[Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants

Jeff Williams jeff.williams at owasp.org
Mon Apr 30 03:58:49 UTC 2007

Okay folks - let's get a decision TODAY!  Please respond with your vote.  I
vote to go ahead with the plan Dinis has created.  If you don't care why,
stop here... otherwise, read on.


I'm fine with sponsoring all projects.  I think in the future it would be
good if we forced ourselves to make some hard choices, but for this round I
think it's fine to sponsor them all.  I'd like to be choosing the best 20
from 100 applications, but we don't have that option.


I concur with the points made about managing the projects, but it really
doesn't take a lot of time (barely any really).  WebGoat was harder because
I had to run the damn thing.  But most are very easy.  It would help A LOT
if there were some strict rules about reporting status on the project weekly
or something.  Not many folks were updating their websites last go-round.


On the Curphey sponsorship, I see the concern.  However, he has a lot to
lose by failing, and OWASP has a lot to gain if he succeeds.  We're really
not risking that much here since we don't pay until halfway and then upon


I also think the amount allocated (+7) is fine.





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Friday, April 27, 2007 8:53 PM
To: Andrew van der Stock
Cc: OWASP Board
Subject: Re: [Owasp-board] Spoc 007 results, final data set. If all is OK
will announce this tomorrow to the participants


Hi Andrew

(Comments Inline)

On 4/27/07, Andrew van der Stock <vanderaj at owasp.org> wrote:


Dave and I have some concerns about mentoring so many projects. 

I agree that that is an issue, but if you look back at AoC it wasn't that
hard, and at the end of the day, the objective here is not for us to spend a
lot of time mentoring these projects, but to let people get on with it. 

In my view SpoC (and AoC, etc.) is just a way to get more active OWASP
participants. Look at the people that submitted applications: a lot of them
were not active OWASP contributors, but I bet that if the project is
successful they will become.

I also consider that even if only 75% deliver on their projects, the SpoC
will be a success. 


Although it would be great to have that many projects, we simply don't have
that many resources to monitor so many projects. 

Note that in there there is a 2,500k allocated for somebody to manage the
logistics of SpoC. So a large part of the overhead can be covered by this

I also don't think that we will have to be very active in pushing the
projects (of course, in the projects that you are interested in (PHP in
Andrew's case and OSG in mine) one is more than welcome to be involved).


I had difficulty finding the time to do a simple 1 hr task due to life and
work, let alone the regular mentoring 7 or 8 projects each would entail for
three months. 

Then don't monitor them this time around.


In addition, I'm not sure we should send the message that sending in a quick
e-mail gets funding from us.

I don't think that is what happened. Most submissions had very high value
(especially when compared with AoC) and I think the fact that all
submissions had to be made publicly on the WIKI created an environment where
only serious proposals were sent. 

So the fact that we are sponsoring 100% of the applications is not due to
the fact that we have lowered our acceptance standards, but due to the fact
that all proposals had merit.  The applicants deserve a chance to prove
their value.


There were a few questionable submissions, and I'd like for us to discuss
these before we fund every project. Let's go through the list, and decide on
the really worthy projects. 

Is the current 7k shortfall really worth this discussion? The only proposal
that I think is a bit weaker is from Paulo Coimbra on the OWASP branding
project, but I know personally Paulo (he lives in London close to me) and
was planning to be involved in that project. 

I think that the 100% application acceptance is a great story and compliment
to our community (also a lot of the 2,500 USD projects are similar in value
so any choice we make outside the 100% will be controversial) 


The certification project is huge (and thus why we're paying $20k out). 



However, Mark Curphey is starting up his own business from scratch,
architecting and writing a big tool to do ISM management with two others,
writing a prolific blog, and building new content for his ISM community
portal. He's probably doing 18 hour days right now. I simply don't see how
he is going to have time in his busy schedule to do what he claims he wants
to do for this project. 

That is not our problem. If Mark Curphey made that proposal it is because he
is committed to deliver it. Based on Mark's OWASP past contributions we have
to give him the benefit of the doubt.

I also believe that Mark is seeing a lot of synergies between his new
start-up and this project (which is OK as long as he delivers on his SpoC


Can we talk to Mark about him taking a small portion of the overall funds in
return for him *leading* and *mentoring* the project, and assigning him the
other person + 1 intern of his choosing to get it done with the remainder of
the money? That way we reduce the risk of this project not completing whilst
still spending the same amount. 

I disagree with this idea, and it would not work.

Mark has a vision for this project and we should give him the ability to
spend the time required to pull it off.


We need that project, so failure is a risky proposition. 

The risk here is minimal. If Mark doesn't deliver that will be his last
OWASP sponsorship.

Yes we need that project, but we don't have anybody with Mark's profile that
wants to do it, so the only risk here is if we don't take this opportunity
(remember that the only reason Mark is able to make this commitment and
participate in this project is because he is in a start-up and doesn't work
for an employer).


Let's try to reduce the risk by assigning more folks to it, particularly
folks with more time than Mark, whilst letting Mark run it and keep the
quality and experience up. 

I want Mark to work with other SpoC projects (and maybe if the synergies are
correct he might even 'coordinate' them), but I don't want to change the
budgets allocated to the projects.


Lastly, I think you've over-counted some money in our overall budget. OWASP
has paid for an intern ($10k) which we had planned to come out of the SpoC
funds, and therefore our overall budget has a $10k hole in it. 

Yep, sorry about that. I fixed that in the last version of the results.


We will need to trim by at least this amount, and preferably by a bit more
to take into account quality control and lack of mentoring resources. 

With the adjustments, we are now only 7k short (from the 91k originally
planned), which is not a large amount and one that I recommend that we accept
(see my other email for the financial details). Currently the total OWASP
investment for SpoC is at 98k (maybe a couple more 100s USD for the

I am happy to have a call about this tomorrow (if required) since I really
want to send the results to the participants as soon as possible.




On 4/27/07 1:37 PM, "Andrew van der Stock" <vanderaj at owasp.org> wrote:

Here are my ratings. I don't think it changes our funding positions.
However, I was thinking that all like projects are bundled together.


* Mateo and Mark's project should be combined as they will have
  overlapping concerns.
* Przemyslaw 'rezos' Skowron and NSRAV should be combined. They are
  doing pretty much the same thing.

I don't mind the original funding allocation being disbursed, but I think
having four projects when two will do will help us monitor the projects more
carefully, and give those projects a greater chance of success with more

What FOSS projects are we allocating to? My wishlist would include:

PHP - we may have an "in" with Zend on this one as well! 
XAMPP (a PHP developer distro which is extraordinarily weak at security)
Apache Foundation - I can't think of a more deserving donation (Tomcat,
Apache, too many to list etc)

What are yours?


On 4/26/07 7:33 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:

Ok guys, using the data set from mine and Jeff's ratings, here are the final
Spoc sponsorship allocations:

Proposal ID                             | Project                                                       | OWASP Sponsorship
----------------------------------------|---------------------------------------------------------------|------------------
Mark Curphey                            | The OWASP Web Security Certification Framework                | 20000
----                                    | 10x 1000USD to FOSS projects we all use                       | 10000
Mateo                                   | OWASP Certification Project                                   | 5000
Eoin Keary                              | Code review Project                                           | 5000
Boris                                   | OWASP Site Generator                                          | 5000
EdFinkler                               | A comprehensive input retrieval/filtering system for PHP      | 5000
NSRAV Security Research Group           | Attacks Reference Guide                                       | 5000
Arshan Dabirsiaghi                      | OWASP The Anti-Samy Project                                   | 5000
Sebastien Deleersnyder                  | OWASP Education Project                                       | 5000
Eric Sheridan and Dr. Goran Trajkovski  | The Scholastic Application Security Assessment Project        | 5000
Caseydk                                 | Security throughout the SDLC                                  | 3000
Bunyamin Demir                          | OWASP WeBekci Project                                         | 2500
Erwin Geirnaert                         | OWASP Java Project                                            | 2500
Boris                                   | OWASP Tiger                                                   | 2500
Joshua Perrymon                         | OWASP LiveCD Project                                          | 2500
Erwin Geirnaert                         | OWASP WebGoat Solutions Guide                                 | 2500
Denis                                   | Python Tainted Mode                                           | 2500
Jim                                     | Best Practices & Countermeasures                              | 2500
Josh Sweeney                            | OWASP LiveCD Education Project                                | 2500
Heiko                                   | Web Application Security put into practice                    | 2500
Przemyslaw 'rezos' Skowron              | Refresh Attacks list                                          | 2500
Boris                                   | OWASP Report Generator                                        | 2500
Darren Edmonds                          | WebScarab NG Security Test Automation                         | 2500
Subere                                  | OWASP JBroFuzz Project                                        | 2500
Paulo Coimbra                           | OWASP brand                                                   | 2500
Paolo Perego                            | Owasp Orizon Project                                          | 2500
Bernardo                                | sqlmap                                                        | 2500
Buanzo                                  | Enigform: Firefox Addon for OpenPGP signing of HTTP requests  | 2500
(TBD)                                   | Help with SpoC project management                             | 2500
----------------------------------------|---------------------------------------------------------------|------------------
Total                                   |                                                               | 118000
which means that all proposals submitted were accepted (an amazing success
story) and according to my numbers (please double check them) we are only 2k
over our initial 91K investment, and still have 20k to allocate:

Total Investment 


Payer    | Project        | Initial budget | Allocated | Still Available
---------|----------------|----------------|-----------|----------------
OWASP    | Any            | 91000          | 91000     | 0
         |                | 9000           | 9000      | 0
SPI      | SiteGen        | 9000           | 3000      | 6000
Cenzic   | SiteGen        | 3000           | 2000      | 1000
Metr     |                | 3000           | 0         | 3000
         | SDL            | 3000           | 3000      | 0
Vigilar  | Certification  | 8000           | 8000      | 0
SANS     | Questions      | 5000           |           |
Fortify  | Source code    | 5000           | 0         | 5000
---------|----------------|----------------|-----------|----------------
Totals   |                | 136000         | 116000    | 20000

Total Allocated - Total investment = 


If none of you complain, I will email the participants and the owasp-leaders
this information tomorrow, and start working on the press-release and final
operational details.

Very excited about what is going to be created by this initiative.



Owasp-board mailing list
Owasp-board at lists.owasp.org





Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
