[Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants

Dinis Cruz dinis at ddplus.net
Mon Apr 30 22:11:58 UTC 2007


Thanks guys for the vote of confidence.

I will let the participants know and start organizing the announcement
details.

Dinis


On 4/30/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
> To achieve consensus, I will vote 'yay' to fund all of them as long as we
> strongly encourage the folks with basically overlapping projects to work
> together to achieve a single deliverable.
>
> In the next one, let's adopt a more stringent approach to acceptance as
> per my previous e-mail, but let's get this one up and running.
>
> Thanks,
> Andrew
>
>
> On 4/30/07 9:12 AM, "Dave Wichers" <dave.wichers at owasp.org> wrote:
>
> OK,
>
> As I'm not that involved in this, other than dealing with the money, then
> if you guys are OK with committing to making this succeed, then I am OK with
> it. However, I tend to be more in Andrew's camp than Dinis/Jeff, just so you
> know which way I'm leaning.
>
> Andrew??
>
> -Dave
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of* Jeff Williams
> *Sent:* Sunday, April 29, 2007 11:59 PM
> *To:* 'OWASP Board'
> *Subject:* Re: [Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants
>
> Okay folks – let's get a decision TODAY!  Please respond with your vote.
>  I vote to go ahead with the plan Dinis has created. If you don't care why,
> stop here….otherwise…
>
> I'm fine with sponsoring all projects.  I think in the future it would be
> good if we forced ourselves to make some hard choices, but for this round I
> think it's fine to sponsor them all.  I'd like to be choosing the best 20
> from 100 applications, but we don't have that option.
>
> I concur with the points made about managing the projects, but it really
> doesn't take a lot of time (barely any really).  WebGoat was harder because
> I had to run the damn thing.  But most are very easy. It would help A LOT if
> there were some strict rules about reporting status on the project weekly or
> something.  Not many folks were updating their websites last go round.
>
> On the Curphey sponsorship, I see the concern.  However, he has a lot to
> lose by failing, and OWASP has a lot to gain if he succeeds. We're really
> not risking that much here since we don't pay until halfway and then upon
> completion.
>
> I also think the amount allocated (+7) is fine.
>
> --Jeff
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of* Dinis Cruz
> *Sent:* Friday, April 27, 2007 8:53 PM
> *To:* Andrew van der Stock
> *Cc:* OWASP Board
> *Subject:* Re: [Owasp-board] Spoc 007 results, final data set. If all is OK will announce this tomorrow to the participants
>
> Hi Andrew
>
> (Comments Inline)
>
> On 4/27/07, *Andrew van der Stock* <vanderaj at owasp.org> wrote:
>
> > Dinis,
> >
> > Dave and I have some concerns about mentoring so many projects.
>
> I agree that that is an issue, but if you look back at AoC it wasn't that
> hard, and at the end of the day, the objective here is not for us to spend a
> lot of time mentoring these projects, but to let people get on with it.
>
> In my view SpoC (and AoC, etc.) is just a way to get more active OWASP
> participants. Look at the people that submitted applications: a lot of them
> were not active OWASP contributors, but I bet that if the project is
> successful they will become.
>
> I also consider that even if only 75% deliver on their projects, the SpoC
> will be a success.
>
> > Although it would be great to have that many projects, we simply don't
> > have that many resources to monitor so many projects.
>
> Note that in there, there is a 2,500k allocated for somebody to manage the
> logistics of SpoC. So a large part of the overhead can be covered by this
> person.
>
> I also don't think that we will have to be very active in pushing the
> projects (of course, in the projects that you are interested in (PHP in
> Andrew's case and OSG in mine) one is more than welcome to be involved).
>
> > I had difficulty finding the time to do a simple 1 hr task due to life and
> > work, let alone the regular mentoring 7 or 8 projects each would entail for
> > three months.
>
> Then don't monitor them this time around.
>
> > In addition, I'm not sure we should send the message that sending in a
> > quick e-mail gets funding from us.
>
> I don't think that is what happened. Most submissions had very high value
> (especially when compared with AoC) and I think the fact that all
> submissions had to be made publicly on the WIKI created an environment where
> only serious proposals were sent.
>
> So the fact that we are sponsoring 100% of the applications is not due to
> the fact that we have lowered our acceptance standards, but due to the fact
> that all proposals had merit. The applicants deserve a chance to prove
> their value.
>
> > There were a few questionable submissions, and I'd like for us to discuss
> > these before we fund every project. Let's go through the list, and decide on
> > the really worthy projects.
>
> Is the current 7k shortfall really worth this discussion? The only
> proposal that I think is a bit weaker is from Paulo Coimbra on the OWASP
> branding project, but I know Paulo personally (he lives in London close to
> me) and was planning to be involved in that project.
>
> I think that the 100% application acceptance is a great story and
> compliment to our community (also a lot of the 2,500 USD projects are
> similar in value, so any choice we make outside the 100% will be
> controversial).
>
> > The certification project is huge (and thus why we're paying $20k out).
>
> Yap.
>
> > However, Mark Curphey is starting up his own business from scratch,
> > architecting and writing a big tool to do ISM management with two others,
> > writing a prolific blog, and building new content for his ISM community
> > portal. He's probably doing 18 hour days right now. I simply don't see how
> > he is going to have time in his busy schedule to do what he claims he wants
> > to do for this project.
>
> That is not our problem. If Mark Curphey made that proposal it is because he
> is committed to deliver it. Based on Mark's OWASP past contributions we have
> to give him the benefit of the doubt.
>
> I also believe that Mark is seeing a lot of synergies between his new
> start-up and this project (which is OK as long as he delivers on his SpoC
> commitments).
>
> > Can we talk to Mark about him taking a small portion of the overall funds
> > in return for him *leading* and *mentoring* the project, and assigning him
> > the other person + 1 intern of his choosing to get it done with the
> > remainder of the money? That way we reduce the risk of this project not
> > completing whilst still spending the same amount.
>
> I disagree with this idea, and it would not work.
>
> Mark has a vision for this project and we should give him the ability to
> spend the time required to pull it off.
>
> > We need that project, so failure is a risky proposition.
>
> The risk here is minimal. If Mark doesn't deliver, that will be his last
> OWASP sponsorship.
>
> Yes, we need that project, but we don't have anybody with Mark's profile
> that wants to do it, so the only risk here is if we don't take this
> opportunity (remember that the only reason Mark is able to make this
> commitment and participate in this project is because he is in a start-up
> and doesn't work for an employer).
>
> > Let's try to reduce the risk by assigning more folks to it, particularly
> > folks with more time than Mark, whilst letting Mark run it and keep the
> > quality and experience up.
>
> I want Mark to work with other SpoC projects (and maybe if the synergies
> are correct he might even 'coordinate' them), but I don't want to change the
> budgets allocated to the projects.
>
> > Lastly, I think you've over-counted some money in our overall budget.
> > OWASP has paid for an intern ($10k) which we had planned to come out of the
> > SpoC funds, and therefore our overall budget has a $10k hole in it.
>
> Yap, sorry about that. I fixed that on the last version of the results.
>
> > We will need to trim by at least this amount, and preferably by a bit more
> > to take into account quality control and lack of mentoring resources.
>
> With the adjustments, we are now only 7k short (from the 91k originally
> planned), which is not a large amount and one that I recommend that we accept
