[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Andrew van der Stock vanderaj at owasp.org
Fri Dec 4 00:14:49 UTC 2015

Every time I bring it up, and that was at several board meetings this year,
it gets shot down. Josh and I had one really long talk about this at AppSec
USA, and I don't think we ever got around to putting the outcome of that
into practice.

Honestly, I've moved on from this discussion as it's fruitless. There may
be no "rules" per se, but just try and do it. Only one project has
sufficient funds to pay someone to work for at least a month.

My current position is that whilst there is pressure not to pay the folks
who actually work on the projects, we should get projects to apply for
project grants to come to an AppSec event a week or so beforehand with
specific achievable deliverables. We then pay them to fly in, stay and
be fed for that week. The CEF funding pool for this already exists, it's
just not used that heavily.

That would be a good stepping stone until we can get to the point of
spending at least 33% of our annual grant funds on projects, so we can spin
up Fellowships or similar a la Linux Foundation. We have a budget not
dissimilar to LF, and they pay Linus Torvalds and others to work on Linux.
I am not saying there is anyone like a "Linus" here, or that it needs to be
a permanent staff position, but it should be at least long enough to be a
viable way to live for a period of time and achieve things.

As a board, we also need to get out there and get sponsorships and grants
for this type of thing. I don't think we do enough fundraising for
projects, or use our university contacts to get masters-by-research
students to help us with our projects and research.


On Thu, Dec 3, 2015 at 11:28 AM, Jim Manico <jim.manico at owasp.org> wrote:

> > I believe a significant reason OWASP isn't a good home for many projects
> > is that we are unable to spend funds on people's time.
>
> That is not a rule at all - no one is stopping project leaders from using
> their funds to hire folk. Some really do not like this idea but it's not
> (at all) a rule.
> - Jim
> On 12/2/15 4:04 PM, Andrew Muller wrote:
> I believe a significant reason OWASP isn't a good home for many projects
> is that we are unable to spend funds on people's time. I understand the
> reasons but this stymies progress and requires folks like Mozilla to pay
> for people's time, which is a rare example of generosity and community
> spirit. That said, OWASP is a great promotion vehicle for projects and
> generates many volunteer requests (and less action). But these we only two
> examples (one good, one bad). There are many more.
> I see no point begging for ZAP to remain with OWASP, but rather careful,
> and perhaps painful, introspection as to why OWASP is failing projects.
> There have been some epic and heartbreaking failures recently, but there is
> still much good in it. I think it would be worthwhile having someone
> impartial who understands corporate governance review where we're at. This
> could be funded by the pool of funds available to OWASP and would be a strong
> and justifiable investment.
> On Wednesday, 2 December 2015, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Simon,
>> It might help if you could elaborate on what OWASP can do to help you get
>> to the next level (whatever that is). OWASP has a lot of people, money,
>> etc that are at our Leaders' disposal. If this decision would be made on
>> resources, or lack thereof, then I think we can help justify sticking
>> around. If there's something bigger (like how to make ZAP a freemium model
>> perhaps), then I would like to see us having those conversations as well.
>> In short, I believe that ZAP (or any project for that matter) is good for
>> OWASP and want to see OWASP reciprocate in ways that are beneficial to ZAP.
>> ~josh
>> On Dec 2, 2015 3:14 AM, "psiinon" <psiinon at gmail.com> wrote:
>>> In a recent thread
>>> <http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015726.html>
>>> Dinis stated:
>>> "all Owasp projects should be seen as research projects. The moment they
>>> are big enough (i.e. big team, support, deliverables) and wish to move
>>> beyond the 'research label' , is the moment where they need to leave the
>>> 'Owasp nest' and face the real world by themselves"
>>> I have a lot of sympathy for this perspective, and have indeed been
>>> wondering if now is the right time for ZAP to "go it alone".
>>> I'd like to stress that this is not just because of recent
>>> controversies, so I'd like to discuss these as general principles rather
>>> than in relation to recent events.
>>> I believe that OWASP has been very beneficial to ZAP, but I'm not sure
>>> that OWASP is really set up to support projects that have grown to ZAP's
>>> size.
>>> So, the 2 questions I'd be very interested in feedback on:
>>>    - Should OWASP projects aim to stand on their own outside of OWASP?
>>>    - Is this the right time for ZAP to do so?
>>> Many thanks,
>>> Simon
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> ____________________
> *Andrew Muller*
> Canberra OWASP Chapter Leader
> OWASP Testing Guide Co-Leader