[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Dinis Cruz dinis.cruz at owasp.org
Fri Dec 4 00:43:27 UTC 2015

Well, the reasons why I believe OWASP should not be allowed to pay owasp
leaders are listed here

And since I have not been on the OWASP board for about 5 years, I think we
need to realise that IF it was possible to pay owasp leaders to work on
OWASP projects, THAT (paying owasp leaders) would have happened by now
(after all, there has been enough budget to make that happen)

The problem is that there is still this 'idea' that "IF ONLY we could do
that (pay owasp leaders) amazing stuff would happen".

Sometimes it is better to be clear on the rules of engagement, so that the
energy can be focused on ideas that work

For example, paying expenses to get OWASP leaders together, or project-related
operational expenses, is a much more realistic target for the
available funds (in fact we already have a good track record in using funds
that way)

Jim, when we spoke last time you mentioned *the* *idea of hiring technical
editors to work on OWASP projects (from a global point of view)*. Just to
be clear, as long as they are not OWASP Leaders, I think that *would also
be a great use of OWASP funds.* Think, for example, how useful it would be to
provide our OWASP projects with support for:
 - documentation
 - diagrams
 - pagination, copy editing, spelling, index pages (for docs projects)
 - README(s)
 - installation scripts
 - QA/Testing
 - Writing Unit tests

(for the reasons why I don't believe we should pay OWASP leaders to do the
above tasks see

And remember that IF it was possible to pay owasp leaders, by now we should
already have a couple of success stories.

For me what OWASP can really do for its projects is to provide:
 - a community,
 - a stage to present it
 - as much operational support as possible
 - love and energy


On 4 December 2015 at 00:14, Andrew van der Stock <vanderaj at owasp.org>

> Every time I bring it up, and that was at several board meetings this year,
> it gets shot down. Josh and I had one really long talk about this at AppSec
> USA, and I don't think we ever got around to putting the outcome of that
> into practice.
> Honestly, I've moved on from this discussion as it's fruitless. There may
> be no "rules" per se, but just try and do it. Only one project has
> sufficient funds to pay someone to work for at least a month.
> My current position is that whilst there is pressure not to pay the folks
> who actually work on the projects, we should get projects to apply for
> project grants to come to an AppSec event a week or so beforehand with
> specific achievable deliverables. We then pay them to come fly in, stay and
> be fed for that week. The CEF funding pool for this already exists, it's
> just not used that heavily.
> That would be a good stepping stone until we can get to the point of
> spending at least 33% of our annual grant funds on projects, so we can spin
> up Fellowships or similar a la Linux Foundation. We have a budget not
> dissimilar to LF, and they pay Linus Torvalds and others to work on Linux.
> I am not saying there is anyone like a "Linus" here, or that it needs to be
> a permanent staff position, but it should be at least long enough to be a
> viable way to live for a period of time and achieve things.
> As a board, we also need to get out there and get sponsorships and grants
> for this type of thing. I don't think we do enough fund raising for
> projects, or use our university contacts to get masters by research
> students to help us with our projects and research.
> thanks
> Andrew
> On Thu, Dec 3, 2015 at 11:28 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> > I believe a significant reason OWASP isn't a good home for many
>> projects is that we are unable to spend funds on people's time.
>> That is not a rule at all - no one is stopping project leaders from using
>> their funds to hire folk. Some really do not like this idea but it's not
>> (at all) a rule.
>> - Jim
>> On 12/2/15 4:04 PM, Andrew Muller wrote:
>> I believe a significant reason OWASP isn't a good home for many projects
>> is that we are unable to spend funds on people's time. I understand the
>> reasons but this stymies progress and requires folks like Mozilla to pay
>> for people's time, which is a rare example of generosity and community
>> spirit. That said, OWASP is a great promotion vehicle for projects and
>> generates many volunteer requests (and less action). But these were only two
>> examples (one good, one bad). There are many more.
>> I see no point begging for ZAP to remain with OWASP, but rather careful,
>> and perhaps painful, introspection as to why OWASP is failing projects.
>> There have been some epic and heartbreaking failures recently, but there is
>> still much good in it. I think it would be worthwhile having someone
>> impartial who understands corporate governance review where we're at. This
>> could be funded by the pool of funds available to OWASP and would be a strong
>> and justifiable investment.
>> On Wednesday, 2 December 2015, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Simon,
>>> It might help if you could elaborate on what OWASP can do to help you
>>> get to the next level (whatever that is).  OWASP has a lot of people,
>>> money, etc that are at our Leaders' disposal.  If this decision would be
>>> made on resources, or lack thereof, then I think we can help justify
>>> sticking around.  If there's something bigger (like how to make ZAP a
>>> freemium model perhaps), then I would like to see us having those
>>> conversations as well.  In short, I believe that ZAP (or any project for
>>> that matter) is good for OWASP and want to see OWASP reciprocate in ways
>>> that are beneficial to ZAP.
>>> ~josh
>>> On Dec 2, 2015 3:14 AM, "psiinon" <psiinon at gmail.com> wrote:
>>>> In a recent thread
>>>> <http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015726.html>
>>>> Dinis stated:
>>>> "all Owasp projects should be seen as research projects. The moment
>>>> they are big enough (i.e. big team, support, deliverables) and wish to move
>>>> beyond the 'research label' , is the moment where they need to leave the
>>>> 'Owasp nest' and face the real world by themselves"
>>>> I have a lot of sympathy for this perspective, and have indeed been
>>>> wondering if now is the right time for ZAP to "go it alone".
>>>> I'd like to stress that this is not just because of recent
>>>> controversies, so I'd like to discuss these as general principles rather
>>>> than in relation to recent events.
>>>> I believe that OWASP has been very beneficial to ZAP, but I'm not sure
>>>> that OWASP is really set up to support projects that have grown to ZAP's
>>>> size.
>>>> So, the 2 questions I'd be very interested in feedback on:
>>>>    - Should OWASP projects aim to stand on their own outside of OWASP?
>>>>    - Is this the right time for ZAP to do so?
>>>> Many thanks,
>>>> Simon
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> ____________________
>> *Andrew Muller*
>> Canberra OWASP Chapter Leader
>> OWASP Testing Guide Co-Leader