[Owasp-leaders] On Project Reboots

Dinis Cruz dinis.cruz at owasp.org
Tue Apr 10 17:46:14 UTC 2012


A critical evolution-stage that is happening with a significant number of
OWASP (and other FOSS) projects is the moment when the project grows so
large that any key change requires a substantial amount of work.


Another problem is the fact that most successful projects are the result of
only a small number of key contributors (also called the projects-leader)
who after a significant personal time-commitment, move on into other
projects/initiatives/ideas.

Most of our guides have that problem, so does WebGoat, WebScarab, ESAPI,
O2, etc...

In fact, for a while there was a lot of effort put into 'normalizing' the
references between the multiple guides, which is A MASSIVE piece of work
(btw, this probably can only be done if you got 5 to 10 key players in the
same location for 1 week (with a good amount of preparation work)).

It is just a reality that when OpenSource projects grow, they need
commercial support that pays for contributors to work on it.

And here is the catch, OWASP can't be the one that pays for it (it can pay
for the operational support, project management, mini-summits,
infrastructure, etc.. but not the salaries of the contributors).

It should be the companies (or groups) that benefit from that project that
should come up with the money and hire the key contributors.

In fact, that already happens a lot today at OWASP. There are a huge amount
of OWASP contributions that is already funded by commercial companies that
get value from those projects.

In a way we just need to formalize and operationalize this model.


Dinis Cruz


On 10 April 2012 14:08, Antonio Fontes <antonio.fontes at owasp.org> wrote:

