Donnie Brown for OWASP BLT

The Origin of the Lettuce Project

Two years ago, I started what became known as the BLT Lettuce Project with a very simple goal: make it easier for newcomers to OWASP to find their way.

I’ve been part of OWASP for over a decade. Every year, like clockwork, we see a wave of students arriving for Google Summer of Code, along with many others who are simply curious and looking for a place to start. They all ask the same question in different ways:

“Where do I begin?”

OWASP is an incredible ecosystem of projects, but to someone new, it can feel overwhelming. Repositories, documentation, Slack channels, mailing lists, project pages—it’s a lot to navigate without a guide.

In a conversation with Jason, we realized something important: the best place to meet people at that moment was right where they already were—Slack.

So we built a simple idea.

A welcome message.
A guided path.
A way to gently point people toward the right resources, projects, and information without requiring them to understand the entire OWASP structure first.

That idea became Lettuce.

From Idea to First Commit

The concept quickly moved from conversation to code.
The first commit landed on February 29, 2024, marking the start of the initial prototype.

On March 13, 2024, Jason sent me a refined summary of the project via Slack—helping crystallize the vision and direction that Lettuce would take from that point forward.

I built the initial prototype, and with the help of some GSoC students, we refined it and launched. It wasn’t complex. It didn’t need to be.

Lettuce did one thing very well:
it helped people get oriented.

Quiet Launch, Real Impact

The first public introduction of Lettuce happened organically.
It was posted to Slack on June 19, 2024, at 8:03 PM—no announcement campaign, no marketing push.

Since then, it has quietly helped nearly 6,000 newcomers get their first introduction to OWASP in a way that felt approachable rather than overwhelming.

No fanfare.
No marketing.
Just utility.

The Growing Pains

During our GSoC journey, we ran into practical issues. Hosting reliability. Servers going down. Maintenance challenges—the kind of problems every early project encounters.

To keep the experience stable for users, we temporarily moved the Slack functionality into the main BLT project, where it has been running reliably for some time.

The original vision, however, was always for Lettuce to stand on its own.

A Parallel Problem: Project Freshness

As I became more involved on the OWASP Project Committee, another recurring issue became impossible to ignore: stale projects.

Projects that were abandoned.
Projects that hadn’t been updated in years.
Projects that newcomers would discover—only to find no clear signal of whether they were active or safe to contribute to.

I decided to try my hand at addressing it by building a project freshness prototype, inspired in part by Simon Bennetts’ work on an OWASP projects dashboard.

The result was a very lightweight, project-list-based approach—not meant to judge projects, but to provide signals and visibility so contributors could make informed decisions.

That work directly influenced how I thought about onboarding, discovery, and guidance—and it fed back into the evolving vision for Lettuce.

Returning to the Original Vision

We are now in the process of separating Lettuce back out into a dedicated, standalone project.

We’re also restoring the original name—because it still fits perfectly:

Lettuce → “Let us get started.”

But more importantly, we’re returning to Jason’s original vision:

Not just a welcome message, but a structured, hierarchical guide through OWASP’s project ecosystem.

A way for newcomers and GSoC contributors to:

  • Discover projects that match their interests
  • Understand where and how to contribute
  • Navigate repositories without confusion
  • Feel confident instead of lost

Beyond OWASP

What we learned from Lettuce is that this problem is not unique to OWASP.

Any organization with many repositories, many projects, and a steady influx of new contributors faces the same challenge:

Onboarding at scale.

That’s where Lettuce is headed next.

A reusable approach that other GSoC organizations and large open-source communities can adopt—guiding newcomers through Slack or similar platforms, while surfacing healthy, active projects and clear paths to contribution.

Why This Matters

Lettuce was never about building something flashy.

It was about solving a very real, very human problem we observed year after year:

People want to contribute. They just don’t know where to start.

And sometimes, the simplest ideas—meeting people where they are and giving them a clear first step—end up helping thousands.

That’s the story of Lettuce.
