[GPC] [Owasp-leaders] Update Needed

Brad Causey bradcausey at owasp.org
Mon Jul 12 13:40:13 EDT 2010


Thanks Jason and Dinis,

We have a lot of work to do, and I think life got in the way lately.
I hope to have more free time to commit coming up in September.


-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--


On Sun, Jul 11, 2010 at 4:42 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>
> I think Jason makes a very good analysis of the GPC status. Currently it is
> failing by lack of activity/energy.
>
> In some ways, the GPC is suffering from the problem that I think most other
> Committees have:
>
> 1) Most Committee members are energised, focused and motivated in the areas
> that they have personal/professional interests, which in OWASP means
> 'Application Security tasks' and not 'Operational/Logistics tasks'
>
> 2) Lack of meetings, namely in-person events where the Committee members
> get together to 'work' on Committee items (there is a big limitation on what
> can be achieved by conference calls (and some committees spend a LOT of
> energy+emails just in the process of BOOKING one of these calls :) ))
>
> 3) Lack of governance by OWASP Board which should regularly reorganize and
> promote these Committees (i.e. refocus its objectives, remove inactive
> committee members, move Committee members around and actively expose to the
> OWASP Community the great work that has been done). This is a lot of work
> and is literally (regularly) opening up lots of cans-of-worms, but, if we
> (OWASP Board) want to see more results from these Committees, we really need
> to allocate resources and efforts into these areas.
>
> 4) Change of focus by existing Committee members on other OWASP (or not)
> activities. For example a lot of Committees really suffered by the amount of
> time and effort that some of its key members allocated to the organization
> of OWASP conferences.
>
> Moving back to the GPC, as Jason describes really well in his email, there
> is a lot of value for OWASP in sorting out the OWASP Projects, creating a
> new website and gaining a LOT more visibility+control over what our projects
> are doing.
>
> So moving on, we need to do a reset of the GPC and my gut feeling is that
> we should change its scope and remove from it any operational requirements
> (i.e. map the projects, organize reviewers, populate wiki pages, etc...) and
> focus it on reviewing and managing 'OWASP Projects'.
>
> In fact the OWASP Google Hacking inquiry should be led by the GPC, since
> it is a great case study for the need for GPC and the type of
> 'independent-review' activities that the GPC should be doing.
>
> Dinis Cruz
>
>
> On 9 July 2010 17:04, Jason Li <jason.li at owasp.org> wrote:
>
>> Board/GPC,
>>
>> I'm afraid if I were to rate the Global Projects Committee's progress
>> objectively over the last 6 months, I would have to give us a failing
>> grade. To my knowledge, we have not been making regular meetings for
>> some time.
>>
>> As a result, I think it's kind of fruitless to try and state
>> accomplishments (planned or otherwise) over the last or next month.
>> Let me instead outline where we are, how we got here, where we want to
>> go, and what we need help with.
>>
>> Right now we're stuck at an impasse. Our current goal is to assess the
>> quality of all the OWASP projects based on the new version of the
>> assessment criteria we created. Our progress towards that goal has
>> been fairly non-existent. Honestly, I think the problem is just that
>> assessing projects is just not very appealing work. We all have a
>> limited bandwidth and the less appealing things just seem to fall
>> through. Unfortunately we don't have an army of reviewers like say,
>> Wikipedia, so this issue will continue to be a stumbling block for
>> reviewing projects going forward. As it is, new projects get started
>> almost weekly, so we keep falling further and further behind...
>>
>> Why is reviewing the OWASP projects a critical path?
>>
>> The ultimate goal is to redo the OWASP projects website so that we can
>> highlight our flagship projects in a fair and useful way. There's been
>> many ideas about this ranging from moving away from the Wiki and
>> establishing a new separate OWASP website filled with mature, reviewed
>> content that has been promoted from the Wiki, or a prime spotlight
>> location highlighting top projects on the existing Wiki, or any number
>> of other possibilities. But they are all predicated on having an
>> objective assessment on existing projects to determine which ones best
>> represent OWASP. The truth is that we don't know very much about the
>> existing OWASP projects that we have (the Google Hacking project is
>> case in point to this fact).
>>
>> We didn't want to just start doing a "sample" of OWASP projects to
>> push forward in the highlighting effort as we were sure that would
>> just be labeled as "unfair" or "biased" towards certain heavyweight
>> OWASP projects (e.g. WebScarab, ESAPI, etc). Hence the desire to do
>> all the projects before moving forward rather than cherry pick a few.
>>
>> Assuming we can get through the assessments, there's a lot of things
>> we'd like to do. We started with a very ambitious outline for what we
>> wanted to do with the OWASP Projects after the Summit
>> (http://www.owasp.org/index.php/Global_Projects_Committee#Agenda_.28DRAFT.29).
>> We've more or less accomplished the first four points: Define Metrics
>> (creation of first OWASP Projects Survey), Apply Metrics
>> (administering of the first survey), Incorporate Results (analyzed and
>> debated results to form Assessment Criteria v2), Create Metadata
>> (formalized Assessment Criteria v2). We're now stuck on Capture
>> Metadata (perform the assessments).
>>
>> The next couple stages are the ones that would really make a
>> difference in marketing OWASP projects. The first of these is to
>> Provide a Repository. We did some preliminary reconnaissance to try
>> and get a branded Google Code hosting solution, but we didn't get very
>> far. I think this is a critical piece to provide some consistency for
>> projects. It also provides us a safety net in cases where projects get
>> abandoned. By having an official OWASP repository, we'll always have
>> the code to a project even if a leader later decides to abandon it
>> (e.g. Google Hacking). The next of these is to revamp the project
>> website and migrate existing projects to the new site. That's a huge
>> undertaking that I think is extremely important to OWASP - but I'm not
>> even sure it's worth discussing until we get our ducks lined up in a
>> row with our existing projects.
>>
>> So how do we get past this block?
>>
>> I'm open to suggestions on how we can either quickly assess projects
>> in a meaningful way or bypass the problem entirely by creatively doing
>> something else. I believe we had several discussions about putting the
>> carrot in front of the cart. For example, we could simply create a new
>> whiz bang website for OWASP and the "price of admission" to the
>> "endorsed" part of the website was for a project leader to push his
>> project through a mostly self-review process. But that has its own
>> issues as self-review is not always accurate (again, Google Hacking
>> serves as a good example - Christian was fairly quick to fill out the
>> OWASP Projects Survey) and so there's always going to be a need for
>> external review. And that external review will be a bottleneck for
>> anyone trying to push to the next tier.
>>
>> Ironically, the whole Google Hacking situation is a great lens to view
>> our efforts through. The problems OWASP is dealing with right now for
>> that project are exactly the problems we were thinking about when we
>> started our agenda... if we can only make some faster progress, we
>> might be able to preempt this kind of event in the future.
>>
>> Any ideas are welcome.
>>
>> -Jason
>>
>> On Wed, Jun 23, 2010 at 4:42 AM, Brennan - OWASP <tomb at owasp.org> wrote:
>> > Committee Members,
>> > This morning from OWASP Europe - Sweden Matt and I quickly updated and
>> > simplified the Global Committee pages see:
>> > http://www.owasp.org/index.php/Global_Committee_Pages
>> > As we all look forward to summer BBQs, travel etc.. it is time for a
>> > committee health check as some have stalled.
>> > What we need from each of you is to reconnect with your committee team
>> > members, pick up the phone, check in, send an email.  What we need is for
>> > you to collaborate on activities and quickly report the status of your
>> > committee by JULY 9th 2010.
>> > On each of the committee wiki pages we added a status report for this to
>> > track progress and report monthly.  The realtime status will be used at
>> > the July board meeting as we review the progress of each committee:
>> > http://www.owasp.org/index.php/OWASP_Board_Meetings
>> > =========
>> > Accomplishments for this Month
>> > •
>> > •
>> > •
>> > Planned for Next Month
>> > •
>> > •
>> > •
>> > Issues/Risks/Challenges
>> > •
>> > •
>> > •
>> > =========
>> > **NOTE ** - If it is time to pass the torch, add a new member, obtain
>> > clarification or support/approval to proceed etc.. this is a good time
>> > to do so.   In September as you know we will gather for the OWASP AppSec USA
>> > event http://www.owasp.org/index.php/AppSec_US_2010,_CA and showcase
>> > achievements.
>> >
>> > _______________________________________________
>> > Global-projects-committee mailing list
>> > Global-projects-committee at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
>> >
>> >
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>