[Owasp-leaders] Advocating for OWASP Projects - need your help

psiinon psiinon at gmail.com
Sun Nov 13 11:30:36 UTC 2016


I completely agree with Kevin in that lack of money is not the biggest
issue for OWASP projects.
It's time.
Projects take up a huge amount of time, and OWASP doesn't have the funds to
employ full time developers.

So here's a question for all of you - who are the biggest investors in OWASP
right now?
Don't bother looking at https://www.owasp.org/index.php/Acknowledgements
because at least 2 of the biggest supporters aren't on there.

Mozilla pays me to spend well over 50% of my time on ZAP, and the Linux
Foundation sponsors Ricardo (thc202) to work full time on ZAP. In both
cases these organizations spend more than the $20,000 required to be a
'Premier Corporate Member' but they don't even get a mention.
I'd argue that these contributions are actually worth far more than their
monetary value.

If we want projects to thrive and grow then we need to convince
organisations to sponsor people to work on OWASP projects. I can't think of
anything more important than this.
How we do that I don't know, but properly thanking some of the existing
supporters would be a good start ;)

Providing more help to encourage and manage contributors would also help a
lot, but that's another topic.

Cheers,

Simon

On Sat, Nov 12, 2016 at 5:55 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> On Fri, Nov 11, 2016 at 12:34 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
> > Apologies for posting the same thing to two lists, but I wanted to share
> > my thoughts more broadly than just the board list.
> >
> > In response to the board thread here, I wrote the following.
> >
> > TLDR:  When projects have so little funds vs chapters, why does it take
> > 21 emails to spend 1.4% of the Project Outreach budget on Zap - one of our
> > project Rockstars?
> >
> > ---------- Forwarded message ----------
> > From: Matt Tesauro <matt.tesauro at owasp.org>
> > Date: Fri, Nov 11, 2016 at 11:26 AM
> > Subject: Re: [Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017
> > To: johanna curiel curiel <johanna.curiel at owasp.org>
> > Cc: Seba <seba at owasp.org>, OWASP Board List <owasp-board at lists.owasp.org>
> >
> > I've written this email in my head about 5 times - at this point, I
> > might as well spill some digital ink and get these thoughts out of my head.
> >
> > <rant>
> >
> [big snip]
> >
> > So, in a time where part of my job as a full-time OWASP staff is to prepare
> > and budget for 2017 to try to make projects better, I think it's time I
> > become a strong and vocal advocate for Projects at OWASP.
> >
> > I think Chapters are great - I'm involved in 2 of them in Texas - but
> > Chapters don't seem to need a vocal advocate.  Plus, if you think
> > Projects are of equal importance to Chapters at OWASP, we have to seriously
> > reallocate funds in 2017 to get them on equal footing.
> >
> > So, for the Project leaders at OWASP, I'm with you and want to make
> > Projects a great home for your awesome work.  Please let me know what isn't
> > working for you and I'll do everything I can to get your interests
> > represented in the 2017 budget and beyond.
> >
> > Cheers!
> >
> > </rant>
>
> Matt,
>
> First off, I want to say that I truly appreciate your support of OWASP
> projects and its project leaders.
>
> You specifically asked us to let you know "what isn't working for you". I
> am attempting to do that here, but in all honesty, I'm not sure how much of
> it can be fixed via 2017 budget adjustments.
>
> As a person who has been involved on several different OWASP projects
> (ESAPI, Dev Guide, Cheat Sheet series, and to a much lesser degree [via
> GSoC mentoring] AppSensor, ZAP, and CSRFProtector; including ESAPI as
> a project co-lead for ESAPI since sometime in 2011), I have observed that
> the success or failure of an OWASP project is not tied as much to having
> sufficient budget as it is having active participants volunteering their
> time. And while reasonable amounts of budget _may_ be able to entice
> people to submit bug fixes / enhancements via GitHub pull requests, in
> the long term, I do not feel that is sustainable. OWASP does not have the
> funds to hire full time developer(s) for all of its flagship projects much
> less all of the OWASP projects, and even if we did, that would not
> necessarily guarantee the success of those projects.
>
> So, while I wholeheartedly support the request for OWASP to supplement or
> match ZAP's project funding of the bug bounty program, I think we need to
> step back and ask ourselves why we have so many new projects that get
> stuck in incubator stage, several older lab projects that are stuck in the
> lab phase or that were demoted from flagship status (looking at you here,
> ESAPI!), and even flagship projects that seem to just die a whimpering
> death because of increasing time between releases?
>
> I don't claim to be able to answer this for all projects, but here are some
> of the observations from where I sit from my project involvement,
> especially with my ESAPI involvement. Take it for what it's worth, which may
> be nothing.
>
> * Project leaders are overwhelmed in trying to drum up volunteers. Most of
>   us are developers or appsec people, not project evangelists. Many of us
>   have only limited exposure to the appsec community, so other than our
>   project's or OWASP leader's mailing lists, our local OWASP chapter, or
>   former colleagues, we don't have a large base of people from whom we can
>   drum up support. I think it would be nice if we had a formal way on the
>   OWASP wiki to ask for volunteers similar to how one can do that on
>   SourceForge. I'm not sure if that would help significantly, but it sure
>   doesn't seem like it would hurt.
>
> * The skill set needed for a project leader is more of one of being a
>   project manager and evangelist than it is one of having good technical
>   skills. Speaking at least for myself, those skills are not my strong suit;
>   in fact, after all these years, I still choose to be on a technical track
>   rather than a management track in my day job even though generally the
>   pay scale is better in the latter. I "took" the job merely because Chris
>   Schmidt and I got volunteered by Jim Manico and no one else seemed to want
>   it. And had Chris not also been willing to step up, I would have rejected
>   it outright. I admit that it's not something that I'm very good at. I am
>   only doing it because I believe in the project, not because its skill
>   set is something at which I excel. Leading a technical team on a day job
>   is very, very different than leading a team of volunteers. I've done the
>   former several times and have always been successful at it. But cajoling
>   volunteers requires a very different set of skills IMO.
>
> * Many people, or companies / organizations, say they will step up and
>   volunteer, but then you either never hear from them again or they
>   start working on a bug and then you never hear back from them. And I
>   think that I speak for several other project leaders when I say that we
>   feel uncomfortable asking people (especially repeatedly) "whatever
>   happened to that bug you were working on?". It's hard to get volunteers;
>   it's harder to keep them. It's even harder to keep them engaged long-term.
>   There are several reasons for that (e.g., people switching their day jobs
>   and no longer having time, or things like getting married or having kids)
>   and it is extremely awkward to ask anyone to place an OWASP project as a
>   higher priority over those things. I flat out won't do that and I don't
>   think most other project leaders would either.
>
> * Projects languish because they need help with expertise for skills that
>   their current volunteers do not have. Yes, we can ask on the leader's list
>   or our project specific list but in my experience that has seldom been
>   successful in identifying resources that require assistance of something
>   more than can be provided via a simple email reply or two. If it requires
>   someone actually rolling up their sleeves and creating a pull request,
>   that seldom happens.  I will give you 3 examples of this for ESAPI where
>   I've looked for assistance and have failed to get sufficient technical
>   help:
>     -- Assistance with Maven problems and pom.xml tweaks
>     -- Assistance with git and GitHub
>     -- Assistance with crypto (in terms of code review; eventually got the
>        NSA to provide that and we know how that turned out)
>   How would I like to see OWASP help projects in regards to this? Perhaps
>   by providing some sort of skill set database where people would be able
>   to volunteer their expertise. For example, someone might be willing to
>   say "I have expertise in Maven and would be willing to provide hands-on
>   assistance of up to 4 hours/week for up to 3 weeks". Why is this
>   important? Because, in my experience, asking a specific individual who is
>   knowledgeable and has already volunteered their time and is willing to
>   provide hands-on assistance rather than just a reference to some
>   Maven-related URL (hey, I can Google with the best of them! :) is much
>   more likely to be helpful than just blasting out some broad request on the
>   OWASP leaders list or on Stack Exchange or similar forum. Maybe this is
>   where the project budget pool is willing to help. Maybe those experts feel
>   a need to be compensated for their time (versus simply being recognized as
>   an additional contributor). I don't know, but that certainly seemed like
>   the case back in 2010 when I was looking for some volunteers to perform a
>   code review of the < 3KLOC of crypto code in ESAPI. (We did receive a
>   couple of responses to help but they wanted a sum of money that we
>   couldn't come close to providing; I recall one person wanting $10k to
>   review 3KLOC!)
>
> * Lastly, to bring this somewhat back to relevance of the budget topic at
>   hand that started all of this off, providing bug bounties for at least
>   ESAPI is close to the bottom of my priority list. In fact, in cooperation
>   with Fabio Cerullo, ESAPI tried that for a 6 month period, willing to
>   pay bounties up to $250 IIRC. We got zero takers. (Note that we were
>   asking for people to FIX some issues, not to merely identify new security
>   related bugs. IMHO, we have to fix the bugs that we know about first
>   instead of just hunting for new ones.)
>
> Keep in mind, this is merely *my* perspective, first from a project co-lead
> position on ESAPI and secondly from my contributor view on other projects
> I noted. I am sure that others involved with projects have other
> perspectives and I would be interested in hearing their feedback as well.
>
> Thanks for listening.
>
> Best regards,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader