[Owasp-leaders] Advocating for OWASP Projects - need your help

Kevin W. Wall kevin.w.wall at gmail.com
Sat Nov 12 17:55:04 UTC 2016

On Fri, Nov 11, 2016 at 12:34 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
> Apologies for posting the same thing to two lists, but I wanted to share my
> thoughts more broadly than just the board list.
> In response to the board thread here, I wrote the following.
> TLDR:  When projects have so little funding vs. chapters, why does it take 21
> emails to spend 1.4% of the Project Outreach budget on ZAP - one of our
> project rockstars?
> ---------- Forwarded message ----------
> From: Matt Tesauro <matt.tesauro at owasp.org>
> Date: Fri, Nov 11, 2016 at 11:26 AM
> Subject: Re: [Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017
> To: johanna curiel curiel <johanna.curiel at owasp.org>
> Cc: Seba <seba at owasp.org>, OWASP Board List <owasp-board at lists.owasp.org>
> I've written this email in my head about 5 times - at this point, I might as
> well spill some digital ink and get these thoughts out of my head.
> <rant>
[big snip]
> So, in a time where part of my job as a full-time OWASP staff member is to prepare
> and budget for 2017 to try to make projects better, I think it's time I become a
> strong and vocal advocate for Projects at OWASP.
> I think Chapters are great - I'm involved in 2 of them in Texas - but
> Chapters don't seem to need a vocal advocate.  Plus, if you think Projects
> are of equal importance to Chapters at OWASP, we have to seriously
> reallocate funds in 2017 to get them on equal footing.
> So, for the Project leaders at OWASP, I'm with you and want to make Projects
> a great home for your awesome work.  Please let me know what isn't working
> for you and I'll do everything I can to get your interests represented in
> the 2017 budget and beyond.
> Cheers!
> </rant>
First off, I want to say that I truly appreciate your support of OWASP projects
and its project leaders.

You specifically asked us to let you know "what isn't working for you". I am
attempting to do that here, but in all honesty, I'm not sure how much of it
can be fixed via 2017 budget adjustments.

As a person who has been involved in several different OWASP projects
(ESAPI, Dev Guide, Cheat Sheet series, and to a much lesser degree [via
GSoC mentoring] AppSensor, ZAP, and CSRFProtector; including being a
project co-lead for ESAPI since sometime in 2011), I have observed that
the success or failure of an OWASP project is not tied as much to having
sufficient budget as it is having active participants volunteering their
time. And while reasonable amounts of budget _may_ be able to entice
people to submit bug fixes / enhancements via GitHub pull requests, in
the long term, I do not feel that is sustainable. OWASP does not have the
funds to hire full time developer(s) for all of its flagship projects much
less all of the OWASP projects, and even if we did, that would not
necessarily guarantee the success of those projects.

So, while I wholeheartedly support the request for OWASP to supplement or
match ZAP's project funding of the bug bounty program, I think we need to
step back and ask ourselves why we have so many new projects that get
stuck in incubator stage, several older lab projects that are stuck in the lab
phase or that were demoted from flagship status (looking at you here, ESAPI!),
and even flagship projects that seem to just die a whimpering death because of
increasing time between releases.

I don't claim to be able to answer this for all projects, but here are some
of the observations from where I sit from my project involvement, especially
with my ESAPI involvement. Take it for what it's worth, which may be nothing.

* Project leaders are overwhelmed in trying to drum up volunteers. Most of
  us are developers or appsec people, not project evangelists. Many of us
  have only limited exposure to the appsec community, so other than our
  project's or OWASP leader's mailing lists, our local OWASP chapter, or
  former colleagues, we don't have a large base of people from whom we can
  drum up support. I think it would be nice if we had a formal way on the
  OWASP wiki to ask for volunteers similar to how one can do that on
  SourceForge. I'm not sure if that would help significantly, but it sure
  doesn't seem like it would hurt.

