2 OWASP Projects
This section has the following chapters:
- 160k USD Available to OWASP Chapters and Projects
- If you ever doubt that OWASP needs more Project Managers Resources
- On how to get paid to work on OWASP projects
- OWASP GSD Project (Get Stuff Done)
- OWASP Project Reboot 2012 - Here is a better model
- OWASP project reboot spent funds (not a lot spent so far)
- Project Management at OWASP
- ROI on OWASP investment on Projects (ie paying leaders)
- Some ideas for OWASP GSD Project
- The difference between being ‘Appointed’ and being ‘Accepted’ as an OWASP Leader (of its Fork)
- Why large OWASP projects start to stale (and who should pay for the work)
2.1 160k USD available to OWASP Chapters and Projects
This spreadsheet: https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html contains the list of funds available to OWASP Chapters and Projects (actually mainly chapters).
The concept of allocating funds to Chapters was something that I helped to implement a while back, and the key concept of it was to allocate a certain % of OWASP membership funds to chapters (or projects) from either a local company's 5k corporate membership or a locally executed profitable conference.
The objective was to empower the leaders to spend the funds available to OWASP since ‘in principle’ they owned it.
I’m not sure how much of the funds have been spent over the last couple of years, but I don’t think that it is a lot, especially if we don’t count the amounts used by the last Summit.
In fact, the 160k USD currently available shows that the model is not working as well as it should, i.e. OWASP leaders are not spending (i.e. investing) the money made available to them!
I think there are two reasons for it:
- spending money in an organization like OWASP is not easy
- there is an idea that ‘money should be kept’ in the bank since it is not wise to spend it all (i.e. be fiscally conservative)
The problem here is that the amount of missed opportunities caused by not spending these funds is enormous, but because that is very hard to measure (how do you quantify missed opportunities?), it is hard to visualize the solutions and ideas we have not executed on.
I think that one way to help the chapters to spend the $ allocated to them is for them to ‘invest’ in OWASP Projects under a program like the one I present in OWASP Project Reboot 2012 - Here is a better model.
2.2 If you ever doubt that OWASP needs more Project Managers/Resources
Like Samantha Groves:
Then you should read these amazing monthly reports (written by Samantha)
- OWASP Project Manager Activity Reports/April 05 2013
- OWASP Project Manager Activity Reports/March 11 2013
- OWASP Project Manager Activity Reports/February 11 2013
- OWASP Project Manager Activity Reports/January 14 2013
- OWASP Project Manager Activity Reports/December 10 2012
- OWASP Project Manager Activity Reports/November 12 2012
- OWASP Project Manager Activity Reports/September 10 2012
- OWASP Project Manager Activity Reports/August 13 2012
And also take a look at the new OWASP Projects page: https://www.owasp.org/index.php/Category:OWASP_Project
My only worry is that there is SO MUCH to do!!! and Samantha is only one :(
Last time I spoke with Samantha she was still under the impression that she would only need help in late 2014. I hope that she will soon realize that there are a lot of areas where she could do with more resources (starting with resources to do actual ‘project management’, since at the moment she doesn’t have the time to do that for the projects that really need it).
2.3 On how to get paid to work on OWASP projects
Here is an old blog post (from May 2012) that I never got around to publishing (it got lost in the drafts folder), which provides more info on why OWASP cannot pay its leaders, and how to get paid to work on OWASP projects.
Since this was a personal email, I replaced the OWASP leader’s name and project with XYZ and Project ABC.
Hi XYZ
(before you read my answer below, read this email to the leaders I sent last year: https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html about the opportunity to hire Sandra to work on OWASP Projects)
I know you are not doing it for the money (none of us are), and I agree that if you were able to have dedicated time to work on the Project XYZ it would make massive progress (same thing for a lot of other projects)
The problem is that YOUR fees cannot be paid by OWASP (for all the reasons I mention in the ‘Why OWASP can’t pay OWASP Leaders’ blog post). Even worse, if OWASP would pay your fees, it would probably be a disservice to you since you probably would not be able to charge close to your commercial value (i.e. what a company would pay you). Again that would not be scalable, since it would mean that the only way you could get paid to work on OWASP is to take a big pay cut.
Now two things:
**1) The way you are currently planning to spend the funds** (which you applied for) is exactly the way I think OWASP can support your (and other leaders’) efforts. In fact my idea with OWASP GSD Project (GSD = Get Stuff Done) is to take that to another level and say “Hey… we trust XYZ so he can just get on and get it done (no need to ‘submit proposals’, just list where he wants to spend it)”
2) You are asking your current employer to ‘sponsor’ you with paid time. Now THAT is the way to get you paid. Recognizing when an OWASP Leader is being sponsored by a company to spend ‘Company time’ on a project is one of the areas that we have failed miserably at OWASP. I tried to move things in the right direction when at the Summit I was able to inject that information into the Attendee list (see the ‘Summit Time paid by’ column in [https://www.owasp.org/index.php/Summit2011_Attendee](https://www.owasp.org/index.php/Summit2011_Attendee)). And this type of ‘payment’ is the most effective one, since you can negotiate your contract with the company that is hiring you (in Private) and it would not break the contributors model. Note for example that that type of deal is the one I have with SI at the moment. I am able to spend my paid time on OWASP and O2 (with no cost to OWASP). And this also happens with a LOT of other OWASP leaders.
So XYZ, I still want you (and other OWASP leaders) to be paid for working on OWASP projects. In fact I want you to be paid your full (or close) commercial rates. The key is that we need to figure out a model where 3rd party companies (or governments) pay that bill.
I think we are getting closer now, but with everything, if there isn’t a model created, it will not scale and we will not be able to take it to the next level. This is what I tried to create last year with Sandra’s proposal (https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html) and unfortunately there wasn’t momentum (and vision) on our community to push it (I was also leaving the OWASP Board so I was not comfortable in pushing that concept without full support and commitment from the board and leaders).
Basically the model at https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html is the one that I think will work for you (note how in that case the fees were arranged between SI and Sandra, which is how it should be).
Dinis Cruz
On 15 May 2012 09:55, XYZ wrote:
Hi Dinis,
I’ve agreed to disagree with you on this one; I’m not in it for the money. I just want to get it done, but I can’t do that (in a reasonable time) whilst working 12-14 hour days. My job allows me to pay my rent, health insurance, car payments, and allows my family to eat. However, it’s not to be, so my time will necessarily be limited to weekends, nights after my daughter goes to sleep, and train rides when my paying job doesn’t have too much on.
If OWASP could fund me so that I could take leave without pay (i.e. a career break) for say six months, the headstart would be fantastic. You experienced that headstart when you did O2, and I understand your family’s sacrifice to make that work. Realistically, I don’t have the luxury of savings, so even though I know what is a minimal amount of money I need to live, one to two weeks is not going to get that far on the Project ABC.
I’ve put a budget submission in for the new Project ABC, primarily to organize a face to face at appsec research to do a planning session and most importantly, a hack-a-thon. I have asked my work to sponsor the Project XYZ effort so that I can travel to Athens, but if they don’t agree to allowing me time off and 20% time (i.e. the sponsorship element), then I can’t be there. The reality is that if they say “no” then there’s every chance I can’t work on the project until I leave Company ABC. I hope it’s not a “no”. This is one of the reasons I’ve never done Project ABC work in my employer’s time or on their equipment.
thanks,
XYZ
On Sat, May 12, 2012 at 1:50 PM, Dinis Cruz <dinis.cruz@owasp.org> wrote:
Hi XYZ, I know that we have disagreed in the past on how to best support efforts like the one you are doing; hopefully we can find some common ground on the GSD project.
I’ve just started a new OWASP project (called GSD) that represents how I think OWASP projects can be supported by OWASP:
Note on the ‘where to spend the funds’ examples, that both your projects are perfect fits :)
What do you think?
Dinis Cruz
2.4 OWASP GSD Project (GSD = Get Stuff Done)
Yesterday I started the OWASP GSD Project, based on:
- the ideas first presented on OWASP Project Reboot 2012 - Here is a better model,
- the fact that there is a good amount of funds available at OWASP (160k USD available to OWASP Chapters and Projects) and
- the need that OWASP has to inject energy into its projects.
The Project’s main page is at: https://www.owasp.org/index.php/OWASP_GSD_Project and below (end of this post) you will find a copy and paste of today’s version of this project page (which is the first pass at defining what the GSD is)
What I like about this model is that it is as empowering as I think one can make it.
Basically this model:
- Empowers OWASP leaders to spend funds on OWASP projects
- Puts a very ‘light’ moderation/control system in place, where proposals are approved by default (in 1 day for < $500 and 7 days for < $5000)
- Creates a chain of trust between the multiple parties
- Can be this simple due to the key ‘OWASP leaders cannot be paid’ rule
- It is based on trust and reputation
- It is designed to be simple to use and could be easily abused
- It is a grass-roots, bottom up approach (i.e. done from the OWASP Community to the OWASP Community)
Now you might think that such a system would be abused. My experience in implementing very similar solutions (at OWASP and other places) has shown me that in an open environment, it is very hard to abuse the system in a way that doesn’t (eventually) backfire.
The only places I’ve seen ‘abuses’ are when the information is not clearly presented, attributed and linked.
In a way, a system like this shows how hard it is to get stuff done at an organisation like OWASP. Even when just about ALL barriers of entry are removed, and it is really simple to ‘do it’, it takes a lot of effort to create something.
And the reason is simple. There is always a good crowd that has ‘ideas’ on what should happen. But the hard part is to actually ‘do it’ (or create a good brief so that it can be delegated/contracted-out).
Another key concept about this model is that it is not done by the OWASP Board or a Committee. I think it is very important that initiatives like this happen from the ‘bottom-up’ and not from the ‘top-down’. That said, I have asked both the OWASP Board and the GPC (Global Projects Committee) to provide some seed funds, since that is the equivalent of directly investing in OWASP projects.
And you, dear reader (maybe from a company that likes what OWASP is doing, or a leader of an OWASP Chapter), if you have funds that you would like to see put to good use, please allocate some of them to this project :)
What do you think? Any comments, ideas, criticisms, suggestions, etc…?
OWASP GSD (Get Stuff Done) project is focused on enabling and empowering other OWASP Projects with funds, resources, energy and ideas.
The first initiative is the ‘Funds Available for OWASP Projects’ (see details and rules-of-engagement below)
- Project Leader: Dinis Cruz
- Proposals Review Team: Dennis Groves, Daniel Cuthbert, Dinis Cruz … (more to be announced)
Initiative: Funds Available for OWASP Projects
What: OWASP Project Sponsorship model where OWASP Leaders can spend up-to the current allocated budget on OWASP Projects
Rules-of-Engagement:
- Funds are to be used on OWASP Projects
- Funds to be personally allocated by an OWASP Leader (who takes responsibility for its use and execution)
OWASP leaders are free to spend the funds on OWASP Projects in any way they feel relevant, with only the following KEY restrictions:
- They can’t pay another OWASP leader or a company that an OWASP leader is directly connected to
- For amounts less than $500 they add its description to the respective OWASP WIKI page 24h before they commit to make the expense
- For amounts less than $5000 they add its description to the respective OWASP WIKI 7 days before they commit to make the expense
- If there are no comments or objections by the ‘Proposals Review Team’, the funds are automatically approved
- If a member of the ‘Proposals Review Team’ objects or asks for more information, the funds are NOT approved (until further clarifications)
- Each expense item is mapped to an individual OWASP leader and multiple OWASP Leaders can work together.
- Payments will be made by Alison on Invoice submission (by paypal or direct bank transfer)
In 6 months’ time, a review of the outcomes will be done to see if these rules need to be changed.
Current Funds Available
- Total: 0 USD
- Sponsors: none yet (these could be OWASP Chapters, OWASP Members or 3rd party companies/organizations)
Proposed Use of Funds Available
- None
FAQ
For Participants:
- What is an OWASP Leader? : Everybody in the owasp-leaders list
- Can these funds be used on other OWASP initiatives (Chapters, Conferences, Summits, etc..) : Nope, this is only for OWASP Projects
- What happens if the ‘Proposals Review Team’ objects or asks questions : The OWASP Leader behind the proposal needs to come back with a better idea or answer :)
- Is there some kind of ‘Gamification theory’ behind this idea? : Yes :)
For Members of the ‘Proposals Review Team’:
- What should I do if I like a proposal? : Nothing (unless you have time to help that proposal). Note that proposals with no ‘doubts’ are approved by default
- What should I do if I have doubts about a proposal? : Write a comment and raise your doubts/questions. Note that proposals with (at least one) ‘doubt’ comment are NOT approved by default
2.5 OWASP Project Reboot 2012 - Here is a better model
In the last ROI on OWASP investment on Projects (ie paying leaders) post I mentioned that we need a better model to empower OWASP leaders with available funds (which seem to be at the moment about 100,000 USD)
My proposal / idea is to create an OWASP Project Sponsorship model based on the following simple rules:
- OWASP makes available a budget for OWASP Projects (for example 100k)
- OWASP leaders are free to use that money in any way they want, with only the following restrictions:
- They can’t pay another OWASP leader or a company that an OWASP leader is directly connected to
- For amounts **less than $500** they add its description to the respective OWASP WIKI page 24h before they commit to make the expense
- For amounts **less than $5000** they add its description to the respective OWASP WIKI **7 days** before they commit to make the expense
- Each expense item is mapped to an individual OWASP leader and multiple OWASP Leaders can work together.
- Payments **will be made by Alison** on Invoice submission (by paypal or direct bank transfer)
- After the budget is spent (or in 6 months time), OWASP will review the outcomes and see if these rules need to be changed
And that’s it!
This will allow the OWASP leaders (of any type) to just get on with it and find the best ways to take OWASP projects to the next level.
After you read this idea, take a look at the current Project Reboot Proposal at the OWASP Wiki.
From my point of view, there are a number of problems with that proposal:
- It allows the payment of OWASP leaders (see Why OWASP can’t pay OWASP Leaders for a list of reasons why this is a bad idea)
- It doesn’t learn from the past and all the hard work that went into the OWASP Season Of Code (SoC) concept - This proposal is basically OWASP SoC 2012, so at least reuse what has been done before: https://www.owasp.org/index.php/Category:OWASP_Season_of_Code
- It puts the barrier of entry as an OWASP Membership (which is a 50USD registration) - I would put this barrier of entry at OWASP Leader level, since those are individuals that have earned OWASP’s trust and have delivered (note that the issue of ‘does an OWASP leader deserve to be OWASP leader’ is a separate thread)
- There are a lot of pieces missing - If we are going down this path (which again is OWASP SoC 2012), then we will need to be as transparent and efficient as the last OWASP SoC. To get a better picture of what will need to be done, spend some time with the amazing pages that Paulo Coimbra (and the GPC) created on https://www.owasp.org/index.php/Category:OWASP_Season_of_Code (for example a lesson learned from past SoC is that all proposals must be submitted via the OWASP wiki)
- **There is no Project Manager** - Investing in OWASP projects in this way is a full time job. The first step should be to hire a project manager to work on this (one of the beauties of the model I propose above is that it is much lighter to implement, since there is a high degree of self control).
Finally, don’t get me wrong! Investing in OWASP’s projects is one of the most important things that OWASP needs to do, and if the Project Reboot Proposal is approved, we will be better off than we were before.
The reason for this post is that I just think there is a better and simpler way of doing it :)
2.6 OWASP project reboot spent funds (not a lot spent so far)
From Alison here are the latest numbers from the OWASP Project Reboot 2012 initiative:
- Project reboot funds/expenses in a Google Spreadsheet
Humm, from the numbers in there, it looks like only the CISO Guide spent some funds.
If true, and as we reach the 6 months since the allocation of those funds, the interesting question to ask is: WHY?
Why haven’t these funds been spent?
I think part of the answer can be found at OWASP Revenue Splits and the “Non-profits have a charter to be innovators”
One interesting development (and potential issue) is the case with the DHS funded projects (like the _Code Review Guide_ shown below), which have an expectation to deliver something:
2.7 Project Management at OWASP
What OWASP needs ASAP is Project Management (the type Paulo was doing).
In fact, we don’t need 1, we need 4 or 5 project managers….
But I will settle for one in the short term.
There is a HUGE amount of work that needs to be done by the OWASP Operational machine, and THAT is where we (OWASP) need to be putting our resources (i.e. creating the ‘OWASP Platform’).
**At the moment we (OWASP) can’t even accept and guide projects that want to become OWASP projects!!!** And let’s not forget the ‘huge’ (i.e. none) support we give our current project leaders (Hey!.. I’m one of those OWASP Leaders that feels quite abandoned in a corner of the OWASP Project’s landscape…)
In fact, the other two tragedies (and losses for owasp) are when regular OWASP contributors and members of our community:
- choose NOT to host their projects at OWASP, because they see no value in doing that!
- choose NOT to join an OWASP project and contribute, because they don’t know how, there is nobody on the other side, or the project is a mess and it is not easy to see where to start!
And being harsh on us (since we need to be), why should they move their project to OWASP or contribute? It’s too much hard work, there are too many politics, emails don’t get answered, etc…
We (i.e. OWASP) treat our project leaders as dirt, we don’t know who they are, we don’t give them any support, we might even (if some OWASP conference organizers have their way) ask them to pay an entrance fee at our conferences (so that they (the project leaders) become a profit center).
