[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Andrew Muller andrew.muller at owasp.org
Wed Dec 2 14:04:38 UTC 2015


I believe a significant reason OWASP isn't a good home for many projects is
that we are unable to spend funds on people's time. I understand the
reasons but this stymies progress and requires folks like Mozilla to pay
for people's time, which is a rare example of generosity and community
spirit. That said, OWASP is a great promotion vehicle for projects and
generates many volunteer requests (and less action). But these are only two
examples (one good, one bad). There are many more.

I see no point begging for ZAP to remain with OWASP, but rather careful,
and perhaps painful, introspection as to why OWASP is failing projects.
There have been some epic and heartbreaking failures recently, but there is
still much good in it. I think it would be worthwhile having someone
impartial who understands corporate governance review where we're at. This
could be funded by the pool of funds available to OWASP and would be a strong
and justifiable investment.

On Wednesday, 2 December 2015, Josh Sokol <josh.sokol at owasp.org> wrote:

> Simon,
>
> It might help if you could elaborate on what OWASP can do to help you get
> to the next level (whatever that is).  OWASP has a lot of people, money,
> etc. that are at our Leaders' disposal.  If this decision would be made on
> resources, or lack thereof, then I think we can help justify sticking
> around.  If there's something bigger (like how to make ZAP a freemium model
> perhaps), then I would like to see us having those conversations as well.
> In short, I believe that ZAP (or any project for that matter) is good for
> OWASP and want to see OWASP reciprocate in ways that are beneficial to ZAP.
>
> ~josh
> On Dec 2, 2015 3:14 AM, "psiinon" <psiinon at gmail.com> wrote:
>
>> In a recent thread
>> <http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015726.html>
>> Dinis stated:
>>
>> "all Owasp projects should be seen as research projects. The moment they
>> are big enough (i.e. big team, support, deliverables) and wish to move
>> beyond the 'research label' , is the moment where they need to leave the
>> 'Owasp nest' and face the real world by themselves"
>>
>> I have a lot of sympathy for this perspective, and have indeed been
>> wondering if now is the right time for ZAP to "go it alone".
>>
>> I'd like to stress that this is not just because of recent controversies,
>> so I'd like to discuss these as general principles rather than in relation
>> to recent events.
>>
>> I believe that OWASP has been very beneficial to ZAP, but I'm not sure
>> that OWASP is really set up to support projects that have grown to ZAP's
>> size.
>>
>> So, the 2 questions I'd be very interested in feedback on:
>>
>>    - Should OWASP projects aim to stand on their own outside of OWASP?
>>    - Is this the right time for ZAP to do so?
>>
>> Many thanks,
>>
>> Simon
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

-- 
____________________
*Andrew Muller*
Canberra OWASP Chapter Leader
OWASP Testing Guide Co-Leader