[Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants

Dinis Cruz dinis at ddplus.net
Sat Apr 28 00:52:51 UTC 2007


Hi Andrew

(Comments Inline)

On 4/27/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>  Dinis,
>
> Dave and I have some concerns about mentoring so many projects.
>

I agree that that is an issue, but if you look back at AoC it wasn't that
hard, and at the end of the day, the objective here is not for us to spend a
lot of time mentoring these projects, but to let people get on with it.

In my view SpoC (and AoC, etc.) is just a way to get more active OWASP
participants. Look at the people that submitted applications: a lot of them
were not active OWASP contributors, but I bet that if the project is
successful they will become.

I also consider that even if only 75% deliver on their projects, the SpoC
will be a success.

> Although it would be great to have that many projects, we simply don't have
> that many resources to monitor so many projects.
>

Note that there is a 2,500k allocated in there for somebody to manage the
logistics of SpoC, so a large part of the overhead can be covered by this
person.

I also don't think that we will have to be very active in pushing the
projects (of course, in the projects that you are interested in (PHP in
Andrew's case and OSG in mine) one is more than welcome to be involved).

> I had difficulty finding the time to do a simple 1 hr task due to life and
> work, let alone the regular mentoring 7 or 8 projects each would entail for
> three months.
>

Then don't monitor them this time around.

> In addition, I'm not sure we should send the message that sending in a quick
> e-mail gets funding from us.
>

I don't think that is what happened. Most submissions had very high value
(especially when compared with AoC) and I think the fact that all
submissions had to be made publicly on the WIKI created an environment where
only serious proposals were sent.

So the fact that we are sponsoring 100% of the applications is not due to
the fact that we have lowered our acceptance standards, but due to the fact
that all proposals had merit. The applicants deserve a chance to prove
their value.

> There were a few questionable submissions, and I'd like for us to discuss
> these before we fund every project. Let's go through the list, and decide on
> the really worthy projects.
>

Is the current 7k shortfall really worth this discussion? The only proposal
that I think is a bit weaker is from Paulo Coimbra on the OWASP branding
project, but I know personally Paulo (he lives in London close to me) and
was planning to be involved in that project.

I think that the 100% application acceptance is a great story and compliment
to our community (also a lot of the 2,500 USD projects are similar in value,
so any choice we make outside the 100% will be controversial).

> The certification project is huge (and thus why we're paying $20k out).
>

Yap.

> However, Mark Curphey is starting up his own business from scratch,
> architecting and writing a big tool to do ISM management with two others,
> writing a prolific blog, and building new content for his ISM community
> portal. He's probably doing 18 hour days right now. I simply don't see how
> he is going to have time in his busy schedule to do what he claims he wants
> to do for this project.
>

That is not our problem. If Mark Curphey made that proposal it is because he
is committed to deliver it. Based on Mark's OWASP past contributions we have
to give him the benefit of the doubt.

I also believe that Mark is seeing a lot of synergies between his new
start-up and this project (which is OK as long as he delivers on his SpoC
commitments).

> Can we talk to Mark about him taking a small portion of the overall funds in
> return for him *leading* and *mentoring* the project, and assigning him the
> other person + 1 intern of his choosing to get it done with the remainder of
> the money? That way we reduce the risk of this project not completing whilst
> still spending the same amount.
>

I disagree with this idea, and it would not work.

Mark has a vision for this project and we should give him the ability to
spend the time required to pull it off.

> We need that project, so failure is a risky proposition.
>

The risk here is minimal. If Mark doesn't deliver that will be his last
OWASP sponsorship.

Yes, we need that project, but we don't have anybody with Mark's profile that
wants to do it, so the only risk here is if we don't take this opportunity
(remember that the only reason Mark is able to make this commitment and
participate in this project is because he is in a start-up and doesn't work
for an employer).

> Let's try to reduce the risk by assigning more folks to it, particularly
> folks with more time than Mark, whilst letting Mark run it and keep the
> quality and experience up.
>

I want Mark to work with other SpoC projects (and maybe if the synergies are
correct he might even 'coordinate' them), but I don't want to change the
budgets allocated to the projects.

> Lastly, I think you've over-counted some money in our overall budget. OWASP
> has paid for an intern ($10k) which we had planned to come out of the SpoC
> funds, and therefore our overall budget has a $10k hole in it.
>

Yap, sorry about that. I fixed that on the last version of the results.

> We will need to trim by at least this amount, and preferably by a bit more
> to take into account quality control and lack of mentoring resources.
>

With the adjustments, we are now only 7k short (from the 91k originally
planned), which is not a large amount and one that I recommend that we accept
(see my other email for the financial details). Currently the total OWASP
investment for SpoC is at 98k (maybe a couple more 100s USD for the
t-shirts).

