Friday 16 November 2012

Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships

Just went to Wikipedia and saw this:

which just sounded fair (and much better than looking at Jimmy's eyes :) ), so I clicked on the Please Help button and used PayPal to help with £20:

and since it was so easy to retweet, I did that too :)

I think it is very important for Wikipedia to have a funding model that keeps it ad free and comes directly from its users (which means that the 'Wikipedia Users' are the 'Wikipedia Customers' instead of being the 'Wikipedia Product', which, btw, is what users are for Google, Facebook, Twitter, etc.).

In fact that is why it was such an easy decision for me to 'help' (which is a better word than 'donate'): I value Wikipedia's services (provided by its operational machine) and I want to be Wikipedia's Customer, not its Product.

Now OWASP really needs to figure out a similar model, since the current membership model works OKish but creates massive conflicts of interest.

Ideally OWASP should be funded by its users, not by the companies that provide services to its users.

Of course there are some exceptions (like Mozilla), but if you look at the shopping list of logos that is the membership page, it is a massive security product/vendor collection.

And btw, I think the time has come to remove the OWASP Membership logos from the HomePage; it's getting ridiculous:

Are we really THAT independent and vendor neutral?

Here is an interesting question (since OWASP generates revenue and is profitable): WHO and WHAT are OWASP's product? I.e. what is OWASP really selling?

As an OWASP Leader, am I the product? or the customer?
As an OWASP User, am I the product? or the customer?
As an OWASP Corporate Member, am I the product? or the customer?
As an OWASP AppSec Conference or Chapter speaker, am I the product? or the customer?
As an OWASP AppSec Conference or Chapter attendee, am I the product? or the customer?

This actually takes me to another really interesting question, which is 'What is the drive behind an OWASP Corporate Membership' (the 5k USD one)?

My theory is that in most cases (90%+) these memberships are directly connected to an OWASP leader (I don't think this analysis has been done, but from all the OWASP leaders I know, this feels right). Important questions to answer are:

  • "what is the time-delta between 'somebody' becoming an OWASP leader, and the company he/she is working for, becoming an OWASP Corporate member?"
  • "how many OWASP Corporate members exists that have NO OWASP leader(s) in its payroll?'
  • "how many lapsed (or not renewed) OWASP Corporate Memberships happened from companies whose past (in payroll) OWASP Leader(s) are not 'active at OWASP' any more?"
  • "how many OWASP Corporate members exists from companies that provide NO security services or products"
  • "how many OWASP Corporate members exists from 'development organisations'  (i.e. companies or groups focused on writing secure code)" (for example it doesn't look like Etsy is a member)

What is important about this idea is that IF OWASP memberships are a direct or 'natural' consequence/evolution of an OWASP Leader's existence, that would mean that OWASP's lack of focus on its leaders is not only 'the wrong thing to do' but a very bad business decision.

One of the things I tried most when I was a board member was to get OWASP to take more care of its leaders, and it was always an uphill battle because there is this view that 'hey, the leaders contribute because they want to' (I remember having to argue hard for the concepts of 'OWASP Leaders are given free OWASP Memberships' and 'OWASP Leaders can go for free to any OWASP conference').

It is critical for OWASP's future to look after its leaders much better than it currently does, and if you look at my list in 'I wish that OWASP in 2014 ....' you will see that most items are 'OWASP leaders focused'.

Focusing on OWASP Leaders is a win-win situation, and it is what makes sense from a commercial point of view!

The more OWASP invests and looks after its leaders, the:

  • better projects OWASP will have
  • better presenters OWASP will have
  • more Corporate memberships will exist
  • more value OWASP will be providing to its key target audiences: developers/companies who want to write/buy/use secure code