> (see my other email for the financial details). Currently the total OWASP
> investment for SpoC is at 98k (maybe a couple more 100s USD for the
> t-shirts).
>
> I am happy to have a call about this tomorrow (if required) since I really
> want to send the results to the participants as soon as possible.
>
> Dinis
>
> > Thanks,
> > Andrew
>
>
>
>
> On 4/27/07 1:37 PM, "Andrew van der Stock" <vanderaj at owasp.org> wrote:
>
>
> Here are my ratings. I don't think it changes our funding positions.
> However, I was thinking that all *like* projects are bundled together.
>
> E.g.
>
>    - Mateo and Mark's project should be combined as they will have
>    overlapping concerns.
>    - Przemyslaw 'rezos' Skowron and NSRAV should be combined. They are
>    doing pretty much the same thing.
>
>
> I don't mind the original funding allocation being disbursed, but I think
> having four projects when two will do will help us monitor the projects more
> carefully, and give those projects a greater chance of success with more
> resources.
>
> What FOSS projects are we allocating to? My wishlist would include:
>
> PHP – we may have an "in" with Zend on this one as well!
> XAMPP (a PHP developer distro which is extraordinarily weak at security)
> Apache Foundation – I can't think of a more deserving donation (Tomcat,
> Apache, too many to list etc)
>
> What are yours?
>
> Thanks,
> Andrew
>
> On 4/26/07 7:33 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:
> Ok guys, using the data set from mine and Jeff's ratings, here is the final
> Spoc sponsorship allocations:
>
> Proposal ID | Project | OWASP Sponsorship
> Mark Curphey | The OWASP Web Security Certification Framework | 20000
> ---- | 10x 1000USD to FOSS projects we all use | 10000
> Mateo | OWASP Certification Project | 5000
> Eoin Keary | Code review Project | 5000
> Boris | OWASP Site Generator | 5000
> EdFinkler | A comprehensive input retrieval/filtering system for PHP | 5000
> NSRAV Security Research Group | Attacks Reference Guide | 5000
> Arshan Dabirsiaghi | OWASP The Anti-Samy Project | 5000
> Sebastien Deleersnyder | OWASP Education Project | 5000
> Eric Sheridan and Dr. Goran Trajkovski | The Scholastic Application Security Assessment Project | 5000
> Caseydk | Security throughout the SDLC | 3000
> Bunyamin Demir | OWASP WeBekci Project | 2500
> Erwin Geirnaert | OWASP Java Project | 2500
> Boris | OWASP Tiger | 2500
> Joshua Perrymon | OWASP LiveCD Project | 2500
> Erwin Geirnaert | OWASP WebGoat Solutions Guide | 2500
> Denis | Python Tainted Mode | 2500
> Jim | Best Practices & Countermeasures | 2500
> Josh Sweeney | OWASP LiveCD Education Project | 2500
> Heiko | Web Application Security put into practice | 2500
> Przemyslaw 'rezos' Skowron | Refresh Attacks list | 2500
> Boris | OWASP Report Generator | 2500
> Darren Edmonds | WebScarab NG Security Test Automation | 2500
> Subere | OWASP JBroFuzz Project | 2500
> Paulo Coimbra | OWASP brand | 2500
> Paolo Perego | Owasp Orizon Project | 2500
> Bernardo | sqlmap | 2500
> Buanzo | Enigform: Firefox Addon for OpenPGP signing of HTTP requests | 2500
> (TBD) | Help with SpoC project management | 2500
>
> Total | | 118000
> which means that all proposals submitted were accepted (an amazing success
> story) and according to my numbers (please double check them) we are only 2k
> over our initial 91K investment, and still have 20k to allocate:
>
>
>
>
> Total Investment: 118000
>
> Payer | Project | Initial budget | Allocated | Still Available
> OWASP | Any | 91000 | 91000 | 0
> EDS | | 9000 | 9000 | 0
> SPI | SiteGen | 9000 | 3000 | 6000
> Cenzic | SiteGen | 3000 | 2000 | 1000
> | Metr | 3000 | 0 | 3000
> | SDL | 3000 | 3000 | 0
> Vigilar | Certification | 8000 | 8000 | 0
> SANS | Questions | 5000 | | 5000
> Fortify | Source code | 5000 | 0 | 5000
>
> Totals | | 136000 | 116000 | 20000
>
> Total Allocated - Total investment = -2,000
>
> If none of you complain, I will email the participants and the
> owasp-leaders this information tomorrow, and start working on the
> press-release and final operational details.
>
> very excited about what is going to be created by this initiative
>
> Dinis
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board