1 OWASP Organization

This section has the following chapters:

Table of Contents

1.1 An Idea of a new model for OWASP

Here is a post/idea that has been 18 months in the making (in fact since I stepped down as OWASP board member on 12th Feb 2011)

I wrote the text below in response to Jim Manico owasp-leaders list “What is OWASP?” thread, and am quite happy with the OWASP model that I finally was able to document.

Well Jim, I think the problem is in the currently structure of OWASP, where even when there is no malice or vendor-bias by an OWASP leader, the end result comes out that way (and can be interpreted in the way you have recently).

The key problem is that the current ‘Board, Committees and Project/Chapter leadership model’, was created for another era when OWASP was much smaller , with a very different set of problems and with a much smaller WebAppSec industry. Unfortunately, I don’t see a solution for the problem you describe (and others that OWASP has) until that structure is changed.

For a while there was the ’…is OWASP run by Aspect Security?’ now is the ’…is OWASP run by Trustwave?’ maybe next is the ’… is OWASP run by WhiteHat?’ . Until the Board and Committees stop being seen as positions of Power + Kudos + Reputation + Carrer Advancement + ‘PressReleases created on appointment’, this will not be resolved. For example, it is very damaging that OWASP leaders think that they need to be Board/Committee members to get things done. This is not only false, but it creates a power-vacum where other OWASP leaders think that _‘something is being done’ _or that _‘its the other dude responsibility to do that!’. _

The reason why I left the Board 18 months ago was because I realised that the model that we had created for OWASP (which worked so well until then) was expiring and a new model was needed.

Jim description of ‘OWASP is a non-profit community-service based organization’ is absolutely spot-on, and OWASP needs (in my opinion) a Board and ‘Committees’ (or what ever name they are rebranded as) that are focused on that simple but powerful word: **Community **(we will need some creativity on what body/group should have the operational parts of the current Committees that are currently working very well)

I think the time has come to handle most of the OWASP ‘Power and Responsibilities’ to the OWASP employees who know OWASP more than any of us. Maybe we have a system where operational questions (like budgets, salaries, structures, etc…) are voted by majority.

We really need to re-focus OWASP Leaders energy in getting things done and re-invent OWASP in a lean, open, collaborative and effective community (and organization).

OWASP will still need a Board (or whatever name that is rebranded as). But that Board should be 99% focused on Community issues (i.e. how to empower OWASP Leaders to be productive, creative, empowered, happy). And for the_ ‘but OWASP legally needs a board’ _crowd, the other 1% would be to accept the decisions taken by OWASP’s leadership community and employees.

We probably will need to hire more employees to really make this work, and as per the model I’m proposing here, that decision should not be made by the ‘Board or Committees’. That decision should be made by the current employees :)

The good news is that OWASP is in an strong financial position to make this work, the not so good news is that I don’t think this will happen any time soon. And the hard decisions that only a ‘truly independent voice’ (i.e. the employees) would be able to make, will have to wait a couple more months/years.

I don’t know the author or the source, but one of the best quotes I’ve heard is ”….sometimes the best way to find the solution for a problem is to redefine the problem…“ :)

Meanwhile … OWASP is still an amazing organization, doing amazing stuff and making a difference in the WebAppSec world.

I just want us to REALLY make a difference. Using the mountain analogy in the Trillions video , I want us to be climbing the BIG mountain (not the smaller one we have been climbing over the last 10 years)

I don’t want to look back when I’m old to OWASP and say: _‘we did well, but we missed our window of opportunity to change the world’ _

I want to look back and say: “We did out best, and changed the world”

1.2 I wish that OWASP in 2014 ….

In 2014, it would be amazing if OWASP has:

  • an environment where:
    • developers collaborate with security professionals
    • ‘Secure coding questions’ can be asked and answered
    • browser and framework vendors/creators come together to work on the hard problem of ‘web security’
    • governments, companies and ‘web players’, come together to define (and present) action-plans, standards and deliverables
    • the latest research is presented and the new generation of security-focused developers/researchers can find home(s) to develop, nurture and present their ideas
  • OWASP projects (tools, documents, services) that:
    • have so much quality that they are ‘best in class’ and raise the bar for the whole industry
    • are funded because: a) they add really value, and b) users want/need the next versions/features/bug-fixes (see OWASP Project Partnership Model)
    • generate enough revenue that allows full-time staff (devs, qa, documentation, etc…) to be paid at fair market value (for their skills). With a cavet that OWASP cannot pay its leaders
    • are easily consumed by other tools (the project’s materials and capabilities)
    • add so much value to companies, that they become OWASP Paid Corporate members, not because it is the ‘right thing to do’ but because they get so much value from it that they don’t want the ‘OWASP train’ to slow down
    • have a lot of resources available to them (with real/tangent benefits for being an ‘OWASP project’)
    • are given a ‘fair change’ to succeed and mature (with ‘non performing/accepted’ projects quickly removed), taking into account that a lot of projects are just an (healthy) way to create ‘OWASP Leaders’
    • can be consumed from the developer’s IDEs and integrated into the multiple SDL phases/activities
    • can be consumed from ‘cloud services’
  • multiple ecosystems targeted to specific languages, frameworks and communities
  • OWASP chapters that deliver regular training sessions and ‘hands-on’ workshops to its community
  • universities that teach OWASP materials (and that share them for others to use)
  • colleges/schools that use OWASP materials to create a new generation of developers and security professionals that have passion, love to hack and respect the art of ‘creating secure code’
  • OWASP conferences that bring together the OWASP leaders (in a very non-cost-effective way) so that those leaders can work together, present their ideas and meet its users
  • OWASP conferences/chapters that do presentations under a TED-like format (15m max), with its videos reaching wide audiences
  • OWASP conferences/chapters that publish: books of its presentations, academic papers, panel’s conclusions/recommendations/action-plans
  • co-organised events at non-OWASP conferences (specially on developer-focused large conferences)
  • lots and lots and lots of OWASP booths at non-OWASP events (in fact every ‘mid size’ OWASP chapter should do it at local conferences/events)
  • a ‘owasp leader hospitality program’ that looks after OWASP leaders when they travel (to OWASP events)
  • very small (if any) instances of ‘OWASP leaders burned out’ cases (this usually happens to conference’s organisers)
  • strong demands on its project leaders/contributors to present regularly at OWASP conferences and chapters
  • an ‘project reviewers/users’ community that works with OWASP projects in reviewing, mentoring and using those projects
  • a ‘serendipity’ social graph engine that connects OWASP leaders/contributors with each other (when they are traveling around the world)
  • multiple mobile apps that make OWASP ‘goodness’ easy to find and consume
  • very few barriers of entry for new ideas to occur (and projects and chapters to be created)
  • low tolerance for non performing activities, projects, chapters or ‘leaders’ (i.e. when something is not working, remove/clean/break it very quickly it)
  • an army of editors for the OWASP Wiki, with very high rigour and quality-requirements for its content
  • a much bigger OpsTeam (OWASP Operational Team) that makes this all possible, empowers OWASP’s leaders and makes the hard decisions required to keep OWASP’s community working
  • a much more transparent and open OpsTeam where 99% of emails and other OWASP related activities are published and easily consumed (think email boxes published with read-only/viewing privileges)
  • a model where OWASP leaders are empowered to make financial decisions/commitments and spend the available OWASP funds in the way they believe is best, with no (very little) questions asked and very fast approval cycles (see the GSD project for details)
  • a reputation-based trust model where OWASP leaders/contributors are highly respected (and valued) by its peers, employees and industry (think StackOverflow points/badges solution)
  • a high standard for ‘what is an OWASP leader’ based on respect, talent, energy and deliverables
  • a model where it doesn’t matter what title an OWASP leader has, but what has he/she created or delivered
  • a number of certifications based on the model described in the OWASP Red Book , and wide adoption of the other books: Green, Blue, Yellow, Purple and Gray
  • lots and lots and lots of writing on OWASP’s and WebAppSec ideas, topics, strategies, etc… (both in agreement and disagrement on what is happening). The resulting arguments (both pro and con) should then be consolidated in easy to consume and distributed packages
  • large number of isolated ‘owasp houses’ where it is possible to go and spend dedicated time just coding, learning, collaborating, debating, fixing apps, breaking apps, writing SAST/DAST rules, etc…
  • Invested in Developing Software Security Talent under Mark’s or similar programs
  • The OWASP CheatSheets are available in a number of formats (book, tablets, mobile, IDEs)
  • helped to create a set of common schemas and rules for the multiple SAST, DAST and ‘everything in between’ tools
  • a website that is easily consumed and its content forked (with the content available as git repositories)
  • a collaborative/thread discussion environment (think StackOverflow or Reddit vs the current mailman solution)
  • a proper OWASP books collection and distribution on major bookstores/eStores (as per the original vision and design)
  • a place at the table on the most important web application security related discussions/threads
  • multiple summits where everything comes together and everybody is working 100% of the areas they are passioned about, collaborating with other like minded individuals and creating magic
  • regular ‘OWASP Tours’ where multi-city/country events allow ideas/projects to be presented, debated and improved
  • an active role in the evolution of the new generation of fast-deployment-SDLs (in public or private clouds) with security baked into the ‘deploy’ workflow
  • a number of standards that allow the pragmatic evaluation of security services (by commercial vendors) so that the best ones are rewarded for their excellence
  • a standard for the first generation of Software/Application Security Labels that would allow consumers to make informed decisions
  • helped and accelerated the change of focus/investment on ‘Network Security’ into ‘Application Security’. Note: this would expand the current AppSec market by 10x (and OWASP by 10x)
  • helped to bridge the gap between the application security industry and the software-development industry, where they realize that the tools (and services) currently provided in the AppSec world can add a LOT of value (after a couple tweaks). Note: this would expand the current AppSec market (and OWASP) by another 10x

The best part is that this is all doable because OWASP already has enough funds, community, brand and people to kickstart this.

The question is if the focus/energy is there….

UPDATE: Related posts written after this one (see also the posts tagged with the OWASP label)

1.3 Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships

Just went to Wikipedia and saw this:

which just sounded fair (and much better that looking at Jimmy’s eyes :) ), so I clicked on the **Please Help **Button and used Paypal to help with £20:

and since it was so easy to retweet, I also did that too :)

I think it is very important for Wikipedia to have a funding model that keeps it ad free and comes directly from it’s users (which means that the ‘Wikipedia Users’ are the ‘Wikipedia Customers’ instead of being the ‘Wikipedia Product’ (which btw, is what users are for Google, Facebook, Twitter, etc..)).

In fact that is why it was such an easy decision for me to ‘help’ (which is a better word than ‘donate’) since I value Wikipedia’s services (provided by its operational machine) and I want to be Wikipedia’s Customer not its Product

Now OWASP really needs to figure out a similar model, since the current membership model works OKish but creates massive conflicts of interrest.

Ideally OWASP should be funded by its users, not by the companies that provides services to its users.

Of course that there are some exceptions (like Mozilla) but if you look at the shopping list of logos that is the membership page that is a massive security product/vendor collection.

And btw, I think the time as come to remove the OWASP Membership logos from the HomePage, its getting ridiculous:

Are we really THAT independent and vendor neutral?

Here is an interesting question (since OWASP generates revenue and is profitable):** WHO and WHAT are OWASP’s product? I.e. what is OWASP really selling? **

As an OWASP Leader, am I the product? or the customer?
As an OWASP User, am I the product? or the customer?
As an OWASP Corporate Member, am I the product? or the customer?
As an OWASP AppSec Conference or Chapter speaker, am I the product? or the customer?
As an OWASP AppSec Conference or Chapter attendee, am I the product? or the customer?

This actually takes me to another really interesting question which is ‘**What is the drive behind an OWASP Corporate Memberships’ **(the 5k USD one)?

My theory is that in most cases (90%+) these memberships are directly connected to an OWASP leader (I don’t think this analysis has been done, but from all the OWASP leaders I know, this fells right). Important questions to answer are:

  • “what is the time-delta between ‘somebody’ becoming an OWASP leader, and the company he/she is working for, becoming an OWASP Corporate member?”
  • “how many __OWASP Corporate members exists that have NO OWASP leader(s) in its payroll?’
  • “how many lapsed (or not renewed) OWASP Corporate Memberships happened from companies whose past (in payroll) OWASP Leader(s) are not ‘active at OWASP’ any more?”
  • “how many __OWASP Corporate members exists from companies that provide NO security services or products”
  • “how many __OWASP Corporate members exists from ‘development organisations’ (i.e. companies or groups focused on writing secure code)” (for example it doesn’t look like Etsy is a member)

What is important about this idea, is that IF OWASP memberships are a direct or ‘natural’ consequence/evolution of an OWASP Leader existence, that would mean that OWASP’s lack of focus on its leaders, is not only ‘the wrong thing to do’ but a very bad business decision.

One of the things I tried most when I was a board member was to get OWASP to take more care about its leaders, and it was always an up-hill battle because there is this view that ‘hey the leaders contribute because they want’ (I remember having to argue hard for the concepts of ‘OWASP Leaders are given free OWASP Memberships’ _and _‘OWASP Leaders can go for free to any OWASP conference’).

It is critical for OWASP’s future to look after its leaders much better than it currently does, and if you look at my list on I wish that OWASP in 2014 …. you will see that most are ‘OWASP leaders focused’.

Focusing on OWASP Leaders is a win-win situation and what makes sense from a commercial point of view!

The more OWASP invests and looks after its leaders, the:

  • better projects OWASP will have
  • better presenters OWASP will have
  • more Corporate memberships will exist
  • more value OWASP will be providing to its key target audiences: developers/companies who want to write/buy/use secure code

1.4 OWASP Board Election: Why I voted ‘Abstain’ and why you should go on the record with your vote

(as sent to the owasp-leaders list)

I actually wanted to write a long email about his, but since I’m running out of time, here is the short version:

I just voted Abstain on the Board Election because I think that OWASP needs a new structure and the sooner we replace the current Board, Committees, etc.. with something that works, the better.

When I stepped-down from the Board 18 months ago, I did ask the other Board Members to also step-down, since my idea was that if there was no Board, we would be faced with the ‘nice problem’ to come up with a new model. Jeff was the only one that did it (I’m not taking the credit for it since he had his reasons), but the others stayed there and have since been re-elected or are part of the current election.

I had a big list of items that I wanted to raise (with more details on what is not working, areas that need to be addressed and ideas for the future), but I guess the two ones recurring themes are:

  • Are we (OWASP) really doing our best with what we have? (just think of the brain power that exists at OWASP)
  • Where is the dialog, debate, argument, passion about OWASP and AppSec? (for example, on this election, the only thing that we had were some podcast interviews (or the transcripts created via the GSD project), which I read, and …. I’m actually not going to comment since I want this to be a positive email)

Another reason to vote **Abstain **is to go on the record that I don’t agree with the current model and that (maybe) if enough OWASP leaders also vote **Abstain **, the required changes will happen faster :)

Now, **if you are going to vote, I also think that you should go on the record **about which candidates you voted for ** **(by email or wiki or your blog) .

This ‘public vote of support’ will create a two-way relationship between you (the voter) and the elected board member. It will be more transparent/open and will allow for accountability (which is another thing missing)

Note that I’m not saying that the current Board Members (and candidates) don’t work hard for OWASP and help a lot. They do , just like a lot of other owasp-leaders. It’s just that the current model is broken and if we really want OWASP to go to the next level and make a ‘dent in the WebAppSec Universe’ we need a new model.

Unless of course you think that all is great with OWASP, that we are doing the best that is possible with our human, financial and technological resources, and that no major change is need. I don’t happen to share that view :)

Finally, over the past months I’ve been thinking and blogging about OWASP, and since I know that some of you have ‘owasp-leaders email overload’, I didn’t post all of them here.

Here is a collection of some of my thinking and ideas:

I also tagged a number of posts with OWASP MIA, which where the cases where I was thinking “humm…. shouldn’t OWASP be involved in here?”

Enjoy AppSec USA (which is the first OWASP AppSec USA that I’m going to miss since they started), and please feel free to disagree with this email (and create some debate)).

1.5 OWASP Executive Director Role (Not yet)

Following the announcement sent today to the owasp-leaders list (see below), I replied with my view that OWASP doesn’t need this role today:

I think it is great that a decision to add another resource to OWASP super OpsTeam (the employees) was made, but as I said many times before I don’t think that OWASP needs a CEO/ Executive-Director today.

For the record, I DO think that one day OWASP will need such position, but not today. At the moment, my view is that we should be adding resources to help our Projects or in managing the owasp.org website content.

What we need are another Kate, Sarah, Kelly or Samantha, they still work FAR too much for OWASP and my worry is that they will implode one day. **Not sure that they need a boss to tell them what to do, if anything **I would delegate to them the powers currently ‘assigned’ to the Executive Director.

That said, assuming that this hire will go ahead, can we please have the whole process done in a transparent and open way? And by that I mean that ALL details about this job should be done via the OWASP wiki (including the ‘salary package’). We should also ask all candidates to apply publicly and to be available to answer questions from the OWASP leaders and members.

Dinis Cruz

On 9 April 2013 00:04, Michael Coates <michael.coates@owasp.org> wrote:

Leaders,

I’m excited to announce the creation of an executive director position at owasp. The motion was passed at today’s board meeting.

Here’s the public post that went out today.

http://owasp.blogspot.com/2013/04/owasp-creates-executive-director.html

OWASP Creates Executive Director Position

OWASP is driven by volunteers and the contributions of thousands all over the world. Behind the scenes there is also a group of dedicated paid staff that focus on critical operations to ensure the OWASP engine keeps running strong. This team has grown organically over the years as OWASP has recognized the need for dedicated full time individuals to focus on specific task items. In each of these areas we’ve seen great successes from our staff.

As OWASP continues to grow we must also ensure our structure and supporting operations team grows too. The next step in that growth is the creation of the OWASP Executive Director role. The individual in this role will lead the focus and resourcing of our operations team to ensure we execute on our strategic goals each year. This individual will ultimately be responsible for leading the operations team to success and will report directly to the OWASP board. This role will maximize the value our operations team provides to our community, projects and the world.

This is an exciting step forward for OWASP and a demonstration of the continued growth of our community.


Michael Coates | OWASP | @_mwc

OWASP-Leaders mailing list
OWASP-Leaders@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

1.6 OWASP Principles based on NHS?

For a while now, my view is that OWASP’s Mission, Focus and Vision should just be: “WEB APPLICATION SECURITY”

That’s it. OWASP’s community and scope is so wide (a great thing) that trying to be even more specific will end up in a massive thread and unproductive discussion (where just about everybody will be a bit right about something)

In you look at the current text in the owasp home page (which I helped to write) it says:

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

I don’t really agree with this mission, since for example I think that OWASP should be “Making Security Invisible (by Becoming the Developer’s Best Friends)”. I.e. Invisible not Visible :)

Also, where is ‘_writing secure cod_e’ on that mission :)

That said there is (some) value in documenting and talking about values and principles, so while writing the Private threads are SO inefficient, Application Security Knowledge is available at the point of Need, and Password Hashes over SSL post, I had a look at the NHS core principles and constitution, and I wonder if we can re-write them :)

Here are the seven key principles that guide the NHS, ‘OWASP Style’:

  • The NHS _OWASP provides a comprehensive service, available to all irrespective of gender, race, disability, age, sexual orientation, religion or belief_
  • Access to NHS _OWASP services (and knowledge) is based on clinical Web Application Security need, not an individual’s ability to pay_
  • The NHS __OWASP aspires to the highest standards of excellence and professionalism
  • The NHS __OWASP_ services must reflect the needs and preferences of developers, security professionals and application consumers patients, their families and their carers_
  • _The NHS __OWASP _works across organisational boundaries and in partnership with other organisations in the interest of _application security patients, local development communities and the wider population_
  • _The NHS __OWASP _is committed to providing best value for taxpayers’ money _its funds and the most effective, fair and sustainable use of finite resources_
  • _The NHS __OWASP _is accountable to the public, communities and patients _professionals it serves_

This would of course mean that OWASP’s OpsTeam (the current employees) take a much stronger role, and that the OWASP ‘machine’ is given the resources/authority to become the _strong services oriented _team that it wants to be.

A key challenge will be to do this without paying OWASP leaders (NHS does pay its doctors) which in my view shouldn’t be done. See Why OWASP can’t pay OWASP Leaders and On how to get paid to work on OWASP projects

Maybe I should add these principles to the list I wrote at I wish that OWASP in 2014 …

1.7 OWASP Revenue Splits and the “Non-profits have a charter to be innovators”

Seth Godin recent post on Non-profits have a charter to be innovators is really spot-on, and very accurately describes the problem that (I believe) exits today at OWASP

When Seth mentions that non-profits usually say: _’…We’re doing important work. Our funders count on us to be reasonable and cautious and proven, because the work we’re doing is too important to risk failure…’, _ he could be speaking on behalf of a number of OWASP Leaders, since I have heard many variations of that phrase at OWASP before (in fact you will see such variation later on this post)

Contrary to what a lot of OWASP core leaders (the ones that care and spend time on ‘OWASP the entity’) believe, OWASP doesn’t have a lack of funds problem!
**
****OWASP has a ‘how to spend money’ problem **

and a

‘Not spending enough OWASP funds’ problem!

**
**If you look at the current situation, you will find:

But, although there is enough money available, the amount spent from those budgets is very small (again I wanted to point to the real numbers, but couldn’t find them)

**So does OWASP really needs fund raising? **

**
**

**Does it really need an improved Conference/Chapter revenue model as proposed by **New Profit Sharing Model Proposal (which is where ‘OWASP energy’ is being spent)

Does it really need more rules and ‘Project Stage Benefits’ with special carrots for projects being given budgets? (see current Samantha’s ideas on it here)

OWASP’s problem is not that it doesn’t have enough funds for its projects, chapters, committees, etc…

The problem is that the funds available are NOT being spend!

This means that the current focus should on finding ways for the available funds to be spent

**
**

Maybe one day OWASP will have the great problem of having to regulate and control the spending of the available funds.

But that is not the problem that exists today!

And as programmer, my view is that the way to takle a big problem, is to solve the ones that we have today, and then deal with other issues later.

To see if I could point OWASP on the right direction, on the New Profit Sharing Model Proposal thread I asked:

_”…Is there a place where I can see/read the current objectives and rational behind the profit sharing? Basically: _

  • _why it is done? _
  • _what are the objectives that we are trying to achieve? _
  • _based on the past 12 months (and what happened with the use of those funds), have those objectives been meet? _
  • _what is working and what is not working? (with the current profit sharing model) - what is the % of the funds allocated that have been spent in the last 12 months? _
  • where have those $$$ been used for? Also, can you point me to an analysis (or list) of all the expenses made by the chapters that received a $$$ share? (and their balances) …“

And Michael’s response is one I have heard many times before, and is exactly the kind of problem Seth Godin talks his Non-profits have a charter to be innovators post:

_
_

”…The new policy is straightforward and also strikes a better balance between declaring foundation funding needs to keep the overall OWASP machine moving and also chapter desires to raise funds and foster chapter/regional growth. …“

What is interesting about that thread and its responses, is that the key issue (which I was trying to get to, with my questions) is “The current funding model for chapters and projects is not working! simply because the money is not being spent!” (and btw, OWASP has enough funds coming in via its Memberships to keep the ‘lights on’)

**
**

So instead of ‘refining’ the current OWASP revenue splitting model, my view is that it should be dramatically changed to a model similar to the GSD project.

For example, here is how it could work, where only the following rules would be in place:

  1. OWASP chapters and projects get 100% of the funds they generate, and have 6 months to spend it
  2. After 6 months that money goes to a global Projects and Chapters pot/bucket/account, which ALL chapters and Projects can access (and spend from)
  3. No OWASP leader can be paid using these funds
  4. There is an ‘approval by default’ on spending requests (with maybe a request for more details’ mode (see GSD project for an example))

And that’s it!

This would put the focus and the energy into spending the money, which is what OWASP should be doing.

Because, just like Seth says:

_
_

”…Go fail. And then fail again. Non-profit failure is too rare, which means that non-profit innovation is too rare as well. Innovators understand that their job is to fail, repeatedly, until they don’t….”

_
_

And in OWASP’s world, this means, that if every Six months we don’t have a list failures, ie places where OWASP money was REALLYYYY badly spent, it means that we are not trying hard enough (or course that we will also have a list of good uses of OWASP money, but those tend to be ignored by the peanut gallery)

See, I know how to spend OWASP money, in fact I am by FAR the one that has spend more OWASP funds ($400K+ on Summits $250K+ on OWASP Seasons of Code, and others). And I can speak by personal experience, that it is very hard to spend OWASP money. I takes a LOT of energy, time, commitment and an ability to accept failure.

At the moment spending money is VERY hard at OWASP, because:

…the culture doesn’t promote that spending

…the culture doesn’t reward spending

….doesn’t reward failure

….doesn’t reward action

AND THAT’s what need to be fixed!

But, the first hurdle, is accepting the real problem, and as you can see by the New Profit Sharing Model Proposal thread, we are not there yet. Only after accepting the fact that OWASP has a ‘spending the money problem’, will a real solution be found (I’m proposing one here, but I’m sure other solutions can be found that are better).

What really matters is if in 6 months time, a very high % of OWASP available funds has been spent.

And I hope it does, since we need to spend those funds if we are going to achieve some of the ideas I posted on my I wish that OWASP in 2014… :)

Unfortunately, things/actions/ideas/projects/events _“that could happen but didn’t” _is something that is very hard to quantify and to mesure. And if creative ways are not found to mesure them, then the status-quo is what is rewarded.

For example, why hasn’t Seth spoke at an OWASP conference? or Summit?

Clearly Seth will add a lot of value to OWASP, but unless we (OWASP) explicitly go after Seth, he is not going to turn up. But what will happen in Six months time, where Seth still hasn’t been at one of OWASP’s events! Will that be seen as a failure, as a missed opportunity? or will that not even be on the radar?

At the last two Summits, there was an idea to bring guys like Seth to it, so that he could share his views and ideas, but at the time there was not enough energy and focus at OWASP to make that happen (we were still trying to make the ‘Summit work’ and spent (for example) a lot of time discussing the need to have a ‘fixed schedule’, instead of getting guys like Seth to be part of it).

Maybe for the next OWASP summit (see Some proposed Visions for next OWASP Summit) that will happen :)

Just posted this to the owasp-leaders list, and would also like to hear your opinion on it:

Hello OWASP leaders,

Since its creation at the OWASP Summit, the OWASP Global Projects Committee has been meeting every week (see agenda of past meetings here) to try to improve the organization and structure of OWASP Projects.

Our first major deliverable was the Assessment Criteria v2.0 which follows the footsteps of the previous version (now called Assessment Criteria V1) and aims to increase the visibility, usability and quality of the amazing projects you have created.

Our next challenge was to organize the 2009 OWASP grants scheme which (as with the Assessment Criteria) was thoroughly debated, discussed and modified, until we reached the format that is currently here: [http://www.owasp.org/index.php/OWASP_Season_of_Code2009](http://www.owasp.org/index.php/OWASP_Season_of_Code2009) .

There are three main changes from the previous OWASP Season of Code:

Change #1) we are proposing that applications are targeted at the following 4 areas (each assigned to one or two committees)

**Change #2) **we are encouraging proposals to be made by groups of OWASP contributors instead of Individuals (or specific projects). For example I really love the idea to create a number of “super OWASP teams” made up of a mix of ‘with-proven-track-record’ OWASP leaders/contributors and new ‘full-of-energy-motivation-

and-sills’ contributors

**Change #3) **to use the Season of Code 2009 budget to pay for ‘Project related expenses’ instead of ‘Contributors/Leaders work”

This last change is quite radical, but one that I really believe is key for OWASP’s future.

And because this change is so important, the decision to do it is not final (hence why it is not on the SoC 2009 page), and I/We want to hear your opinion on this. So please chip-in with your comments, ideas and suggestions.

I’m quoting below two texts from internal GPC (Global Projects Committee) emails which provide additional background information on the rational behind this decision and the operational issues we need to address (these quotes also highlight the enormous value to OWASP that these Committees are creating, since in the past, these type of discussion and threads would have never existed (since apart from the OWASP Board there really was nobody else involved in these types of issues)). I would like to give special credit to Jason Li, for his hard work on this process and for taking the time to write a number of detailed emails (like the one below which I complely agree with)”

Looking forward to your comments,

Dinis Cruz (email continues below)

Jason Li on why the move to change # 3)
”…The direction … to go with SoC funds is that they shouldn’t be use to pay for technical work by our community members.

The hope is to get away from using money as the incentive for our community members to become more active and involved. Rather … the funds … used for things that the OWASP community could not otherwise produce - for example, physical books for promotion, graphic design costs for documentation, design work for templates, etc.

The SoC money would be allocated to the budgets for accepted projects and the budgets would be presumed for “operating costs” so to speak as opposed to “development costs”.

It’s a huge change in direction to be sure….”
_
“…I just wanted to clarify a little bit of the history of SoC. This is paraphrasing Dinis’ oral history so he can correct me where I’ve gone wrong._

The SoC idea was intended as a way to get OWASP more recognition and also to attract new members to the OWASP community. Monetary grants were never intended to “pay for” or cover the cost of the actual work being done. Those grants were meant serve as a “reward” or sorts for participants (as you know, the grant amounts in the past certainly have not equated to the hours put in).

The hope was that OWASP would grow to the point that participating in SoC, and the positive recognition associated with leading an OWASP SoC project would be reward enough. Obviously this might be a little idealistic, and there have been discussions about how to properly “reward” SoC participants. Among the current proposals includes a guaranteed speaking slot at one of the major OWASP conferences (either US or European conferences) and prominent display in the to-be-redesigned OWASP Project website.

But SoC was never meant to pay OWASP community members for development work and a majority of the OWASP Board feels that the longer we continue to do so, the more we encourage that perception. The Board, and Dinis in particular, is extremely adamant that OWASP should not be on a path where OWASP project leaders expect to get paid for their contributions. It runs contrary to the open and volunteer philosophy of OWASP.

The 20k is still legitimate, but it needs to be clarified along with the rest of the page regarding this new direction for SoC funds. The 20k remark is trying to indicate the limits on a proposal. As a completely off the wall example, say the OWASP NeverNeverLand and Wonderland chapters got together and said, “We’re located very far from the US, where OWASP servers are hosted, and it’s prohibitively slow for us to get access to OWASP materials. It would take us $12k to arrange an adequate mirroring solution to improve access to the OWASP website in our part of the world. We know that’s a lot of money but together between our combined regions, there are hundreds of millions of developers that could use OWASP materials. Because of this, we feel like it’s a good use of OWASP funds.” Obviously this is a silly example, but that is type of proposal that we want to allow by indicating large proposals will get more leeway in terms of budget…

Paulo Coimbra on the operational issues created by Change #3 (most of them still need to be sorted out)

”…Committee,

Below, as for SoC 09, I am somewhat randomly pointing out a couple of questions that, from my point of view, are without clarification still.

  1. Precisely what kind of expenses and/or investments will be and will not be paid? It seems to me we still need at the least a clear definition of the non paid rubrics.
  2. What instrument will we use to clarify/define what type of expenses will be paid for each project? Will we ask for an initial estimate of expenses for the whole project? Assuming that we do – and that each applicant attaches the budget estimation to the project– can the jury decide that some expenses will be paid and others won’t? If so, what will the criteria for this decision be?
  3. Let’s assume we ask for an initial estimate of expenses. Let’s assume OWASP Testing Guide made an application and it was approved. Let’s also assume the approved budget is something similar to the following:
  • Technical writing review - $ 2,500
  • Book design/content layout – $ 1,500
  • Publicity/Marketing/Public Relations – $ 2,000
  • Total = $ 6,000

_
3.1. Have we approved a sponsorship of $ 6,000 or have we approved the value of three distinct rubrics?_

3.2. What will happen if the project’s leader ends up saying “I haven’t spent the money approved for book design but I spent more than forecasted to be spent with marketing and so I would like to have a fund re-allocation”? Who will analyse and decide upon these situations?

3.3. Who will control the overall fund allocation? How?

3.4. Who will be paid? The project’s leader or his supplier? When will the payment be done? When the project finishes or when the expenses have been done? Will the payment be made exclusively against invoices/receipts? What will be the admin circuit?

3.5. If we say “Joint proposals (up to 20k) are highly encouraged” and SoC 09 budget is =<>

1.9 Proposal: Remove all commercial/non-OWASP logos from OWASP.org

Following the recent threads about the commercialization of OWASP, I think the time as come for a simple move, that will be a little bit painful, but will clear the water and send a nice big message of what OWASP stands for.

Remove all commercial/non-owasp-projects logos from OWASP.org

This move has a log of advantages:

  • it is generic so it doesn’t single out anybody
  • it can be done since there are no ‘real’ contractual obligations for OWASP to put company’s XYZ logo on the OWASP site
  • note that OWASP can change the contents of any content/text hosted on owasp.org , as long as the changes are released in an compatible license :)
  • in fact anybody can start the http://owasp-without-logos.org site with all content from owasp.org, expect the 3rd party logos
  • it will push the cases where sponsor-logos are expected to exist, to be placed in separate/dedicated 3rd party websites (like what happens with AppSec conferences)
    • and if there ARE execptions, they should be treated as one-of exceptions (and be fully documented)
  • it will stop the current ‘F1/NASCAR logo parade’ that is the OWASP main page, and some of its projects
  • it will stop the nasty and non-productive “hey that company shouldn’t have their logo in that project” threads
  • it will send a strong message that OWASP is about sharing information and all information/tools/projects that are ‘donated’ to owasp are supposed to be shared in a no-strings/logos attached mode
  • it will clarify that the OWASP logo, name, tools and content CAN be used in commercial situations, as long as it is done outside of OWASP.org
  • it shows a sign of maturity for OWASP, where OWASP doesn’t need (anymore) to sell a bit of its soul in exchange for good content and tools
  • it shows that OWASP’s value to the corporate sponsors, is NOT a logo on owasp.org, but the amazing value provided by the multiple OWASP activities, events and projects.
  • it shows that OWASP can learn from others, and in this case, follow (as Jim recommended) the Apache foundation example (see http://www.apache.org/foundation/marks/responsibility.html )

There are a couple disadvantages:

  • Some OWASP leaders and supporting companies will be annoyed and fell that ‘OWASP changed the value-added they would get by contributing to OWASP’
  • Some OWASP corporate sponsors might even be so angry that they don’t renew their anual membership
  • Some OWASP leaders might be so annoyed that they stop contributing at all to OWASP
  • This is one of those issues that has the potential to generate a gazilion of emails, with lots of opinions and no decisions in the end. Btw, the faster ‘a’ decision is made the better (Yes or No).

I believe that OWASP today (April 2013) is in the perfect situation to make this move. There is enough money to sustain any financial loss (which I don’t think will happen) and the OWASP projects are still in a state where a drop of a couple OWASP leaders wouldn’t have a dramatic effect (which again i don’t think will happen)

So what do you say, fellow OWASP friends, should we make this jump?

My vote is YES, lets get rid of the commercial logos in OWASP and start a new generation of OWASP content and tools

Dinis Cruz

1.10 Sarah Baso as OWASP Executive director, how it broke the model, structure and culture of OWASP employees

(note: I don’t have a lot of time to write the detailed analysis that I wanted to do, but as time is passing by, I wanted to go on the record with my thoughts of that happened. So think of this post as a brain dump of my views on this important topic for OWASP)

In April 8th the OWASP board announced that OWASP Creates Executive Director Position.

My view at the time (and still is) was that OWASP Executive Director Role (Not yet), specially because:

_What we need are another Kate, Sarah, Kelly or Samantha, they still work FAR too much for OWASP and my worry is that they will implode one day. Not sure that they need a boss to tell them what to do, if anything I would delegate to them the powers currently ‘assigned’ to the Executive Director._What happened next surprised most OWASP leaders since a couple days later the OWASP board announced that Sarah Baso would become the new OWASP’s New Executive Director

Which of course means that there was never an effort/attempt to fill that position (externally or internally), and that the decision of that appointment was done much before the 8th of April OWASP Creates Executive Director Position post.

**BIG DISCLAIMER: ** before you read the next part, it is good to take into account that:

  • I was the one that found Sarah Baso for OWASP:
  • During the OWASP Summit we worked a LOT together, with a really amazing collaboration and work environment (yes, there were a couple speed bumps, but Sarah was one of my most trusted helpers and really delivered when it mattered)
  • I have sleep a couple times in her house (when in Minneapolis) and when in London she also spend a couple days in my house
  • She is an a O2 Platform user: Batch PDF creation from OpenXml file (by O2 user)
  • She is a friend and deserves that I spend the time to write these words (remember that the real friend is the one that speaks what is on their mind (and cares enough to spend the time))
  • I have not spoken with Sarah since this appointment was made
  • I am not speaking on behalf of the other OWASP employees (in fact their silence in this matter speaks volumes)

So as you can see I know Sarah very well and have been part of the efforts to bring her to OWASP.

But the appointment of Sarah as the OWASP Executive Director doesn’t feel right to me, and from my view is another reason why the current OWASP board needs to be disolved and re-created from scratch (see An Idea of a new model for OWASP).

Ironically, right in the middle of this situation, lies a really good decision by the OWASP Board (which for an group that is famous for not making decisions, it’s a great move and evolution). I’m talking about the delegation of power and budgets to the OWASP employees, which at least is a step in the right direction, by putting the power and responsibility for key OWASP operational issues in the hands of the OWASP employees.

The problem is that (from my point of view), this ‘appointment’ has a number of issues:

Issue #1: Break of the OWASP Employees model, culture and social-contract

**
**

Lets be clear here, with this move, and with the powers given to Sarah, she can hire and fire other OWASP employees, namely: Kate, Samantha, Alison, Kelly and Matt

This is a massive mistake because it transformed the OWASP Employees (the OpsTeam like I like to call them) from a coesive and strong team, into a fragmented, hierarchical, bureaucrat and ‘political’ structure.

It is very important that the OWASP employees feel empowered to fight for OWASP and its multiple activities (projects, chapters, conferences, initiatives, tours, etc…). But without all being ‘equals’ this is very hard to do.

Issue #2: Lack of transparency on how/when the decision was made

This is a topic that I can’t speak without getting into ‘conspiracy theories’ so I will just say that for an Open organisation like OWASP, this is probably the most ‘non-open/behind-the-scenes activity that I have even seen’

The rest of the analysis I leave to you :)

Issue #3: The way the appointment was done is a case-study on how not to do it

**
**

Not only there was the false impression that there would be a ‘call for candidates’, the way that the OWASP board first pushed it as an appointment, and then (after questions where raised) re-phased it as an ‘Promotion from within’, shows a massive lack of common sense, and more importantly lack of understanding of the OWASP leadership community.

I’m not on the board any more, so I don’t know the details of what happened, by my understanding is that this was not done in a united/coordinated way (by all members of the OWASP board). Which is another bad move, due to the sensitivity of the situation and the massive change of the OWASP operational structure.

**
**

Issue #4: Sarah is not THAT much better than the other OWASP Employees

This is a though one to say on the record, but unfortunately Sarah is in a position where we need to look objectively at her appointment and ask ‘compared with the other OWASP employees, does she deserve the promotion?’

_
_

I.e. is Sarah that much better and qualified than the other current employees: Kate, Samantha, Alison, Kelly and Matt

Remember that we can’t use the measure ‘Sarah is working really hard for OWASP and she has done great stuff for OWASP’

Because, ALL current OWASP employees (Kate, Samantha, Alison, Kelly and Matt) fit that bill.

In fact OWASP is very privileged to have such amazing team, which is actually quite qualified for the job they do.

And remember that by promoting Sarah and making her the ‘boss’ of the other OWASP Employees is basically saying that:_ ‘Sarah is much better then the others and she deserves to be in power’_

Issue #5: Sarah has no CEO or Executive Director experience

Again, if we are going to look at this objectively, Sarah doesn’t have the qualifications for this job. Now It is great to give people opportunities, but for me the position of CEO/Executive-Director of OWASP should be given (one day) to somebody:

  • with a proven track record in that role,
  • that is clearly ‘above’ the current OWASP employees,
  • with past experience in running large teams of organisations with open culture like OWASP (for example a past senior executive of Mozilla, Wikipedia, Apache, etc…)

Issue #6: It is not fair for Sarah that she has been robbed of the opportunity to earn this role

**
**

Ultimately the biggest loser here (at least in the short term) is Sarah. She deservers better than the ‘cold’ reception that she got from the OWASP leadership community, and me writing posts like this.

Note that I’m not saying that Sarah could not ‘one day’ become the OWASP executive director, but not like this, and not like it was done.

For example, if there was supposed to be an ‘promotion from within’ then that should had been a democratic process from within the OWASP employees, namely there should had been a vote where only the OWASP employees would vote and chose amongst themselves who would have the extra powers

Also the lack of public support by the other OWASP employees and ‘heavy weight’ OWASP leaders speaks volumes, and show how divisive this move was.

This role really needs to be given to somebody that has a HUGE amount of political capital to spend (and get things done). Without that grass-roots support, any major (or minor) change is going to be a struggle, specially given the distributed nature of OWASP community (and opinions :) )

Issue #7: Sarah doesn’t need the extra power, is the OpsTeam who need it

I also fail to understand why in the current size of the OWASP employees (the OpsTeam) there is a need to have an ‘Executive Director’ with absolute powers over the others?

What decision is Sarah going to do with that power?

Fire one of the employees? I hope not, since none of them deserve that and it would be a crazy move (even worse than the current appointment)

Also, there is already a good separation of duties of the current employees, so they should be empowered to make decisions, not being given an extra management layer and ‘chain of command’

If I talk with Kate, Samantha, Alison, Kelly or Matt, on an topic that they are currently responsible for, I EXPECT them to have the authority and power to deal with the issue at hand. Not to have to go to the board or Sarah and ‘ask for permission or decision’

**
**

Issue #8: It is not fair on the other OWASP employees that they didn’t had a change to apply

**
**

Again I don’t have much inside track on what happened and who-knew-what-when.

And since there is no documentation about the decision, it is fair to assume that the other employees never had a chance to apply.

This is where process and respect matters. It quite possible that on a parallel universe, Sarah would had become the Executive Director in a way that was highly celebrated and endorsed. In this parallel universe, after _an open, transparent, democratic and pragmatic evaluation/process, _Sarah would had emerged as the perfect choice. But that would had required a completely different process and sequence of events.

The issue here is not that Sarah was chosen, the issue is how it was done. Note that although I hired a number of people I knew personally to work on the OWASP summit, all those efforts were done in the open and there was plenty of opportunity for others to apply and take those ‘paid roles’ (and there was budget for more talent (but we couldn’t find it))

Issue #10: Sarah already had a full time job at OWASP: Conferences

So if she is going to take on more responsibilities and roles, who is going to continue the amazing work Sarah was doing at the Conferences?

The other OWASP employees are already maxed out!

If Sarah keeps doing it, why the appointment?

If Sarah drops parts of it, OWASP will be losing energy and focus on one of the areas that is currently working really well!

Issue #11: I’m disappointed with Sarah by her allowing this to happen

Of course that most of you will not care about by the fact that I’m disappointed, and maybe even Sarah wont.

But I was very disappointed by Sarah allowing this happen (specially because she didn’t took the opportunity to use her new powers to make it better (see first points of ‘How to fix it’ section below)).

This fells like a ‘power grab’ and Sarah was not able to resist the offer.

Well … I expected more from Sarah, and she missed an opportunity to show the human and professional qualities that she has.

I hope to change my mind in the future, but I have to say that at the moment I loss some of the respect I had for Sarah :(

Of course that this doesn’t matter since I have no more power at OWASP.

I’m also disappointed by the lack of public critical thinking at the OWASP’s leaders list, and the few number of OWASP leaders that actually take the time (and still care enough about OWASP) to write about their views/opinions (note: I’m not even going to post this blog into the OWASP leaders list (it would be great if somebody else cared enough about OWASP that they posted it there, together with their views on this post)).

I don’t claim that I’m 100% correct with my views and that I have all solutions, but the only way to fix things is to have open and franc discussions/threads about what is going on. And once the ‘issues’ are identified, it is important to also proposed solutions.

…. which leads me to:

How to fix this

We can’t go back in time, so what we need to do now is to look at ways to fix this

Assuming that there is an agreement that something should be done, here are my proposed actions:

  1. change the model so that all OWASP employees are ‘equals’
  2. put a rule in place where the OWASP employees can only be fired by a majority of the OWASP leaders (by vote)
  3. **Cross post or link this blog entry from the OWASP’s official blog **(http://owasp.blogspot.co.uk/) together with other related threads / responses (after all, OWASP is about being open, and this current blog post contains an analysis of OWASP by somebody who has done a lot for this organisation (me :) )
  4. publicly apologise to Sarah for putting here on such though position
  5. publicly apologise to Kate, Samantha, Alison, Kelly and Matt for the unnecessary stress created
  6. publish details for how the decision was made (and when), so that we have a good documentation of what happened and future generations of OWASP leaders can learn from past mistakes

Of course that given the current structure and political mess that is OWASP at the moment, it is probably more likely that we will have an unthinkable _‘5 days-in-a-row without rain and cold _here in London’, than this happening :)

Good luck Sarah, and how can I help?

Since probably Sarah is one of the few ones that is still be reading this post, I would like to first say to you:

I’m sorry …

… for writing this email, and hopefully one day you will appreciate it and see that I’m writing this because I’m your friend and still care about you and OWASP

Good luck

… with your efforts to making OWASP an amazing organisation

Please prove me wrong…

**
**

… by showing how your appointment as Executive Director was a turning point for OWASP and that what happens next will make this post look like the most ‘stupid thing that I ever did’

Let me know how I can help…

… I expect that you will not be happy with this post, but remember that I love OWASP and that I’m writing this because I still care (in fact, a worrying sign for me is how long I took to write this, since there were multiple times last month where I started ‘not caring’ enough to stick my neck out, and do what I believe to be the best for OWASP (in this case, write this post))

Good luck OpsTam, and how can I help?

**
**

Kate, Samantha, Alison, Kelly and Matt (OpsTeam), since you are also reading this, I would like to also say to you:

**
**

I’m sorry …

… for posting something that might make your live harder.

Now you know and I know that you didn’t ask me to write this, and have barely taked to me since the ‘appointment’, hopefully Sarah (and the OWASP Board) will also believe that, and not give you any trouble for this public criticism of their actions.

Sarah, I hope that you view this post as an opportunity to connect and listen to your ‘employees’ and create something positive

Good luck

… since your job at making OWASP work just got more complicated and frustrating.

Let me know how I can help…

**
**

You are the heart and soul of OWASP and nobody cares about OWASP as you do :)

Please keep doing your amazing work for this crazy community, and as active member of that community, I’m here to help you in as much as I can

1.11 Why OWASP can’t pay OWASP Leaders

Since I was the one that created and executed (initially alone and then with Paulo) the only Seasons of Code that OWASP did (AoC 2006 , SoC 2007 , SoC 2008) I know first hand what can be done, what works, what doesn’t work and its side effects. In fact it was that experience that made me have such strong views on this topic.

There is a subtle but very key distinction that we need to have in this thread. And that is the issue of ‘OWASP paying OWASP leaders’

Hiring interns or other professionals to work on specific projects/tasks is fine (specially if they are doing what our OWASP leaders and contributors don’t want to do). The main problem happens when OWASP leaders can be part of the pool that can be paid by OWASP (again nothing wrong with them being paid by a 3rd party to work on an OWASP Project (like what already happens today)).

So why it is very wrong to pay OWASP leaders to work on OWASP projects?

Let say that there is 2000 USD available to pay an OWASP leaders to work on his project

  • **Changing of the social contract - **The moment money is introduced, invariably the target individual is going to make a math calculation (what is his current daily rate?, how much he earns at the moment?, how much his current boss bills for his time? , etc….).The end result is that we moved from a ‘contributor’ model to a ‘service provider’ model
  • _‘I will do that for free, but won’t do it if I am paid’ _syndrome - If one starts to look at OWASP contributions with a financial angle, then what one would gladly do for free is now viewed from a completely different angle. I would strongly recommend the ‘Predictably Irrational’ book on this topic, which has tons of great example on how money doesn’t help (here is preview of what the author talks about: http://en.wikipedia.org/wiki/Predictably_Irrational#Being_Paid_vs._A_Friendly_Favor )

The RSA Animate - Drive: The surprising truth about what motivates us is also a brilliant video/animation on motivation:

  • **A rate for an Worldwide audience? - **given the truly global presence of OWASP, $2000 might not be a lot for a successful security professional (or conference speaker), but it is good money in countries like Portugal/Italy, and if you go to India/China it is a lot. So how do we do this? Surely it doesn’t make any commercial sense (for OWASP) to pay a guy from London or the US, right? Can’t we get a LOT more hours and effort from somebody that lives in a cheaper country! I’m sure there are places in the world (or on elance.com) that we can rent a team of workers for $2000 for a month !
  • Prevents multi-national teams from occurring - What happens when you want to get a couple resources involved from different countries? Are you going to pay them the same? And if not, is that really sustainable? There is a huge amount of HR theory that shows that collaborators are much happier (and productive) when they don’t know how much money their colleges earn (but how can you do that in an OWASP environment like OWASP where all financial deals must be disclosed)
  • A lot more money will be needed - This is another massive problem. If we REALLY want to get the best talent, and REALLY want to take a professional approach, then we will have to buy the best talent, which is expensive AND will need to be paid a good rate.

And why should we pay them so much? … They will deliver, right? Aren’t they the best? Why shouldn’t we put 40k or 100k of OWASP’s money in their hands?

Well, apart from the fact that those 100k would not ‘create that super-duper deliverable’ (we are talking about big projects with complex problems that need LOTS of work), the problems I’m raising here would be dramatically multiplied

  • **Nobody is independent at OWASP - **Here is the catch, it is impossible to find somebody (or a group) inside that OWASP that has any kind of independence to be able to make a real solid decision (everybody has an agenda, a pet project/chapter/conference, a particular vision for what OWASP should be doing, etc…) So who is going to make the call?
  • **Little secret - on the last OWASP Seasons of Code, all (decent) proposals got funded **- so how did we avoided this problem in the last OWASP Seasons of Code? I.e. how did we actually selected the owasp leaders who deserved the funding? In what turned out to be an amazing feat of maths and mappings, we actually funded every decent proposal that was summited (remember that OWASP was MUCH smaller than it is now, and there was still space for a number of new OWASP contributors to join the party)
  • He/she are the ones being paid, THEY should do that’ syndrome - This is another problem that happens when there is somebody that clearly is being paid when others are not. Yes we will still have this problem when they are paid outside of OWASP, but to be on the same ‘level’ as somebody else and they are being paid, really creates a bad vibe
  • **Lots of negative energy is created - **For me the point of the last Seasons of Code, was not to pay people!

It was to motivate them, to empower them and to give them space inside OWASP.

This is why It was so important to me that no good proposal was left out, since the objective was to motivate people to do their best (not to get a group of OWASP contributors to start fighting each other)

  • **It breaks an OWASP Contributor heart to receive a NO - **We also had a couple cases were great OWASP leaders/contributors, turned to the board (where I was at the time) and said. ”..Hey I have this idea, can you give me 20k / 40k so that I can spend the time to do it? … you know I can do it!, I have a good track record !..”. And it was pretty obvious that when we didn’t support that idea, that OWASP leader was really not happy
    • How to say NO to a big contributor - If OWASP leaders could be paid by OWASP, it would create situations where it is very hard to say NO to a big OWASP contributor, even if maybe he is not as qualified to do the job as the other candidates (there are always emotions involved).
    • _‘I could had done better with that money’ _syndrome - And then after the work is done and delivered, the one who got paid, is now a sitting duck for sniper fire that will pick his/hers work apart
    • **What to do when the leaders don’t deliver? - **We also had this on the last OWASP Season of Code, where a couple really Large (with capital L) OWASP contributors, took a good chunk of cash and didn’t really do a good job! So what do you do? Are we really going to buy that fight and shame that person in public for doing a bad job? Also, how to you handle other OWASP leaders/contributors that also worked on that task but didn’t get paid.
    • **We can’t even count the leaders that we have today, can we review their work? **At the moment we can’t even keep track of our current projects and still have a lot of project review work to be done. Are we (OWASP) really in any shape to review commercial/paid work?
  • What about the other big contributors - Also take into account, that there are a number of OWASP leaders who have spent years of their life working for OWASP projects
    • **For example: My Wife would kill me (if other owasp leaders got paid) **I spent 18 months without any pay to work on the OWASP O2 Platform. I still have debts today from the lack of income I suffered during that period. My wife was really unhappy with that (understatement of the century) and my kids gave me a very hard time. But they supported it, because they accepted my passion and focus on ‘doing the right’ thing. I’m not asking for any money from OWASP, BUT if others are getting paid, then that would completely change the dynamics of my relationship with OWASP (at least it would for my wife)
    • What about Jeff and Dave? These two, even had to use some of their own money to buy some OWASP assets and release them to the OWASP community (surely they should be repaid that?)
    • **What about Denis, Andrew, Daniel, Matteo, John …. **(the list would go on and on and on…)
    • Slippery slope:
    • What about the conference organizers - shouldn’t they also get slice of the profit they generate?
    • What about the successful chapters? - specially the ones with lots of attendees and generated funds?
    • What about those hard-working board and committee members? - should they also be paid for they countless hours?
    • **This will bread corruption and favouritism **- which is human nature given the right environment
  • **Killing the golden goose - **If you look carefully, we already have an amazing capability to ‘convince’ highly paid individuals to work for free and dedicate their energy into something they believe. For example if you add up all the ‘money’ (in time) that is ‘donated’ to OWASP every day or month by its leaders, contributors, participants, you would be amazed (for example it would probably cost 1,000,000$ (1M$) to pay for the talent that we were able to assembly at the last Summit (and even then, I don’t think that if we were paying the attendee’s a fee for their time, we would had been able to assembly that crowd)
    • **Not Paying OWASP Leaders is a self-defence mechanism - **Give the massive web of trust that OWASP has (just add up all its leaders), it is much easier to trust them with OWASP funds when they can’t pay themselves or a friend (it also dramatically simplifies the rules of engagement)
  • **Let’s get 3rd parties to fund those OWASP leaders **- Jeff and John proposed a great model with the OWASP Project Partnership Model which is how we can get OWASP leaders/contributors to be paid for working on OWASP projects. I don’t know who said _’..the real sign of a product’s value is when somebody is willing to pay for it…’ _but it is very true. In fact, it should be a sign of maturity and market-acceptance, the fact that somebody (company, government, etc) is ready to invest on that project.
  • **Prevents OWASP from finding better solutions (to Money) - **Finally this is (for me) the key reason why paying OWASP leaders is a very BAD idea.

We (OWASP) need to figure out what are the social/commercial models that work for OWASP (and make us productive).

Clearly contributing to OWASP makes business sense. If it didn’t we wouldn’t have the sustainability and energy we have.

There are countless stories of OWASP leaders getting better jobs, being promoted, increasing their income, learning key skills, etc… There are also a number of companies that regularly support OWASP. They don’t do it because they want to be nice, they do it because it makes commercial sense to them.

**So what we REALLY need to do, is to rationalize what makes OWASP work, and see if we can improve the current model, so that we can have more and more people being paid to work for OWASP Activities. **

I could continue, but hopefully some of these points will clarify why OWASP can’t pay OWASP.

Wrapping up, this is actually a great opportunity to move OWASP to the next level.

1.12 Why the need to enable the use of OWASP chapter funds

I just send the text below to the OWASP Leaders list, which was part of this thread
_
_My answer was to Tim’s comment and I started a new thread with it

Tim’s solution (see below) is great and we should apply it now (using data from the last year). The only thing I would change is to remove the C (soft cap) and P (hard cap). This would have a net positive result for all chapters (and not move the money to the ‘OWASP mothership’ which is a very sensitive topic).

For the ones really interested in this thread/topic, you should read the amazing Seth Godin’s post Non-profits have a charter to be innovators which really explains why OWASP (as an organisation) as the DUTY and moral responsibility to spend its available funds, to experiment, to get things done, etc….)

The other very important question is **WHY! **(as explained by the also amazing ‘Why how what’ presentation by Simon Sinek)

Why does OWASP need money?

Why do chapters need money?

Why should owasp leaders use their political/business/personal capital in becoming a ‘vendor’ for OWASP?

In my view, OWASP needs money to Get Stuff Done!

**
**

And although there is always an idea that OWASP funds will be massively wasted, the reality (just look back at History) is that It is very hard to spend OWASP Money

**
**

The best examples are the dormant funds in the Chapters, the Project Reboot funds that have barely been used and (my failed attempt) at the GSD project (Get Stuff Done) which has 3k USD that any of you could spend TODAY

As I mentioned in my OWASP Revenue Splits and the “Non-profits have a charter to be innovators” post, OWASP has a** ‘How to spend the money’ **problem and in the 160k USD available to OWASP Chapters and Projects (written in April 2012 hence the smaller amount) I wrote:

In fact, the 160k USD currently available, shows that the model is not working as well as it should, i.e. OWASP leaders are not spending (i.e. investing) the money make available to them!

_
_

I think there are two reasons for it:

  • spending money in an organization like OWASP is not easy
  • there is an idea that ‘money should be kept’ in the bank since it is not wise to spend it all (i.e. be fiscally conservative)

The problem here is that the amount of missed opportunities caused by the non-spending on these funds ie enormous, but because that is very hard to measure (how do you quantify missed opportunities?), it is hard to visualize the solutions and ideas we have not executed on.

_
_

I think that one way to help the chapters to spend the $ allocated to them is for them to ‘invest’ in OWASP Projects under a program like the one I present at OWASP Project Reboot 2012 - Here is a better model

What is great about such_ ‘owasp chapters global fund’ _is that:

  • It moves the discussion from ‘how much money do I have’ to ‘what should I do with the funds available
  • It really supports the chapters that don’t have a lot of funds today
  • It can also also benefit chapters with substancial funds today, since there is no reason why they can’t also access those resources
  • it promotes accountability and ownership of funds allocated
  • it puts an ‘artificial’ timeline on the use of funds allocated (i.e. there is a ‘pressure’ to deliver)
  • it helps to find the OWASP leaders who know how to spend OWASP funds and make magic happen (like Fabio with the Latam and EU tours)
  • It empowers action, and promotes the idea that ‘we trust our chapter leaders to do the right thing’
  • it documents the places where OWASP funds are used (making those ideas/actions easy to replicated)
  • it also documents the failed experiments (which are healthy, but don’t need to be repeated :) ).
  • it stops the ‘ownership of funds’ and ‘lets keep it in a safe place’ that we currently have
  • It can dramatically simplify how the funds are accessed since there will be a central point of contact and pot (with better/faster processes that world worldwide)
  • it turns up the volume/pressure on the ‘_% of OWASP funds used’, _since everytime _something that could happen, doesn’t happen, _OWASP misses an opportunity (and we need some ‘urgency’ and focus on ‘not lossing those opportunities).

See the rules I wrote down at the GSD project for how this could work in practice.

Like I mentioned before, I don’t really care about where the money is, and what percentages there are in place (in fact history is showing us how divisive those splits can be). The point is that OWASP Funds MUST be available to Who wants to use them!

**
**

And as I listed in I wish that OWASP in 2014 …., it would be great that one day we will have at OWASP:

  • ….
  • _a model where OWASP leaders are empowered to make financial decisions/commitments and spend the available OWASP funds in the way they believe is best, with no (very little) questions asked and very fast approval cycles (see the GSD project for details)
    _
  • ….

Dinis Cruz

On 6 June 2013 17:35, Tim <tim.morgan@owasp.org> wrote:

Yes, this is what came to my mind as well. Incorporating Dinis
suggestion and some of my own ideas, what about this:

Individual membership dues: 75% to chapter, 25% to foundation
Corporate membership dues: 25% to chapter, 75% to foundation
Conference/event profits: 25% to chapter, 75% to foundation

Let C be the chapter funds “soft” cap
Let P be the shared chapter pool “hard” cap

Once per year, do the following:
For any chapter with funds greater than C, move %50 of any excess
funds C into a shared chapter pool

If the the chapter pool is greater than P, move all excess funds to
the global foundation

Any chapters can “overdraw” their chapter account and pull from the
chapter pool. Perhaps some kind of limit should be put on how much
any given chapter pulls from the shared pool in a year.

Reasoning:

I think individual membership dues are important to keep with the
chapter. It encourages contribution and participation at the local
level. Corporate membership is probably not quite the same in that
way. Also, I’m guessing individual membership dues are not the
biggest contributor to chapter funds right now (whereas conferences
and corporate contributions probably are), so it isn’t going to cause
a big lockup of funds by putting more of the individual dues toward a
chapter.

In this system, the shared chapter pool is not so much different than
what we are doing this year in 2013 where a $500 overdraw was offered
to poor chapters. I think this overdraw ability is very useful to
new chapters.

Of course all suggested numbers above are negotiable, it’s just a
framework for more fairly unlocking excess funds.
tim

1.13 Why NDAs have no place at OWASP

I was looking for a place to link why it is such a bad idea for OWASP to consider or accept the idea of signing NDA’s with 3rd parties, and since I couldn’t find it on the OWASP Wiki, I’m reposting here what I wrote in June 2011: 

 1 _I don't buy the argument that there is a ton of opportunities that OWASP is  
 2 missing because we don't have this 'save harbour' locations to talk.
 3 
 4 The other key concept that you guys are missing is that the 'no  
 5 NDA everything is public' is actually the best way for *OWASP to control  
 6 OWASP* and to prevent the existence of 'pockets of knowledge' or 'groups  
 7 that know more than others' inside OWASP (just try to image how this would  
 8 work in practice and you will see how impractical this would be).
 9 
10 If we want to preserve our community and open spirit we need to have  
11 an uncompromising Open environment.
12 
13 I would also argue that a big problem in our industry (and software  
14 development/apps in general) is the excessive use of NDA and lack of  
15 information sharing. So if any thing, OWASP should be pushing the other  
16 direction and be actively promoting dialog and 'conversations'
17 
18 For example look at how we were able at the last OWASP Summit to get  
19 directly competing companies to sit on the same table and talk 'openly'.  
20 THAT is what we need to. Create the time and place, and the dialog with  
21 OWASP will come.
22 
23 _
24 
25 _  
26 _
27 
28 You can read the rest of the threat at: [No i will not sign your NDA but...](https://lists\
29 .owasp.org/pipermail/owasp-leaders/2011-June/005700.html)
30 
31   
32 
33 
34   
35 
36 
37 A good example of the mess created by providing 'secret data' to an OWASP leaders (with th\
38 e promisse the it wont be disclosed) if what has happened with the OWASP Top 10 data. See \
39 this post: [Stats used to support OWASP Top 10 entries (next version must publish them)](h\
40 ttp://blog.diniscruz.com/2013/01/stats-used-to-support-owasp-top-10.html) for more details\
41 .

1.14 Me and Jim Manico

I really like Jim. He is passionate, loves OWASP and has great energy.

Although he is from the Hawaii, he has Italian Sicilian blood, which means that his first reaction tends to be a bit off piste. But he listens well, he has an amazing breadth/depth of technological skills and is (like me) trying to change/fix the world.

These days, since I’m not in any position of power at OWASP (I left the Board two years ago), I am in a very privileged position where I can speak freely about my ideas (see You will not have your best ideas when you are in a position of Power). And as you can see by the 46 posts (so far) on this blog about OWASP I have been doing that a lot :)

Since I know that I can hard to deal with and can sometimes cause offence with my comments, views or actions (see Why do others think that I’m “hard to deal with” and that “I don’t listen” ), I asked him recently: _“Jim, are we ok? or have my latest OWASP related emails pissed you off.” _

And true to form, here is Jim’s answer (re-posted with permission) which just shows how an amazing person he is:

Dinis,

Sure you annoy me sometimes, but more importantly you always stay on topic around web security, OWASP governance and OWASP’s future. And you are solid about respecting OWASP’s basic ethical guidelines.

The fact that you annoy me irrelevant. This is not about me. The fact that you are “on point” around OWASP issues is what matters. It’s about what is good for OWASP.

I really don’t agree with you that much either. On occasion I do agree, but I often do not.

But this is ok, we need to keep rattling each others cages. I can take it. We are pushing for the same thing - a healthy OWASP.

So, Dinis. Bring it, man. Give me your best. It’s my job and responsibility as an OWASP board member to engage with you respectfully when you express ideas about making OWASP better.

1.15 On John Wilander….

John asked me this today via linkedIn to write a recommendation for him:

_Dear Dinis, _

_As I wrote on the leaders list I’m no longer co-leader of OWASP Sweden as of this week’s chapter meeting in Stockholm. Hopefully you can help to briefly summarize/recommend my OWASP work 2007 till now.

Thanks in advance!

-John Wilander_

Which of course I was happy to do.

Here is what I wrote:

John is one of the few guys in the world that I would hire on the spot (if I could). Not only he is an expert in his field (checkout his PHD on ‘using static analysis for security’) he is a great Person (with capital P)

His contributions at OWASP rank above the highest ever, specially the way he organised the OWASP AppSec EU conference in Stockholm, and how we was able to assembly an amazing set of participants for his ‘Browser track’ at the the OWASP Summit in Lisbon.

John also is a great singer and I have really amazing memories of us playing together in multiple OWASP conferences and summit.

Finally, but as important, John is a team player, has a great soul and is somebody I would trust implicitly. This means that he is an amazing asset for any team.

As you can see by this review, I have John in very high regard, and hope that one day I will be privileged to work with him on another project/initiative :) Thanks John for all your great work and contributions (so far) to OWASP and the WebAppSec community :)

Up next

2 OWASP Projects