This needs to change!!!
Our leaders (projects, chapters, conferences, etc…) **are our most valuable asset, and we (OWASP) need to hire the resources** (i.e. project manager) **required to deal with them in the most professional, cordial, quick and focused way** (which is what Paulo was doing (and Kate, Sarah, Allison, Kelly do every day))
2.8 ROI on OWASP investment on Projects (ie paying leaders)
I was thinking about the crazy idea of paying OWASP leaders (still supported by a number of OWASP leaders) and I started wondering what the ROI (Return on Investment) was for OWASP and its community when OWASP did pay OWASP leaders (existing and new ones) to work.
For reference here are the projects sponsored in the past:
OWASP Autumn Of Code 2006 - 34,000 USD invested in:
- WebScarab NG
- Live CD
- CAL9000
- SiteGenerator and ORG
- Pantera
- Web Goat
- Testing Guide
- OWASP .NET Tools
- OWASP Website and Branding
OWASP Spring Of Code 2007 - 117,500 USD invested in:
- The OWASP Web Security Certification Framework ,
- SqlMap ,
- OWASP Site Generator ,
- Attacks Reference Guide ,
- The Scholastic Application Security Assessment Project,
- Inspekt: Input filtering and validation library for PHP ,
- Code review Project ,
- OWASP Certification Project ,
- OWASP Education Project ,
- OWASP The Anti-Samy Project ,
- Security throughout the SDLC ,
- OWASP WebGoat Solutions Guide ,
- OWASP WeBekci Project ,
- Python Tainted Mode ,
- WebScarab NG Security Test Automation ,
- Refresh Attacks list ,
- Best Practices & Countermeasures ,
- OWASP brand ,
- Web Application Security put into practice ,
- OWASP JBroFuzz Project ,
- Owasp Orizon Project ,
- Enigform: Firefox Addon for OpenPGP signing of HTTP requests ,
- OWASP LiveCD Education Project ,
- OWASP Java Project ,
- OWASP LiveCD Project ,
- Interim @ Aspect Offices ,
- Help with SpoC project management ,
- OWASP Corporate Application Security Rating Guide
OWASP Summer of Code 2008 - 104,000 USD invested in:
- 100% Completion
- OWASP Testing Guide v3
- OWASP Ruby on Rails Security Guide v2
- OWASP Live CD 2008 Project
- OWASP Code review guide, V1.1
- OWASP AntiSamy .NET
- OWASP .NET Project Leader
- OWASP Source Code Review OWASP Projects
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Backend Security Project
- OWASP Securing WebGoat using ModSecurity
- OWASP Teachable Static Analysis Workbench Dmitry Kozlov
- OWASP Access Control Rules Tester
- OWASP Skavenger Matthias Rohr
- OWASP Online code signing and integrity verification service for open source community (OpenSign Server)
- OWASP Code Crawler
- OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP Application Security Verification Standard
- OWASP Classic ASP Security Project
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- OWASP SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP Spanish Project
- OWASP Internationalization Guidelines Project
- GTK+ GUI for w3af project
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- Above 50% Completion
- Below 50% Completion
As you can see there were a LOT of projects that OWASP sponsored.
From a pure ROI point of view, we need to ask: “How many of these projects are successful (or even active) today?” and “How much impact did this investment actually have?”
If we look purely from a project deliverables point of view, although there were a number of solid deliveries, I think one will struggle to come up with a positive balance (especially since some of the best things done to these projects happened after this sponsorship).
But if we look at this from the point of view of:
- Bringing new energy to OWASP (namely OWASP leaders)
- Improving the research on WebAppSecurity
- Improving the connections and relationships between these OWASP Leaders
- Empowering these OWASP Leaders to be involved in other areas (and projects) at OWASP (note how a lot of the most active OWASP leaders today were involved)
- Creation of new Chapters (directly connected to a sponsored OWASP leader) , with some of these chapters also eventually organizing OWASP Conferences
I would say that the balance is massively positive!
So the question is: “if we want to achieve similar results today, should we pay OWASP leaders again or do something different?”
My view is that we need a new model, one that is based on the concept that ‘OWASP cannot pay for OWASP leaders’ and focused on empowering those leaders.
For more on this topic see:
- Why OWASP can’t pay OWASP Leaders
- Project Management at OWASP
- Why large OWASP projects start to stale (and who should pay for the work)
- OWASP: Proposed change for SoC: Use budget to pay for project related expenses (from 2009)
2.9 Some ideas for OWASP GSD Project
When I started talking about the OWASP GSD Project (GSD = Get Stuff Done) with fellow OWASP leaders, one of the questions I received was _‘Ok so where will the money be used?’_
The concept of GSD is to empower the OWASP Leaders to spend on OWASP projects, so in a way the _‘what would it be used for’_ will be defined by them (the OWASP Leaders).
If you are an OWASP Leader, you are the one that will be empowered to spend GSD funds, so look in the mirror and ask yourself the question _‘Where would I spend funds on OWASP Projects’_ :) .
Here are a couple of ideas on where to use available GSD funds:
- buy 20 copies of the (for example) Open SAMM book and distribute it at a local OWASP chapter meeting
- support the OWASP Developer Guide and ASVS projects (for example with copywriting, formatting, design, research, proof-reading, pagination, etc…)
- improve the formatting and presentation of the ‘Cheat-Sheet’ series
- hire a transcription service for key presentations done at OWASP chapters/events (or OWASP PodCasts)
- create a DVD with all presentations from a specific OWASP event (or other video materials like the AppSec tutorial series)
- sponsor a booth at an event to present OWASP Projects
- sponsor travel expenses for a project leader to meet with other project leaders or collaborators (to work on a particular project)
- organize a mini-summit around an OWASP project
- create a mini-website focused on a particular project (like ESAPI.org)
- try out a specific commercial service that will make a particular project more effective (version control, bug tracking system, mailing lists, etc…)
- hire designers to work on OWASP projects
- translate OWASP content (to and from English)
- sponsor students to work on OWASP projects (maybe even run a mini-OWASP Season of Code)
- hire mediawiki editors for the OWASP website (the OWASP projects part of it :) )
- hire project manager(s) for OWASP projects
- etc…
What I’ve found is that unless we remove just about all barriers of entry for the use of Funds on an OWASP project, what tends to happen is ‘Nothing’.
Hopefully the GSD project will help in Getting Stuff Done :)
2.10 The difference between being ‘Appointed’ and being ‘Accepted’ as an OWASP Leader (of its Fork)
OWASP is a community that really embraces new ideas, new contributors and projects.
For somebody motivated (and with time/energy) there are very few ‘real’ barriers to entry. Even in the cases where it ‘feels’ like there are barriers to entry or ‘bureaucracy’, those are mainly artificial and easily bypassed (with the right level of energy and commitment).
The problem is Empowerment
What I found (by observing lots of OWASP projects starting, blossoming and dying) is that what makes the difference is how empowered an individual is on a particular project/task.
The easiest scenario is when a new project is born, since by default the person motivated to launch it, will feel empowered to do work on that project.
But when we get into contributing/collaborating with other projects, or in dealing with community matters (like what the OWASP Committees try to address), it gets more complicated, since there is an invisible barrier that most don’t want to cross.
Although the default answer at OWASP to people with ideas is “why don’t you go and do it yourself”, what actually tends to happen is: **Nothing** (or very little)
And yes, OWASP does have a problem with the ’…yes I can help…‘ brigade, who are the ones that are first to offer to help, but seldom do any actual work (in most cases these ‘non-helpers’ are neutral, since they don’t have a significant impact (positive or negative)).
For me, the real problem is one where the candidate (current or future OWASP leader) ‘feels’ that he/she needs to be ‘Appointed’.
I think it is human nature that creates the ‘need’ to feel that one is allowed to touch/change a particular project. And since there isn’t a direct effort to tackle that ‘need’, we go back to the default outcome which is: **Nothing** (or very little).
And what a great tragedy it is, when you have somebody who wants to work, wants to learn, wants to contribute, wants to change, but somehow the initial spark fails to happen, and that energy/focus is lost.
There were four cases where I really saw this in action.
- the OWASP Seasons of Code
- the OWASP Summits
- the OWASP Committees (created in the first Summit)
- creating a web page in the OWASP wiki
In all these cases, all that it took for a huge amount of energy (and work) to happen on a particular project (or area) was for somebody to have his/her idea ‘accepted’ in the public sphere:
- the Season of Code participants (who would have made more money flipping burgers) felt empowered to participate and contribute to a particular project or idea
- the OWASP summits, which were designed around the idea of ‘working sessions’, which made the participants feel empowered on these ‘working sessions’ topics
- the committees which (initially) empowered existing OWASP leaders to tackle a huge amount of OWASP related issues (Projects, Conferences, Chapters, Membership) and outreach efforts (Industry, Education, Connections)
- the magic sparkle and empowerment that happens when an OWASP leader/contributor sees a webpage in owasp.org with his name
The problem with these activities is that they are very ‘top down’ and rely on a ‘higher authority’ to do the ‘Appointments’.
Which means that when the ‘Appointments’ stop, (in 95%+ of cases) the Empowerment and energy stops.
In fact, what happens after a while is that we have a perverse model where the people appointed have run out of energy, ideas or time, but still have the role, which now prevents new blood from taking over. The current state of the Committees is a great case study of this. Most are just about dead (and the ones that are not are being driven by external events: Conferences, an election, a new project manager, etc…), but since there is a ‘feeling’ that ‘somebody is in charge’ there isn’t the urgency (and awareness) that really important areas for OWASP (and AppSec) are currently (for all practical purposes) stopped and leaderless.
The problem is that OWASP at the moment doesn’t do a ‘Spring Clean’ of leaderships and ‘Appointments’, which means that although it is easy to get in, it is very **hard to get out** (and it takes a lot to step down from a Leadership position). Humm … maybe at the next OWASP Band we should play the Hotel OWASP to the tune of Hotel California :)
In my view, the solution is to:
- re-invent the OWASP committees as OWASP Initiatives (which are focused on empowering specific tasks)
- remove all project leaders that have been on a project, initiative, committee but have done nothing (measurable) in the last 6 months (a good test is just to ask: ‘Dear project leader XYX, what have you done for the project/initiative/committee ABC over the last 6 months.’).
The removal of the OWASP leaderships is very important, since the dark side of _Appointing_ leaders is that while they are there, it is quite toxic (and political) for somebody else to ‘step-up’ and start doing something about that project (i.e. most don’t want to buy that fight, or have the time to deal with the political implications/BS).
And this takes me to the real idea behind this post:
The difference between being ‘Appointed’ and being ‘Accepted’ as an OWASP Leader (of its Fork)
What we want is a situation where members of the OWASP community feel empowered to Fork (i.e. take ownership of) a particular project or idea.
Then, the real ‘Appointment’ happens by the community that recognises his/her ideas, and accepts the vision followed/executed (with eventually that person becoming the ‘project leader’).
This is much healthier and risk-free than the current ‘Appointment’ model since, if that person fails to deliver, the loss is minimal.
Also important is the fact that this ‘Forking’ allows for multiple simultaneous attempts/efforts by different participants, which maximizes the chances of success.
Compare that with the current ‘Appointment’ model, which by design chooses one path/person vs another one (unless all candidates are accepted), and removes energy/Empowerment from the ‘losing’ parties.
For more thinking on the ‘Fork projects or content’ idea see the Design for Fork and the liquidity of OpenSource/Git post.
Linus has shown us that Forking is the way to create a community around code. Now we need to use the same principles of Forking to create vibrant communities around OWASP projects and activities.
2.11 Why large OWASP projects start to stale (and who should pay for the work)
A critical evolution-stage that is happening with a significant number of OWASP (and other FOSS) projects is the moment when the project grows so large that any key change requires a substantial amount of work.
Another problem is the fact that most successful projects are the result of only a small number of key contributors (also called the project leaders) who, after a significant personal time-commitment, move on to other projects/initiatives/ideas.
Most of our guides have that problem, so does WebGoat, WebScarab, ESAPI, O2, etc…
In fact, for a while there was a lot of effort put into ‘normalizing’ the references between the multiple guides, which is A MASSIVE piece of work (btw, this probably can only be done if you get 5 to 10 key players in the same location for 1 week (with a good amount of preparation work)).
It is just a reality that when OpenSource projects grow, they need commercial support that pays for contributors to work on it.
And here is the catch, OWASP can’t be the one that pays for it (it can pay for the operational support, project management, mini-summits, infrastructure, etc.. but not the salaries of the contributors).
It should be the companies (or groups) that benefit from that project that should come up with the money and hire the key contributors.
In fact, that already happens a lot today at OWASP. There is a huge amount of OWASP contribution that is already funded by commercial companies that get value from those projects.
In a way we just need to formalize and operationalize this model.