* The skill set needed for a project leader is more one of being a project
  manager and evangelist than it is one of having good technical skills.
  Speaking at least for myself, those skills are not my strong suit; in fact,
  that is why, after all these years, I still choose the technical track
  rather than the management track in my day job even though generally the
  pay scale is better in the latter. I "took" the job merely because Chris
  Schmidt and I got volunteered by Jim Manico and no one else seemed to want it.
  And had Chris not also been willing to step up, I would have rejected
  it outright. I admit that it's not something that I'm very good at. I am
  only doing it because I believe in the project, not because its skill set
  is something at which I excel. Leading a technical team at a day job
  is very, very different than leading a team of volunteers. I've done the
  former several times and have always been successful at it. But cajoling
  volunteers requires a very different set of skills IMO.

* Many people, or companies / organizations, say they will step up and
  volunteer, but then you either never hear from them again or they
  start working on a bug and then you never hear back from them. And I think
  that I speak for several other project leaders when I say that we feel
  uncomfortable asking people (especially repeatedly) "whatever happened
  to that bug you were working on?". It's hard to get volunteers; it's harder to
  keep them. It's even harder to keep them engaged for the long term. There are
  several reasons for that (e.g., people switching their day jobs and no longer
  having time, or things like getting married or having kids) and it is
  extremely awkward to ask anyone to place an OWASP project as a higher
  priority over those things. I flat out won't do that and I don't think
  most other project leaders would either.

* Projects languish because they need help with expertise for skills that their
  current volunteers do not have. Yes, we can ask on the leaders' list or our
  project-specific list, but in my experience that has seldom been successful
  in identifying resources when the assistance required is more than can be
  provided via a simple email reply or two. If it requires someone
  actually rolling up their sleeves and creating a pull request, that seldom
  happens.  I will give you 3 examples of this for ESAPI where I've looked for
  assistance and have failed to get sufficient technical help:
    -- Assistance with Maven problems and pom.xml tweaks
    -- Assistance with git and GitHub
    -- Assistance with crypto (in terms of code review; eventually got the NSA
       to provide that and we know how that turned out)
  How would I like to see OWASP help projects in this regard? Perhaps by
  providing some sort of skill set database where people would be able
  to volunteer their expertise. For example, someone might be willing to
  say "I have expertise in Maven and would be willing to provide hands-on
  assistance of up to 4 hours/week for up to 3 weeks". Why is this important?
  Because, in my experience, asking a specific individual who is knowledgeable
  and has already volunteered their time and is willing to provide hands-on
  assistance rather than just a reference to some Maven-related URL (hey, I
  can Google with the best of them! :) is much more likely to be helpful
  than just blasting out some broad request on the OWASP leaders list or
  on Stack Exchange or a similar forum. Maybe this is where the project budget
  pool is willing to help. Maybe those experts feel a need to be compensated for
  their time (versus simply being recognized as an additional contributor).
  I don't know, but that certainly seemed like the case back in 2010 when I
  was looking for some volunteers to perform a code review of the < 3KLOC of
  crypto code in ESAPI. (We did receive a couple of responses to help but
  they wanted a sum of money that we couldn't come close to providing; I
  recall one person wanting $10k to review 3KLOC!)

* Lastly, to bring this somewhat back to relevance of the budget topic at
  hand that started all of this off, providing bug bounties for at least
  ESAPI is close to the bottom of my priority list. In fact, in cooperation
  with Fabio Cerullo, ESAPI tried that for a 6 month period, willing to
  pay bounties up to $250 IIRC. We got zero takers. (Note that we were
  asking for people to FIX some issues, not to merely identify new security
  related bugs. IMHO, we have to fix the bugs that we know about first
  instead of just hunting for new ones.)

Keep in mind, this is merely *my* perspective, first from a project co-lead
position on ESAPI and secondly from my contributor view on the other projects
I noted. I am sure that others involved with projects have other perspectives
and I would be interested in hearing their feedback as well.

Thanks for listening.

Best regards,
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.