[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

psiinon psiinon at gmail.com
Wed Dec 2 14:06:38 UTC 2015


Hi Josh,

A very good question.
And one that I might struggle to answer!
But exploring it in this forum could be very useful for ZAP, OWASP and
other projects, so I'll do my best.

I think OWASP has traditionally been very focussed on chapters and
conferences.
Projects get a homepage and the option to use various OWASP accounts, but
are broadly left to their own devices.
Sometimes this can be a good thing - I do like the fact that no one at OWASP
has tried to tell me how to run ZAP or where it should be going.
But I suspect for other (code?) projects, especially for those led by
leaders with less (development?) experience, this could well be a
problem and may well have caused projects to wither away.

But I would like to take ZAP to 'the next level'.
And without going down the 'freemium' route - I've always stated that there
will be no 'Pro' edition and I intend to stick to that.
For reference I don't have a problem with the freemium model, but I _want_
there to be a completely open source community based web appsec tool, and
for me that's ZAP.

But the only way I can realistically see us taking ZAP to the next level is
by getting more people to work on ZAP full time.
I've put in a proposal to a well known open source organisation (not
Mozilla in this case) for funding for another full time developer (in
addition to me, who Mozilla sponsor).
I've also been in discussions with other companies that use ZAP and I'm
hoping that this will result in some of their developers working some of
their time on ZAP.
Maybe this is a way OWASP could help projects like ZAP?
I do think we need to establish an identity distinct from OWASP, e.g. with a
dedicated ZAP website. But I agree that this doesn't mean that ZAP has to
leave OWASP.
So maybe there needs to be a (relatively) well funded initiative within
OWASP for helping projects like ZAP move to the next level. I suspect the
challenges are similar for all such projects. And if these projects can
break out of the OWASP/Appsec bubble then it could be hugely beneficial to
OWASP and security in general.

Does that help?

Feedback and suggestions very much appreciated!

Simon


On Wed, Dec 2, 2015 at 1:47 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Simon,
>
> It might help if you could elaborate on what OWASP can do to help you get
> to the next level (whatever that is).  OWASP has a lot of people, money,
> etc that are at our Leaders' disposal.  If this decision would be made on
> resources, or lack thereof, then I think we can help justify sticking
> around.  If there's something bigger (like how to make ZAP a freemium model
> perhaps), then I would like to see us having those conversations as well.
> In short, I believe that ZAP (or any project for that matter) is good for
> OWASP and want to see OWASP reciprocate in ways that are beneficial to ZAP.
>
> ~josh
> On Dec 2, 2015 3:14 AM, "psiinon" <psiinon at gmail.com> wrote:
>
>> In a recent thread
>> <http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015726.html>
>> Dinis stated:
>>
>> "all Owasp projects should be seen as research projects. The moment they
>> are big enough (i.e. big team, support, deliverables) and wish to move
>> beyond the 'research label' , is the moment where they need to leave the
>> 'Owasp nest' and face the real world by themselves"
>>
>> I have a lot of sympathy for this perspective, and have indeed been
>> wondering if now is the right time for ZAP to "go it alone".
>>
>> I'd like to stress that this is not just because of recent controversies,
>> so I'd like to discuss these as general principles rather than in relation
>> to recent events.
>>
>> I believe that OWASP has been very beneficial to ZAP, but I'm not sure
>> that OWASP is really set up to support projects that have grown to ZAP's
>> size.
>>
>> So, the 2 questions I'd be very interested in feedback on:
>>
>>    - Should OWASP projects aim to stand on their own outside of OWASP?
>>    - Is this the right time for ZAP to do so?
>>
>> Many thanks,
>>
>> Simon
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader