[Owasp-leaders] Why OWASP can't pay OWASP Leaders

Dinis Cruz dinis.cruz at owasp.org
Wed Apr 11 00:52:06 UTC 2012


Michael, I was the one that created and executed (initially alone and then
with Paulo) the only Seasons of Code that OWASP did (AoC 2006
<https://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006>, SoC 2007
<https://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007>, SoC 2008
<https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008>),
so I know first-hand what can be done, what works, what doesn't work and
its side effects. In fact it was that experience that made me have such
strong views on this topic.

There is a subtle but very key distinction that we need to make in this
thread, and that is the issue of 'OWASP paying OWASP leaders'.

Hiring interns or other professionals to work on specific projects/tasks is
fine (especially if they are doing what our OWASP leaders and contributors
don't want to do). The main problem happens when OWASP leaders can be part
of the pool that can be paid by OWASP (again, nothing wrong with them being
paid by a 3rd party to work on an OWASP Project, like what already happens
today).

*So why is it very wrong to pay OWASP leaders to work on OWASP projects?*

Let's say that there is 2000 USD available to pay an OWASP leader to work on
his project:

   - *Changing of the social contract* - The moment money is introduced,
   invariably the target individual is going to make a math calculation (what
   is his current daily rate?, how much does he earn at the moment?, how much
   does his current boss bill for his time?, etc....). The end result is that
   we moved from a 'contributor' model to a 'service provider' model.
      - *'I will do that for free, but won't do it if I am paid' syndrome* -
      If one starts to look at OWASP contributions from a financial angle, then
      what one would gladly do for free is now viewed from a completely
      different angle. I would strongly recommend the 'Predictably Irrational'
      book on this topic, which has tons of great examples of how money doesn't
      help (here is a preview of what the author talks about:
      http://en.wikipedia.org/wiki/Predictably_Irrational#Being_Paid_vs._A_Friendly_Favor
      )

      The RSA Animate - Drive: The surprising truth about what motivates us
      <http://www.youtube.com/watch?v=u6XAPnuFjJc> is also a brilliant
      video/animation on motivation.

   - *A rate for a Worldwide audience?* - Given the truly global
   presence of OWASP, $2000 might not be a lot for a successful security
   professional (or conference speaker), but it is good money in countries
   like Portugal/Italy, and if you go to India/China it is a lot. So how do we
   do this? Surely it doesn't make any commercial sense (for OWASP) to pay a
   guy from London or the US, right? Can't we get a LOT more hours and effort
   from somebody that lives in a cheaper country! I'm sure there are places in
   the world (or on elance.com) where we can rent a team of workers for
   $2000 for a month!

   - *Prevents multi-national teams from occurring* - What happens when you
   want to get a couple of resources involved from different countries? Are you
   going to pay them the same? And if not, is that really sustainable? There
   is a huge amount of HR theory that shows that collaborators are much
   happier (and more productive) when they don't know how much money
   their colleagues earn (but how can you do that in an environment like
   OWASP where all financial deals must be disclosed?)

   - *A lot more money will be needed* - This is another massive problem.
   If we REALLY want to get the best talent, and REALLY want to take a
   professional approach, then we will have to buy the best talent, which is
   expensive AND will need to be paid a good rate.

   And why should we pay them so much? ... They will deliver, right? Aren't
   they the best? Why shouldn't we put 40k or 100k of OWASP's money in their
   hands?

   Well, apart from the fact that those 100k would not *'create that
   super-duper deliverable'* (we are talking about big projects with
   complex problems that need LOTS of work), the problems I'm raising here
   would be dramatically multiplied.

   - *Nobody is independent at OWASP* - Here is the catch: it is impossible
   to find somebody (or a group) inside OWASP that has any kind
   of independence to be able to make a really solid decision (everybody has an
   agenda, a pet project/chapter/conference, a particular vision for what
   OWASP should be doing, etc...). So who is going to make the call?

   - *Little secret - on the last OWASP Seasons of Code, all (decent)
   proposals got funded* - So how did we avoid this problem in the last
   OWASP Seasons of Code? I.e. how did we actually select the OWASP leaders
   who deserved the funding? In what turned out to be an amazing feat of maths
   and mappings, we actually funded every decent proposal that was submitted
   (remember that OWASP was MUCH smaller than it is now, and there was still
   space for a number of new OWASP contributors to join the party).

   - *'He/she are the ones being paid, THEY should do that' syndrome* -
   This is another problem that happens when there is somebody that clearly is
   being paid when others are not. Yes, we will still have this problem when
   they are paid outside of OWASP, but being on the same 'level' as somebody
   else while they are being paid really creates a bad vibe.

   - *Lots of negative energy is created* - For me the point of the last
   Seasons of Code was not to pay people!

   It was to motivate them, to empower them and to give them space inside
   OWASP.

   This is why it was so important to me that no good proposal was left
   out, since the objective was to motivate people to do their best (not to
   get a group of OWASP contributors to start fighting each other).

   - *It breaks an OWASP Contributor's heart to receive a NO* - We also had a
   couple of cases where great OWASP leaders/contributors turned to the board
   (where I was at the time) and said: *"..Hey I have this idea, can you
   give me 20k / 40k so that I can spend the time to do it? ... you know I can
   do it!, I have a good track record !.."*. And it was pretty obvious that
   when we didn't support that idea, that OWASP leader was really not happy.

   - *How to say NO to a big contributor* - If OWASP leaders could be paid
   by OWASP, it would create situations where it is very hard to say NO to a
   big OWASP contributor, even if maybe he is not as qualified to do the job
   as the other candidates (there are always emotions involved).

   - *'I could have done better with that money' syndrome* - And then,
   after the work is done and delivered, the one who got paid is now a
   sitting duck for sniper fire that will pick his/her work apart.

   - *What to do when the leaders don't deliver?* - We also had this on
   the last OWASP Season of Code, where a couple of really Large (with
   capital L) OWASP contributors took a good chunk of cash and didn't really
   do a good job! So what do you do? Are we really going to buy that fight
   and shame that person in public for doing a bad job? Also, how do you
   handle other OWASP leaders/contributors that also worked on that task but
   didn't get paid?

   - *We can't even count the leaders that we have today, can we review
   their work?* - At the moment we can't even keep track of our current
   projects and still have a lot of project review work to be done. Are we
   (OWASP) really in any shape to review commercial/paid work?

   - *What about the other big contributors* - Also take into account
   that there are a number of OWASP leaders who have spent years of their life
   working on OWASP projects.

   - *For example: My Wife would kill me (if other OWASP leaders got paid)* - I
   spent 18 months without any pay to work on the OWASP O2 Platform. I still
   have debts today from the lack of income I suffered during that period. My
   wife was really unhappy with that (understatement of the century) and my
   kids gave me a very hard time. But they supported it, because they accepted
   my passion and focus on 'doing the right thing'. I'm not asking for any
   money from OWASP, BUT if others are getting paid, then that
   would completely change the dynamics of my relationship with OWASP (at
   least it would for my wife).

   - *What about Jeff and Dave?* - These two even had to use some of their
   own money to buy some OWASP assets and release them to the OWASP community
   (surely they should be repaid for that?)

   - *What about Denis, Andrew, Daniel, Matteo, John ....* (the list
   would go on and on and on...)


   - *Slippery slope:*
      - *What about the conference organizers* - shouldn't they also get a
      slice of the profit they generate?
      - *What about the successful chapters?* - especially the ones with
      lots of attendees and generated funds?
      - *What about those hard-working board and committee members?* -
      should they also be paid for their countless hours?
      - *This will breed corruption and favouritism* - which is human
      nature given the right environment.

