[Owasp-leaders] On Project Reboots

Dennis Groves dennis.groves at owasp.org
Tue Apr 10 23:36:42 UTC 2012


It becomes a conflict of interest - can you think of why?

A second reason, how do you fairly compensate leaders from two different
countries who are equal in every way but the strength of their currencies?
How do you justify that difference?

The issue is no different than any project management position - you are
certainly held responsible for spending the money on the project and for
the project - it is not given as a salary for you to do with what you like!
(Did this come to mind when you thought of conflict of interest?)

What about long term incentivisation? Our projects are of the kind that
once somebody does a great thing, the free market pulls them away due to
the visibility they gain. So projects are short term incentive as it is,
and our material is already long in the tooth. This problem gets worse when you
attach money to it. OWASP is a long term play to make the world better, we
need to incentivise long term commitment.

How do you get volunteers to work on a project another guy gets *paid* to
contribute to? This so nearly destroyed OWASP it didn't exist, and that
very *GIANT* problem that led to OWASP being incorporated non-profit in the
very early days...

These are just a few of the reasons I can immediately think of about *WHY*
leaders cannot be paid by OWASP. I am certain there are others.

This doesn't mean leaders should not be paid, they should be paid!
They must not be paid by OWASP.



-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
dennis.groves at owasp.org

 <http://www.owasp.org/>

*This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
View, California, 94041, USA.*



On Wed, Apr 11, 2012 at 00:04, Michael Coates <michael.coates at owasp.org> wrote:

> The key issue that we need to agree and move on (so that we find
> solutions), is that '*Stimulating those projects by paying OWASP Leaders to
> work on it, is NOT an option'*
>
>
> I'd like to understand why not.
>
> If we can set aside money that is for a season of code style funding, or
> is used for research interns to work on projects, then it seems like a good
> move.  The end result is high quality security material that is free and
> open to the world.  I am also happy with the idea of bringing in fresh new
> graduates to dive deeper into security areas.  Combined with established
> and experienced leaders you can get some great results.
>
> There are a variety of ways to structure this pay.  It doesn't have to be
> an actual outsource setup where we are attempting to compete with the
> market. I felt like the summer of code we held was a good method. It
> provided a bit of a financial incentive and set up deadlines, deliverables
> and expectations in order to be considered a success.
>
> The end goal is to provide free and open source security materials, tools,
> etc.  I'd rather explore a variety of options instead of claiming that we
> can't fund research/development for these projects in some way.
>
>
>
>
> -------
> Michael Coates | OWASP
> michael.coates at owasp.org | @_mwc
>
>
>
> On Apr 10, 2012, at 11:00 AM, Dinis Cruz wrote:
>
> Nobody is saying that we shouldn't stimulate those projects (of course we
> should)
>
> The question is how?
>
> The key issue that we need to agree and move on (so that we find
> solutions), is that '*Stimulating those projects by paying OWASP Leaders to
> work on it, is NOT an option'*
>
> Once we accept that (and it looks like we haven't reached consensus), I
> think there are a lot of ideas and things we should do to stimulate these
> projects.
>
> That said, the energy MUST come from the projects (OWASP is an enabler)
>
> Dinis Cruz
>
>
> On 10 April 2012 18:50, Eoin <eoin.keary at owasp.org> wrote:
>
> Chris,
>
> Not sure if you're simplifying things to be honest....
>
> Can you say the Testing guide is also not important based on this logic?
>
> I certainly want the community to pick what is important but there are
> millions of developers who are not part of the community, never heard of
> OWASP and don't understand secure app dev.
>
> Shall we deny them of such resources, talent and free information because
> OWASP did not bother to focus, stimulate or drive such projects?
>
> -ek
>
> On 10 April 2012 18:42, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>
> I think that statement is fine and dandy for an organization like
> Hibernate (which is one of your examples of this I think) - Hibernate and
> SpringSource both have Full-Time Employees that work on their open-source
> software for competitive full time wages. This is a totally different
> situation. Our funds are much more limited in this scenario and I believe
> it is much more worthwhile for the project leaders to come to the
> organization with specific proposals about requests for funds and what they
> intend to use them for as opposed to the organization determining that
> these *n* projects will now be *paid* sub-par rates.
>
> To John's point, if the Dev Guide is truly an important project, then why
> hasn't there been more of a demand for it and why hasn't someone just
> picked up and gotten it done by now. We may think it is important, and I
> agree that at one point it probably was - but if there is no energy behind
> a project, simply throwing money at it doesn't solve the bigger problem. It
> may slow the bleeding, it may even result in a new finished product, but
> what is our return on that product (not purely financially speaking) -
> especially if there is not an industry need for it any more b/c things like
> the Cheat Sheets series have basically replaced them.
>
> There are really an infinite amount of reasons that throwing money at
> projects and project leaders is generally a bad idea - I'm sure I don't
> need to iterate all of them.
>
> If we are going to pay developers FT or Contractor wages to work on a
> project, that is a completely different story, however that was not what I
> got out of the whole thing. We want to pay the existing project teams a
> stipend to motivate them to do the work they already signed up for to do as
> volunteers and have neglected to do. This in essence, as I already stated,
> is rewarding inactive project leaders and members for bad behavior.
>
> On 4/10/2012 11:09 AM, Jim Manico wrote:
>
> Open source and public domain comes from the spirit and will of
> volunteers.
>
> This is not entirely true. Some of the most successful and production
> quality open source projects have major financial backing.
>
> There is nothing in the "mission" of OWASP that prevents us from using
> funds to update core guides that help spread AppSec awareness.
>
> But I think the risk of letting more time go by where our flagship
> projects continue to wane, that's a big problem that is directly
> counter to what we should be doing.
>
> --
> Jim Manico
> (808) 652-3805
>
> On Apr 10, 2012, at 5:30 AM, John Wilander <john.wilander at owasp.org> wrote:
>
> Open source and public domain comes from the spirit and will of
> volunteers.
>
> --
> Eoin Keary
> OWASP Global Board Member (Vice Chair)
>
> https://twitter.com/EoinKeary
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders