Thursday 19 April 2012

OWASP Project Reboot 2012 - Here is a better model

In the last post, ROI on OWASP investment on Projects (ie paying leaders), I mentioned that we need a better model to empower OWASP leaders with the available funds (which at the moment seem to be about 100,000 USD).

My proposal / idea is to create an OWASP Project Sponsorship model based on the following simple rules:

  • OWASP makes available a budget for OWASP Projects (for example 100k)
  • OWASP leaders are free to use that money in any way they want, with only the following restrictions:
    • They can't pay another OWASP leader or a company that an OWASP leader is directly connected to
    • For amounts less than $500 they add a description of the expense to the respective OWASP wiki page 24h before they commit to making the expense
    • For amounts less than $5000 they add a description of the expense to the respective OWASP wiki page 7 days before they commit to making the expense
    • Each expense item is mapped to an individual OWASP leader, and multiple OWASP leaders can work together
    • Payments will be made by Alison on invoice submission (by PayPal or direct bank transfer)
  • After the budget is spent (or in 6 months' time), OWASP will review the outcomes and see if these rules need to be changed

And that's it!

This will allow the OWASP leaders (of any type) to just get on with it and find the best ways to take OWASP projects to the next level.

After you read this idea, take a look at the current Project Reboot Proposal at the OWASP Wiki.

From my point of view, there are a number of problems with that proposal:
  • It allows the payment of OWASP leaders (see Why OWASP can't pay OWASP Leaders for a list of reasons why this is a bad idea)
  • It doesn't learn from the past and all the hard work that went into the OWASP Season of Code (SoC) concept - This proposal is basically OWASP SoC 2012, so at least reuse what has been done before: https://www.owasp.org/index.php/Category:OWASP_Season_of_Code
  • It sets the barrier of entry at OWASP Membership (which is a 50 USD registration) - I would put this barrier of entry at OWASP Leader level, since those are individuals who have earned OWASP's trust and have delivered (note that the issue of 'does an OWASP leader deserve to be an OWASP leader' is a separate thread)
  • There are a lot of pieces missing - If we are going down this path (which again is OWASP SoC 2012), then we will need to be as transparent and efficient as the last OWASP SoC. To get a better picture of what will need to be done, spend some time with the amazing pages that Paulo Coimbra (and the GPC) created on https://www.owasp.org/index.php/Category:OWASP_Season_of_Code (for example, a lesson learned from past SoCs is that all proposals must be submitted via the OWASP wiki)
  • There is no Project Manager - Investing in OWASP projects in this way is a full-time job. The first step should be to hire a project manager to work on this (one of the beauties of the model I propose above is that it is much lighter to implement, since there is a high degree of self control)
Finally, don't get me wrong! Investing in OWASP's projects is one of the most important things that OWASP needs to do, and if the Project Reboot Proposal is approved, we will be better off than we were before.

The reason for this post is that I just think there is a better and simpler way of doing it :)