Saturday, 12 May 2012

Some ideas for OWASP GSD Project

When I started talking about the OWASP GSD Project (GSD = Get Stuff Done) with fellow OWASP leaders, one of the questions I received was 'Ok so where will the money be used?'

The concept of GSD is to empower the OWASP Leaders to spend on OWASP projects, so in a way the 'what would it be used for' will be defined by them (the OWASP Leaders).

If you are an OWASP Leader, you are the one who will be empowered to spend GSD funds, so look in the mirror and ask yourself the question 'Where would I spend funds on OWASP Projects?' :)

Here are a couple of ideas on where to use available GSD funds:
  • buy 20 copies of the (for example) Open SAMM book and distribute it at a local OWASP chapter meeting
  • support the OWASP Developer Guide and ASVS projects (for example with copywriting, formatting, design, research, proof-reading, pagination, etc...)
  • improve the formatting and presentation of the 'Cheat-Sheet' series,
  • hire a transcription service for key presentations done at OWASP chapters/events (or OWASP PodCasts)
  • create a DVD with all presentations from a specific OWASP event (or other video materials like the AppSec tutorial series)
  • sponsor a booth at an event to present OWASP Projects
  • sponsor travel expenses for a project leader to meet with other project leaders or collaborators (to work on a particular project)
  • organize a mini-summit around an OWASP project
  • create a mini-website focused on a particular project (like 
  • try out a specific commercial service that will make a particular project more effective (version control, bug tracking system, mailing lists, etc...)
  • hire designers to work on OWASP projects
  • translate OWASP content (to and from English)
  • sponsor students to work on OWASP projects (maybe even run a mini-OWASP Season of Code)
  • hire mediawiki editors for the OWASP website (the OWASP projects part of it :) )
  • hire project manager(s) for OWASP projects
  • etc...
What I've found is that unless we remove just about all barriers to entry for the use of funds on an OWASP project, what tends to happen is 'Nothing'.

Hopefully the GSD project will help in Getting Stuff Done :)


BGen Specific said...

"Ok so where will the money be used?"

I get the feeling that there is not enough strategic direction if we really have to ask "where should we spend the money".

If we had a strategy or vision - I expect the answers would be obvious (and aligned with that vision or strategy).

Absent a clear vision/strategy, put it into a trust or pay it out in AppSec scholarships.

Dinis Cruz said...

The idea that OWASP needs a 'strategy or vision' is a myth and red-herring.

My view is that the maximum amount of 'definition' that can happen at the top (i.e. at OWASP-wide level) is to say that "OWASP is a Community (Passionate about Application Security)". See for my views on that.

It is not OWASP (the mothership) that needs a 'strategy or vision' it is the individual activities (Projects, chapters, summits, etc...) that need it.

Think about this: given OWASP's size and history, don't you think that if such a 'strategy or vision' was possible it would have emerged by now? Why didn't the last Summit create it?

The reality is that OWASP is such a wide organization (in terms of geographical spread, interests, people, etc.) that it is impossible to create a unified 'vision/strategy'.

I happen to think that this is a good thing since it will prevent OWASP from going in a specific direction (and losing a large chunk of its community in the process).

Now ... does Project XYZ need a Vision and Strategy?

Absolutely!!!, and if the project YOU care about doesn't have one, why don't you help to create it? :)

The idea behind the GSD is to empower our projects with funds, and to trigger the (positive) side effect that once people realize there are funds available to spend on their project, they will start asking really important/interesting questions, like for example: "What is the Vision / Strategy for this project?" :)

Dinis Cruz said...

Btw, when you say "put it into a trust or pay it out in AppSec scholarships."

If you look closely at the GSD model, it does fit that description :)

For all practical purposes the GSD "Initiative: Funds Available for OWASP Projects" model is a trust/scholarship (with a key limitation that it can't be used to pay for OWASP Leaders).

BGen Specific said...

"The idea that OWASP needs a 'strategy or vision' is a myth and red-herring."

In the entire history of the world - has there ever been a successful organization that had no vision and no strategy?

This is not a myth.
This is not a red-herring.
This is management 101.

"Think about this: given OWASP's size and history, don't you think that if such a 'strategy or vision' was possible it would have emerged by now? Why didn't the last Summit create it?"

Isn't this one of the classical logical fallacies... Memory is failing me, but I'm pretty sure it is. Wait... Appeal to antiquity?


If OWASP is really so unique that it can't have a mission - then form sub-boards for "builder", "breaker" and "defender" communities and kick the fund-raising/spending can down to them except as it relates to common infrastructure and support. (This is basically the ASF mission right?) I imagine all three of those communities could come up with a strategy in relatively short order.

Or hire outside management and they'll do it for you - any decent manager will set a course for their organization.

Dinis Cruz said...

I'm not saying that OWASP doesn't need a mission (which in my view should be something as simple as "OWASP is a Community (Passionate about Application Security)"), what I'm saying is that the idea that it needs such a mission/vision so that 'something' can happen is the myth, red-herring and excuse.

I.e. it is the perceived 'lack of vision' that acts as a blocker for things to happen. NO, not at all! The problem is that doing something takes a LOT of work, and it is easier to back off due to 'lack of vision' than it is to do something about it. And this is not a dig at you, your comments are VERY valuable and they are the first steps in getting more involved :)

Now when you go down a couple of levels (for example the "builder", "breaker" and "defender" communities), then YES they need visions and missions. In fact, why don't you help create one for them? And then use the GSD funds to help make them into reality.

Note that OWASP is much bigger than "builder", "breaker" and "defender" communities. That is just one slice of our community, in fact that is just one way of viewing our community.

Will it work? Who knows, but let's try it :)

And regarding hiring outside management consulting to figure it out, it has been tried before and it didn't really work.