Wed Nov 1 13:33:20 EST 2006
Starting to complain that 1) most Owasp members are 'takers' instead of 'givers' and 2) they are only interested in getting from Owasp things for FREE (as in beer, i.e. no cost) , is in my view:
- offensive to those Owasp members (who I include myself in) since they are being called: thieves, opportunistic and selfish
- short-sighted, since there is much more than meets the eye (things are never black or white)
- counter-productive, since it is creating unnecessary frictions and bad feelings amongst the community, and
- Missing the point, since the main discussion point should be always about FREEDOM and not about COST
Going further, from my point of view, blaming the current lack of participation in Owasp projects on the 'quality' of the current Owasp community (which are being labeled as 'takers' and not 'givers') is merely a scapegoat exercise which fails to address the core problems and doesn't allows for the real issue to be dealt with.
In my view, it is not the responsibility and duty of the current Owasp members (for example the persons subscribed to the current mailing lists) to be active participants and to dedicate enormous amount of time to those projects.
In my view, IT IS THE SPECIFIC OWASP PROJECT LEADER THAT HAS THE RESPONSIBILITY AND DUTY TO CREATE AN ENVIRONMENT where those project's members (and the other Owasp leaders) fell motivated to participate and become active members. This is not easy and takes quite a lot of work, dedication and patience by those project leaders.
This means that it is the OWASP PROJECT LEADER THAT HAS TO:
- make everybody aware of what is going on
- create simple, relevant and usable mini-tasks which can be executed by the community (it should be possible for somebody that wants to contribute to be able to go to a web page and be given a task which will not take him/her more than 30m to 2h to execute (compare that to the current situation))
- actively market the Owasp project and encourage participation
- manage expectations and ensure that the project's members are motivated and happy
- ensure that all contributions are respectively credited and that people are rewarded for their time and commitment
- create products based on that Project's deliverables (white papers, tools, security templates, etc....) which can be sold by Owasp
Due to my past contributions to Owasp and my professional Project manager experience, I believe that I have earned the right to make these grand statements, specially since I consider that I (Dinis Cruz, current Owasp leader of the Owasp-dotNet projects) am a very BAD LEADER because I was not able to make the current 130 Owasp-DotNet subscribers participate in the current Owasp-dotNet projects (I am including myself in the guilty-list). I have also been very bad at replying to contributors (sorry specially to Michael Silk (article) and Kerem Kusmezer (http module)) and should have done much more to help those subscribers to understand how the tools that I have developed and published work and how they can contribute.
One of my objectives for 2005 is to make this community participate and 'come to life' (and I don't blame them for not participating, I blame myself)
What Owasp needs now are strong, creative and active leaders who will have to continuously prove (i.e. every week, every month, every year) that they deserve to be Owasp Leaders and that they can be responsible for his/hers projects.
In fact, one of the main reasons why the 'OWASP Foundation' must guarantee and fight for
1) the FREEDOM of all material produced and
2) the OPENNESS of its doors (i.e. anybody can join and be (if desired) a non-contributor member)
, is because when Leaders stop behaving accordingly to his/hers responsibilities (for personal or professional reasons) his/hers replacement (amicably or not) must be an relatively easy and strait-forward process (following the wishes of that project's community).
As in the Hacker or Open Source community, an Owasp Leader can only be an Owasp Leader if the Owasp community accepts and recognizes his/hers leadership (see the Linus example).
In my view, this model creates a positive and healthy environment where the focus is always on productivity and never (or at least as little as possible) in political games and 'who is the boss' type of argument.
B) My comments on .... Jeff as a OWASP leader
Before I go any further let me just say that:
- I don't question Jeff's commitment and belief in Owasp
- I think that Jeff has done a great job with the creation of the Owasp Foundation
- I think that Jeff was very brave and courageous when he accepted (from Mark) the role as the main Owasp Leader
- I think that Jeff should continue to have some management roles in Owasp
But I DON'T THINK THAT JEFF SHOULD CONTINUE TO BE THE MAIN Owasp Leader, since I don't think that Jeff has (based on his actions so far) what I would consider to be the right profile to be the main leader that Owasp needs today
Although Jeff is beyond doubt a very active and productive Owasp member (whose technical competence and professionalism is of the highest caliber) I don't think that Jeff (to which I sincerely apologize for such a public criticism) has the energy, vision and 'craziness' required to lead a project like Owasp (as it is today). Maybe it is Jeff's training as a Lawyer that makes him risk-adverse, maybe it is just his personally, and maybe it is just the current phase that Owasp is currently in (there is no reason why Jeff's profile is not the most indicated to lead Owasp in one, two or ten years time).
What Owasp needs now is to have an energetic, dynamic, thought provoking and inspiring leader who can lead Owasp into a being major player in the Web Application Security World, and help it to make the world a 'safer' (and better) place.
More information about the Owasp-guide