[GPC] OWASP Ajax Security project

Jason Li jason.li at owasp.org
Fri May 29 17:55:30 EDT 2009


I just wanted to clarify a little bit of the history of SoC. This is
paraphrasing Dinis' oral history so he can correct me where I've gone
wrong.

The SoC idea was intended as a way to get OWASP more recognition and
also to attract new members to the OWASP community. Monetary grants
were never intended to "pay for" or cover the cost of the actual work
being done. Those grants were meant to serve as a "reward" of sorts for
participants (as you know, the grant amounts in the past certainly
have not equated to the hours put in). The hope was that OWASP would
grow to the point that participating in SoC, and the positive
recognition associated with leading an OWASP SoC project would be
reward enough. Obviously this might be a little idealistic, and there
have been discussions about how to properly "reward" SoC participants.
Among the current proposals are a guaranteed speaking slot at one
of the major OWASP conferences (either US or European conferences) and
prominent display in the to-be-redesigned OWASP Project website.

But SoC was never meant to pay OWASP community members for development
work and a majority of the OWASP Board feels that the longer we
continue to do so, the more we encourage that perception. The Board,
and Dinis in particular, is extremely adamant that OWASP should not be
on a path where OWASP project leaders expect to get paid for their
contributions. It runs contrary to the open and volunteer philosophy
of OWASP.

The 20k is still legitimate, but it needs to be clarified along with
the rest of the page regarding this new direction for SoC funds. The
20k remark is trying to indicate the limits on a proposal. As a
completely off the wall example, say the OWASP NeverNeverLand and
Wonderland chapters got together and said, "We're located very far
from the US, where OWASP servers are hosted, and it's prohibitively
slow for us to get access to OWASP materials. It would take us $12k to
arrange an adequate mirroring solution to improve access to the OWASP
website in our part of the world. We know that's a lot of money but
together between our combined regions, there are hundreds of millions
of developers that could use OWASP materials. Because of this, we feel
like it's a good use of OWASP funds." Obviously this is a silly
example, but that is the type of proposal that we want to allow by
indicating large proposals will get more leeway in terms of budget.

