[Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants

Andrew van der Stock vanderaj at owasp.org
Mon Apr 30 15:08:09 UTC 2007


To achieve consensus, I will vote 'yay' to fund all of them as long as we
strongly encourage the folks with basically overlapping projects to work
together to achieve a single deliverable.

In the next one, let's adopt a more stringent approach to acceptance as per
my previous e-mail, but let's get this one up and running.

Thanks,
Andrew


On 4/30/07 9:12 AM, "Dave Wichers" <dave.wichers at owasp.org> wrote:

> OK,
>  
> As I'm not that involved in this, other than dealing with the money, if
> you guys are OK with committing to making this succeed, then I am OK with it.
> However, I tend to be more in Andrew's camp than Dinis/Jeff, just so you know
> which way I'm leaning.
>  
> Andrew??
>  
> -Dave
>  
> 
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
> Sent: Sunday, April 29, 2007 11:59 PM
> To: 'OWASP Board'
> Subject: Re: [Owasp-board] Spoc 007 results, final data set. If all is OK will
> announce this tomorrow to the participants
>  
> Okay folks - let's get a decision TODAY!  Please respond with your vote.  I
> vote to go ahead with the plan Dinis has created. If you don't care why, stop
> here... otherwise...
>  
> I'm fine with sponsoring all projects.  I think in the future it would be good
> if we forced ourselves to make some hard choices, but for this round I think
> it's fine to sponsor them all.  I'd like to be choosing the best 20 from 100
> applications, but we don't have that option.
>  
> I concur with the points made about managing the projects, but it really
> doesn't take a lot of time (barely any really).  WebGoat was harder because I
> had to run the damn thing.  But most are very easy. It would help A LOT if
> there were some strict rules about reporting status on the project weekly or
> something.  Not many folks were updating their websites last go round.
>  
> On the Curphey sponsorship, I see the concern.  However, he has a lot to lose
> by failing, and OWASP has a lot to gain if he succeeds. We're really not
> risking that much here since we don't pay until halfway and then upon
> completion.
>  
> I also think the amount allocated (+7) is fine.
>  
> --Jeff
>  
>  
> 
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
> Sent: Friday, April 27, 2007 8:53 PM
> To: Andrew van der Stock
> Cc: OWASP Board
> Subject: Re: [Owasp-board] Spoc 007 results, final data set. If all is OK will
> announce this tomorrow to the participants
>  
> Hi Andrew
> 
> (Comments Inline)
> 
> On 4/27/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
> 
> Dinis,
> 
> Dave and I have some concerns about mentoring so many projects.
> 
> 
> I agree that that is an issue, but if you look back at AoC it wasn't that
> hard, and at the end of the day, the objective here is not for us to spend a
> lot of time mentoring these projects, but to let people get on with it.
> 
> In my view SpoC (and AoC, etc.) is just a way to get more active OWASP
> participants. Look at the people who submitted applications: a lot of them
> were not active OWASP contributors, but I bet that if the project is
> successful they will become.
> 
> I also consider that even if only 75% deliver on their projects, the SpoC will
> be a success.
>>  
>> 
>> Although it would be great to have that many projects, we simply don't have
>> that many resources to monitor so many projects.
> 
> 
> Note that there is 2,500 USD allocated in there for somebody to manage the
> logistics of SpoC. So a large part of the overhead can be covered by this
> person.
> 
> I also don't think that we will have to be very active in pushing the projects
> (of course, in the projects that you are interested in (PHP in Andrew's case
> and OSG in mine) one is more than welcome to be involved).
>>  
>> 
>> I had difficulty finding the time to do a simple 1 hr task due to life and
>> work, let alone the regular mentoring 7 or 8 projects each would entail for
>> three months. 
> 
> 
> Then don't monitor them this time around.
>>  
>> 
>> In addition, I'm not sure we should send the message that sending in a quick
>> e-mail gets funding from us.
> 
> 
> I don't think that is what happened. Most submissions had very high value
> (especially when compared with AoC) and I think the fact that all submissions
> had to be made publicly on the WIKI created an environment where only serious
> proposals were sent.
> 
> So the fact that we are sponsoring 100% of the applications is not due to the
> fact that we have lowered our acceptance standards, but due to the fact that
> all proposals had merit.  The applicants deserve a chance to prove their
> value.
>>  
>> 
>> There were a few questionable submissions, and I'd like for us to discuss
>> these before we fund every project. Let's go through the list, and decide on
>> the really worthy projects.
> 
> 
> Is the current 7k shortfall really worth this discussion? The only proposal
> that I think is a bit weaker is from Paulo Coimbra on the OWASP branding
> project, but I know personally Paulo (he lives in London close to me) and was
> planning to be involved in that project.
> 
> I think that the 100% application acceptance is a great story and compliment
> to our community (also, a lot of the 2,500 USD projects are similar in value, so
> any choice we make outside the 100% will be controversial).
>>  
>> 
>> The certification project is huge (and thus why we're paying $20k out).
> 
> 
> Yap.
>>  
>> 
>> However, Mark Curphey is starting up his own business from scratch,
>> architecting and writing a big tool to do ISM management with two others,
>> writing a prolific blog, and building new content for his ISM community
>> portal. He's probably doing 18 hour days right now. I simply don't see how he
>> is going to have time in his busy schedule to do what he claims he wants to
>> do for this project.
> 
> 
> That is not our problem. If Mark Curphey made that proposal it is because he is
> committed to deliver it. Based on Mark's OWASP past contributions we have to
> give him the benefit of the doubt.
> 
> I also believe that Mark is seeing a lot of synergies between his new start-up
> and this project (which is OK as long as he delivers on his SpoC
> commitments).
>>  
>> 
>> Can we talk to Mark about him taking a small portion of the overall funds in
>> return for him *leading* and *mentoring* the project, and assigning him the
>> other person + 1 intern of his choosing to get it done with the remainder of
>> the money? That way we reduce the risk of this project not completing whilst
>> still spending the same amount.
> 
> 
> I disagree with this idea, and it would not work.
> 
> Mark has a vision for this project and we should give him the ability to spend
> the time required to pull it off.
>>  
>> 
>> We need that project, so failure is a risky proposition.
> 
> 
> The risk here is minimal. If Mark doesn't deliver that will be his last OWASP
> sponsorship.
> 
> Yes, we need that project, but we don't have anybody with Mark's profile that
> wants to do it, so the only risk here is if we don't take this opportunity
> (remember that the only reason Mark is able to make this commitment and
> participate in this project is because he is in a start-up and doesn't work
> for an employer).
>>  
>> 
>> Let's try to reduce the risk by assigning more folks to it, particularly
>> folks with more time than Mark, whilst letting Mark run it and keep the
>> quality and experience up.
> 
> 
> I want Mark to work with other SpoC projects (and maybe if the synergies are
> correct he might even 'coordinate' them), but I don't want to change the
> budgets allocated to the projects.
>>  
>> 
>> Lastly, I think you've over-counted some money in our overall budget. OWASP
>> has paid for an intern ($10k) which we had planned to come out of the SpoC
>> funds, and therefore our overall budget has a $10k hole in it.
> 
> 
> Yap, sorry about that. I fixed that in the last version of the results.
>>  
>> 
>> We will need to trim by at least this amount, and preferably by a bit more to
>> take into account quality control and lack of mentoring resources.
> 
> 
> With the adjustments, we are now only 7k short (from the 91k originally
> planned), which is not a large amount and one that I recommend that we accept
> (see my other email for the financial details). Currently the total OWASP
> investment for SpoC is at 98k (maybe a couple of hundred USD more for the t-shirts).
> 
> I am happy to have a call about this tomorrow (if required) since I really
> want to send the results to the participants as soon as possible.
> 
> Dinis
>>  
>> 
>> Thanks,
>> Andrew
>> 
>> 
>> 
>> 
>> On 4/27/07 1:37 PM, "Andrew van der Stock" <vanderaj at owasp.org> wrote:
>>> 
>>> Here are my ratings. I don't think it changes our funding positions.
>>> However, I was thinking that all like projects are bundled together.
>>> 
>>> E.g. 
>>> * Mateo and Mark's project should be combined as they will have overlapping
>>> concerns. 
>>> * Przemyslaw 'rezos' Skowron and NSRAV should be combined. They are doing
>>> pretty much the same thing.
>>> 
>>> I don't mind the original funding allocation being disbursed, but I think
>>> having four projects when two will do will help us monitor the projects more
>>> carefully, and give those projects a greater chance of success with more
>>> resources. 
>>> 
>>> What FOSS projects are we allocating to? My wishlist would include:
>>> 
>>> PHP - we may have an "in" with Zend on this one as well!
>>> XAMPP (a PHP developer distro which is extraordinarily weak at security)
>>> Apache Foundation - I can't think of a more deserving donation (Tomcat,
>>> Apache, too many to list etc)
>>> 
>>> What are yours?
>>> 
>>> Thanks,
>>> Andrew
>>> 
>>> On 4/26/07 7:33 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:
>>> Ok guys, using the data set from mine and Jeff's ratings, here is the final
