[Owasp-leaders] New OWASP project

Yvan Boily yvanboily at gmail.com
Wed Nov 2 03:26:41 EDT 2011

First and foremost, this is not a commentary on Lucas' project.  I
personally don't see the value of it, but at the same time I haven't spent
much time thinking about how I would use it.

Most of you don't know me, so I will explain a little bit more about
myself; I have been involved in OWASP on and off over the last several
years at the chapter level, and have recently decided to get more involved
in the project.  I was planning to get involved slowly, but things got
catalyzed when Mark reached out after we released a tool I have been
working on at Mozilla.  I am now standing in to take over the OWASP
Security Tools for Developers project, and will be relying on the leaders
list to help me ensure that the people currently engaged stay so.

While it is pretty clear that OWASP has to remain open to new projects and
the ideas of its members and its community, following this thread has shown
that there is a fair amount of concern about how the OWASP brand is being
used.

I know there is some work being done in this area, but I think that it is
critical for OWASP to assemble a mechanism for introducing and incubating
projects to the point they are worthy of the OWASP stamp; a good model
might be the Apache Incubator programme that facilitates projects moving
from experiment to full fledged Apache Foundation project based on a set of

On Tue, Nov 1, 2011 at 4:14 PM, Jason Li <jason.li at owasp.org> wrote:

> All,
> OWASP encourages projects of any type, as long as they are open and
> related to application security. Those are the only requirements for a
> project idea. As Michael pointed out, the low barrier to entry encourages
> participation from talented volunteers.

The low barrier to entry is important, but the degree of endorsement of the
constituent projects should be commensurate with the degree of merit,
stability, and value the project offers.  As a project matures it should
graduate through a set of ranks, and it should be a critical milestone that
a project has had sufficient use and review from the community before it
gets 'blessed' as a full OWASP project.

> Yes, that has resulted in a huge landscape of OWASP projects - all of
> which are in various stages of maturity. This situation makes navigating
> the OWASP Project landscape difficult. But it is not the responsibility or
> burden of a project leader to worry about those issues. OWASP as an
> organization should be responsible for managing the project landscape and
> facilitating navigation of that landscape.  Project leaders should be
> focused on their project.
> There's no telling where any project will or will not go from the onset. We
> have many projects that die on the vine after the project leader realizes
> the use cases are limited, or that the user population isn't there, or the
> proof of concept doesn't pan out. We have many projects that grow from the
> inkling of an idea to wildly and unexpectedly popular projects that become
> almost synonymous with OWASP. And we don't have the crystal ball to predict
> which ones are which in advance.

That is all the more reason to build a set of success criteria, and ensure
that there is mentorship and guidance offered to community members who
bring time and effort to the table.  If a project or concept doesn't work
as an isolated project, then the volunteers who are mentored will be more
likely to engage in other project areas that might be of interest,
especially if their mentor or the community can point them to a direct area
they can contribute to.

> Ultimately, it is still up to the project and its leader to succeed. A
> project that has value will find an audience and support within the
> community; a project that doesn't have value won't.
> But just because *you* can't see the potential value in a project doesn't
> mean that there won't be value in it.

You are correct, but if value can't be demonstrated then it will be hard
for the community to invest the time and effort to contribute to the
project.  Having a clear demonstration of how to extract value from a
project is an important step to enticing involvement.  A proliferation of
projects that don't demonstrate value will eventually undermine the
organization as people point to the under-developed or poorly managed
constituents of the OWASP project and assume that the entire project is in
that state.

> If we have a volunteer that *wants* to work on a project, and there's the
> potential that even one person out there someday finds it useful, isn't
> that worthwhile?

It is absolutely valuable to bring the effort, energy, and ideas into the
community, but until the contribution converts those resources into
something of clear, consumable value, it should not get the endorsement of
the community.  A useless project that wastes the time of a potential
community member, or worse, a potential contributor, has eroded the project.

> And before anyone argues that it would be more worthwhile if we diverted
> such volunteer energy and efforts towards projects with universally
> acknowledged potential, guess what? Volunteers work on what they want to
> work on. That's the nature of volunteers. I believe OWASP would be *very*
> hard pressed to "assign" volunteers to specific tasks unless they're
> already interested in doing it anyway.

Engagement is an extremely challenging task when you have a team that is
employed and has employer-mandated goals; it is even more challenging when
the people involved are volunteers.

Part of engagement is ensuring that people who are contributing feel
properly rewarded; for many open source or volunteer contributors that
reward comes in the form of recognition from their community.  Successfully
managing a project through an incubation process would be a significant
accomplishment for individuals, and each step is an opportunity to
introduce a stronger sense of community.  Each time a contributor achieves
one of those steps they will very likely have made a personal investment
into the OWASP project that makes it less likely that the volunteer will
pull up stakes and move on.  When a volunteer reaches that degree of
engagement with the community and project it becomes more likely they will
not need to be 'assigned', they will be asking where they can contribute!

> So if a potential project contributor has an idea that doesn't go against
> OWASP core values and principles, and they want to commit and devote the
> energy to work on implementing that idea, then why shouldn't we encourage
> and support that person?

I don't think anyone wants to discourage contributors, but there is a
difference between encouraging participation, and slapping the OWASP brand
onto something of dubious value.  Too many people have invested too much
time and effort in the history of the project to risk damaging it by not
curating the brand in a meaningful fashion.

> The Global Projects Committee took this approach in encouraging Lucas to
> proceed with his project idea and we wish him good luck and success with
> his project.
> The GPC has already been working to make the project inception process
> more scalable. I hope that we will soon be able to provide a platform for
> folks to comment and provide feedback on project ideas. But ultimately the
> project leader will take the project in the direction they see fit.

I look forward to getting more engaged with the other leaders to keep the
OWASP Security Tools for Developers (I don't know that I will ever get used
to the STD acronym o_O) project moving forward!