[GPC] OWASP Ajax Security project

Paulo Coimbra paulo.coimbra at owasp.org
Sun May 31 18:00:03 EDT 2009


Regarding this issue, with the exception of the 20K question already
answered by Jason, I am on the same page as Michael.

 

In addition, and forgive me if I am repeating myself, I also believe we
haven't yet produced a clear definition to support the proposed new SoC
strategy to allocate funds and so we are sometimes using the same concepts
to refer to different realities. For example, I use the terms "operating
costs" and "development costs" with these meanings
http://en.wikipedia.org/wiki/Operating_cost and
http://www.ider.herts.ac.uk/school/courseware/costs/development_costs.html
which are different and almost opposite to the ones used below.

 

Tomorrow I will come up with a couple of other questions that in my
perspective should be answered if we are to change the SoC's former
philosophy. If you find any pertinence in it I will try and come up with a
contribution to answer at least a few of them as well. 

 

Thanks,

 

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

 

From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
Sent: Friday, 29 May 2009 22:56
To: Boberski, Michael [USA]
Cc: paulo.coimbra at owasp.org; global-projects-committee at lists.owasp.org
Subject: Re: [GPC] OWASP Ajax Security project

 

I just wanted to clarify a little bit of the history of SoC. This is
paraphrasing Dinis' oral history so he can correct me where I've gone wrong.

 

The SoC idea was intended as a way to get OWASP more recognition and also to
attract new members to the OWASP community. Monetary grants were never
intended to "pay for" or cover the cost of the actual work being done. Those
grants were meant to serve as a "reward" of sorts for participants (as you
know, the grant amounts in the past certainly have not equated to the hours
put in). The hope was that OWASP would grow to the point that participating
in SoC, and the positive recognition associated with leading an OWASP SoC
project, would be reward enough. Obviously this might be a little idealistic,
and there have been discussions about how to properly "reward" SoC
participants.

Current proposals include a guaranteed speaking slot at one of the major
OWASP conferences (either the US or the European conference) and prominent
display on the to-be-redesigned OWASP Project website.

 

But SoC was never meant to pay OWASP community members for development work
and a majority of the OWASP Board feels that the longer we continue to do
so, the more we encourage that perception. The Board, and Dinis in
particular, is extremely adamant that OWASP should not be on a path where
OWASP project leaders expect to get paid for their contributions. It runs
contrary to the open and volunteer philosophy of OWASP.

 

The 20k is still legitimate, but it needs to be clarified along with the
rest of the page regarding this new direction for SoC funds. The 20k remark
is trying to indicate the limits on a proposal. As a completely off the wall
example, say the OWASP NeverNeverLand and Wonderland chapters got together
and said, "We're located very far from the US, where OWASP servers are
hosted, and it's prohibitively slow for us to get access to OWASP materials.
It would take us $12k to arrange an adequate mirroring solution to improve
access to the OWASP website in our part of the world. We know that's a lot
of money but together between our combined regions, there are hundreds of
millions of developers that could use OWASP materials. Because of this, we
feel like it's a good use of OWASP funds." Obviously this is a silly
example, but that is the type of proposal that we want to allow by indicating
that large proposals will get more leeway in terms of budget.

 

-Jason

 

On Fri, May 29, 2009 at 4:30 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:

> Jason, that really needs to be clarified on the SoC page. The "20k" mention
> is still there, even!!
> 
> I also think, respectfully to the larger audience, that's a HUGE mistake.
> 
> The funds were never enough to cover the work. A couple grand is a nice
> "award" type amount and a positive way to start off a relationship.

> 

> Mike B.

> 

> 

> -----Original Message-----
> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
> Sent: Friday, May 29, 2009 4:25 PM
> To: Boberski, Michael [USA]
> Cc: paulo.coimbra at owasp.org; global-projects-committee at lists.owasp.org
> Subject: Re: [GPC] OWASP Ajax Security project
> 
> Michael,
> 
> I meant to follow up on this earlier - sorry about that.
> 
> The direction the Board has decided to go with SoC funds is that they
> shouldn't be used to pay for technical work by our community members.
> The hope is to get away from using money as the incentive for our
> community members to become more active and involved. Rather, they would
> like the funds to be used for things that the OWASP community could not
> otherwise produce - for example, physical books for promotion, graphic
> design costs for documentation, design work for templates, etc.
> 
> The SoC money would be allocated to the budgets for accepted projects and
> the budgets would be presumed for "operating costs" so to speak as opposed
> to "development costs".
> 
> It's a huge change in direction to be sure.
> 
> -Jason

> 

> On Fri, May 22, 2009 at 4:18 PM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
> 
>> If no one is going to get paid anything for SoC, you should say that on
>> the website.
>> 
>> That 20k mention is still hanging around, too.
>> 
>> What are you going to do with all the SoC money?
>> 
>> Sorry if I missed something, the turn this thread took caught my eye.
>> 
>> Mike B.
>> 
>> 
>> -----Original Message-----
>> From: global-projects-committee-bounces at lists.owasp.org
>> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
>> Of Paulo Coimbra
>> Sent: Friday, May 22, 2009 4:12 PM
>> To: 'Jason Li'
>> Cc: global-projects-committee at lists.owasp.org
>> Subject: Re: [GPC] OWASP Ajax Security project
>> 
>> I meant other costs/investments than the costs of leadership and/or
>> software development/research work. If we say "Joint proposals (up to 20k)
>> are highly encouraged" and the SoC 09 budget is <= 90K, it does mean that
>> we are counting on allocating funds and that the universe of approved
>> proposals is limited. Is that right?
>> 
>> Are we also considering the approval of projects without budget? If yes,
>> does it make sense? Would the expectation of having the non-funded projects
>> committed to the program's duties be realistic?
>> 
>> 
>> Paulo Coimbra,
>> OWASP Project Manager
>> 

>>> >-----Original Message-----
>>> >From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
>>> >Sent: Friday, 22 May 2009 19:07
>>> >To: paulo.coimbra at owasp.org
>>> >Cc: global-projects-committee at lists.owasp.org
>>> >Subject: Re: [GPC] OWASP Ajax Security project
>>> >
>>> >Based on the recent Board decision regarding the use of OWASP money
>>> >for SoC this time around, SoC money will be used solely for
>>> >expenses and not to "pay" project contributors. It seems to me that
>>> >under that philosophy, we will be able to accept many proposals
>>> >without needing to award any monetary grant. In effect, we're just
>>> >using SoC as a vehicle to solicit proposals and establish a
>>> >framework to choose the best proposals.
>>> >
>>> >In fact, I see the "new" SoC mentality to essentially be a large
>>> >series of Requests for Proposals (RFPs).
>>> >
>>> >So I don't think there is a danger that someone submits a proposal
>>> >to take over a project and we are unable to "award" them project
>>> >leadership. But in routing the proposals through SoC, we get to see
>>> >their proposed vision for the project (especially if we end up in a
>>> >situation with more than one volunteer) rather than just simply
>>> >handing off the project to someone who's spoken up first.
>>> >
>>> >-Jason
>>> >
>>> >
>>> >On Fri, May 22, 2009 at 2:01 PM, Paulo Coimbra
>>> ><paulo.coimbra at owasp.org> wrote:

>>> >> My answers are below inline.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Paulo
>>> >>
>>> >> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
>>> >> Sent: Friday, 22 May 2009 18:26
>>> >> To: paulo.coimbra at owasp.org
>>> >> Cc: global-projects-committee at lists.owasp.org
>>> >> Subject: Re: [GPC] OWASP Ajax Security project
>>> >>
>>> >> I admit I haven't been tracking very carefully, but have we gotten any
>>> >> conflicting volunteers for projects?
>>> >>
>>> >> [pc] I have been trying to keep this spreadsheet
>>> >> https://spreadsheets.google.com/a/owasp.org/ccc?key=rHFvhU15v3S3myFqSWQVXyg&hl=en
>>> >> permanently updated. Of course, something can have failed me but
>>> >> otherwise we just have Anurag's proposal to assume the Ajax leadership.
>>> >>

>>> >>
>>> >> In other words, is there a project out there that appears abandoned
>>> >> that more than one person has volunteered to take over?
>>> >>
>>> >> [pc] As above, I think not - at least until now.
>>> >>
>>> >> Either way, I think our best course of action is to have anyone
>>> >> interested in taking over a project submit a proposal to SoC to become
>>> >> the new project leader. That allows us to objectively determine whether
>>> >> they should be handed the project.
>>> >>
>>> >> [pc] I am not sure. What would happen if a proposal was refused in
>>> >> terms of SoC for monetary reasons and we needed a leadership for the
>>> >> project in question?
>>> >>
>>> >> Thoughts?
>>> >>
>>> >> --
>>> >> -Jason Li-
>>> >> -jason.li at owasp.org-
>>> >>
>>> >> On Fri, May 22, 2009 at 1:20 PM, Paulo Coimbra
>>> >> <paulo.coimbra at owasp.org> wrote:
>>> >>

>>> >>> Dear Anurag Agarwal,
>>> >>>
>>> >>> Thanks for volunteering to assume the OWASP Ajax Security project
>>> >>> leadership. The decision belongs to the Global Projects Committee as a
>>> >>> whole and so I am copying them. I am sure your due answer won't take
>>> >>> long.
>>> >>>
>>> >>> I take the opportunity to inform you that I am dealing with the
>>> >>> proposal that you have kindly sent off and very soon I will get back
>>> >>> to you with more information and details.
>>> >>>
>>> >>> Many thanks, regards,
>>> >>>
>>> >>> Paulo Coimbra,
>>> >>> OWASP Project Manager
>>> >>>
>>> >>>
>>> >>> Committee,
>>> >>>
>>> >>> For your information please find below Anurag Agarwal's background:
>>> >>>
>>> >>> Anurag Agarwal is a web application security evangelist and Director
>>> >>> of Education Services at WhiteHat Security. He has 14 years of
>>> >>> experience designing, developing, managing and (5+ years) securing web
>>> >>> applications and has worked for companies like Citigroup, Cisco, HSBC
>>> >>> Bank, GE Medical Systems, etc. He is CISSP certified and a Sun
>>> >>> Certified Java Developer. He is an active contributor to the web
>>> >>> application security field and has written several articles on secure
>>> >>> design and coding, spoken at various conferences and maintains a
>>> >>> website (http://www.attacklabs.com), where he has published several
>>> >>> proofs of concept on various attacks. He is associated with WASC and
>>> >>> OWASP and has a blog on web application security at
>>> >>> http://myappsecurity.blogspot.com
>>> >>>
>>> >>> Technical Architect : Chander Singh (chander.singh at myappsecurity.com)
>>> >>>
>>> >>> Specific activities and roles:
>>> >>>
>>> >>> Project Management and external interface - Anurag Agarwal
>>> >>> Design and Development - Anurag Agarwal and Chander Singh
>>> >>> Maintenance - Chander Singh
>>> >>>
>>> >>> Thanks,
>>> >>>
>>> >>> Paulo Coimbra,
>>> >>> OWASP Project Manager
>>> >>>
>>> >>> From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com]
>>> >>> Sent: Monday, 18 May 2009 16:57
>>> >>> To: Paulo Coimbra (OWASP)
>>> >>> Subject: OWASP Ajax Security project
>>> >>>
>>> >>> Hi Paulo - I would be interested in leading the OWASP Ajax Security
>>> >>> project in case the current leader is not interested. Let me know.
>>> >>>
>>> >>> Cheers,
>>> >>>
>>> >>> Anurag Agarwal
>>> >>> Web: www.attacklabs.com , www.myappsecurity.com
>>> >>> Email : anurag.agarwal at yahoo.com
>>> >>> Blog : http://myappsecurity.blogspot.com
>>> >>>
>>> >>> _______________________________________________
>>> >>> Global-projects-committee mailing list
>>> >>> Global-projects-committee at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>> >>>

