Difference between revisions of "Governance/ProjectProgramModels"

From OWASP
Jump to: navigation, search
(Additional Comments)
Line 111: Line 111:
 
= Additional Comments =
 
= Additional Comments =
 
Use this space to provide additional comments on any of the existing text. For example, perhaps you disagree with something that is above. Please note your thoughts in this section.
 
Use this space to provide additional comments on any of the existing text. For example, perhaps you disagree with something that is above. Please note your thoughts in this section.
#
+
 
 +
# James McGovern - I can't quite tell if this model will provide service equally to builders vs breakers vs defenders. Has OWASP looked at models that are role-aligned? For example stuff that CISOs care about vs developers vs project managers, etc

Revision as of 14:19, 6 May 2014

Purpose

OWASP needs help from our community to define an OWASP Projects Program model that will meet the needs of our leaders. To do so we are engaging the community to discuss and flush out different options. We would like to have a vote on this to ensure that the community has a say in how the foundation moves forward.

The Options

Please feel free to add additional bullets to any of the cells. Please do not remove existing items.

Option 1 - Flagships get majority of resources to increase quality. 2 - Develop two separate programs: Quality focused and Innovation focused 3 - Community project review centric model
Summary Description

Drop the Lab designation, and only have Incubator and Flagship projects. Flagship project status would be determined by community vote, and our resources would go towards developing Flagship projects, based on community input. Incubators would get less attention and support.

  • Keeps both Flagships and Incubators under the same program (as official "OWASP Projects").
  • Would remove resources from Incubators and funnel the majority of resources into the Flagship Projects.

Separate focus of OWASP projects into two separate programs. One will focus on increasing the quality of a handful of projects selected by the community, and the other program will focus on developing a platform for new leaders that facilitates innovation, research, and testing.

  • Takes two community requests (increase quality, platform for innovation), and separate each request into to programs.
  • Allows the foundation to have clearly defined goals for each program.

This is the approach we are currently using. This approach requires that the community conduct project reviews to graduate projects, and it requires a twice yearly project audit to demote projects that are currently inactive.

  • Current approach
  • Requires a large task force of community reviewers to make sure our project graduation process is functioning efficiently.
How are Flagships Selected? Community Vote Community Vote Community Project Health and Quality Reviews
New Project Designations
  • Official OWASP Project: Projects that OWASP actively maintains and promotes. In reality, these are what flagship projects should be under the current system. The majority of our resources and time should be used to improve the quality and sustain these projects.
  • OWASP Supported Projects: These would be similar to what the incubators are under our current system. Encourages innovation and it allows starting members to become engaged and involved. These can be managed in the same way we manage incubators now.
  • OWASP Sunset Projects: Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
  • OWASP Flagship Project: Projects that OWASP actively maintains and promotes. The majority of our resources and time would be used to improve the quality and sustain these projects.
  • OWASP Incubator Projects: These would be all of the rest of our projects. These can be managed in the same way we manage incubators and lab projects now.
  • OWASP Sunset Projects: This is the same as Proposal 1. Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
  • OWASP Flagship Project: Projects that OWASP actively maintains (but does not manage) and promotes.
  • OWASP Lab Projects: Projects with beta or stable release that wish to graduate to Lab.
  • OWASP Incubator Projects: All new projects, managed the same way we manage incubators projects now.
  • OWASP Sunset Projects: Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
Project Quality

Consolidate Foundation resources to help improve quality of Flagship projects only. This will give the majority of our resources to a handful of projects.

  • Flagship Project Program: As mentioned above, these projects would be the ones OWASP actively maintains and seeks to increase the quality of. We can re-name this program (if necessary). Recommended that we limit the number of projects in this program for any given year (i.e. no more than 6 projects). Additionally, Flagship projects would be voted on by the community (which projects should be flagship).
  • Primary Goal of the Program: To increase the quality of a select few number of OWASP projects selected by our community stakeholders and consumers.
  • OWASP Projects Program: This would be similar to what we have now which is a platform for research and innovation. All projects under this platform would have the same designation unless they are sunset or inactive projects. They would get the same benefits they do now and the same opportunities.
  • Primary Goal of the Program: To maintain a research and innovation platform for our community to test ideas and theories.

The foundation has no direct influence over the quality of the project. The quality of the project is dependent on the project leader’s individual time, resources, and output.

Project Reviews

The Foundation facilitates a technical review of the community selected "Official" projects once a year, and the Incubator projects only get reviewed if they ask for one. The reviews are conducted by the community for supported projects.

  • For the OWASP Projects Program, we would only conduct reviews for those projects that ask for them. The reviews will be primarily to give feedback to the leader about their research/ideas and on their project health.
  • For the Flagship Program, reviews would be mandatory, and I recommend the new technical person conduct them. I further recommend they be done every quarter for each project. It is far more manageable since we would only have 6 or so projects in this program.

Project reviews are only done for those projects that want reviews, or that would like to graduate to the next level.

Resources and Funding

The majority of our resources and funding will go towards the development of higher quality Official OWASP projects. Supported projects will still have access to resources, but they will be minimal.

Each program would need to have their own budget. The Flagship program would only spend their funds on items that increase project quality. It would be required that flagship submit a detailed project plan and budget. The Projects Program would have a budget that would fund items like project dev work, the project summit, OSS, marketing/design costs, etc.

All projects get access to funding; however, Flagships get priority for funding for project development work. Funding items like project dev work, the project summit, OSS, marketing/design costs, etc are still available to all projects.

Positives of this approach
  1. Simplifies the process from an operational perspective as we would be primarily focusing on increasing the quality of a very small community selected group of projects.
  2. Increases community involvement.
  3. Incentivizes Leaders to make their projects user friendly, high quality, and highly volunteer engaged.
  1. Separates two different focus areas into two separate programs.
  2. Increases community involvement.
  3. Incentivizes Leaders to make their projects user friendly, high quality, and highly volunteer engaged.
  1. No adaptation needed in the operational and financial plan for 2014
Negatives of this approach
  1. Community vote might turn into a popularity contest.
  2. OWASP Official projects will take the majority of resources from all other projects.
  3. We will still have two separate focus areas under one program.
  4. Project development work will still be dependent on volunteer resources.
  1. Will require an additional foundation hire to manage Flagship Project Program.
  2. Project development work will still be dependent on volunteer resources.
  1. The model requires too many resources to manage efficiently.
  2. Foundation has no direct influence over project quality. Foundation can only suggest improvements.
Any other considerations
  1. ...
  1. ...

Additional Comments

Use this space to provide additional comments on any of the existing text. For example, perhaps you disagree with something that is above. Please note your thoughts in this section.

  1. James McGovern - I can't quite tell if this model will provide service equally to builders vs breakers vs defenders. Has OWASP looked at models that are role-aligned? For example stuff that CISOs care about vs developers vs project managers, etc