[Owasp-leaders] Advocating for OWASP Projects - need your help

Sherif Mansour sherif.mansour at owasp.org
Sun Nov 13 14:54:28 UTC 2016


+1 with Simon. I would like better collaboration between OWASP and the
projects to recognise that developer time & contributions are a more important
resource to an OWASP *project* than funding.
Funding, after all, is a means to an end, which mainly goes to paying dev
resources to build new features, bug fixes and participation. Also note
that paying for a developer is not always the best way of getting
participation.

*@Johanna,* I would like to echo Simon's point and clarify a bit more.

Any successful project requires two things:

   1. It solves a useful problem
   2. You are able to convince a significant number of people that your
   project is the best solution to their problem

In ZAP's case one of their key successes is that Mozilla & Linux Foundation
were convinced that ZAP is the best solution to their problem.

They contributed money and developer time in order to continue to maintain
and improve it.
This is a small microcosm of what OWASP projects need in general, i.e.
organisations and people working roughly on the same thing being convinced
that they are better off investing in the OWASP project, and building it
out together out in the open.

I work for a large tech company, and we, for example, got an intern to
contribute code to ZAP
https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
for automation. By communicating it to the rest of the community:
https://www.reddit.com/r/netsec/comments/56h3k6/scripts_that_automate_owasp_zap_as_part_of_a/d8k8jy7/
we got feedback from other security engineers internationally who were
looking to do something similar and would drop their work to embrace this
solution if it meets their needs.

*@Johanna*, working with OWASP project leads to understand their roadmaps
and estimates for the work involved would be the first step, so that if OWASP
reaches out to foundations that would provide research grants and funding,
then OWASP has a clear set of benefits/added values these foundations could
understand and agree to fund, i.e.:
"We need these contributions to go towards building a safer internet and we
will do this by releasing free tools and best practices and training
developers and security engineers on how to use/adopt them"

As part of building out that strategy we'll need a list of foundations we
would want to eventually approach in order to get those funds. Given the
level of concern the world has regarding security right now, there should
be a few foundations that are aligned with our interests.

Additionally, before we jump into solutioning, i.e. community portal and
community manager, we would need a quick plan/process as to how this is
going to look and add value to OWASP. It's a great idea, but in order for us
to move the needle we need to plan out what its goals are and how it will
set out to do this, i.e.:

   - How will projects know about/leverage the community solution to ask for
   help?
   - How will it increase its membership and participation?
   - How will it get more developers to contribute code, etc.?

Hope this helps

-Sherif

On Sun, Nov 13, 2016 at 12:18 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>If we want projects to thrive and grow then we need to convince
> organisations to sponsor people to work on OWASP projects. I can't think of
> anything more important than this.
>
> Exactly, we need to help those thriving projects get sponsors or submit to
> grant funds. It is essential that we keep in mind this requires commitment
> from the Project leader.
>
> >>How we do that I don't know, but properly thanking some of the existing
> supporters would be a good start ;)
>
> >>Providing more help to encourage and manage contributors would also help
> a lot, but that's another topic..
>
> That's why we need the Volunteer Portal, which is one of the major tasks and
> goals for the Community manager. Without a proper portal, we will not be
> able to get and patch contributors to projects or activities.
>
> The volunteer portal was also a task of the past Community manager but
> nothing was delivered. I'm hoping and pushing this as a high pro in the
> agenda.
>
> On Sun, Nov 13, 2016 at 12:30 PM, psiinon <psiinon at gmail.com> wrote:
>
>> I completely agree with Kevin in that lack of money is not the biggest
>> issue for OWASP projects.
>> It's time.
>> Projects take up a huge amount of time, and OWASP doesn't have the funds
>> to employ full time developers.
>>
>> So here's a question for all of you - who are the biggest investors in
>> OWASP right now?
>> Don't bother looking at https://www.owasp.org/index.php/Acknowledgements
>> because at least 2 of the biggest supporters aren't on there.
>>
>> Mozilla pays me to spend well over 50% of my time on ZAP, and the Linux
>> Foundation sponsors Ricardo (thc202) to work full time on ZAP. In both
>> cases these organizations spend more than the $20,000 required to be a
>> 'Premier Corporate Member' but they don't even get a mention.
>> I'd argue that these contributions are actually worth far more than their
>> monetary value.
>>
>> If we want projects to thrive and grow then we need to convince
>> organisations to sponsor people to work on OWASP projects. I can't think of
>> anything more important than this.
>> How we do that I don't know, but properly thanking some of the existing
>> supporters would be a good start ;)
>>
>> Providing more help to encourage and manage contributors would also help
>> a lot, but that's another topic..
>>
>> Cheers,
>>
>> Simon
>>
>> On Sat, Nov 12, 2016 at 5:55 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>> wrote:
>>
>>> On Fri, Nov 11, 2016 at 12:34 PM, Matt Tesauro <matt.tesauro at owasp.org>
>>> wrote:
>>> > Apologies for posting the same thing to two lists, but I wanted to
>>> > share my thoughts more broadly than just the board list.
>>> >
>>> > In response to the board thread here, I wrote the following.
>>> >
>>> > TLDR: When projects have so little funds vs chapters, why does it
>>> > take 21 emails to spend 1.4% of the Project Outreach budget on Zap - one
>>> > of our project Rockstars.
>>> >
>>> > ---------- Forwarded message ----------
>>> > From: Matt Tesauro <matt.tesauro at owasp.org>
>>> > Date: Fri, Nov 11, 2016 at 11:26 AM
>>> > Subject: Re: [Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017
>>> > To: johanna curiel curiel <johanna.curiel at owasp.org>
>>> > Cc: Seba <seba at owasp.org>, OWASP Board List <owasp-board at lists.owasp.org>
>>> >
>>> > I've written this email in my head about 5 times - at this point, I
>>> > might as well spill some digital ink and get these thoughts out of my head.
>>> >
>>> > <rant>
>>> >
>>> [big snip]
>>> >
>>> > So, in a time where part of my job as a full-time OWASP staff is to
>>> > prepare and budget for 2017 to try to make projects better, I think it's
>>> > time I become a strong and vocal advocate for Projects at OWASP.
>>> >
>>> > I think Chapters are great - I'm involved in 2 of them in Texas - but
>>> > Chapters don't seem to need a vocal advocate. Plus, if you think
>>> > Projects are of equal importance to Chapters at OWASP, we have to seriously
>>> > reallocate funds in 2017 to get them on equal footing.
>>> >
>>> > So, for the Project leaders at OWASP, I'm with you and want to make
>>> > Projects a great home for your awesome work. Please let me know what isn't
>>> > working for you and I'll do everything I can to get your interests
>>> > represented in the 2017 budget and beyond.
>>> >
>>> > Cheers!
>>> >
>>> > </rant>
>>>
>>> Matt,
>>>
>>> First off, I want to say that I truly appreciate your support of OWASP
>>> projects and its project leaders.
>>>
>>> You specifically asked us to let you know "what isn't working for you".
>>> I am attempting to do that here, but in all honesty, I'm not sure how much
>>> of it can be fixed via 2017 budget adjustments.
>>>
>>> As a person who has been involved on several different OWASP projects
>>> (ESAPI, Dev Guide, Cheat Sheet series, and to a much lesser degree [via
>>> GSoC mentoring] AppSensor, ZAP, and CSRFProtector; including ESAPI as
>>> a project co-lead for ESAPI since sometime in 2011), I have observed that
>>> the success or failure of an OWASP project is not tied as much to having
>>> sufficient budget as it is having active participants volunteering their
>>> time. And while reasonable amounts of budget _may_ be able to entice
>>> people to submit bug fixes / enhancements via GitHub pull requests, in
>>> the long term, I do not feel that is sustainable. OWASP does not have the
>>> funds to hire full time developer(s) for all of its flagship projects,
>>> much less all of the OWASP projects, and even if we did, that would not
>>> necessarily guarantee the success of those projects.
>>>
>>> So, while I wholeheartedly support the request for OWASP to supplement or
>>> match ZAP's project funding of the bug bounty program, I think we need to
>>> step back and ask ourselves why we have so many new projects that get
>>> stuck in incubator stage, several older lab projects that are stuck in
>>> the lab phase or that were demoted from flagship status (looking at you
>>> here, ESAPI!), and even flagship projects that seem to just die a
>>> whimpering death because of increasing time between releases?
>>>
