[Owasp-leaders] Fwd: Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Mike Goodwin mike.goodwin at owasp.org
Wed Dec 2 11:43:01 UTC 2015

Resent because I got a delivery failure first time. Sorry if you get it

---------- Forwarded message ----------
From: Mike Goodwin <mike.goodwin at owasp.org>
Date: 2 December 2015 at 11:40
Subject: Re: [Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?
To: John Patrick Lita <john.patrick.lita at owasp.org>
Cc: Jim Manico <jim.manico at owasp.org>, "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>

Dear all,

My thoughts, as the leader of a fairly new incubator project:

Simon asked two good questions, one general one about whether mature
projects should move outside of OWASP and one specific one about whether
ZAP should move. To me, we need to answer the first question first, and
only then figure out what it means for ZAP. So, I am (almost) entirely
focusing on this first question:

*Point 1:* I think that the majority of people come into contact with OWASP
for the first time through one of the projects, most likely a flagship
project. For me it was the OWASP Top 10. Some of these people will then go
on to become chapter members, chapter leaders, project contributors or
project leaders. Removing the OWASP name from these projects will, I
believe, impact the flow of new volunteers into OWASP and therefore damage
it in the medium term.

*Point 2:* I am guessing that a significant part of our sponsorship is
linked in some way to the projects. [Maybe someone who knows for sure could
confirm or refute this.] So removing them will impact our revenues.

*My opinion:* I get that moving a flagship project out of OWASP could be
liberating and benefit that project. However, because of the above two
points, I think it will be harmful to the OWASP mission as a whole.

*What to do then?* Despite this, there are clearly problems with how
projects are managed in OWASP at the moment. I won't repeat all the
arguments here - there have been many many emails about them. So something
needs to be done. At a high level I think we should:

   - Encourage new incubator projects to be created freely and with only
   light governance. This is the place to encourage innovation and make it as
   easy as possible to get started.
   - Offer lightweight but relevant support to these incubator projects.
   GitHub and a wiki are not real support. Using my own project as an example
   (I'm not claiming everyone is like this), what would help most is mentoring
   and advice on how to build awareness of the project, attract contributors
   etc. I would call these the "marketing" aspects of the project.
   - Make the transition from incubator to labs much more controlled and
   rigorous. As well as delivering on project progress and quality goals, I
   think the projects should be selected based on alignment with a
   well-defined and publicly visible *strategic vision and roadmap for
   projects* that ensures the projects complement each other. This
   vision could also call out gaps where there is no current project. The
   outcome of this should be a smaller set of labs projects.
   - Any existing labs projects that do not meet these more difficult goals
   should be released from OWASP or moved back to incubator.
   - Funding and more support should be focused on this reduced number of
   projects. This is key - to succeed we need to support fewer projects, but
   support them much more fully.
   - Transition from Labs to flagship doesn't need much change in my
   opinion - it is about proven success and adoption.
   - This will inevitably need more full time staff for the foundation and
   more authority and power to the board (or their delegated project

*(To briefly touch on Simon's second question) What about ZAP?* Well, ZAP
clearly meets quality and success goals. In my worldview, the key question
would be: *Is there a place in our strategic vision for "an easy to use
integrated penetration testing tool for finding vulnerabilities in web

Best regards,

*Mike Goodwin*
OWASP Newcastle UK Chapter Leader
OWASP Threat Dragon Project Leader

On 2 December 2015 at 09:39, John Patrick Lita <john.patrick.lita at owasp.org>

> Yes, +1 to Sir Jim. I think we need to put more attention on ZAP; in this
> case ZAP doesn't have support and it's better if Mozilla adopts this
> tool. I don't know what happened to our foundation,
> On Wed, Dec 2, 2015 at 5:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Simon,
>> I am just glad that ZAP is out there in the open source world.
>> And frankly, I do not see OWASP doing a lot to support it. If you moved
>> it to Mozilla, especially if Mozilla was willing to provide resources to
>> continue making it stronger, I would support such a move and continue to
>> promote it.
>> Respectfully,
>> Jim
>> On 12/2/15 11:05 AM, psiinon wrote:
>> In a recent thread
>> <http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015726.html>
>> Dinis stated:
>> "all Owasp projects should be seen as research projects. The moment they
>> are big enough (i.e. big team, support, deliverables) and wish to move
>> beyond the 'research label', is the moment where they need to leave the
>> 'Owasp nest' and face the real world by themselves"
>> I have a lot of sympathy for this perspective, and have indeed been
>> wondering if now is the right time for ZAP to "go it alone".
>> I'd like to stress that this is not just because of recent controversies,
>> so I'd like to discuss these as general principles rather than in relation
>> to recent events.
>> I believe that OWASP has been very beneficial to ZAP, but I'm not sure
>> that OWASP is really set up to support projects that have grown to ZAP's
>> size.
>> So, the 2 questions I'd be very interested in feedback on:
>>    - Should OWASP projects aim to stand on their own outside of OWASP?
>>    - Is this the right time for ZAP to do so?
>> Many thanks,
>> Simon
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Best Regards
> John Patrick Lita
> *Chapter Leader OWASP Manila*
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> https://www.owasp.org/index.php/Manila
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
