[Owasp-leaders] ESAPI, money and changing OWASP for the better

Andrea Cogliati andrea.cogliati at owasp.org
Sun Jan 9 18:08:25 EST 2011

On Jan 9, 2011, at 1:11 PM, Jim Manico wrote:

> [...] The volunteers of ESAPI do, and should do, what interests them.  That does not always translate into what needs to be done. Combine some paid resources who do the “necessities” with the volunteer group – and we have a winning combination that pushes us towards real production ESAPI fast.  There are many open source projects which have this same model.

Jim, I'm not sure that I agree with the sentence "volunteers [...] do and should do what interests them." Speaking in general terms - and this is a discussion that can easily be injected into your "OWASP Board, Rebooted" thread - in any organization, members MUST do what needs to be done. Just as an example, if you volunteer for Habitat for Humanity or for Médecins Sans Frontières, you can't do whatever you want: your tasks are very detailed and specific; if you can't perform whatever is required, the answer might be "thanks, but no thanks." In a sense, being a volunteer is not dissimilar to being an employee: it just means that you're not paid, but you have duties, chores, deadlines, probably a boss (who's probably not paid as well), ...

I remember a discussion here on the leaders list about how to bring more projects to production quality and, IIRC, the essential points were that the project leaders should be able to assemble a team to perform certain required tasks, and that the OWASP organization should provide certain horizontal functions, like technical document review, project management, ... not easily found in a community of hackers (no offense intended, I know that several OWASP members are very successful entrepreneurs, business people, talented artists and excellent soccer players).

Do we need to have paid resources? Maybe, but maybe we never put serious effort into finding volunteers to perform certain required tasks.

Can "structured projects" coexist with "best-effort projects"? Probably yes, but we need a way to differentiate the former from the latter.

OWASP has tremendous potential, and each and every project we have is absolutely awesome: kudos to all the project leaders; but, as you pointed out, some projects have better usability than others.

This is definitely a strategic decision to make and maybe it deserves some discussion at the Summit.
