Is it time for ZAP to leave OWASP?


psiinon
Dec 2, 2015, 4:28:03 AM
to OWASP ZAP Developer Group
There have been a lot of discussions on the OWASP Leaders list about the nature of OWASP projects, including whether they should aim to "leave the OWASP nest" once they get to a certain stage.

I have a lot of sympathy for this perspective, and have indeed been wondering if now is the right time for ZAP to "go it alone".

In practical terms this should make very little difference - we would stay completely free and open source, and OWASP does not provide any day-to-day funding for ZAP (I think ZAP was awarded at least one grant that we might not have even claimed).

I believe that OWASP has been very beneficial to ZAP, but I'm not sure that OWASP is really set up to support projects that have grown to ZAP's size.

For info: ZAP is not and has never been 'owned' by OWASP. It belongs to the people who have contributed to it, ie many of the people on this list :)

So, the questions I'd be very interested in feedback on:
  • Do you think ZAP should leave OWASP?
  • Do you have any concerns if ZAP was to leave OWASP?
  • Should ZAP become completely independent or seek to become part of another suitable organisation, if so which?

Feel free to reply to me in person if for any reason you don't want to reply to the list.

Many thanks,

Simon

--
OWASP ZAP Project leader

Mário Areias
Dec 2, 2015, 5:35:35 AM
to zaproxy...@googlegroups.com
Hi Simon,

My two cents: A partnership always has some costs involved, usually time, bureaucracy or money. If there is no real benefit for both ZAP and OWASP to keep a partnership, then it is time to move away.

One advantage I see in moving away is having our own domain and own website (maybe zap.io?) and own branding apart from OWASP.

Regarding becoming a member of another organisation, the first that comes to my mind is Mozilla. Their mission is also related to security, so it seems a good fit:

Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Again, it should have a real benefit for both ZAP and Mozilla and I am not really sure how we could help each other, but it might be worth investigating.


Cheers,


Mário



Psa
Dec 2, 2015, 6:31:35 AM
to OWASP ZAP Developer Group

Hey,

I think OWASP gives the project a lot of visibility - and vice versa!

Without OWASP, ZAP is just another tool that has to fight for coverage by google or in blogs in order to be referenced. Yes, you are known, but how long will this last when not being on the front-page anymore? As flagship project of OWASP on the other hand...

Then, OWASP needs projects like ZAP. Yes, there is (too much?) bureaucracy, and personal issues between members, but still it's an organisation with a noble cause, run by mostly volunteers, trying to make the internet a better place. If you do not support this cause, move away, but if you still are behind this idealism, stay.

Staying at OWASP does not prevent you from anything (as far as I know). A dedicated, more professional web page, (commercial) support, an interactive community web site etc. Why not? Personally, I would totally go for this... (and OWASP would also benefit).

I don't see a reason to leave OWASP other than "I do not agree with OWASP and I don't want to be part of this".

So, please choose wisely :)
/psa

Psa
Dec 2, 2015, 6:32:56 AM
to OWASP ZAP Developer Group

PS. If you miss something, why not first ask for it?

johanna curiel
Dec 2, 2015, 7:24:12 AM
to OWASP ZAP Developer Group
I think when people from outside see a project like ZAP, they tend to think the project has reached that level of success because of OWASP
The truth is very far from that

While OWASP offers very limited support to projects, it is quite ridiculous
A wiki page? That's for free
A GitHub? C'mon, that's also free

You can indeed request some funding help up to max USD 500...well I think Simon has hardly made use of this ;-P
Traveling up to USD 1000? That is if it gets approved, and again the amount is very limited if you need to go to a conference overseas

So while there is help this help is the same for Chapters too. A chapter leader can ask the same funding for this and is also limited.

I think the real value from a community like OWASP is the people joining

However, I believe that most volunteers ZAP has are not because of OWASP, but it is a good way to advertise and get new volunteers

BTW if ZAP is independent, then they can run and request their own Google Summer of Code and focus on getting sponsors for the project

Another consideration is, if ZAP can join under Mozilla's umbrella

Something to think about...But that partnership ZAP-OWASP has many imbalances

Psa
Dec 2, 2015, 7:39:48 AM
to OWASP ZAP Developer Group

Are imbalances a bad thing (as long as nobody has disadvantages)?

psiinon
Dec 2, 2015, 7:42:40 AM
to OWASP ZAP Developer Group
Not necessarily :)

I'd like to stress that absolutely no decisions have been made yet, and I definitely don't want to rush into anything.

I'm really keen to hear what everyone thinks about the options we have.

ZAP is first and foremost a community project (as opposed to an OWASP one;) so your views are extremely important.

Cheers,

Simon

Colm O'Flaherty
Dec 2, 2015, 7:49:16 AM
to zaproxy...@googlegroups.com

All the code that I contributed was on the basis of it being contributed to OWASP. I don't much like the idea of handing that over for free to some other organisation, without there being clear benefits, and without understanding what will happen to that code.

I also don't currently see the benefit of jumping ship, to be honest. Maybe that will change as specific organisations or structures emerge.

Being seen to be associated with OWASP has marketing benefits for the project. Without that brand, you need to start with a completely new brand, or fall under some other brand. From a purely marketing perspective, that's not an easy thing to do.

Colm


psiinon
Dec 2, 2015, 8:02:47 AM
to OWASP ZAP Developer Group, colm.p.o...@gmail.com
Which is exactly why we are having this discussion.

And it's perfectly reasonable to ask what benefits would result from any move.

Please note that OWASP has never 'owned' ZAP in any way - ZAP belongs to all of its contributors, which definitely includes you Colm as someone who has made lots of very valuable contributions.
The licensing statements we include with ZAP code mostly state something like "Copyright 2015 The ZAP Development Team" - I don't see that changing whatever direction we go in.
If we did align ourselves with another organisation (and that has definitely not been decided) then we would not be 'handing over the code for free' to that organisation.
I certainly don't think that I, or anyone else, can re-assign code donated to the ZAP project to another organisation without the express permission of everyone who has contributed. And I don't intend to do that.

By the way, all ZAP code uses the Apache v2.0 license, so we have in reality 'handed over the code for free' to anyone who abides by that license ;)

Cheers,

Simon

Ailton Caetano
Dec 2, 2015, 8:16:40 AM
to zaproxy-develop
I agree with Johanna about the project's maintenance. I personally contribute (ok, it is a very little one) to the project because I like the tool, not because of OWASP's name behind it. I admit that I came to know about the project because of the flagship. Being related to them really helped the tool to gain traction with the community.

But now ZAP has its own fans. ZAP has a name of its own. I think that the tool would gain even more contributors if we could get some more support. If OWASP is unable to help us with that, then we should really thank them for the time we spent together and bid them farewell. As we see in nature, the egg gives essential protection to the new being, but it also hinders its growth, and at some point it will need to break free from the shell to be able to reach its full potential. The egg or womb means protection, but it also means you cannot go past that point.

About the matter of whether we should move into another sponsorship or not, I think that ZAP would benefit much from attending conferences/devcamps/summers and winters of code and the like, and for that we need some funding. Besides Mozilla, we could take a look at

[-] Linux Foundation 
   - their Core Infrastructure Initiative saved the GnuPG developer from bankruptcy and the tool from being abandoned - maybe they have some other initiative that fits in with ZAP's objective

[-] Free Software Foundation
   - I would say that Stallman's crew might sympathize with us, but our Apache license might be a problem for them. I don't know if they require projects to be GPL/LGPL or something like that, but it might be worth a shot.


Does anyone know about other foundations that I have forgotten?


Therefore, my opinion is that the tool needs some more help (be it funding or something else) to be able to reach its next stage. There are some institutions that foster open source projects out there, we just need to know which one suits us best.


Kind Regards,

Ailton Caetano


Adrien de Beaupre
Dec 2, 2015, 8:20:51 AM
to zaproxy...@googlegroups.com
Howdy all,

I think that a clear list of pros and cons might be in order.
Are there any negatives to being an OWASP project?
How about positives?
What alternatives are there?

Cheers,
Adrien



Colm O'Flaherty
Dec 2, 2015, 8:46:46 AM
to psiinon, OWASP ZAP Developer Group
I broadly agree. That's about as good as it gets :)

My main point is that there is "value" for an organisation in being seen to be the "manager" or "owner" of a project such as ZAP (note the quotes, since they wouldn't necessarily be either, in fact). That's worth something, and I think we need to be protective of it, and to use it for the benefit of the project. I'd be wary of any agreement to change structure without knowing the specifics of what the proposed structure is, and the benefits and pitfalls. "What can the new organisation / structure do for us" would be my main query.

The other question in my mind (and it is just an idle thought at this point) is that of: what organisation / structure best aligns with what we've been trying to achieve. Historically, OWASP has been an extremely good match in that respect. I'm curious to see what suggestions people have.

I guess for me, how I feel about it depends on the specifics of the proposed organisation / structure. I'm actually fairly neutral about OWASP in general: I'm not a member at the moment, and I do appreciate that being associated with OWASP brings both benefits, but also bureaucracy (for the project). I don't see any real deal-breakers with the current arrangement though. Maybe others do, however.

I should also point out that I'm also not actively contributing to ZAP, since the move to GitHub, so this question currently affects me less than some of the others.


psiinon
Dec 2, 2015, 9:42:12 AM
to OWASP ZAP Developer Group, psi...@gmail.com, colm.p.o...@gmail.com
For info I've also started a discussion on the OWASP leaders list: http://lists.owasp.org/pipermail/owasp-leaders/2015-December/015733.html

It's just possible that this discussion might result in changes to OWASP that make it much more beneficial for ZAP (and projects like it) to stay with OWASP.

Please keep the feedback and thoughts coming!

Many thanks,

Simon

An Pedus
Dec 2, 2015, 9:59:40 AM
to OWASP ZAP Developer Group
Hi all,

I already see different ideas around the question asked by Simon.
From my side I need to add that the fact that ZAP is residing under the OWASP tree helps me a lot!
It helps because customers to whom I'm showing my reports also like the OWASP standard.

We are currently rolling ZAP out within all our development teams to use, and again the name OWASP helped me to convince management to use an open source tool for security testing and not a paid one...
It wasn't the only reason but it really pushed them over to the good side :-)

So I would stay in the OWASP "barn" if this doesn't bring you any negative things.

Regards,
An

On Wednesday, 2 December 2015 10:28:03 UTC+1, psiinon wrote:

johanna curiel
Dec 2, 2015, 11:10:11 AM
to OWASP ZAP Developer Group, psi...@gmail.com, colm.p.o...@gmail.com
I think the major problem at the moment is that there are many 'fake' projects at OWASP, projects with absolutely no content and nothing new to bring to the table
many people are abusing the OWASP name just for the sake of their marketing and CV promo
This is damaging ZAP indirectly, that's why I worked to help clean up this issue

But as more people want to keep starting to obtain flagship status with poor projects, and no infrastructure to actually evaluate them properly
Some of these projects will damage OWASP's image. Why do you think we did not obtain Google Summer of Code this year?
Google went and decided to sponsor really small projects like PEEPPDF for example.
Nmap was born from a GSOC project and has been sponsored since then.

Dave rushed us to do an evaluation of his project just to obtain LAB status so he could go do marketing at the APPSEC and that's when Contrast started his venom campaign

Reality is there will be no changes for projects as they need more funding and more staff to help support projects properly
The actual staff has no clue about programming, software development or even security.

If you can live with that reality then you can be aware of what to expect in the future
Right now the entire staff & contractors consume 30% of the whole budget
APPSEC conferences and events 50% of the entire budget! Hey, that's 80% already

And projects? Somewhere less than 10% from the orange section in 'Expenses'
https://www.owasp.org/images/7/7e/2014_OWASP_Annual_Report_Final.pdf

Some board members just care about their conferences and don't want to do absolutely anything to really build a better platform for projects
Some are doing nothing to improve projects even though I complained so many times about this.

Many incubator projects die after a year. Just as John Lita could not get traction and he expected more support from OWASP, their support is just not there

Like I said, some petty cash, the rest of the work is up to the leader

Simon: I think you need to focus on what is best for ZAP but keep participating through OWASP at their conferences and chapters
So you benefit from where OWASP spends its 80% of the budget

As you know , there is no platform just a name ;-)

David A. Wheeler
Dec 3, 2015, 11:35:04 PM
to zaproxy-develop
I will say that it is somewhat easier to convince organizations to *fund* developers to work on ZAP if it's associated with something larger like OWASP. I'm speaking from experience.

--- David A. Wheeler

psiinon
Dec 4, 2015, 5:33:55 AM
to OWASP ZAP Developer Group, dwhe...@dwheeler.com
Thanks everyone for all the great feedback - keep it coming :)