For reference here are the projects sponsored in the past:
OWASP Autumn of Code 2006 - $34,000 USD invested in:
- WebScarab NG
- Live CD
- CAL9000
- SiteGenerator and ORG
- Pantera
- WebGoat
- Testing Guide
- OWASP .NET Tools
- OWASP Website and Branding
OWASP Spring of Code 2007 - $117,500 USD invested in:
- The OWASP Web Security Certification Framework
- SqlMap
- OWASP Site Generator
- Attacks Reference Guide
- The Scholastic Application Security Assessment Project
- Inspekt: Input filtering and validation library for PHP
- Code Review Project
- OWASP Certification Project
- OWASP Education Project
- OWASP AntiSamy Project
- Security throughout the SDLC
- OWASP WebGoat Solutions Guide
- OWASP WeBekci Project
- Python Tainted Mode
- WebScarab NG Security Test Automation
- Refresh Attacks list
- Best Practices & Countermeasures
- OWASP brand
- Web Application Security put into practice
- OWASP JBroFuzz Project
- OWASP Orizon Project
- Enigform: Firefox Addon for OpenPGP signing of HTTP requests
- OWASP LiveCD Education Project
- OWASP Java Project
- OWASP LiveCD Project
- Interim @ Aspect Offices
- Help with SpoC project management
- OWASP Corporate Application Security Rating Guide
OWASP Summer of Code 2008 - $104,000 USD invested in:
100% Completion:
- OWASP Testing Guide v3
- OWASP Ruby on Rails Security Guide v2
- OWASP Live CD 2008 Project
- OWASP Code Review Guide v1.1
- OWASP AntiSamy .NET
- OWASP .NET Project Leader
- OWASP Source Code Review of OWASP Projects
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Backend Security Project
- OWASP Securing WebGoat using ModSecurity
- OWASP Teachable Static Analysis Workbench (Dmitry Kozlov)
- OWASP Access Control Rules Tester
- OWASP Skavenger (Matthias Rohr)
- OWASP Online code signing and integrity verification service for open source community (OpenSign Server)
- OWASP Code Crawler
- OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP Application Security Verification Standard
- OWASP Classic ASP Security Project
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- OWASP SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP Spanish Project
- OWASP Internationalization Guidelines Project
- GTK+ GUI for w3af project
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
Above 50% Completion:
- OWASP Orizon Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- OWASP Education Project
- OWASP Python Static Analysis
Below 50% Completion:
From a pure ROI point of view, we need to ask: "How many of these projects are successful (or even active) today?" and "How much impact did this investment actually have?"
If we look purely at project deliverables, although there were a number of solid deliveries, I think one will struggle to come up with a positive balance (especially since some of the best work on these projects happened after the sponsorship ended).
But if we look at this from the point of view of:
- Bringing new energy to OWASP (namely new OWASP leaders)
- Improving research on web application security
- Improving the connections and relationships between these OWASP leaders
- Empowering these OWASP leaders to get involved in other areas (and projects) at OWASP (note how many of the most active OWASP leaders today were involved)
- Creation of new chapters (directly connected to a sponsored OWASP leader), with some of these chapters eventually also organizing OWASP conferences
I would say that the balance is massively positive!
So the question is: "if we want to achieve similar results today, should we pay OWASP leaders again or do something different?"
My view is that we need a new model, one that is based on the concept that 'OWASP cannot pay for OWASP leaders' and focused on empowering those leaders.
For more on this topic see: