How OWASP Works

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation. The OWASP Foundation is a 501(c)(3) non-profit organization incorporated in the United States of America. OWASP's all-volunteer participants produce free, professional-quality, open-source documentation, tools, and standards. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.

Management

OWASP projects are managed using a collaborative, consensus-based process. We do not have a hierarchical structure. Rather, different groups of contributors have different rights and responsibilities in the organization. OWASP is a meritocracy where these rights and responsibilities follow from the skills and contributions of participants. This document outlines our general structure. Individual projects define their own rules to add additional structure to their development processes.

Users

The most important participants are the people who use our documentation, tools, and standards. The majority of our participants start out as users and guide their participation from the user's perspective. Users contribute to the OWASP projects by providing feedback to project members in the form of bug reports and feature suggestions. Users participate in the OWASP community by helping other users on mailing lists and user support forums.

Project Members

A user who contributes to a project in the form of code or documentation becomes a project member. Project members take extra steps to participate in a project: they are active on the project mailing list, participate in discussions, and provide comments, enhancements, documentation, suggestions, and criticism. Project members are noted in project credits.

Project and Chapter Leaders

The OWASP Leaders are the group of individuals who take responsibility for the long-term direction of the projects in their area. There is a single Project Leader for each project, who is commissioned directly by the OWASP Foundation Board of Directors. The OWASP Leaders are responsible for making decisions about technical direction, project priorities, schedule, and releases. Collectively, the OWASP Leaders can be thought of as the management of the OWASP Foundation.

OWASP Board

The OWASP Board provides guidance to the OWASP Leaders on market direction, fundraising, strategic direction, and vision.

The board is currently made up of:


 * Jeff Williams (Chair)
 * Dave Wichers (Conference Chair and holder of the OWASP books)
 * Dinis Cruz (Chief Evangelist)
 * Andrew van der Stock (Executive Director)

Moving forward

In coming months we will be adopting a proper constitution that allows member involvement in the technical direction for OWASP.

As part of that, the OWASP board and project leaders of 'release quality' projects will become directly elected (rather than the current appointments / meritocracy model).

The goal is to separate governance from technical direction. This provides continuity for the Foundation, ensures that no one person can directly "overlord" the entire community, and gives the community a direct say, at least annually, in changing things.

The object is to improve the transparency of the OWASP Foundation via:


 * Separation of powers, governance and technical direction
 * Direct election democracy for board and core by members

However, leaders should continue to be a meritocracy based upon efforts contributed to OWASP.

There are effectively two models we can look at.

 * Wikipedia
   * http://wikimediafoundation.org/wiki/Home
   * Wikipedia has an interesting history, where the founder started with a select number of trusted friends / lieutenants. There have been recent changes with more elected people coming on board, so it will be interesting to see how the change in leadership affects the Wikimedia Foundation long term.
   * Foundation, a 501(c)(3) entity with bylaws
   * Board of Trustees, akin to -board; elected
   * Officers, nominated by the board from its own number
   * Members edit materials
   * As Wikipedia only has two functions (system administration and keeping Wikipedia alive) and is not project based, I'm not sure how well this model will work for us.
 * BSD / Apache
   * http://www.netbsd.org/Foundation/
   * http://www.apache.org/foundation/how-it-works.html
   * As Apache adopted the *BSD governance model, they are very similar. Apache is a very similar project to us in many ways, but with far greater scaling – it has > 800 committers, > 50 active projects and > 100 incubated projects. Therefore, I think the Apache / BSD model will work for us with minimal changes.
   * Foundation, a 501(c)(3) entity with bylaws
   * board (exactly like -board), elected
   * core (technical direction, no equivalent today), elected
   * Project Management Committees (akin to -leaders), a meritocracy
   * Apache: appointed office bearers (finance, etc.), nominated by the board
   * NetBSD runs office bearers as committees (finance committee, communications committee, etc.)
