[Owasp-leaders] [Owasp-board] Rethinking strategy regarding projects

Tim tim.morgan at owasp.org
Thu Nov 26 17:02:40 UTC 2015

I'm all for reform of some sort, but it should be done carefully and I
don't know of any obvious solution to the dilution problem.  Whatever
changes we make, let's make them conservative and targeted for now and
see how it goes.

Also, I think it is important to distinguish between software projects
and non-software projects.  It seems our biggest issue right now is
with people trying to write code under the OWASP brand, but not
following through and making the software high quality.

Consider for a moment the skillsets of most OWASP volunteers.  We tend
to be security people.  It might make a lot of sense for us to write
code for "breakers" types of projects, since only security people see
the value in doing that and have the associated know-how.

However, for "defenders" types of coding projects, does it really make
sense to build yet more frameworks?  Sometimes this could work, but in
most cases, how can we possibly compete with existing frameworks that
have large numbers of volunteers and/or companies behind them?

Better stop now before I start rambling, but those are my thoughts at
the moment.


On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
> I think OWASP projects are critical to the foundation and I want to support new ideas that new projects bring.
> But I surrender. We really need to rethink the whole OWASP project philosophy and seek better focus and direction. We're all over the place and our energy is very diluted and sometimes abused.
> I have a lot of ideas, but frankly I'm not sure what the best direction is. But I am open to significant change.
> By the same token, we have some amazing flagship projects and I think it would be a tragedy if those went away.
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
> > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com> wrote:
> > 
> > I agree that this is a good time to rethink OWASP's project strategy.
> > Creating and maintaining high quality open source projects takes a lot of time and effort, and can only be done in one's 'spare time' for a relatively short period.
> > Successful projects need sponsorship and people who are able to dedicate a significant part of their working week to them.
> > Abandoned or poorly maintained projects only damage OWASP's reputation.
> > 
> > Should we effectively ditch all but the flagship projects? Only taking on new projects when they reach that level of quality?
> > Would a tool that becomes successful in its own right _want_ to be adopted by OWASP?
> > Should OWASP ditch projects altogether??
> > Or maybe just ditch all but the documentation projects?
> > Maybe we should just recommend open source projects, a sort of 'OWASP approved' badge?
> > 
> > If we do keep some projects (and I think we should;) then what purpose should they serve?
> > Providing high quality tools that help make the internet more secure?
> > Helping people learn about security?
> > Driving awareness of OWASP? (How would people learn about OWASP if not via projects like the Top 10 and ZAP?)
> > Provide tools and features that commercial companies are not currently providing (effectively, or for a reasonable price)?
> > Interested to see what other people think.
> > 
> > Cheers,
> > 
> > Simon
> > 
> > 
> >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> >> Leaders and members of the board 
> >> 
> >> As a former member of the project review team, I have been observing the increasing issues related to projects.
> >> Fact is, we do not have enough volunteers nor staff to support and watch the quality of projects, do reviews and have supervision over them.
> >> 
> >> More than often, projects become dormant or inactive.
> >> Recently the misuse of the OWASP brand has been an issue with projects like Benchmark and recent complaints of users from the PHPSEC project. But this is an ongoing issue.
> >> 
> >> I think it is time that OWASP rethinks its strategy regarding projects.
> >> 
> >> Maybe instead of trying to offer a platform that is not sustainable, OWASP should adopt and sponsor projects that have already established a name on their own.
> >> 
> >> Nothing stops a dedicated individual from starting an open source project on his own. In the past, when OWASP was a small organization run by dedicated volunteers, it worked for these couple of projects, but right now it is out of hand. Take a look at how many active projects are actually being maintained.
> >> 
> >> Maintaining a project takes a lot of dedication and this is what people need to realize when starting an open source project.
> >> 
> >> What I see quite often is people wanting to misuse the OWASP brand instead of being willing to pull a project.
> >> That is the major reason I quit reviewing, along with the fact that we do not have feasible resources to produce projects that are sustainable in the long term.
> >> 
> >> I'm also cancelling the proposal with regard to the bounty source program. Reality is that without dedicated efforts and resources, it won't be sustainable.
> >> 
> >> Regards
> >> 
> >> Johanna 
> >> 
> >> 
> >> 
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> > 
> > 
> > 
> > -- 
> > OWASP ZAP Project leader

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
