Discussions

News: Open source group to pay people to work on app security projects

  1. The Open Web Application Security Project (OWASP) has a problem. People who said they would work on projects haven't been delivering the work. And that has resulted in the loss of corporate sponsorship for several of those projects, according to OWASP's Dinis Cruz. "OWASP has a common problem that most open source projects have – they are driven by individuals and the time they have available," Cruz said. "The better the person is, the more busy he is, and you're not able to get very clear deliverables." In hopes of remedying that, OWASP will pay people to work on their projects, including helping to complete and release V2.0 of WebScarab, a tool for performing security testing on Web applications and Web services; completing the OWASP Top 10 2007; and completing the OWASP Testing Guide. Of the eight projects to be sponsored, four candidates will be paid $3,500 and four will be paid $5,000. There is an optional $500 for the project leader. Will this tactic work? It's uncertain. They aren't offering a whole lot of money, and it's questionable if developers, programmers and researchers will respond to money that well. In addition, some of the things OWASP wants done, a lot of people don't want to do, such as documentation and testing.
  2. Some time ago, another company named OpenLogic tried the same approach. Does anyone have any news from them? If OpenLogic's strategy worked, then this OWASP tactic will work.
  3. Don't want to test?

    > In addition, some of the things OWASP wants done, a lot of people don't want to do, such as documentation and testing.

    Don't want to test? Really? Hmm... How do you know your code works if you don't have tests? I wouldn't want these developers on my team!
  4. Re: Don't want to test?

    +1 :)
  5. Re: Don't want to test?

    > Don't want to test? Really? Hmm... How do you know your code works if you don't have tests? I wouldn't want these developers on my team!

    You ship whatever you have and tell customers to fix bugs themselves as they have the source, doh.
  6. Re: Don't want to test?

    > Don't want to test? Really? Hmm... How do you know your code works if you don't have tests? I wouldn't want these developers on my team!
    > You ship whatever you have and tell customers to fix bugs themselves as they have the source, doh.

    Yup, seen that time and again with open source projects. Found a bug once in an OS project, and reported it on their support forum. Was told to either fix it myself (it was in a language I've no experience with, we were using the binaries) or to first donate a hefty sum and they might look at it for me.
  7. Re: Don't want to test?

    > In addition, some of the things OWASP wants done, a lot of
    > people don't want to do, such as documentation and testing.

    > Don't want to test? Really? Hmm... How do you know your code works if you don't have tests? I wouldn't want these developers on my team!

    Like it or not, many people in OSS do it as a hobby. Creating new "features" is far more fun than is testing, documenting, and bugfixing, which they do all their days at work.
  8. People don't want to work for free? Imagine that.
  9. Coding time should be compensated with "download royalties". Otherwise the owners of the open source setup will turn around and sell your hard work and retire rich (case in point, JBoss :)
  10. I've blogged about this here. Paying a developer to work on an open source project isn't novel, but paying for short-term work is new/different. I believe that the short-term focus will likely cause problems in the project community. Pay me to work on something vs. on something that I really care about are two very different things.