>>> SpoC sponsorship allocations:
>>> 
>>> Proposal ID                            Project                                                        OWASP Sponsorship
>>> Mark Curphey                           The OWASP Web Security Certification Framework                 20000
>>> ----                                   10x 1000USD to FOSS projects we all use                        10000
>>> Mateo                                  OWASP Certification Project                                    5000
>>> Eoin Keary                             Code review Project                                            5000
>>> Boris                                  OWASP Site Generator                                           5000
>>> EdFinkler                              A comprehensive input retrieval/filtering system for PHP       5000
>>> NSRAV Security Research Group          Attacks Reference Guide                                        5000
>>> Arshan Dabirsiaghi                     OWASP The Anti-Samy Project                                    5000
>>> Sebastien Deleersnyder                 OWASP Education Project                                        5000
>>> Eric Sheridan and Dr. Goran Trajkovski The Scholastic Application Security Assessment Project         5000
>>> Caseydk                                Security throughout the SDLC                                   3000
>>> Bunyamin Demir                         OWASP WeBekci Project                                          2500
>>> Erwin Geirnaert                        OWASP Java Project                                             2500
>>> Boris                                  OWASP Tiger                                                    2500
>>> Joshua Perrymon                        OWASP LiveCD Project                                           2500
>>> Erwin Geirnaert                        OWASP WebGoat Solutions Guide                                  2500
>>> Denis                                  Python Tainted Mode                                            2500
>>> Jim                                    Best Practices & Countermeasures                               2500
>>> Josh Sweeney                           OWASP LiveCD Education Project                                 2500
>>> Heiko                                  Web Application Security put into practice                     2500
>>> Przemyslaw 'rezos' Skowron             Refresh Attacks list                                           2500
>>> Boris                                  OWASP Report Generator                                         2500
>>> Darren Edmonds                         WebScarab NG Security Test Automation                          2500
>>> Subere                                 OWASP JBroFuzz Project                                         2500
>>> Paulo Coimbra                          OWASP brand                                                    2500
>>> Paolo Perego                           Owasp Orizon Project                                           2500
>>> Bernardo                               sqlmap                                                         2500
>>> Buanzo                                 Enigform: Firefox Addon for OpenPGP signing of HTTP requests   2500
>>> (TBD)                                  Help with SpoC project management                              2500
>>> 
>>> Total                                                                                                 118000
>>> 
>>> which means that all proposals submitted were accepted (an amazing success
>>> story) and according to my numbers (please double check them) we are only 2k
>>> over our initial 91K investment, and still have 20k to allocate:
>>> 
>>> 
>>> 
>>> 
>>> Total Investment: 118000
>>> 
>>> Payer     Project         Initial budget   Allocated   Still Available
>>> OWASP     Any             91000            91000       0
>>> EDS                       9000             9000        0
>>> SPI       SiteGen         9000             3000        6000
>>> Cenzic    SiteGen         3000             2000        1000
>>>           Metr            3000             0           3000
>>>           SDL             3000             3000        0
>>> Vigilar   Certification   8000             8000        0
>>> SANS      Questions       5000                         5000
>>> Fortify   Source code     5000             0           5000
>>> 
>>> Totals                    136000           116000      20000
>>> 
>>> Total Allocated - Total Investment = -2,000
>>> 
>>> If none of you complain, I will email the participants and the owasp-leaders
>>> this information tomorrow, and start working on the press-release and final
>>> operational details.
>>> 
>>> Very excited about what is going to be created by this initiative.
>>> 
>>> Dinis 
>>> 
>>> 
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> http://lists.owasp.org/mailman/listinfo/owasp-board
>>  
> 
> 