   - *Killing the golden goose* - If you look carefully, we already have
   an amazing capability to 'convince' highly paid individuals to work for
   free and dedicate their energy to something they believe in. For example, if
   you add up all the 'money' (in time) that is 'donated' to OWASP every day
   or month by its leaders, contributors, participants, you would be amazed
   (for example it would probably cost 1,000,000$ (1M$) to pay for the talent
   that we were able to assemble at the last Summit (and even then, I don't
   think that if we were paying the attendees a fee for their time, we would
   have been able to assemble that crowd)).

   - *Not Paying OWASP Leaders is a self-defence mechanism* - Given the
   massive web of trust that OWASP has (just add up all its leaders), it is
   much easier to trust them with OWASP funds when they can't pay themselves
   or a friend (it also dramatically simplifies the rules of engagement).

   - *Let's get 3rd parties to fund those OWASP leaders* - Jeff and
   John proposed a great model with the OWASP Project Partnership Model
   <https://docs.google.com/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US>,
   which is how we can get OWASP leaders/contributors to be paid for working on
   OWASP projects. I don't know who said *'..the real sign of a product's
   value is when somebody is willing to pay for it...'* but it is very
   true. In fact, it should be a sign of maturity and market-acceptance, the
   fact that somebody (company, government, etc) is ready to invest in that
   project.

   - *Prevents OWASP from finding better solutions (to Money)* - Finally,
   this is (for me) the key reason why paying OWASP leaders is a very BAD
   idea.

   *We (OWASP) need to figure out what are the social/commercial models
   that work for OWASP (and make us productive).*

   Clearly contributing to OWASP makes business sense. If it didn't we
   wouldn't have the sustainability and energy we had.

   There are countless stories of OWASP leaders getting better jobs, being
   promoted, increasing their income, learning key skills, etc... There are
   also a number of companies that regularly support OWASP. They don't do it
   because they want to be nice, they do it because it makes commercial sense
   to them.

   *So what we REALLY need to do, is to rationalize what makes OWASP work,
   and see if we can improve the current model, so that we can have more and
   more people being paid to work for OWASP Activities. *

I could continue, but hopefully some of these points will clarify why OWASP
can't pay OWASP leaders.

Wrapping up, this is actually a great opportunity to move OWASP to the next
level.

Dinis Cruz


On 11 April 2012 00:04, Michael Coates <michael.coates at owasp.org> wrote:

> The key issue that we need to agree and move on (so that we find
> solutions), is that '*Stimulating those projects by paying OWASP Leaders to
> work on it, is NOT an option'*
>
> I'd like to understand why not.
>
> If we can set aside money that is for a season of code style funding, or
> is used for research interns to work on projects, then it seems like a good
> move.  The end result is high quality security material that is free and
> open to the world.  I am also happy with the idea of bringing in fresh new
> graduates to dive deeper into security areas.  Combined with established
> and experienced leaders you can get some great results.
>
> There are a variety of ways to structure this pay.  It doesn't have to be
> an actual outsource setup where we are attempting to compete with the
> market. I felt like the summer of code we held was a good method. It
> provided a bit of a financial incentive and set up deadlines, deliverables
> and expectations in order to be considered a success.
>
> The end goal is to provide free and open source security materials, tools,
> etc.  I'd rather explore a variety of options instead of claiming that we
> can't fund research/development for these projects in some way.
>
> -------
> Michael Coates | OWASP
> michael.coates at owasp.org | @_mwc
>
> On Apr 10, 2012, at 11:00 AM, Dinis Cruz wrote:
>
> Nobody is saying that we shouldn't stimulate those projects (of course we
> should)
>
> The question is how?
>
> The key issue that we need to agree and move on (so that we find
> solutions), is that '*Stimulating those projects by paying OWASP Leaders to
> work on it, is NOT an option'*
>
> Once we accept that (and it looks like we haven't reached consensus), I
> think there are a lot of ideas and things we should do to stimulate these
> projects.
>
> That said, the energy MUST come from the projects (OWASP is an enabler)
>
> Dinis Cruz
>
>
> On 10 April 2012 18:50, Eoin <eoin.keary at owasp.org> wrote:
>
> Chris,
>
> Not sure if you're simplifying things to be honest....
>
> Can you say the Testing guide is also not important based on this logic?
>
> I certainly want the community to pick what is important but there are
> millions of developers who are not part of the community, never heard of
> OWASP and don't understand secure app dev.
>
> Shall we deny them such resources, talent and free information because
> OWASP did not bother to focus, stimulate or drive such projects?
>
> -ek
>
> On 10 April 2012 18:42, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I think that statement is fine and dandy for an organization like
> Hibernate (which is one of your examples of this I think) - Hibernate and
> SpringSource both have Full-Time Employees that work on their open-source
> software for competitive full time wages. This is a totally different
> situation. Our funds are much more limited in this scenario and I believe
> it is much more worthwhile for the project leaders to come to the
> organization with specific proposals about requests for funds and what they
> intend to use them for as opposed to the organization determining that
> these *n* projects will now be *paid* sub-par rates.
>
> To John's point, if the Dev Guide is truly an important project, then why
> hasn't there been more of a demand for it and why hasn't someone just
> picked up and gotten it done by now. We may think it is important, and I
> agree that at one point it probably was - but if there is no energy behind
> a project, simply throwing money at it doesn't solve the bigger problem. It
> may slow the bleeding, it may even result in a new finished product, but
> what is our return on that product (not purely financially speaking) -
> especially if there is not an industry need for it any more b/c things like
> the Cheat Sheets series have basically replaced them.
>
> There are really an infinite number of reasons that throwing money at
> projects and project leaders is generally a bad idea - I'm sure I don't
> need to iterate all of them.
>
> If we are going to pay developers FT or Contractor wages to work on a
> project, that is a completely different story, however that was not what I
> got out of the whole thing. We want to pay the existing project teams a
> stipend to motivate them to do the work they already signed up to do as
> volunteers and have neglected to do. This in essence, as I already stated,
> is rewarding inactive project leaders and members for bad behavior.
>
> On 4/10/2012 11:09 AM, Jim Manico wrote:
>
> Open source and public domain comes from the spirit and will of
> volunteers.
>
> This is not entirely true. Some of the most successful and production
> quality open source projects have major financial backing.
>
> There is nothing in the "mission" of OWASP that prevents us from using
> funds to update core guides that help spread AppSec awareness.
>
> But I think the risk of letting more time go by where our flagship
> projects continue to wane, that's a big problem that is directly
> counter to what we should be doing.
>
> --
> Jim Manico
> (808) 652-3805
>
> On Apr 10, 2012, at 5:30 AM, John Wilander <john.wilander at owasp.org> wrote:
>
> Open source and public domain comes from the spirit and will of
> volunteers.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJPhHECAAoJEEOkVJOBy86BZ7UH/jA+pOxElOS7YeibLIDbDXIy
> ywnWlIHp3sOGgcmVL4pyQpNgXcoJrEj8+WEMU8bZGxrBvnGVoZYohH6FScG3FkPW
> 5OtTCLI6ybgQQh88CWjeB9TXHvaHmtigxtWaZemJ29xLF6/ZI5E01CEby7bhQiAM
> TTUhGOGcM3qhL5MY1kL4zwbOrQErmWywA4yF80eBe1tsmgRko9Q9UKyuFwSFLIpx
> ElqBY8pf1/hNpeb0ZF7urzQquFCtOO1dg4RvTXxdXULjZvoAXUhzolCElFZ8IhMa
> eZeX9IL+L2xcloOUnH+toBx2K50HD5eay3PBH9e0VBU+0U5V5bm6WcbIMIWY3dM=
> =oRVx
> -----END PGP SIGNATURE-----
>
> --
> Eoin Keary
> OWASP Global Board Member (Vice Chair)
> https://twitter.com/EoinKeary
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders