[Owasp-board] Updated ASVS presentation for Beta page

Paulo Coimbra paulo.coimbra at owasp.org
Tue Dec 9 17:04:50 UTC 2008


I also think that the idea of splitting the project info across tabs will be
a good solution.  

 

However, until we reach a new paradigm and in accordance with Dave's
request, I propose the following methodology
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verifica
tion_Standard_Project_Proposal to deal with new projects and with the
completed OWASP SoC 08 projects. 

 

I also took a stab at the question of licences and, using Jeff's and Dinis'
inputs, uploaded the following content
https://www.owasp.org/index.php/Category:OWASP_Opensource_licenses. 

 

Thanks,

 

Paulo Coimbra,

OWASP <https://www.owasp.org/index.php/Main_Page>  Project Manager

 

From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: segunda-feira, 8 de Dezembro de 2008 19:15
To: Dave Wichers
Cc: Jeff Williams; paulo.coimbra at owasp.org; Laurence Casey
Subject: Re: Updated ASVS presentation for Beta page

 

Yap, I think the idea to add tabs to each project will be a great solution
(if we can get that to work).

 

In some ways this would allow us to align those pages with its target
audiences. So for example, 

*	the home page tab would be focused on the project's clients/users
and should look as professional and clean as possible (with a big focus on
what those user's want)
*	the project management tab would be guided by the current project
development focus, its sponsors (like SoC) and the data created by the
implementation of our Project Assessment Criteria. This tab is basically the
perfect host for the work Paulo has been doing
*	the development tab should have information for the project
contributors/participants
*	the documentation tab is an interesting one since there is going to
be documentation for users and document for developers.

There are still some issues to sort out, but this is definitely the way to
go. 

 

One thing we should make very clear, is that this type of structure (tab) is
dependent on the size/maturity of the project (since smaller/newer projects
should be perfectly ok with with a simpler template like the one Paulo
currently uses)

 

I'm going to forward this email to the Global Project Committee and so that
they are involved in this process

 

Dinis Cruz

 

2008/12/5 Dave Wichers <dave.wichers at owasp.org>

Larry, Jeff, and I kind of like the model that the http://www.hdiv.org/ site
is showing. Larry is going to see if he can find or create a tabbing system
for media wiki. If he can, I'd like to try it on the ASVS page and Jeff
could take a crack at the ESAPI page so we've done both a document and a
tool project and once we get those stabilized/agreed to, we can start
rolling out this pattern across all the OWASP projects.

 

Dins/Paulo - do you like the idea of splitting this info across tabs? If so,
we'd just need to agree on what all the data is that we need and how to
organize it.

 

-Dave

 

From: Dave Wichers [mailto:dave.wichers at owasp.org] 
Sent: Friday, December 05, 2008 2:14 PM
To: Jeff Williams; 'dinis cruz'


Cc: paulo.coimbra at owasp.org
Subject: RE: Updated ASVS presentation for Beta page

 

It has not, and you bring up good points. I want the table at the top to be
as short as possible and contain info that most people would be interested
in. Other details can be pushed down the page or to other pages.

 

I don't see much on the spring site that I like, but I do like the 2nd one.
They have sub tabs across the middle of the page like:

 

 <http://www.hdiv.org/index.htm> Home
<http://sourceforge.net/project/showfiles.php?group_id=139104> Download
<http://www.hdiv.org/documentation.htm> Documentation
<http://www.hdiv.org/support.htm> Support  <http://www.hdiv.org/contact.htm>
Contact 

 

It would be cool for us to have a standard set of tabs across the top of
each project page and then each tab could have the standard information we
expect for each project.

 

Can something like this be done with Media wiki?

 

-Dave

 

 

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 

Sent: Friday, December 05, 2008 1:16 PM

To: dinis cruz; Dave Wichers


Cc: paulo.coimbra at owasp.org

Subject: RE: Updated ASVS presentation for Beta page

 

I haven't followed this whole discussion completely, but the "home page" for
a project should be primarily focused on the "consumer" for it.  Many of our
pages suck and we should look at other open source projects to see how they
advertise their project:

 

-          http://static.springframework.org/spring-security/site/

-          http://www.hdiv.org/

 

I'd like to see quality, project management, license, etc. on a supporting
page for the project.  Perhaps a "Project Information" page.  It could be
summarized (very briefly) on the first page if it looks nice.

 

Sorry for responding without having read all the history - perhaps this has
been covered already.

