[GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of Core J2EE Design Patterns

Matt Tesauro mtesauro at gmail.com
Mon Aug 3 10:49:08 EDT 2009


Rohit, 

     You raise an excellent point and particularly in your case, it may
be a cart - horse & communication problem. 

The idea for both of these items was for them to be added to projects
that have completed a stable release and were wanting to take their
project to the proverbial 'next level'.  They are the icing on the cake
of a release.

In the case of your project in particular, you already have a completed
deliverable - your involvement with OWASP was to continue work on
something that was already in a very usable state. (my perceptions here)

There also may be an issue of mis-communication, particularly as to when
these two items are required.  I'm wondering if you thought they were
necessary to start a project?  They definitely are not.  They are used
to evaluate a project's health (and have the ancillary benefit of
helping to spread the word about your project).  Project health !=
requirement for a project release to be evaluated.  Project health is a
new concept and not 100% complete at this moment.
http://www.owasp.org/index.php/Assessing_Project_Health

I apologize if this is unclear and caused you additional work.  Breaking
an OWASP project into two pieces (the project & its releases) is new to
OWASP and we've not been 100% clear on this message.   We need to better
emphasize that, while there are a bunch of 'blanks' to be filled about a
project, not _all_ of them need to be complete.  The slides & flyer
being perfect examples.

Also, thanks very much for your feedback.  It will help us clear up our
message to those starting projects.  Volunteers like yourself that do
the work and provide feedback help make OWASP better for everyone. 

Finally, Jason Li has done a ton of work to make gaps in a project
information tab less problematic from a project management perspective.
We'll take your comments to heart as we roll out this change in process.

-- Matt Tesauro

On Sun, 2009-08-02 at 22:50 -0500, Sethi, Rohit wrote:
> Hi Paulo, this is now completed and links are available from the home
> page:
> http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project
> 
>  
> 
> To Matt & Paulo, I would urge you reconsider how many docs you require
> from a new project. I appreciate you are adding quality standards and
> consistency to OWASP. Just because this is a volunteer effort doesn’t
> mean we (project leaders) should be allowed to skimp on important
> processes. That said, asking for a PowerPoint, a one page word doc &
> PDF for the release, a one page word doc & PDF for the project, a full
> PDF and word doc of the release, and fully completed bios for each of
> the contributors, on top of completing the project itself starts to
> have the feel of red tape. 
> 
>  
> 
> I might be wrong, and perhaps most project leads will have no problem
> completing all of these steps, but if you are finding resistance from
> other project leaders then I think you should re-consider the
> requirements for a new project. The PDF and word doc versions of the
> full project text before it’s in release stage seem especially
> counterintuitive since the projects are wiki-based and are likely to
> change several times before they reach release.
> 
>  
> 
> Cheers,
> 
>  
> 
> Rohit Sethi
> 
> Director, Professional Services
> 
> Security Compass
> 
> http://www.securitycompass.com
> 
> Direct : 888-777-2211 ext. 102
> 
> Mobile: 732.546.4473
> 
> 
>  
> 
> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
> Sent: July-27-09 1:00 PM
> To: Sethi, Rohit; 'Matt Tesauro'
> Cc: 'Jim Manico'; 'Global Projects Committee'
> Subject: RE: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
> 
>  
> 
> Rohit,
> 
>  
> 
> As said in my previous email, we will need a positive response to the
> following pre-assessment question:
> 
> “3. Is the document available as a PDF (Portable Document Format) and
> an editable (.Doc) format on the project site? Please point out the
> link(s).”
> 
>  
> 
> http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project_-_First_Release_-_Assessment#tab=Project_Leader_for_this_Release
> 
>  
> 
> Thanks,
> 
>  
> 
> Paulo Coimbra,
> 
> OWASP Project Manager
> 
> 
>  
> 
> From: Sethi, Rohit [mailto:rohit at securitycompass.com] 
> Sent: segunda-feira, 27 de Julho de 2009 03:52
> To: Matt Tesauro
> Cc: paulo.coimbra at owasp.org; 'Jim Manico'; 'Global Projects Committee'
> Subject: RE: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
> 
>  
> 
> Perfect! Thank you
> 
>  
> 
> Please see PPT attached.
> 
>  
> 
> Paulo I believe that completes all of the necessary tasks for the
> release, prior to review.
> 
>  
> 
> Thanks,
> 
>  
> 
> Rohit Sethi
> 
> Director, Professional Services
> 
> Security Compass
> 
> http://www.securitycompass.com
> 
> Direct : 888-777-2211 ext. 102
> 
> Mobile: 732.546.4473
> 
>  
> 
>  
> 
> -----Original Message-----
> 
> From: Matt Tesauro [mailto:mtesauro at gmail.com]
> 
> Sent: July-26-09 10:38 PM
> 
> To: Sethi, Rohit
> 
> Cc: paulo.coimbra at owasp.org; 'Jim Manico'; 'Global Projects Committee'
> 
> Subject: Re: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
>  
> 
> Sethi, Rohit wrote:
> 
> > Hi Paulo. In response to below:
> >
> > * I've requested that the contributors add their wiki info. I
> > can't really enforce this so I'm taking that off my task list
> >
> > * Not sure what's required of the 3x slide. Do you have an
> > example of one I can work off of?
> 
> For some examples, look at the short slide decks that were used as
> project overviews at the OWASP Summit 2008.  E.g., below is the one for
> OWASP Orizon:
> 
> https://www.owasp.org/images/9/9b/OWASP_EU_Summit_2008_The_Owasp_Orizon_Project.ppt
> 
>  
> 
> The summit page is here:
> 
> http://www.owasp.org/index.php/OWASP_EU_Summit_2008
> 
>  
> 
> I'd use the OWASP Education slide template for the look/feel of the
> slides.  The idea was to provide the education project with slides
> explaining the various projects that OWASP offers.  So an OWASPer
> could combine several projects slides into a review of a category of
> OWASP offerings (like tools/docs for developers).  The template is
> here:
> 
> http://www.owasp.org/index.php/Category:OWASP_Presentations#Welcome_to_the_OWASP_Presentations_Program
> 
>  
> 
> >
> > * Project flyer is attached. I didn't know what template to use
> > so I threw together a simple OWASP template; please feel free to
> > replace with a more professionally designed template. I don't really
> > see any value in doing a separate release flyer here since it will be
> > the same as the project flyer.
> 
> I would suspect that for your project the project one would work for
> the releases.  The only thing to watch for is to make sure that the
> important changes/additions in new releases make it into the flyer in
> future.
> 
>  
> 
> -- Matt Tesauro
> 
> OWASP Live CD Project Lead
> 
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> 
> http://AppSecLive.org - Community and Download site
> 
>  
> 
> >
> > * Link to first release:
> > http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project
> > (same as main project link)
> 
> > 
> 
> > *Rohit Sethi*
> 
> > *Director, Professional Services*
> 
> > *Security Compass*
> 
> > http://www.securitycompass.com <http://www.securitycompass.com/> 
> 
> > Direct : 888-777-2211 ext. 102
> 
> > Mobile: 732.546.4473
> 
> > 
> 
> [snip]
> 
> 