-Jason

On Fri, May 29, 2009 at 4:30 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> Jason that really needs to be clarified on the SoC page. The "20k" mention is still there, even!!
>
> I also think, respectfully to the larger audience, that's a HUGE mistake.
>
> The funds were never enough to cover the work. A couple grand is a nice "award" type amount and a positive way to start off a relationship.
>
> Mike B.
>
>
> -----Original Message-----
> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
> Sent: Friday, May 29, 2009 4:25 PM
> To: Boberski, Michael [USA]
> Cc: paulo.coimbra at owasp.org; global-projects-committee at lists.owasp.org
> Subject: Re: [GPC] OWASP Ajax Security project
>
> Michael,
>
> I meant to follow up on this earlier - sorry about that.
>
> The direction the Board has decided to go with SoC funds is that they shouldn't be used to pay for technical work by our community members.
> The hope is to get away from using money as the incentive for our community members to become more active and involved. Rather, they would like the funds to be used for things that the OWASP community could not otherwise produce - for example, physical books for promotion, graphic design costs for documentation, design work for templates, etc.
>
> The SoC money would be allocated to the budgets for accepted projects and the budgets would be presumed for "operating costs" so to speak as opposed to "development costs".
>
> It's a huge change in direction to be sure.
>
> -Jason
>
> On Fri, May 22, 2009 at 4:18 PM, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
>> If no one is going to get paid anything for SoC, you should say that on the website.
>>
>> That 20k mention is still hanging around, too.
>>
>> What are you going to do with all the SoC money?
>>
>> Sorry if I missed something, the turn this thread went caught my eye.
>>
>> Mike B.
>>
>>
>> -----Original Message-----
>> From: global-projects-committee-bounces at lists.owasp.org
>> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
>> Of Paulo Coimbra
>> Sent: Friday, May 22, 2009 4:12 PM
>> To: 'Jason Li'
>> Cc: global-projects-committee at lists.owasp.org
>> Subject: Re: [GPC] OWASP Ajax Security project
>>
>> I meant other costs/investments than the costs of leadership and/or software development/research work. If we say "Joint proposals (up to 20k) are highly encouraged" and SoC 09 budget is =< 90K it does mean that we are counting on allocating funds and that the universe of approved proposals is limited. Is that right?
>>
>> Are we also considering the approval of projects without budget? If yes, does it make sense? Would the expectancy of having the non-funded projects committed with the program's duties be realistic?
>>
>>
>> Paulo Coimbra,
>> OWASP Project Manager
>>
>>> >-----Original Message-----
>>> >From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf
>>> >Of Jason Li
>>> >Sent: Friday, 22 May 2009 19:07
>>> >To: paulo.coimbra at owasp.org
>>> >Cc: global-projects-committee at lists.owasp.org
>>> >Subject: Re: [GPC] OWASP Ajax Security project
>>> >
>>> >Based on the recent Board decision regarding the use of OWASP money
>>> >for SoC this time around, SoC money will be used solely for expenses
>>> >and not to "pay" project contributors. It seems to me that under
>>> >that philosophy, we will be able to accept many proposals without
>>> >needing to award any monetary grant. In effect, we're just using SoC
>>> >as a vehicle to solicit proposals and establish a framework to
>>> >choose the best proposals.
>>> >
>>> >In fact, I see the "new" SoC mentality to essentially be a large
>>> >series of Requests for Proposals (RFPs).
>>> >
>>> >So I don't think there is a danger that someone submits a proposal
>>> >to take over a project and we are unable to "award" them project
>>> >leadership. But in routing the proposals through SoC, we get to see
>>> >their proposed vision for the project (especially if we end up in a
>>> >situation with more than one volunteer) rather than just simply
>>> >handing off the project to someone who's spoken up first.
>>> >
>>> >-Jason
>>> >
>>> >
>>> >On Fri, May 22, 2009 at 2:01 PM, Paulo Coimbra
>>> ><paulo.coimbra at owasp.org> wrote:
>>> >> My answers are below inline.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Paulo
>>> >>
>>> >> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
>>> >> Sent: Friday, 22 May 2009 18:26
>>> >> To: paulo.coimbra at owasp.org
>>> >> Cc: global-projects-committee at lists.owasp.org
>>> >> Subject: Re: [GPC] OWASP Ajax Security project
>>> >>
>>> >> I admit I haven't been tracking very carefully, but have we gotten any
>>> >> conflicting volunteers for projects?
>>> >>
>>> >> [pc] I have been trying and keeping this spreadsheet
>>> >> https://spreadsheets.google.com/a/owasp.org/ccc?key=rHFvhU15v3S3myFqSWQVXyg&hl=en
>>> >> permanently updated. Of course, something can have failed me but otherwise
>>> >> we just have Anurag's proposal to assume the Ajax leadership.
>>> >>
>>> >> In other words, is there a project out there that appears abandoned that
>>> >> more than one person has volunteered to take over?
>>> >>
>>> >> [pc] As above, I think not - at least until now.
>>> >>
>>> >> Either way, I think our best course of action is to have anyone interested
>>> >> in taking over a project submit a proposal to SoC to become the new project
>>> >> leader. That allows us to objectively determine whether they should be
>>> >> handed the project.
>>> >>
>>> >> [pc] I am not sure. What would happen if a proposal was refused in terms of
>>> >> SoC for monetary reasons and we needed a leadership for the project in
>>> >> question?
>>> >>
>>> >> Thoughts?
>>> >>
>>> >> --
>>> >> -Jason Li-
>>> >> -jason.li at owasp.org-
>>> >>
>>> >> On Fri, May 22, 2009 at 1:20 PM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
>>> >>
>>> >>> Dear Anurag Agarwal,
>>> >>>
>>> >>> Thanks for volunteering to assume the OWASP Ajax Security project
>>> >>> leadership. The decision belongs to the Global Projects Committee as a
>>> >>> whole and so I am carbon copying them. I am sure your due answer won't
>>> >>> take long.
>>> >>>
>>> >>> I take the opportunity to inform you that I am dealing with the
>>> >>> proposal that you have kindly sent off and very soon I will get back
>>> >>> to you with more information and details.
>>> >>>
>>> >>> Many thanks, regards,
>>> >>>
>>> >>> Paulo Coimbra,
>>> >>> OWASP Project Manager
>>> >>>
>>> >>> Committee,
>>> >>>
>>> >>> For your information please find below Anurag Agarwal's background:
>>> >>>
>>> >>> Anurag Agarwal is a web application security evangelist and Director
>>> >>> of Education Services at WhiteHat Security. He has 14 years of
>>> >>> experience designing, developing, managing and (5+ years) securing web
>>> >>> applications and has worked for companies like Citigroup, Cisco, HSBC
>>> >>> Bank, GE Medical Systems, etc. He is CISSP certified and a Sun
>>> >>> Certified Java Developer. He is an active contributor to the web
>>> >>> application security field and has written several articles on secure
>>> >>> design and coding, spoken at various conferences and maintains a
>>> >>> website (http://www.attacklabs.com), where he has published several
>>> >>> proof of concepts on various attacks. He is associated with WASC and
>>> >>> OWASP and has a blog on web application security at
>>> >>> http://myappsecurity.blogspot.com
>>> >>>
>>> >>> Technical Architect : Chander Singh (chander.singh at myappsecurity.com)
>>> >>>
>>> >>> Specific activities and roles:
>>> >>>
>>> >>> Project Management and external interface - Anurag Agarwal
>>> >>> Design and Development - Anurag Agarwal and Chander Singh
>>> >>> Maintenance - Chander Singh
>>> >>>
>>> >>> Thanks,
>>> >>>
>>> >>> Paulo Coimbra,
>>> >>> OWASP Project Manager
>>> >>>
>>> >>> From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
>>> >>> Sent: Monday, 18 May 2009 16:57
>>> >>> To: Paulo Coimbra (OWASP)
>>> >>> Subject: OWASP Ajax Security project
>>> >>>
>>> >>> Hi Paulo - I would be interested in leading the OWASP Ajax Security
>>> >>> project in case the current leader is not interested. Let me know.
>>> >>>
>>> >>> Cheers,
>>> >>>
>>> >>> Anurag Agarwal
>>> >>> Web: www.attacklabs.com , www.myappsecurity.com
>>> >>> Email : anurag.agarwal at yahoo.com
>>> >>> Blog : http://myappsecurity.blogspot.com
>>> >>>
>>> >>> _______________________________________________
>>> >>> Global-projects-committee mailing list
>>> >>> Global-projects-committee at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>> >>>