[Owasp-leaders] [Owasp-board] Professionalism and the Future of OWASP

psiinon psiinon at gmail.com
Fri May 20 16:15:00 UTC 2016


Hey Josh,

Thanks for starting this discussion :)
I agree with many of your points, but (as you allude to) OWASP doesn't
actually have that many direct resources at the moment, and by that I mean
employees.
Pretty much all of the security work (as opposed to the very valuable and
necessary organisational work) is performed by volunteers.
Volunteers choose where they spend their time, so a huge part of a CTO role
would be trying to sell the direction chosen. Not an easy task :/
I think it would be great if OWASP could align itself behind a limited set
of projects, but I worry that this might be really hard to achieve.
ZAP is the most popular and active OWASP code project, but right now 3 of
us have made the vast majority of enhancements that will be going into the
next release. And 2 out of the 3 are paid to work on ZAP by other open
source based organisations ;)
Anyone have any ideas how we can encourage volunteers to focus on specific
projects rather than spreading all of our efforts across 100s of them?

Cheers,

Simon




On Fri, May 20, 2016 at 4:50 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> OWASP Board, Staff, and Leaders,
>
> I wanted to take a moment to address the elephant in the room.  When I
> look at the front page of owasp.org, I am drawn to a statement that OWASP
> is "operating as a community of like-minded professionals".  Unfortunately,
> when I look at the reality of OWASP, I feel like we have moved more in the
> direction of a clubhouse political debate than an organization of
> like-minded professionals.  Don't get me wrong.  I consider differing views
> and conversations about change to be a good thing, but frequently these
> debates have devolved into profanity and personal attacks.  That is not
> professional and completely inappropriate.  The biggest benefit of our
> mailing list is that it gives you time to fully think through not only your
> words, but also their interpretation, before you "speak" them.  Passion is
> great, but at the end of the day we still need to work with each other, so
> professionalism needs to trump passion.
>
> OWASP is a 501c3 not-for-profit *CORPORATION*.   Just because our goal is
> not to make a profit, doesn't mean that we shouldn't act like a
> corporation.  And when you consider the size of our volunteer base, our
> revenue, and our global reach, we are a relatively large corporation.  And
> like a corporation, we have a Board of Directors, we have policies,
> guidelines, and a mission statement.  But if any other corporation acted
> the way that we do, they would not be in business for very long.  Can you
> imagine a global brand like Dell with every stakeholder doing their own
> thing under the same banner?  You'd have 1,000 different laptop models with
> different looks, feel, functionality, documentation, and zero consistency.
> From the outside looking in, as a consumer, it would be pure madness.  More
> than enough to drive your business into the hands of someone else.  Yet,
> that is the state of OWASP today.  Fortunately, it doesn't have to be the
> future.
>
> I would like to hope that every one of you is here because you believe in
> OWASP's mission statement of improving the security of software.  The
> challenge is that every one of us has a different opinion on how to
> accomplish that.  Each opinion is every bit as valid as the next, but like
> any other business, we need to prioritize our limited resources on the
> strategic initiatives that will give us the biggest bang for our buck.  In
> my opinion, this prioritization process is an area that OWASP has done a
> poor job of in the past.  It is the purpose of the OWASP Board of Directors
> to align our available resources to accomplish a common goal and, to date,
> we have done little more than provide a handful of resources to a handful
> of people, in order to accomplish some goals that are tangential to our
> business.  The result is not bad, but I do question whether OWASP is living
> up to its potential.  And without strategic alignment, it's no wonder why
> our stakeholders are in routine conflict.  That's what happens when
> everyone has a different idea of how to accomplish a goal.
>
> Nobody wants a problem without a solution.  I mentioned in a separate
> thread that I feel like the time has come for OWASP to have a formal CTO
> position.  I envision this as a person well qualified and vetted in the
> field of Application Security so that they can do a thorough analysis of
> the space, talk with our stakeholders, and identify documentation, tools,
> etc. where OWASP can fill a need.  They would then be responsible for
> creating that project's vision and aligning our resources in order to drive
> it to completion.  This is not a "Project Manager" role, this is a business
> strategy and technical architecture role.  Volunteers would still be free
> to follow their passion, but hopefully they could find one of these
> strategic projects to align themselves with.  And with a common vision and
> goal in mind, hopefully it would reduce contention amongst our impassioned
> community.  In my opinion, it's time for OWASP to stop thinking like a club
> and start thinking like a business and I feel like this is necessary to get
> us there.
>
> I don't see the other projects going away under this model.  OWASP can
> still provide a home and limited resources for them under our brand
> umbrella.  We would just be making the conscious decision to allocate the
> majority of our project resources in order to accomplish some very specific
> strategic initiatives.  The volunteer would still be free to choose how to
> contribute and how much effort they can put in.
>
> Thoughts on this model for the future of OWASP?  At this point, it's
> mostly an idea in my head, not well-socialized, but this is my attempt to
> try to put it out there for consumption and feedback.  I'm open to your
> additional ideas and suggestions.  Let's just agree to keep it
> professional.  Thank you.
>
> ~josh
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader