represents the official position of either my current nor any
>>>>>>> > of my previous employers. And they didn't even make me say that! :)
>>>>>>> >
>>>>>>> >> But I'd love to be able to employ some of the ZAP contributors to work full
>>>>>>> >> time on ZAP :)
>>>>>>> >> Would OWASP pay for that??
>>>>>>> >
>>>>>>> > Great question and I think you're not the only project that might
>>>>>>> > benefit from that. Although, if that means lobbying for funds by
>>>>>>> > competing against other OWASP projects, then I'm out because I
>>>>>>> > just don't have the stomach for that. It gets bad enough competing
>>>>>>> > for resources at Google Summer of Code and various OWASP code sprints,
>>>>>>> > and I fear if we increased OWASP funding to amounts needed to sustain
>>>>>>> > OWASP projects, it could lead to divisions in OWASP as people aligned
>>>>>>> > themselves with one project or another.
>>>>>>> >
>>>>>>> >> It would require much more 'project management' - the kind of things that
>>>>>>> >> people _think_ OWASP is doing, but it doesn't.
>>>>>>> >> I often see posts from people asking "why the hell is OWASP developing X".
>>>>>>> >> They seem to think that there's an OWASP committee that meets and goes "We
>>>>>>> >> think we should have project X". Whereas it's actually an individual coming
>>>>>>> >> to OWASP and saying "I'm doing X, could this be an OWASP project?".
>>>>>>> >> OWASP Projects are very much 'bottom up' rather than 'top down'.
>>>>>>> >
>>>>>>> > Well, their perception could also be more of a notion of "why aren't
>>>>>>> > they doing Y instead?" or even "wouldn't it make more sense if it were
>>>>>>> > a {Apache,Spring,<insert-your-favorite-FOSS-brand-here>} project
>>>>>>> > instead?" And truth be told, I've also asked that question myself, but
>>>>>>> > more because it was like "OWASP already has a project Z that does
>>>>>>> > almost exactly what project X is proposing. Why don't they just join
>>>>>>> > project Z instead of spinning off a similar project?".
>>>>>>> >
>>>>>>> > I think any of those, as well as your conjecture, are possible reasons
>>>>>>> > for them asking that question.
>>>>>>> >
>>>>>>> >> It may surprise people outside of OWASP that I get _no_ direction at all
>>>>>>> >> from OWASP as to how ZAP should move forward.
>>>>>>> >> note that I'm _really_ not complaining about that ;)
>>>>>>> >
>>>>>>> > Hmmm...well, THAT would explain some things!
>>>>>>> >
>>>>>>> > JK. ;-)
>>>>>>> >
>>>>>>> >> OWASP does not really invest in projects. It does provide some support, but
>>>>>>> >> to be honest not a great deal.
>>>>>>> >> If we decided to invest significant amounts of money in projects then there
>>>>>>> >> would need to be real debate as to what we should invest in.
>>>>>>> >> And I realise that that's difficult, particularly as OWASP is supported by
>>>>>>> >> commercial organisations, and they won't want OWASP investing in projects
>>>>>>> >> that compete with their own offerings.
>>>>>>> >>
>>>>>>> >> There are other things that OWASP could do other than paying developers
>>>>>>> >> directly.
>>>>>>> >> We could spend much more effort encouraging companies to contribute to OWASP
>>>>>>> >> projects, especially by donating engineering effort.
>>>>>>> >> We could help projects with the 'non programming' aspects - documentation,
>>>>>>> >> testing, marketing etc.
>>>>>>> >> We could provide more advice and guidance - I don't want people to dictate
>>>>>>> >> where ZAP should be headed, but I'd love constructive feedback :)
>>>>>>> >
>>>>>>> > Well, being a project lead of a much less successful project, I've
>>>>>>> > thought long and hard about the obstacles that I've faced.
>>>>>>> >
>>>>>>> > Most of that has been around getting people to help with the following
>>>>>>> > types of things:
>>>>>>> >     * Project documentation, most notably overall user manuals and FAQs
>>>>>>> >       and wiki entries.
>>>>>>> >     * Help with maven / pom.xml issue and release management in general
>>>>>>> >     * Assistance with version control, most notably git and GitHub
>>>>>>> >     * Someone willing to be a sounding board for proposed design changes
>>>>>>> >
>>>>>>> > As I've reflected about it, one of the things that I've noted is that
>>>>>>> > many of these are specialities that are cross-cutting across many
>>>>>>> > OWASP projects.
>>>>>>> >
>>>>>>> > I think one way that we might be able to address some of these
>>>>>>> > concerns is to create a Subject Matter Expert list of people who would
>>>>>>> > be willing to volunteer to help out projects by contributing a few
>>>>>>> > hours here or there. For starters, I am more than willing to put my name
>>>>>>> > into the hat and be willing to contribute as an applied cryptography
>>>>>>> > SME for any projects that have crypto related questions or maybe need
>>>>>>> > some crypto code reviewed by a fresh pair of eyes (at least as long as
>>>>>>> > it's written in a programming language I'm familiar with). Of course,
>>>>>>> > the irony of it is that likely would require a new OWASP project to
>>>>>>> > maintain that OWASP SME list. (Not it! :)
>>>>>>> >
>>>>>>> >> Ok, that's ended up being a pretty rambling email ;)
>>>>>>> >
>>>>>>> > Trust me, I've written more than my share!
>>>>>>> >
>>>>>>> >> I'll end there and see what responses I get :D
>>>>>>> >
>>>>>>> > Here's one. Thanks for listening OWASP!
>>>>>>> >
>>>>>>> > -kevin
>>>>>>> > --
>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>> > _______________________________________________
>>>>>>> > OWASP-Leaders mailing list
>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>> -- 
>>>>> OWASP ZAP Project leader
>>> -- 
>>> Best Regards
>>> John Patrick Lita
>>> Chapter Leader OWASP Manila
>>> FB Page @OwaspManila
>>> https://www.owasp.org/index.php/Manila