I am happy to have a call about this tomorrow (if required) since I really
want to send the results to the participants as soon as possible.

Dinis

> Thanks,
> Andrew
>
>
> On 4/27/07 1:37 PM, "Andrew van der Stock" <vanderaj at owasp.org> wrote:
>
> Here are my ratings. I don't think it changes our funding positions.
> However, I was thinking that all *like* projects are bundled together.
>
> E.g.
>
>
>    - Mateo and Mark's project should be combined as they will have
>    overlapping concerns.
>    - Przemyslaw 'rezos' Skowron and NSRAV should be combined. They are
>    doing pretty much the same thing.
>
>
> I don't mind the original funding allocation being disbursed, but I think
> having four projects when two will do will help us monitor the projects more
> carefully, and give those projects a greater chance of success with more
> resources.
>
> What FOSS projects are we allocating to? My wishlist would include:
>
> PHP – we may have an "in" with Zend on this one as well!
> XAMPP (a PHP developer distro which is extraordinarily weak at security)
> Apache Foundation – I can't think of a more deserving donation (Tomcat,
> Apache, too many to list etc)
>
> What are yours?
>
> Thanks,
> Andrew
>
> On 4/26/07 7:33 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:
>
> Ok guys, using the data set from mine and Jeff's ratings, here is the final
> SpoC sponsorship allocations:
>
> Proposal ID                               Project                                                           OWASP Sponsorship
> Mark Curphey                              The OWASP Web Security Certification Framework                    20000
> ----                                      10x 1000USD to FOSS projects we all use                           10000
> Mateo                                     OWASP Certification Project                                       5000
> Eoin Keary                                Code review Project                                               5000
> Boris                                     OWASP Site Generator                                              5000
> EdFinkler                                 A comprehensive input retrieval/filtering system for PHP          5000
> NSRAV Security Research Group             Attacks Reference Guide                                           5000
> Arshan Dabirsiaghi                        OWASP The Anti-Samy Project                                       5000
> Sebastien Deleersnyder                    OWASP Education Project                                           5000
> Eric Sheridan and Dr. Goran Trajkovski    The Scholastic Application Security Assessment Project            5000
> Caseydk                                   Security throughout the SDLC                                      3000
> Bunyamin Demir                            OWASP WeBekci Project                                             2500
> Erwin Geirnaert                           OWASP Java Project                                                2500
> Boris                                     OWASP Tiger                                                       2500
> Joshua Perrymon                           OWASP LiveCD Project                                              2500
> Erwin Geirnaert                           OWASP WebGoat Solutions Guide                                     2500
> Denis                                     Python Tainted Mode                                               2500
> Jim                                       Best Practices & Countermeasures                                  2500
> Josh Sweeney                              OWASP LiveCD Education Project                                    2500
> Heiko                                     Web Application Security put into practice                        2500
> Przemyslaw 'rezos' Skowron                Refresh Attacks list                                              2500
> Boris                                     OWASP Report Generator                                            2500
> Darren Edmonds                            WebScarab NG Security Test Automation                             2500
> Subere                                    OWASP JBroFuzz Project                                            2500
> Paulo Coimbra                             OWASP brand                                                       2500
> Paolo Perego                              Owasp Orizon Project                                              2500
> Bernardo                                  sqlmap                                                            2500
> Buanzo                                    Enigform: Firefox Addon for OpenPGP signing of HTTP requests      2500
> (TBD)                                     Help with SpoC project management                                 2500
>
> Total                                                                                                       118000
>
> which means that all proposals submitted were accepted (an amazing success
> story) and according to my numbers (please double check them) we are only 2k
> over our initial 91K investment, and still have 20k to allocate:
>
> Total Investment    118000
>
> Payer     Project        Initial budget  Allocated  Still Available
> OWASP     Any            91000           91000      0
> EDS                      9000            9000       0
> SPI       SiteGen        9000            3000       6000
> Cenzic    SiteGen        3000            2000       1000
>           Metr           3000            0          3000
>           SDL            3000            3000       0
> Vigilar   Certification  8000            8000       0
> SANS      Questions      5000                       5000
> Fortify   Source code    5000            0          5000
>
> Totals                   136000          116000     20000
>
> Total Allocated – Total investment = -2,000
>
> If none of you complain, I will email the participants and the
> owasp-leaders this information tomorrow, and start working on the
> press-release and final operational details.
>
> Very excited about what is going to be created by this initiative.
>
> Dinis
>
> ------------------------------
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board
>
>

-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org