[Owasp-leaders] Projects Vs Chapters

psiinon psiinon at gmail.com
Thu Sep 3 08:50:52 UTC 2015

Didnt realise this thread wasnt on the leaders list ;)
So starting a new one here as I think its important for us to discuss.
For background see:
This is a copy of the email I sent to that thread..

First of all I'd like to thank Johanna for all the effort she's put into
reviewing the projects.
Its been a huge and mostly thankless task, and the projects as a whole have
really benefited.

Secondly, I'd like to wade into the Projects Vs Chapters debate :)

I have a theory:

People who are 'part' of OWASP tend to think that the Chapters are more
important _to_them_ than the projects.
Chapters are where we meet people, exchange ideas and learn things. They
are social events.

People outside OWASP think that the Projects are more important _to_them_
than the Chapters.
They dont go to chapter meetings, they might not even be aware of them.
They use, or at least are aware of, the main OWASP projects, mostly the
Flagship ones.

Anyone agree or disagree?
And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)

I think Chapters and Projects are fundamentally different 'beasts', and
I've started and run both :)

Chapters are relatively easy to start and maintain.
You need to be based in a city with a thriving security and/or software
You need to spend time organising and publicising events, but its not hard
- you dont need specialized skills.
Its relatively easy to find people prepared to speak, arrange rooms and
help with other organisational things.
Its something you can do in your spare time.

Projects are much harder.
They are relatively easy to start - you 'just' need a good idea.
They are _really_ hard to bring to fruition and maintain.
I'll focus on software projects (as I know much more about those) but I
have no doubt documentation projects can be just as difficult.
A professional software project is the result of the hard work of managers,
designers, developers, QA, support, technical authors, sales and marketing
(and probably others I've forgotten;).
Its a huge amount of effort, and is ongoing - it only lets up when you
'sunset' the project.
Ok, so (non commercial) open source projects dont need sales staff, but
they do need people doing all of the other roles. Its definitely _not_ just
Its way too much for one person (for a non trivial project).
Luckily we have the open source community, but that means a project leader
needs another skill: community building!
And to be honest most volunteers are developers (and security people for
OWASP projects), its very rare for people with other skills to get involved.
I dont think its something you can do in your spare time, at least for long
(I did for a while, and my wife described herself as a "ZAP widow";)

So Chapters are relatively easy to maintain, projects _much_ harder.
I suspect OWASP as an organisation supports Chapters more effectively, but
even if it supports both equally Projects dont get as much support as they
I think OWASP Chapters are thriving and the Projects are (as a whole)
If I'm right and people outside OWASP see the Projects as more important
than the Chapters then this leads to the impression that OWASP is

What to projects need?
I dont think its possible to maintain a 'significant' open source project
unless you are able to spend the majority of your working day on it.
This means projects really have to be sponsored by someone.
This is a significant investment for a company, and its often difficult to
justify this sort of investment. Especially if its difficult to monetise
OWASP projects.
Does OWASP want to sponsor projects directly?
I think thats what it would take to build a thriving set of Projects.
Is that something that could be done?
I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
thats been invaluable.
But I'd love to be able to employ some of the ZAP contributors to work full
time on ZAP :)
Would OWASP pay for that??

It would require much more 'project management' - the kind of things that
people _think_ OWASP is doing, but it doesnt.
I often see posts from people asking "why the hell is OWASP developing X".
They seem to think that theres an OWASP committee that meets and goes "We
think we should have project X". Whereas its actually an individual coming
to OWASP and saying "I'm doing X, could this be an OWASP project?".
OWASP Projects are very much 'bottom up' rather than 'top down'.
It may surprise people outside of OWASP that I get _no_ direction at all
from OWASP as to how ZAP should move forward.
note that I'm _really_ not complaining about that ;)

OWASP does not really invest in projects. It does provide some support, but
to be honest not a great deal.
If we decided to invest significant amounts of money in projects then there
would need to be real debate as to what we should invest in.
And I realise that thats difficult, particularly as OWASP is supported by
commercial organisations, and they wont want OWASP investing in projects
that compete with their own offerings.

There are other things that OWASP could do other than paying developers
We could spend much more effort encouraging companies to contribute to
OWASP projects, especially by donating engineering effort.
We could help projects with the 'non programming' aspects - documentation,
testing, marketing etc.
We could provide more advice and guidance - I dont want people to dictate
where ZAP should be headed, but I'd love constructive feedback :)

Ok, thats ended up being a pretty rambling email ;)
I'll end there and see what responses I get :D



OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150903/f809a2eb/attachment.html>

More information about the OWASP-Leaders mailing list