>
> Ooops. Sorry I didn't see that email first... :/
>
> --
> Antonio Fontes
> OWASP Switzerland, board member
> OWASP Geneva, chapter leader
>  skype: antonio.fontes
>
> On 10.04.2012 12:51, John Wilander wrote:
> > Are we asking ourselves why the OWASP Development Guide has not been
> > released in seven years? Is it because ...
> >
> >   * No one knowledgeable in our community cares for it enough to spend
> >     the hours?
> >   * It's a failure in the sense that developers don't like it?
> >   * Commercial books such as The Tangled Web
> >     (http://nostarch.com/tangledweb) does a good enough or better job?
> >   * Our cheat sheets are more usable than a book?
> >   * We haven't spent enough money on the project?
> >
> > Out of the suggested reasons above (and the ones I didn't think of) I
> > believe lack of money is the least probable.
> >
> > There's plenty of former A-level FOSS that's no longer maintained.
> > That's the beauty and curse of open source stuff -- people only fix what
> > matters to them. Do we really have enterprises standing in line
> > requesting a Development Guide? If so, why hasn't anyone responded to
> > this massive demand in seven years? It's open - just fix it.
> >
> > From what I can see there was a Development Guide reboot in Feb 2010 --
> > http://owasp.blogspot.se/2010/02/owasp-development-guide-project.html.
> > Even an organizational and process chart --
> > http://owasp-development-guide.googlecode.com/files/guide-org-chart.pdf.
> > The OWASP-Guide mailing list peaked at 85 emails including digests right
> > after the reboot announcement
> > (http://lists.owasp.org/pipermail/owasp-guide/). But we still have no
> > new guide.
> >
> > Now, did they lack money or something else?
> >
> >    Regards, John
> >
> >
> > 2012/4/10 Eoin <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>>
> >
> >     Hi Chris, John,
> >
> >     Why did I even suggest a project reboot.
> >     Chapter meetings which are vitally important to the foundation will
> >     never have the impact across such a wide audience as our projects
> >     and guides do.
> >
> >
> >     The OWASP Development guide has not been released since 2005!!
> >     If we have funds I think we should spend on the right things.
> >     The point about leaders getting paid is a valid one, but why not pay
> >     our own people to do great things if we have the funds? (lets be
> >     radical for a minute)...Our material is and always will be open
> >     source but we shall pay an elite team to commit to rebuilding some
> >     old projects.....The reboot funding can also be used to pay for mini
> >     summits, marketing, awareness, fund training etc. But the older
> >     projects need a complete rewrite.
> >
> >     Regarding chapters, I know of many many people who have never
> >     attended a chapter meeting but have based their internal guidelines
> >     on various OWASP materials.
> >     I also believe corporate supporters value our output, guidelines and
> >     tools. Or documents and guides also have proven to be valuable to
> >     the wider industry as can be seen on our citations
> >     <https://www.owasp.org/index.php/Industry:Citations> pages. These
> >     are areas where OWASP makes an impact.
> >
> >     -ek
> >
> >
> >
> >
> >     On 10 April 2012 10:33, John Wilander <john.wilander at owasp.org
> >     <mailto:john.wilander at owasp.org>> wrote:
> >
> >         I totally agree paying OWASP projects or project leaders is
> >         wrong. Dinis convinced me at AppSec DC 2009. Whatever money
> >         OWASP can pay us it'll be pennies compared to our daytime jobs.
> >         The only thing those pennies will do is to remind project
> >         leaders and members that they can earn much more on a paid job.
> >         Ergo less done for OWASP.
> >
> >         We had a chapter meeting on open source security with the lead
> >         developers of cURL (http://curl.haxx.se/) and GNU SASL
> >         (http://www.gnu.org/software/gsasl/). They both had the same
> >         experience - a successful FOSS project typically has numerous
> >         one-time committers and a core of 1-3 long-time committers. The
> >         recently published study "Open Source by the Numbers"
> >         (
> https://events.linuxfoundation.org/images/stories/pdf/lfcs2012_sands.pdf)
> >         shows only 17.3% of FOSS projects have at least one code commit
> >         the last year. It also shows 50.7% have only one team member and
> >         another 20% only two members.
> >
> >         We have to start recognizing that free open source software is
> >         something different from commercial, proprietary software. You
> >         can build FOSS to prove a point, to make the world a better
> >         place, to build a personal brand, to try out a new cool
> >         technology etc. But you don't do it to directly earn money.
> >
> >         OWASP projects will wither and die no matter how A-level or well
> >         known they are. Look at WebScarab.
> >
> >         My proposal:
> >
> >           * Make project leaders/teams state what level of commitment
> >             they intend to have when OWASP promotes their project to
> >             A-level. For instance "We will patch major bugs within 60
> >             days of reporting and there will be new major releases at
> >             least once a year." Note that "We might not fix anything
> >             with this software" is a fine statement but will be weighed
> >             into the decision to promote or not. The leader's/team's
> >             commitment is published with the project.
> >           * If a project team fails to live up to its commitment it's
> >             immediately degraded to B-level. Not as a punishment, just
> >             as a reality check -- apparently nobody is caring for this
> >             project at the moment, right? The leader/team and the
> >             leaders' list should be notified.
> >           * Let projects ask for specific funding. Wanting to organize a
> >             hackathon or get a project page on a specific domain are
> >             viable causes for funding. Regular project work is not IMHO.
> >
> >
> >         Side note: "OWASP is nothing without our projects." Whatever
> >         happened to chapters? For me chapters are at least as much of a
> >         backbone as guides and software. And chapters wither and die too.
> >
> >            Regards, John
> >
> >
> >
> >         2012/4/9 Chris Schmidt <chris.schmidt at owasp.org
> >         <mailto:chris.schmidt at owasp.org>>
> >
> >
> > I have also neglected to comment thus far on the Project
> > Reboots stuff.
> > I could go on and on and on about all the reasons that I
> > don't really
> > think this is a great approach to solve the problem - but I
> > want to
> > focus on a few key things. (Apologies if I jump around a bit
> > in this e-mail)
> >
> > 1) Why is paying volunteers a bad idea?
> >
> > Reputation is worth a great deal more in the Infosec
> > community. I am a
> > living breathing example of this - had it not been for my
> > involvement in
> > ESAPI and OWASP I would have not been able to make the
> > switch from being
> > just another hobbyist security guy who writes software for a
> > living to
> > becoming a guy who writes security software for a living. It
> > was a
> > direct result of my involvement in OWASP that got me the job
> > I currently
> > have. Money is fine and dandy as a motivator, and it will
> > likely spur a
> > great deal of interest and energy in the projects that get
> > "funded", but
> > what happens when the project is complete and/or the funds
> > run out? Will
> > those same people stick around and put the same amount of
> > energy into
> > the project that they were when they were being recompensated
> > financially to do so? My point here is that paying our
> > volunteers to do
> > what they have volunteered for completely undermines the
> > entire ethos
> > behind volunteerism and the spirit of OWASP IMHO. There are
> > a great many
> > ways that project leaders can be motivated without promising
> > them money,
> > ways that will be long-term solutions instead of a quick fix
> > to address
> > the symptoms instead of the problem. Essentially, in this
> > case it feels
> > like we are rewarding project leaders for bad behavior.
> >
> > We are essentially saying, "Listen, I know that you said you
> > would lead
> > this project - and you really haven't done so, so how about
> > if I give
> > you a few thousand clams? Will you do what you already said
> > you would do
> > for free then?"
> >
> > Additionally, by taking this path we are creating a set of
> > expectations
> > by other projects that is unhealthy. Why would I actively
> > work on my
> > project if I know I can just let it sit for a couple years
> > and wait for
> > the governance to come around and say ok, your project is
> > important and
> > we will pay you to quit sitting on your hands.
> >
> > 2) How can we re-focus our leaders without paying them?
> >
> > To me, this is a relatively simple problem to solve.
> > Providing a project
> > with the means to accomplish their goals *is* in the
> > interest of the
> > organization as a whole - rather than providing leaders with
> > money for
> > the promise of work done, why don't we instead provide them
> > with the
> > resources they need to get the work done. This could mean a
> > lot of
> > different things for a lot of different projects. As an
> > example, I have
> > been formulating the plans for a Hackathon for the ESAPI
> > project to take
> > place late this summer. This event will re-energize the
> > project itself,
> > bring in a lot of fresh new talent, and will result in some
> > great new
> > ideas from the real world on how to take the ESAPI project
> > to the next
> > level. This isn't for every project tho, and I am not every
> > project
> > leader. If there is something that we feel needs to be
> > re-energized, we
> > should be going to that project leader and saying "What can
> > we, OWASP,
> > be doing to energize your *project*? What tools or resources
> > do you need
> > to bring this project up to speed?" If the leader simply
> > comes back
> > with, "Well, I don't have time to work on this for free"
> > then it sounds
> > to me like they are not the right person to be leading that
> > project.
> >
> > 3) Lastly, who are *we* to say what projects are important?
> >
> > This is a bit of a touchy one all the way around I think -
> > we can use
> > metrics to say what projects are our most referenced, or most
> > downloaded. What we can't say is that one project is more
> > important than
> > another project because this is a subjective observation.
> > ESAPI or
> > AppSensor may be very important projects to some folks, but
> > maybe Top
> > Ten and Cheat Sheets are more important to these folks over
> > here, ZAP is
> > probably more important to breakers than ESAPI or AppSensor,
> > while a
> > builder will likely not regularly refer to the Testing Guide.
> >
> > I think it is important to enable the project leaders to
> > come to us (the
> > GPC or the board) with requests. We should be enabling
> > projects to
> > succeed and if we notice a project leader that isn't really
> > fulfilling
> > their duties and responsibilities as a leader then we should
> > engage them
> > at that point. This is generally made pretty clear on
> > mailing lists and
> > support forums by the communities that use that particular
> > project. The
> > bit that is missing right now is the means for a project
> > leader to
> > approach us and request things from us to help their
> > projects. Maybe the
> > testing guide needs a technical editor to compile and
> > produce the final
> > publishable output for the guide - the GPC and Board are in
> > a position
> > to reach out to the community and also to outside vendors to
> > help fill
> > these gaps where they make sense.
> >
> > It is interesting to note that I have no plans on coming to
> > OWASP to
> > provide funds for the ESAPI hackathon at all except as a
> > last resort. I
> > am counting on working with sponsors for the event to
> > provide all the
> > funding that I will need to make the event a complete
> > success and then
> > using this as a model to contribute a how-to-do-it-correctly
> > kit back to
> > the community so other project leaders can build on my
> > success or learn
> > from my failures to create their own events. I may come to
> > OWASP to get
> > information on our existing corporate sponsors so that I can
> > reach out
> > to them with proposals for sponsorship of the event, but I
> > will do
> > everything in my power to do this without using OWASP funds.
> >
> > Also in hindsight, another good way to get money together to
> > help
> > projects reach goals is to use crowd-sourced funding like the
> > Kickstarter model, the OWASP Project Partnership model that
> > Jeff and
> > John designed last year, or simply grassroots means of
> > reaching out to
> > the community  to say here is what we need, let's make this
> > happen!
> >
> > Conclusion, simply paying the project leaders and/or members
> > to do work
> > is a dangerous non-solution that simply addresses the
> > results of the
> > problem instead of the problem itself - much like putting a
> > band-aid on
> > a bullet wound - it may slow down the bleeding, but
> > eventually your
> > still going to die of lead poisoning or internal bleeding.
> >
> >             _______________________________________________
> >             OWASP-Leaders mailing list
> >             OWASP-Leaders at lists.owasp.org
> >             <mailto:OWASP-Leaders at lists.owasp.org>
> >             https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> >
> >
> >         --
> >         John Wilander, https://twitter.com/johnwilander
> >         Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> >         <http://owaspsweden.blogspot.com/>
> >         Conf
> >         Comm,
> http://www.owasp.org/index.php/Global_Conferences_Committee
> >         My music http://www.johnwilander.com
> >         <http://www.johnwilander.com/> & my résumé
> >         http://johnwilander.se <http://johnwilander.se/>
> >
> >
> >         _______________________________________________
> >         OWASP-Leaders mailing list
> >         OWASP-Leaders at lists.owasp.org <mailto:
> OWASP-Leaders at lists.owasp.org>
> >         https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> >
> >
> >     --
> >     Eoin Keary
> >     OWASP Global Board Member (Vice Chair)
> >
> >     https://twitter.com/EoinKeary
> >
> >
> >
> >
> >
> > --
> > John Wilander, https://twitter.com/johnwilander
> > Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> > Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> > My music http://www.johnwilander.com & my résumé http://johnwilander.se
> >
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120410/139e6042/attachment-0001.html>


More information about the OWASP-Leaders mailing list