[Owasp-leaders] On Project Reboots

Antonio Fontes antonio.fontes at owasp.org
Tue Apr 10 13:08:16 UTC 2012

Ooops. Sorry I didn't see that email first... :/

Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
  skype: antonio.fontes

On 10.04.2012 12:51, John Wilander wrote:
> Are we asking ourselves why the OWASP Development Guide has not been
> released in seven years? Is it because ...
>   * No one knowledgeable in our community cares for it enough to spend
>     the hours?
>   * It's a failure in the sense that developers don't like it?
>   * Commercial books such as The Tangled Web
>     (http://nostarch.com/tangledweb) does a good enough or better job?
>   * Our cheat sheets are more usable than a book?
>   * We haven't spent enough money on the project?
> Out of the suggested reasons above (and the ones I didn't think of) I
> believe lack of money is the least probable.
> There's plenty of former A-level FOSS that's no longer maintained.
> That's the beauty and curse of open source stuff -- people only fix what
> matters to them. Do we really have enterprises standing in line
> requesting a Development Guide? If so, why hasn't anyone responded to
> this massive demand in seven years? It's open - just fix it.
> From what I can see there was a Development Guide reboot in Feb 2010 --
> http://owasp.blogspot.se/2010/02/owasp-development-guide-project.html.
> Even an organizational and process chart --
> http://owasp-development-guide.googlecode.com/files/guide-org-chart.pdf.
> The OWASP-Guide mailing list peaked at 85 emails including digests right
> after the reboot announcement
> (http://lists.owasp.org/pipermail/owasp-guide/). But we still have no
> new guide.
> Now, did they lack money or something else?
>    Regards, John
> 2012/4/10 Eoin <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>>
>     Hi Chris, John,
>     Why did I even suggest a project reboot.
>     Chapter meetings which are vitally important to the foundation will
>     never have the impact across such a wide audience as our projects
>     and guides do.
>     The OWASP Development guide has not been released since 2005!!
>     If we have funds I think we should spend on the right things.
>     The point about leaders getting paid is a valid one, but why not pay
>     our own people to do great things if we have the funds? (lets be
>     radical for a minute)...Our material is and always will be open
>     source but we shall pay an elite team to commit to rebuilding some
>     old projects.....The reboot funding can also be used to pay for mini
>     summits, marketing, awareness, fund training etc. But the older
>     projects need a complete rewrite.
>     Regarding chapters, I know of many many people who have never
>     attended a chapter meeting but have based their internal guidelines
>     on various OWASP materials.
>     I also believe corporate supporters value our output, guidelines and
>     tools. Or documents and guides also have proven to be valuable to
>     the wider industry as can be seen on our citations
>     <https://www.owasp.org/index.php/Industry:Citations> pages. These
>     are areas where OWASP makes an impact.
>     -ek
>     On 10 April 2012 10:33, John Wilander <john.wilander at owasp.org
>     <mailto:john.wilander at owasp.org>> wrote:
>         I totally agree paying OWASP projects or project leaders is
>         wrong. Dinis convinced me at AppSec DC 2009. Whatever money
>         OWASP can pay us it'll be pennies compared to our daytime jobs.
>         The only thing those pennies will do is to remind project
>         leaders and members that they can earn much more on a paid job.
>         Ergo less done for OWASP.
>         We had a chapter meeting on open source security with the lead
>         developers of cURL (http://curl.haxx.se/) and GNU SASL
>         (http://www.gnu.org/software/gsasl/). They both had the same
>         experience - a successful FOSS project typically has numerous
>         one-time committers and a core of 1-3 long-time committers. The
>         recently published study "Open Source by the Numbers"
>         (https://events.linuxfoundation.org/images/stories/pdf/lfcs2012_sands.pdf)
>         shows only 17.3% of FOSS projects have at least one code commit
>         the last year. It also shows 50.7% have only one team member and
>         another 20% only two members.
>         We have to start recognizing that free open source software is
>         something different from commercial, proprietary software. You
>         can build FOSS to prove a point, to make the world a better
>         place, to build a personal brand, to try out a new cool
>         technology etc. But you don't do it to directly earn money.
>         OWASP projects will wither and die no matter how A-level or well
>         known they are. Look at WebScarab.
>         My proposal:
>           * Make project leaders/teams state what level of commitment
>             they intend to have when OWASP promotes their project to
>             A-level. For instance "We will patch major bugs within 60
>             days of reporting and there will be new major releases at
>             least once a year." Note that "We might not fix anything
>             with this software" is a fine statement but will be weighed
>             into the decision to promote or not. The leader's/team's
>             commitment is published with the project.
>           * If a project team fails to live up to its commitment it's
>             immediately degraded to B-level. Not as a punishment, just
>             as a reality check -- apparently nobody is caring for this
>             project at the moment, right? The leader/team and the
>             leaders' list should be notified.
>           * Let projects ask for specific funding. Wanting to organize a
>             hackathon or get a project page on a specific domain are
>             viable causes for funding. Regular project work is not IMHO.
>         Side note: "OWASP is nothing without our projects." Whatever
>         happened to chapters? For me chapters are at least as much of a
>         backbone as guides and software. And chapters wither and die too.
>            Regards, John
>         2012/4/9 Chris Schmidt <chris.schmidt at owasp.org
>         <mailto:chris.schmidt at owasp.org>>
> I have also neglected to comment thus far on the Project
> Reboots stuff.
> I could go on and on and on about all the reasons that I
> don't really
> think this is a great approach to solve the problem - but I
> want to
> focus on a few key things. (Apologies if I jump around a bit
> in this e-mail)
> 1) Why is paying volunteers a bad idea?
> Reputation is worth a great deal more in the Infosec
> community. I am a
> living breathing example of this - had it not been for my
> involvement in
> ESAPI and OWASP I would have not been able to make the
> switch from being
> just another hobbyist security guy who writes software for a
> living to
> becoming a guy who writes security software for a living. It
> was a
> direct result of my involvement in OWASP that got me the job
> I currently
> have. Money is fine and dandy as a motivator, and it will
> likely spur a
> great deal of interest and energy in the projects that get
> "funded", but
> what happens when the project is complete and/or the funds
> run out? Will
> those same people stick around and put the same amount of
> energy into
> the project that they were when they were being recompensated
> financially to do so? My point here is that paying our
> volunteers to do
> what they have volunteered for completely undermines the
> entire ethos
> behind volunteerism and the spirit of OWASP IMHO. There are
> a great many
> ways that project leaders can be motivated without promising
> them money,
> ways that will be long-term solutions instead of a quick fix
> to address
> the symptoms instead of the problem. Essentially, in this
> case it feels
> like we are rewarding project leaders for bad behavior.
> We are essentially saying, "Listen, I know that you said you
> would lead
> this project - and you really haven't done so, so how about
> if I give
> you a few thousand clams? Will you do what you already said
> you would do
> for free then?"
> Additionally, by taking this path we are creating a set of
> expectations
> by other projects that is unhealthy. Why would I actively
> work on my
> project if I know I can just let it sit for a couple years
> and wait for
> the governance to come around and say ok, your project is
> important and
> we will pay you to quit sitting on your hands.
> 2) How can we re-focus our leaders without paying them?
> To me, this is a relatively simple problem to solve.
> Providing a project
> with the means to accomplish their goals *is* in the
> interest of the
> organization as a whole - rather than providing leaders with
> money for
> the promise of work done, why don't we instead provide them
> with the
> resources they need to get the work done. This could mean a
> lot of
> different things for a lot of different projects. As an
> example, I have
> been formulating the plans for a Hackathon for the ESAPI
> project to take
> place late this summer. This event will re-energize the
> project itself,
> bring in a lot of fresh new talent, and will result in some
> great new
> ideas from the real world on how to take the ESAPI project
> to the next
> level. This isn't for every project tho, and I am not every
> project
> leader. If there is something that we feel needs to be
> re-energized, we
> should be going to that project leader and saying "What can
> we, OWASP,
> be doing to energize your *project*? What tools or resources
> do you need
> to bring this project up to speed?" If the leader simply
> comes back
> with, "Well, I don't have time to work on this for free"
> then it sounds
> to me like they are not the right person to be leading that
> project.
> 3) Lastly, who are *we* to say what projects are important?
> This is a bit of a touchy one all the way around I think -
> we can use
> metrics to say what projects are our most referenced, or most
> downloaded. What we can't say is that one project is more
> important than
> another project because this is a subjective observation.
> ESAPI or
> AppSensor may be very important projects to some folks, but
> maybe Top
> Ten and Cheat Sheets are more important to these folks over
> here, ZAP is
> probably more important to breakers than ESAPI or AppSensor,
> while a
> builder will likely not regularly refer to the Testing Guide.
> I think it is important to enable the project leaders to
> come to us (the
> GPC or the board) with requests. We should be enabling
> projects to
> succeed and if we notice a project leader that isn't really
> fulfilling
> their duties and responsibilities as a leader then we should
> engage them
> at that point. This is generally made pretty clear on
> mailing lists and
> support forums by the communities that use that particular
> project. The
> bit that is missing right now is the means for a project
> leader to
> approach us and request things from us to help their
> projects. Maybe the
> testing guide needs a technical editor to compile and
> produce the final
> publishable output for the guide - the GPC and Board are in
> a position
> to reach out to the community and also to outside vendors to
> help fill
> these gaps where they make sense.
> It is interesting to note that I have no plans on coming to
> OWASP to
> provide funds for the ESAPI hackathon at all except as a
> last resort. I
> am counting on working with sponsors for the event to
> provide all the
> funding that I will need to make the event a complete
> success and then
> using this as a model to contribute a how-to-do-it-correctly
> kit back to
> the community so other project leaders can build on my
> success or learn
> from my failures to create their own events. I may come to
> OWASP to get
> information on our existing corporate sponsors so that I can
> reach out
> to them with proposals for sponsorship of the event, but I
> will do
> everything in my power to do this without using OWASP funds.
> Also in hindsight, another good way to get money together to
> help
> projects reach goals is to use crowd-sourced funding like the
> Kickstarter model, the OWASP Project Partnership model that
> Jeff and
> John designed last year, or simply grassroots means of
> reaching out to
> the community  to say here is what we need, let's make this
> happen!
> Conclusion, simply paying the project leaders and/or members
> to do work
> is a dangerous non-solution that simply addresses the
> results of the
> problem instead of the problem itself - much like putting a
> band-aid on
> a bullet wound - it may slow down the bleeding, but
> eventually your
> still going to die of lead poisoning or internal bleeding.
>             _______________________________________________
>             OWASP-Leaders mailing list
>             OWASP-Leaders at lists.owasp.org
>             <mailto:OWASP-Leaders at lists.owasp.org>
>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>         -- 
>         John Wilander, https://twitter.com/johnwilander
>         Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>         <http://owaspsweden.blogspot.com/>
>         Conf
>         Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>         My music http://www.johnwilander.com
>         <http://www.johnwilander.com/> & my résumé
>         http://johnwilander.se <http://johnwilander.se/>
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     -- 
>     Eoin Keary
>     OWASP Global Board Member (Vice Chair)
>     https://twitter.com/EoinKeary
> -- 
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> My music http://www.johnwilander.com & my résumé http://johnwilander.se
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list