>>> I don't claim to be able to answer this for all projects, but here are some
>>> of the observations from where I sit from my project involvement,
>>> especially with my ESAPI involvement. Take it for what it's worth, which
>>> may be nothing.
>>>
>>> * Project leaders are overwhelmed in trying to drum up volunteers. Most
>>>   of us are developers or appsec people, not project evangelists. Many of us
>>>   have only limited exposure to the appsec community, so other than our
>>>   project's or OWASP leader's mailing lists, our local OWASP chapter, or
>>>   former colleagues, we don't have a large base of people from whom we
>>>   can drum up support. I think it would be nice if we had a formal way on
>>>   the OWASP wiki to ask for volunteers similar to how one can do that on
>>>   SourceForge. I'm not sure if that would help significantly, but it sure
>>>   doesn't seem like it would hurt.
>>>
>>> * The skill set needed for a project leader is more one of being a
>>>   project manager and evangelist than it is one of having good technical
>>>   skills. Speaking at least for myself, those skills are not my strong
>>>   suit; it is in fact, while after all these years, I still choose to be
>>>   technical track rather than a management track in my day job even though
>>>   generally the pay scale is better in the latter. I "took" the job merely
>>>   because Chris Schmidt and I got volunteered by Jim Manico and no one else
>>>   seemed to want it. And had Chris not also been willing to step up, I would
>>>   have rejected it outright. I admit that it's not something that I'm very
>>>   good at. I am only doing it because I believe in the project, not because
>>>   its skill set is something at which I excel. Leading a technical team at
>>>   a day job is very, very different than leading a team of volunteers. I've
>>>   done the former several times and have always been successful at it. But
>>>   cajoling volunteers requires a very different set of skills IMO.
>>>
>>> * Many people, or companies / organizations, say they will step up and
>>>   volunteer, but then you either never hear from them again or they
>>>   start working on a bug and then you never hear back from them. And I
>>>   think that I speak for several other project leaders when I say that we
>>>   feel uncomfortable asking people (especially repeatedly) "whatever
>>>   happened to that bug you were working on?". It's hard to get volunteers;
>>>   it's harder to keep them. It's even harder to keep them engaged for the
>>>   long term. There are several reasons for that (e.g., people switching
>>>   their day jobs and no longer having time, or things like getting married
>>>   or having kids) and it is extremely awkward to ask anyone to place an
>>>   OWASP project as a higher priority over those things. I flat out won't
>>>   do that and I don't think most other project leaders would either.
>>>
>>> * Projects languish because they need help with expertise for skills
>>>   that their current volunteers do not have. Yes, we can ask on the
>>>   leader's list or our project specific list but in my experience that has
>>>   seldom been successful in identifying resources that require assistance
>>>   of something more than can be provided via a simple email reply or two.
>>>   If it requires someone actually rolling up their sleeves and creating a
>>>   pull request, that seldom happens. I will give you 3 examples of this
>>>   for ESAPI where I've looked for assistance and have failed to get
>>>   sufficient technical help:
>>>     -- Assistance with Maven problems and pom.xml tweaks
>>>     -- Assistance with git and GitHub
>>>     -- Assistance with crypto (in terms of code review; eventually got
>>>        the NSA to provide that and we know how that turned out)
>>>   How would I like to see OWASP help projects in regards to this?
>>>   Perhaps by providing some sort of skill set database where people would
>>>   be able to volunteer their expertise. For example, someone might be
>>>   willing to say that "I have expertise in Maven and would be willing to
>>>   provide hands-on assistance of up to 4 hours/week for up to 3 weeks"?
>>>   Why is this important? Because, in my experience, asking a specific
>>>   individual who is knowledgeable and has already volunteered their time
>>>   and is willing to provide hands-on assistance rather than just a
>>>   reference to some Maven-related URL (hey, I can Google with the best of
>>>   them! :) is much more likely to be helpful than just blasting out some
>>>   broad request on the OWASP leaders list or on Stack Exchange or a similar
>>>   forum. Maybe this is where the project budget pool is willing to help.
>>>   Maybe those experts feel a need to be compensated for their time (versus
>>>   simply being recognized as an additional contributor). I don't know, but
>>>   that certainly seemed like the case back in 2010 when I was looking for
>>>   some volunteers to perform a code review of the < 3KLOC of crypto code
>>>   in ESAPI. (We did receive a couple of responses to help but they wanted
>>>   a sum of money that we couldn't come close to providing; I recall one
>>>   person wanting $10k to review 3KLOC!)
>>>
>>> * Lastly, to bring this somewhat back to relevance of the budget topic at
>>>   hand that started all of this off, providing bug bounties for at least
>>>   ESAPI is close to the bottom of my priority list. In fact, in
>>>   cooperation with Fabio Cerullo, ESAPI tried that for a 6 month period,
>>>   willing to pay bounties up to $250 IIRC. We got zero takers. (Note that
>>>   we were asking for people to FIX some issues, not to merely identify new
>>>   security related bugs. IMHO, we have to fix the bugs that we know about
>>>   first instead of just hunting for new ones.)
>>>
>>> Keep in mind, this is merely *my* perspective, first from a project
>>> co-lead position on ESAPI and secondly from my contributor view on other
>>> projects I noted. I am sure that others involved with projects have other
>>> perspectives and I would be interested in hearing their feedback as well.
>>>
>>> Thanks for listening.
>>>
>>> Best regards,
>>> -kevin
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
>
>