Thursday 19 April 2012

ROI on OWASP investment on Projects (ie paying leaders)

I was thinking about the crazy idea of paying OWASP leaders (still supported by a number of OWASP leaders) and I started wondering what was the ROI (Return of Investment) for OWASP and its community when OWASP did pay OWASP leaders (existing and new ones) to work.

For reference here are the projects sponsored in the past:

OWASP Autumn Of Code 2006  - 34,000$ USD invested on :
OWASP Spring Of Code 2007 - 117,500$ USD invested on:

OWASP Summer of Code 2008  $104,000 USD invested on
As you can see there were a LOT of projects that OWASP sponsored

From a pure ROI point of view, we need to ask: "How many of these projects are successful (or even active) today?" and "How much impact did these this investment actually had?"

If we look purely from a project deliverables point of view, although there were a number of solid deliveries I think one will struggle to come up with a positive balance (specially since some of the best things done to these projects happened after this sponsorship).

But if we look at this from the point of view of:

  • Bringing new energy to OWASP (namely OWASP leaders)
  • Improve the research on WebAppSecurity
  • Improving the connections and relationships between these OWASP Leaders
  • Empowering these OWASP Leaders to be involved in other areas (and projects) at OWASP (note how a lot of the most active OWASP leaders today were involved)
  • Creation of new Chapters (directly connected to a sponsored OWASP leader) , with some of these chapters also eventually organizing OWASP Conferences
I would say that the balance is massively positive!

So the question is: "if we want to achieve similar results today, should we pay OWASP leaders again or do something different?"

My view is that we need a new model, one that is based on the concept that 'OWASP cannot pay for OWASP leaders' and focused on empowering those leaders.

For more on this topic see: