It's not a novel concept: Pay someone to do work. Dinis Cruz thinks it can work in the often-freewheeling open source world, too.
Cruz is the project leader for the recently announced Open Web Application Security Project (OWASP) Autumn of Code, an initiative to sponsor eight individuals to work on existing OWASP Projects. The goal is to "get solid, professional deliverables," Cruz said.
"OWASP has a common problem that most open source projects have -- they are driven by individuals and the time they have available," Cruz said. "The better the person is, the more busy he is, and you're not able to get very clear deliverables."
Cruz said OWASP is taking a page from Google's "Summer of Code" initiative, launched in 2005, which mentors students in open source software development.
By delivering product, Cruz said OWASP will be better positioned to attract corporate sponsors for its projects. In the past, the organization has experienced "aborted cases" of sponsorship because potential sponsors "didn't see clear deliverables," Cruz said.
"We [OWASP] basically haven't fulfilled a lot of our potential," Cruz said. "We haven't gained that level of corporate users because we don't have clear deliverable products. Take the [OWASP] Top 10 [security vulnerabilities]. We should be producing it once a year, but the amount of work it takes to do it is not easy to come by. It depends on a cosmic sequence of events where the right people are available at the right time."
Managing an open source project and bringing it to completion is much more difficult than managing an in-house project, said Jim Johnson, chairman of The Standish Group, a West Yarmouth, Mass.-based research and consulting company focused on IT project management. "It's much harder to manage volunteer people. You have to have skills that normal project managers don't have, because you don't have any hammers." For instance, he said, there is no fear of getting fired if a deliverable isn't met. "You have to get people to do it because it's fun. It requires a more skilled individual to pull that off."
OWASP is looking for candidates to apply by Sept. 18, 2006, and it will publish the selected projects on Sept. 25, 2006. There are no restrictions on who can apply; however, candidates must have the potential to accomplish the project's objectives and the commitment to dedicate the time required to complete it by Dec. 31, 2006.
Candidates may submit a proposal for any of the existing OWASP projects. Those include the following:
- Helping to complete and release V2.0 of WebScarab, a tool for performing security testing on Web applications and Web services
- Writing more lessons for WebGoat, an online training environment for hands-on learning about application security, integrating it with SiteGenerator and releasing it as a product
- Helping to complete and release the Pantera Web Assessment Studio Project, a project focused on combining automated capabilities with complete manual testing
- Completing the OWASP Top 10 2007
- Completing the OWASP Testing Guide
- Working on aspects of the Honeycomb Project, a guide to the building blocks of application security, and helping to release the Honeycomb user's guide
- Completing and releasing all OWASP .NET Web tools
Cruz is writing the selection criteria and will discuss potential candidates with the individual OWASP project leaders. Selected candidates are expected to commence work on Oct. 15, 2006. Of the eight projects to be sponsored, four candidates will be paid $3,500 and four will be paid $5,000. There is an optional $500 for the project leader.
Will the model of paying for services work for open source projects? "It isn't a whole lot of money," Johnson said, "and I don't know if geeks respond to money that well. Some of the stuff they want done, a lot of geeks don't want to do, like documentation and testing."
Cruz maintains this model is a variation of what typically goes on in the open source world. "With several of my open source projects I've been paid by my employees to spend time on it. For most open source projects, somebody is paying for that guy or girl's time. Of course there are some who will say contributions should be free, but I'm taking a pragmatic view. We want deliverables. We want to pay people who can commit. I think the model can work."
By completing OWASP projects, members will be able to use the products to make their companies more secure, and to create more secure software, Cruz said. In addition, he said, "I'm betting on the fact that once companies realize and look at all OWASP is doing, they'll say 'I should join, and if I join I will sponsor a project.' Once you have success stories, that argument is easy to make -- if you want to take a project to the next level, you should sponsor it."
Today OWASP has 17 corporate members, 40 individual paying members, and over 4,000 mailing list subscribers. Its Web site gets roughly 400,000 page views per month (not including SourceForge downloads), and has had 568,000 downloads of tools and documents (approximately 14,000 per month). According to the organization, both WebGoat and WebScarab are nearing 100,000 downloads, and the OWASP Guide and Top Ten are well over 100,000 downloads.