Tuesday 10 April 2012

Why large OWASP projects start to go stale (and who should pay for the work)

A critical stage in the evolution of a significant number of OWASP (and other FOSS) projects is the moment when the project grows so large that any key change requires a substantial amount of work.

Another problem is that most successful projects are the work of only a small number of key contributors (usually the project leaders) who, after a significant personal time commitment, move on to other projects, initiatives or ideas.

Most of our guides have that problem, and so do WebGoat, WebScarab, ESAPI, O2, etc.

In fact, for a while a lot of effort went into 'normalizing' the cross-references between the multiple guides, which is A MASSIVE piece of work (this can probably only be done by putting 5 to 10 key players in the same location for a week, with a good amount of preparation work beforehand).

It is simply a reality that when open-source projects grow, they need commercial support that pays contributors to work on them.

And here is the catch: OWASP can't be the one that pays for it (it can pay for operational support, project management, mini-summits, infrastructure, etc., but not the salaries of the contributors).

It should be the companies (or groups) that benefit from a project that come up with the money and hire its key contributors.

In fact, that already happens a lot at OWASP today: a huge amount of OWASP contribution is already funded by commercial companies that get value from those projects.

In a way, we just need to formalize and operationalize this model.