[GPC] After AppSec Research

Dave Wichers dave.wichers at owasp.org
Mon Mar 21 12:41:11 EDT 2011


I believe the answers to all of these questions are yes, but we haven't had
such a large project come to OWASP before, so I think we need to make sure.

OWASP has a Projects Committee, which would be the best venue to get these
questions sorted out/answered properly.

I'm introducing them to this discussion and bowing out. But I'll monitor the
thread, and if I'm asked for an opinion I'll be happy to provide one.

-Dave

-----Original Message-----
From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com] 
Sent: Monday, March 21, 2011 6:10 AM
To: Dave Wichers
Subject: Re: After AppSec Research

Hi Dave,
Sorry for the lack of clarity, I actually didn't mean an OWASP project yet, just
an open-source project for the moment. We tend to believe that this might be
one of the most important open-sourcing events of the year, given the amount
of work that has gone into the development of OPA (between 50 and 100
man-years, by my account).

However, since our last discussion, I've read the OWASP Project guidelines
[1], and it seems that, if I understand it correctly, we could make OPA an
OWASP project (note the conditionals - I'm not the one who can give the
greenlight).  Just let me recapitulate to be sure that we're on the same
wavelength:
- making it an OWASP project does not require any transfer of ownership,
copyright, etc.;
- BSD, GPL and Affero GPL are acceptable licenses for the source code and
documentation;
- the project leader is in charge of accepting/rejecting contributions,
based on quality, compatibility with project objectives and compatibility
with project license;
- in this case, the project leader is essentially MLstate (or, more
precisely, one of our employees);
- the project needs a wiki, but can also have its own external website with,
say, examples, forums, etc. - but also commercial offers such as paying
support, books, etc.;
- the wiki can contain our logos (as sponsors/main authors);
- the leader is in charge of managing the wiki, the source repository (which
would probably be github, in any case), bug tracking, etc.;

Is that correct? As you can see, as much as we (and especially I) like
open-source, we'd like to be sure that we don't lose either the visibility
on the company or the ability to steer OPA towards high security standards -
and that's not just market-speech, we have a great team working on
constantly improving every aspect of OPA, and it would be a shame to waste
this work.

Best regards,
 David

[1] http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects

On Mar 18, 2011, at 7:56 PM, Dave Wichers wrote:

> And you can ignore my comments about AppSec US. For some reason I had 
> in my head you were a U.S. company, which you are not. So AppSecEU 
> would be perfect.
> 
> -Dave
> 
> -----Original Message-----
> From: Dave Wichers [mailto:dave.wichers at owasp.org]
> Sent: Friday, March 18, 2011 2:49 PM
> To: 'David Rajchenbach-Teller'
> Subject: RE: After AppSec Research
> 
> That's awesome. And I assume you mean making it an OWASP project too?
> 
> I think AppSecEU would be great, but AppSecUS is in Sept. and might be 
> more interesting to your constituency, but you could 'announce' it/do 
> talks at both.
> 
> OWASP will be happy to promote your new project to all of our members 
> via our leaders list. And then conference talks will create more 
> visibility. We typically don't advertise outside of OWASP except via our
> conferences.
> Obviously, it will be on our portal and if you can advance it to what 
> we refer to as a release quality project (which isn't that hard 
> actually), then that will help it stand out from the crowd of other OWASP
> projects.
> 
> In addition, we have a Global Projects Committee and they may be able 
> to help you promote your project and solicit participants in your effort.
> 
> I can introduce you if you'd like.
> 
> I also need to introduce you to Paulo who can help you set up your 
> OWASP project page, mailing list, etc. Where is your code currently
> housed, by the way? In some open source repository yet? If not, I'd
> recommend Google code, but we aren't majorly picky about where it is,
> as long as it's out in the open.
> 
> -Dave
> 
> -----Original Message-----
> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
> Sent: Friday, March 18, 2011 1:47 PM
> To: Dave Wichers
> Subject: Re: After AppSec Research
> 
> Hi Dave,
> 
> Well, it took us quite some time and convincing, but we finally have 
> the green light for the open-sourcing. If things proceed as planned, 
> everything should be up and running before AppSecEU 2011. Which brings
> me to a few points:
> - do you think that AppSecEU would be a good place for the official 
> announcement?
> - is there a chance that OWASP could give us a hand for gaining
> visibility?
> - more generally, do you have suggestions on how to best give 
> visibility to OPA?
> 
> Thanks,
> David
> 
> On Jun 28, 2010, at 2:26 PM, Dave Wichers wrote:
> 
>> Excellent. Always glad to hear about new open source. Would you 
>> consider making it an OWASP project?? This could potentially bring 
>> more eyeballs as well as potential contributors to your effort.
>> 
>> If not, that's perfectly fine, but figured I would ask :-)
>> 
>> -Dave
>> 
>> -----Original Message-----
>> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
>> Sent: Monday, June 28, 2010 4:28 AM
>> To: dave.wichers at owasp.org
>> Subject: After AppSec Research
>> 
>> Hi Dave,
>> Nice talking to you at AppSec Research last week. I realized after 
>> our conversation on language & paradigm change that I had forgotten 
>> to mention one important point: we are aiming to open-source our OPA 
>> technology. No definite date on this topic yet, but it's in the 
>> wheels. I sincerely hope that we can push the web towards saner
>> foundations.
>> 
>> Best regards,
>> David
>> 
>> --
>> David Rajchenbach-Teller
>> Head of R&D
>> MLstate
>> 
>> 
> 
> --
> David Rajchenbach-Teller
> Head of R&D
> MLstate
> 
> 

--
David Rajchenbach-Teller
Head of R&D
MLstate



