[Owasp-leaders] Projects Vs Chapters

Nikola Milosevic nikola.milosevic at owasp.org
Thu Sep 3 09:58:41 UTC 2015

Hello all, here are my two cents from the perspective of another person who
both started both - chapter and project.

>From the Chapter point of view it really depends where do you start your
chapter, or where do you live and how well connected are you. In 2012.,
when I started chapter in Serbia, it was quite tough for me. I wanted that
local community and even to develop some kind of consciousness about
security in my city, but it was hard to start. I knew about one company
that was doing some forensics and pen testing, employing 4 people in total
and that was it. Also, at that time I was finishing my University, so not
too many industrial contacts. And at that time Serbia was a place where
there was almost no security industry. So first couple of talks I needed to
be doing myself about basic OWASP topics with help of some friends who were
also interested and then somehow it built up. After couple of years from
attendance of 10 people and pretty basic talks we had something more
advanced and attendance of over 70. Also companies started being interested
and offering space (first couple of meetings I managed to do in some
classrooms at my ex Uni). When I came to Manchester, where we are both now
- Simon and me, it is much better. It is much easier, since there are a
 lot of companies, employing tens and hundreds of people, it is easy to
find speakers, however, the demography of audience is much different. In
Manchester, most of the people are pen testers, while in Serbia it was
students and developers with almost no security background. So there is
diversity in Chapters, however, I would agree that it is easier than
projects. Regarding OWASP, there is one thing OWASP can help with new
chapters - by providing some initial pack of merchandise (I had one
unpleasant event, when my request was declined, since chapter had no
money), and possibly with some slight mentor-ship, but chapter handbook is
a good start for that.

As of projects, in open source there are great initiatives such as Google
Summer of Code and OWASP Code Summer Sprint. There are probably couple
more, which can help funding project and get some code done. The thing I am
still struggling with is that I cannot dedicate full time to the project,
hardly even part time, and it is for me hard to build community around it.
I don't know whether it depends on the type of the project (like mobile
security and privacy app may be hard), maturity, or it is just due to the
fact that I release public announcement only at the points when we release
new version. However, in community building and recruiting volunteers I
would really appreciate some mentorship or help, since I feel a bit
unsuccessful in that part. Also, regarding funding and fundraising, there
are questions I would have. As I said I participated on some initiatives
which got some work done by students. But in case I want company funding
the question is should I approach company and tell them, I do have this
project, would you like to fund it, or should I wait until they reach out
me? If I reach out, isn't it a bit awkward and possibly rude? If I wait,
wouldn't I wait forever? Since I am a coder myself, to be honest I did not
spent too much time thinking about them, so there might be a problem and I
would need to change it. In order to solve these issues and questions, I
have, but probably other leaders as well, I would quite like to recommend
one thing, and thank Simon that he started the topic. It might be helpful
for younger projects to have some advice from the leaders who did
succeeded, and by this I mean primarily flagship leaders. And also, for new
projects to have assigned maybe one person as mentor. And the role of
mentor would be to give some advice, resources, literature, whatever on
building community around project, recruiting volunteers and fundraising.
This would mean probably like one hour one on one meeting over hangouts or
skype and chat about these topics.

So what the rest of people think?

Pozdrav/Best regards,

Nikola Milošević
OWASP Seraphimdroid project leader
nikola.milosevic at owasp.org
OWASP - Open Web Application Security Project
OWASP Seraphimdroid Project

On Thu, Sep 3, 2015 at 9:50 AM, psiinon <psiinon at gmail.com> wrote:

> Didnt realise this thread wasnt on the leaders list ;)
> So starting a new one here as I think its important for us to discuss.
> For background see:
> http://lists.owasp.org/pipermail/governance/2015-September/000697.html
> This is a copy of the email I sent to that thread..
> First of all I'd like to thank Johanna for all the effort she's put into
> reviewing the projects.
> Its been a huge and mostly thankless task, and the projects as a whole
> have really benefited.
> Secondly, I'd like to wade into the Projects Vs Chapters debate :)
> I have a theory:
> People who are 'part' of OWASP tend to think that the Chapters are more
> important _to_them_ than the projects.
> Chapters are where we meet people, exchange ideas and learn things. They
> are social events.
> People outside OWASP think that the Projects are more important _to_them_
> than the Chapters.
> They dont go to chapter meetings, they might not even be aware of them.
> They use, or at least are aware of, the main OWASP projects, mostly the
> Flagship ones.
> Anyone agree or disagree?
> And yes, I'm conveniently ignoring conferences, the wiki etc etc ;)
> I think Chapters and Projects are fundamentally different 'beasts', and
> I've started and run both :)
> Chapters are relatively easy to start and maintain.
> You need to be based in a city with a thriving security and/or software
> industry.
> You need to spend time organising and publicising events, but its not hard
> - you dont need specialized skills.
> Its relatively easy to find people prepared to speak, arrange rooms and
> help with other organisational things.
> Its something you can do in your spare time.
> Projects are much harder.
> They are relatively easy to start - you 'just' need a good idea.
> They are _really_ hard to bring to fruition and maintain.
> I'll focus on software projects (as I know much more about those) but I
> have no doubt documentation projects can be just as difficult.
> A professional software project is the result of the hard work of
> managers, designers, developers, QA, support, technical authors, sales and
> marketing (and probably others I've forgotten;).
> Its a huge amount of effort, and is ongoing - it only lets up when you
> 'sunset' the project.
> Ok, so (non commercial) open source projects dont need sales staff, but
> they do need people doing all of the other roles. Its definitely _not_ just
> programming!
> Its way too much for one person (for a non trivial project).
> Luckily we have the open source community, but that means a project leader
> needs another skill: community building!
> And to be honest most volunteers are developers (and security people for
> OWASP projects), its very rare for people with other skills to get involved.
> I dont think its something you can do in your spare time, at least for
> long (I did for a while, and my wife described herself as a "ZAP widow";)
> So Chapters are relatively easy to maintain, projects _much_ harder.
> I suspect OWASP as an organisation supports Chapters more effectively, but
> even if it supports both equally Projects dont get as much support as they
> need.
> I think OWASP Chapters are thriving and the Projects are (as a whole)
> diminishing.
> If I'm right and people outside OWASP see the Projects as more important
> than the Chapters then this leads to the impression that OWASP is
> struggling.
> What to projects need?
> I dont think its possible to maintain a 'significant' open source project
> unless you are able to spend the majority of your working day on it.
> This means projects really have to be sponsored by someone.
> This is a significant investment for a company, and its often difficult to
> justify this sort of investment. Especially if its difficult to monetise
> OWASP projects.
> Does OWASP want to sponsor projects directly?
> I think thats what it would take to build a thriving set of Projects.
> Is that something that could be done?
> I'm lucky, Mozilla allows me to spend most of my time working on ZAP, and
> thats been invaluable.
> But I'd love to be able to employ some of the ZAP contributors to work
> full time on ZAP :)
> Would OWASP pay for that??
> It would require much more 'project management' - the kind of things that
> people _think_ OWASP is doing, but it doesnt.
> I often see posts from people asking "why the hell is OWASP developing X".
> They seem to think that theres an OWASP committee that meets and goes "We
> think we should have project X". Whereas its actually an individual coming
> to OWASP and saying "I'm doing X, could this be an OWASP project?".
> OWASP Projects are very much 'bottom up' rather than 'top down'.
> It may surprise people outside of OWASP that I get _no_ direction at all
> from OWASP as to how ZAP should move forward.
> note that I'm _really_ not complaining about that ;)
> OWASP does not really invest in projects. It does provide some support,
> but to be honest not a great deal.
> If we decided to invest significant amounts of money in projects then
> there would need to be real debate as to what we should invest in.
> And I realise that thats difficult, particularly as OWASP is supported by
> commercial organisations, and they wont want OWASP investing in projects
> that compete with their own offerings.
> There are other things that OWASP could do other than paying developers
> directly.
> We could spend much more effort encouraging companies to contribute to
> OWASP projects, especially by donating engineering effort.
> We could help projects with the 'non programming' aspects - documentation,
> testing, marketing etc.
> We could provide more advice and guidance - I dont want people to dictate
> where ZAP should be headed, but I'd love constructive feedback :)
> Ok, thats ended up being a pretty rambling email ;)
> I'll end there and see what responses I get :D
> Cheers,
> Simon
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150903/2373230e/attachment-0001.html>

More information about the OWASP-Leaders mailing list