Friday 4 December 2015

Proposed new strategy for OWASP projects - They are Research Projects

(variation of an email send to the owasp leaders list)

I think a key problem is the expectation that OWASP should ever be able to develop professional, best in class and 'secure' apps.

These conversations always tend to have a base on the idea that OWASP 'should not have a lot of projects' and 'only focus on a couple high-value/high-quality ones'. This never gains traction because that goes completely the model and culture of OWASP projects.

The reality is that really good a solid projects at OWASP are the exception and the outliers.

What worries me is that we still have this idea that most OWASP projects should have a kind of amazing 'quality and reliability' (and everything else should be ditched/not-supported)

That is just not going to happen (apart from a couple cases like Top 10, ZAP, Testing guide, ASVS,OSAMM, which should be seen as exceptions and outliers).   the reality is that once a project gains a certain level of quality and momentum they kinda become self-sufficient and don't need THAT much from OWASP.

My view is that OWASP projects should be seen as 'research projects' designed to push the research on Application Security a bit further. OWASP should be encouraging this research and promoting it!

We should NOT encourage the idea that OWASP project's code should be used in production! Because frankly, OWASP and its community is not in a position to deliver on that promise. 

What I propose is that OWASP continues to support innovation on its projects (which are one of the key pillars of OWASP) and move away from the idea that OWASP projects should have the 'burden' to be 'production level'. 

In fact, we should encourage successful projects to fly away and move into its own space (website, funding, team). 

OWASP projects also need dedicated staff and resources so that the review and management workflows (of which I have personal experience in helping Paulo,  Samantha and Johanna) have a chance to work.

Just to be clear, what I'm proposing is:
  • Increase support for all OWASP projects
  • Keep pushing them to have more and more quality
  • Understand that ALL owasp projects are really 'RESEARCH' projects 
  • Promote the ideas that: 1) OWASP projects should NOT be used in production, 2) they are RESEARCH driven ideas and 3) that they represent a particular OWASP project leader views or coding skills
  • Support the process of mapping the health of projects and providing metrics on the status of the projects
  • Promote the move of 'flagship' projects into its own home. Of course always with some connection to OWASP, but with a level of independence to make what ever 'security claims' they wants
  • an OWASP Summit focused on OWASP Projects would be the best investment that OWASP can do in 2016
Small clarification, in my mind 'leaving owasp' is more like a 'child leaving home' vs a divorce

For example, I wouldn't expect ZAP to be suddenly completely divorced from Owasp or its community.

There would always be a connection and collaboration between them. I would also expect ZAP to show it's roots and connection to OWASP (especially in integrations with other Owasp projects). Simon would still be an Owasp leader

Ironically if ZAP was much widely used by developers , it would expose Owasp to a much wider audience