[GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of Core J2EE Design Patterns

Sethi, Rohit rohit at securitycompass.com
Mon Aug 3 12:30:50 EDT 2009


Hi Matt,

Looks like I was a bit confused. I was under the impression OWASP would not help in promoting the project until it was in alpha quality. Admittedly I didn't really understand what the level of quality metrics meant - personally I'd hesitate to use a project that's not in release quality because in my mind that means it's not ready for wide use. I'm not sure if other people feel the same way.

I applaud the effort you guys in the GPC are putting towards cleaning up projects and making them consistent. Having once run a charity, I can appreciate that it's difficult to get volunteers to complete "unsexy" tasks like writing project summaries or creating ppt decks. Still, I think it's a bit confusing to say that not having these ancillary ppt, pdf and doc files all factor into project "quality". If somebody has written a tool that has undergone extensive peer review and is used in production at many organizations but doesn't have a pdf for the OWASP education project, does it really mean the tool is not release quality?

Clearly articulating the impact of different quality levels will help to some extent. Unfortunately, most users are lazy and won't even read the definitions - they'll simply see a project and make implicit judgements based on its quality rating (e.g. this project isn't even alpha quality, do I really want to use it?).

My main point is that you should reconsider how much you ask of volunteer project leaders initially as it may end up being a deterrent to contributions, particularly if those requirements do not materially affect the actual project quality.

Cheers, 

Rohit

----- Original Message -----
From: Matt Tesauro <mtesauro at gmail.com>
To: Sethi, Rohit
Cc: paulo.coimbra at owasp.org <paulo.coimbra at owasp.org>; 'Jim Manico' <jim.manico at owasp.org>; 'Global Projects Committee' <global-projects-committee at lists.owasp.org>
Sent: Mon Aug 03 09:49:08 2009
Subject: RE: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of Core J2EE Design Patterns

Rohit, 

You raise an excellent point and particularly in your case, it may
be a cart - horse & communication problem.

The idea for both of these items was for them to be added to projects
that have completed a stable release and were wanting to take their
project to the proverbial 'next level'.  They are the icing on the cake
of a release.

In the case of your project in particular, you already have a completed
deliverable - your involvement with OWASP was to continue work on
something that was already in a very usable state. (my perceptions here)

There also may be an issue of mis-communication, particularly as to when
these two items are required.  I'm wondering if you thought they were
necessary to start a project?  They definitely are not.  They are used
to evaluate a project's health (and have the ancillary benefit of
helping to spread the word about your project).  Project health !=
requirement for a project release to be evaluated.  Project health is a
new concept and not 100% complete at this moment.
http://www.owasp.org/index.php/Assessing_Project_Health

I apologize if this is unclear and caused you additional work.  Breaking
an OWASP project into two pieces (the project & its releases) is new to
OWASP and we've not been 100% clear on this message.   We need to better
emphasize that, while there are a bunch of 'blanks' to be filled about a
project, not _all_ of them need to be complete.  The slides & flyer
being perfect examples.

Also, thanks very much for your feedback.  It will help us clear up our
message to those starting projects.  Volunteers like yourself that do
the work and provide feedback help make OWASP better for everyone. 

Finally, Jason Li has done a ton of work to make gaps in a project
information tab less problematic from a project management perspective.
We'll take your comments to heart as we roll out this change in process.

-- Matt Tesauro

On Sun, 2009-08-02 at 22:50 -0500, Sethi, Rohit wrote:
> Hi Paulo, this is now completed and links are available from the home
> page:
> http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project
> 
> To Matt & Paulo, I would urge you reconsider how many docs you require
> from a new project. I appreciate you are adding quality standards and
> consistency to OWASP. Just because this is a volunteer effort doesn't
> mean we (project leaders) should be allowed to skimp on important
> processes. That said, asking for a PowerPoint, a one page word doc &
> PDF for the release, a one page word doc & PDF for the project, a full
> PDF and word doc of the release, and fully completed bios for each of
> the contributors, on top of completing the project itself starts to
> have the feel of red tape.
> 
> I might be wrong, and perhaps most project leads will have no problem
> completing all of these steps, but if you are finding resistance from
> other project leaders then I think you should re-consider the
> requirements for a new project. The PDF and word doc versions of the
> full project text before it's in release stage seem especially
> counterintuitive since the projects are wiki-based and are likely to
> change several times before they reach release.
> 
> Cheers,
> 
> Rohit Sethi
> Director, Professional Services
> Security Compass
> http://www.securitycompass.com
> Direct : 888-777-2211 ext. 102
> Mobile: 732.546.4473
> 
> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> Sent: July-27-09 1:00 PM
> To: Sethi, Rohit; 'Matt Tesauro'
> Cc: 'Jim Manico'; 'Global Projects Committee'
> Subject: RE: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
> Rohit,
> 
> As said in my previous email, we will need a positive response to the
> following pre-assessment question:
> 
> "3. Is the document available as a PDF (Portable Document Format) and
> an editable (.Doc) format on the project site? Please point out the
> link(s)."
> 
> http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project_-_First_Release_-_Assessment#tab=Project_Leader_for_this_Release
> 
> Thanks,
> 
> Paulo Coimbra,
> OWASP Project Manager
> 
> From: Sethi, Rohit [mailto:rohit at securitycompass.com]
> Sent: Monday, 27 July 2009 03:52
> To: Matt Tesauro
> Cc: paulo.coimbra at owasp.org; 'Jim Manico'; 'Global Projects Committee'
> Subject: RE: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
> Perfect! Thank you
> 
> Please see PPT attached.
> 
> Paulo I believe that completes all of the necessary tasks for the
> release, prior to review.
> 
> Thanks,
> 
> Rohit Sethi
> Director, Professional Services
> Security Compass
> http://www.securitycompass.com
> Direct : 888-777-2211 ext. 102
> Mobile: 732.546.4473
> 
> -----Original Message-----
> From: Matt Tesauro [mailto:mtesauro at gmail.com]
> Sent: July-26-09 10:38 PM
> To: Sethi, Rohit
> Cc: paulo.coimbra at owasp.org; 'Jim Manico'; 'Global Projects Committee'
> Subject: Re: [GPC] NEW PROJECT HAS BEEN SET UP/Security Analysis of
> Core J2EE Design Patterns
> 
> Sethi, Rohit wrote:
> > Hi Paulo. In response to below:
> > 
> > * I've requested that the contributors add their wiki info. I
> > can't really enforce this so I'm taking that off my task list
> > 
> > * Not sure what's required of the 3x slide. Do you have an
> > example of one I can work off of?
> 
> For some examples, look at the short slide decks that were used as
> project overviews at the OWASP Summit 2008.  e.g. below is the one for
> OWASP Orizon:
> https://www.owasp.org/images/9/9b/OWASP_EU_Summit_2008_The_Owasp_Orizon_Project.ppt
> 
> The summit page is here:
> http://www.owasp.org/index.php/OWASP_EU_Summit_2008
> 
> I'd use the OWASP Education slide template for the look/feel of the
> slides.  The idea was to provide the education project with slides
> explaining the various projects that OWASP offers.  So an OWASPer
> could combine several project slides into a review of a category of
> OWASP offerings (like tools/docs for developers).  The template is
> here:
> http://www.owasp.org/index.php/Category:OWASP_Presentations#Welcome_to_the_OWASP_Presentations_Program
> 
> > * Project flyer is attached. I didn't know what template to use
> > so I threw together a simple OWASP template; please feel free to
> > replace with a more professionally designed template. I don't really
> > see any value in doing a separate release flyer here since it will be
> > the same as the project flyer.
> 
> I would suspect that for your project the project one would work for
> the releases.  The only thing to watch for is to make sure that the
> important changes/additions in new releases make it into the flyer in
> future.
> 
> -- Matt Tesauro
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> 
> > * Link to first release:
> > http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project
> > (same as main project link)
> > 
> > *Rohit Sethi*
> > *Director, Professional Services*
> > *Security Compass*
> > http://www.securitycompass.com <http://www.securitycompass.com/>
> > Direct : 888-777-2211 ext. 102
> > Mobile: 732.546.4473
> 
> [snip]


