Saturday 12 May 2012

OWASP GSD Project (GSD = Get Stuff Done)

Yesterday I started the OWASP GSD Project, based on:
The Project's main page is at:  and below (end of this post) you will find a copy and paste of today's version of this project page (which is the first pass at defining what the GSD is)

What I like about this model is that it is as empowering as I think one can make it.

Basically this model:

  • Empowers OWASP leaders to spend funds on OWASP projects
  • Puts a very 'light' moderation/control system in place, where proposals are approved by default  (in 1 day for < $500  and 7 days for < $5000)
  • Creates a chain of trust beween the multiple parties
  • Can be this simple due to the key 'OWASP leaders cannot be paid' rule
  • It is based on trust and reputation
  • It is designed to be simple to use and could be easy abused
  • It is a grass-roots, bottom up approach (i.e. done from the OWASP Community to the OWASP Community)

Now you might think that such a system would be abused. My experience in implementing very similar solutions (at OWASP and other places) has shown me that in an open environment, it is very hard to abuse the system in a way that doesn't (eventually) backfire.

The only places I've seen 'abuses' is when the information is not clearly presented, attributed and linked.

In a way, a system like this shows how hard it is to get stuff done at an organisation like OWASP. Even when just about ALL barriers to entry are removed, and it is really simple to 'do it', it takes a lot of effort to create something.

And the reason is simple. There is always a good crowd that has 'ideas' on what should happen. But the hard part is to actually 'do it' (or create a good brief so that it can be delegated/contracted-out).

Another key concept about this model is that it is not done by the OWASP Board or a Committee. I think it is very important that initiatives like this happen from the 'bottom-up' and not from the 'top-down'. That said, I have asked both the OWASP Board and the GPC (Global Projects Committee) to provide some seed funds, since that is the equivalent of directly investing in OWASP projects.

And you, dear reader (maybe from a company that likes what OWASP is doing, or a leader of an OWASP Chapter), if you have funds that you would like to see put to good use, please allocate some of them to this project :)

What do you think? Any comments, ideas, criticisms, suggestions, etc...?


The OWASP GSD (Get Stuff Done) project is focused on enabling and empowering other OWASP Projects with funds, resources, energy and ideas.
The first initiative is 'Funds Available for OWASP Projects' (see details and rules-of-engagement below)
  • Project Leader: Dinis Cruz
  • Proposals Review Team: Dennis Groves, Daniel Cuthbert, Dinis Cruz ... (more to be announced)

Initiative: Funds Available for OWASP Projects

What: OWASP Project Sponsorship model where OWASP Leaders can spend up to the current allocated budget on OWASP Projects
  • Funds are to be used on OWASP Projects
  • Funds to be personally allocated by an OWASP Leader (who takes responsibility for their use and execution)
  • OWASP leaders are free to spend the funds on OWASP Projects in any way they feel relevant, with only the following KEY restrictions:
    • They can't pay another OWASP leader or a company that an OWASP leader is directly connected to
    • For amounts less than $500 they add its description to the respective OWASP WIKI page 24h before they commit to make the expense
    • For amounts less than $5000 they add its description to the respective OWASP WIKI page 7 days before they commit to make the expense
    • If there are no comments or objections by the 'Proposals Review Team', the funds are automatically approved
    • If a member of the 'Proposals Review Team' objects or asks for more information, the funds are NOT approved (until further clarifications)
  • Each expense item is mapped to an individual OWASP leader, and multiple OWASP Leaders can work together.
  • Payments will be made by Alison on Invoice submission (by PayPal or direct bank transfer)
In 6 months' time, a review of the outcomes will be done to see whether these rules need to be changed

Current Funds Available

  • Total: 0 USD
  • Sponsors: none yet (these could be OWASP Chapters, OWASP Members or 3rd party companies/organizations)

Proposed Use of Funds Available

  • None


For Participants:
  • What is an OWASP Leader? : Everybody on the owasp-leaders list
  • Can these funds be used on other OWASP initiatives (Chapters, Conferences, Summits, etc..) : Nope, this is only for OWASP Projects
  • What happens if the 'Proposals Review Team' objects or asks questions? : The OWASP Leader behind the proposal needs to come back with a better idea or answer :)
  • Is there some kind of 'Gamification theory' behind this idea? : Yes :)

For Members of the 'Proposals Review Team':
  • What should I do if I like a proposal? : Nothing (unless you have time to help that proposal). Note that proposals with no 'doubts' are approved by default
  • What should I do if I have doubts about a proposal? : Write a comment and raise your doubts/questions. Note that proposals with (at least one) 'doubt' comment are NOT approved by default