 

--Jeff

 

Jeff Williams, CEO

Aspect Security <http://www.aspectsecurity.com/> 

work: 410-707-1487

main: 301-604-4882

 

From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Friday, December 05, 2008 11:31 AM
To: Dave Wichers
Cc: paulo.coimbra at owasp.org; Jeff Williams
Subject: Re: Updated ASVS presentation for Beta page

 

Thanks Dave for taking a stab and cleaning up the page (and it is good that
Mike is happy).

 

The only issue I can see on that table is where do we put in the information
about the review process of that page? Ideally they should the last reviews
(which in the SoC's world would be the 100% mark) which ironically are the
ones missing on this project.

 

I think that those reviews are quite useful (even for new comers to OWASP
projects) since they provide a 3rd party view of the project (and the
self-analysis) at the point/date the project was reviewed to upgrade/keep
its Project Quality Status. 

 

You are right that we don't need all those percentages in there, but we
should link to those reviews.

 

Paulo, it might be a very good idea, to write a 'where are we at today'
email explaining the past/current situation, and send it to the Tools &
Projects Committee

 

Just FYI, I believe Paulo is about to board a plane (small EU trip) so
should only be online later today (our time)

 

Dinis 

 

2008/12/5 Dave Wichers <dave.wichers at owasp.org>

Guys,

 

I took a stab at an update to the ASVS page and Mike is happy 'enough' with
it. Check out: https://www.owasp.org/index.php/ASVS 

 

I've changed the 3rd row to be key project information and included the
release level and project type as additional info and removed the reviewers.
I also don't think the board rep is needed here.

 

What other 'standard' information do we want to include in the information
block like this for documentation projects?

 

Once we get this figured out, we can create a similar block for tools
projects.

 

This page doesn't use a template yet, but once we figure this out, I think
it should be converted to a template.

 

Paulo - I didn't change your existing template at all, so you can still use
it to document the SoC status for this project. I do link to the template in
the Project Sponsors section so people can still get to the full details if
they are interested.

 

-Dave

 

p.s. Paulo - if you have time, can you call me to discuss? Or we can do a
Google chat conversation? You sounded concerned about this and I want to
make sure we are all happy about where this is going.

 

From: Paulo Coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Thursday, December 04, 2008 5:13 PM
To: Dave Wichers; 'Dinis Cruz'
Cc: Jeff Williams
Subject: RE: Updated ASVS presentation for Beta page

 

Dave,

 

To be honest, your opinion has surprised me a lot. I always thought about
that methodology as a general one, not as a frame built to support the SoC.
As I said below, I was even asked to spread it over all OWASP Projects.
However, my time now is 22:10.  If you don't mind, I will fully answer you
later, after having had time to organize definitely my ideas about the
issue.

 

Thanks,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com] 

Sent: quinta-feira, 4 de Dezembro de 2008 22:02
To: Dinis Cruz
Cc: Jeff Williams; paulo.coimbra at owasp.org
Subject: FW: Updated ASVS presentation for Beta page

 

Any of you object to this?

 

-Dave

 

From: Dave Wichers 
Sent: Thursday, December 04, 2008 5:02 PM
To: 'Boberski, Michael [USA]'; Jeff Williams; Mike Boberski
Cc: paulo.coimbra at owasp.org
Subject: RE: Updated ASVS presentation for Beta page

 

Paulo,

 

Once a project has completed its season of code, I would think that it would
be appropriate to archive off the 2nd half of the table to somewhere else.

 

I would suggest that we move this to a page like: ASVS_2008SoC_Status, we
put whatever summer of code status info we want on that page, including the
2nd half of this table (or maybe the whole table)? And then link to this
table from a spot on the main project page (where we indicate this project
was initiated during the OWASP Summer of Code 2008. Somewhere near the
bottom of the page.

 

I would also move the Beta info above the Alpha info near the bottom.

 

I also noticed there is an Aspect logo reference that isn't rendering right.
Can you fix that, and also include the Booz Allen Hamilton logo, if Mike
wants to provide one?

 

Paulo, I actually think this kind of cleanup should be done on all the
Season of Code pages that have been completed. Lets work out the template
with this project, and then we can have someone go do this on all the Season
of Code project pages.

 

-Dave

 

From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com] 

Sent: Thursday, December 04, 2008 4:54 PM
To: Jeff Williams; Dave Wichers; Mike Boberski

Subject: FW: Updated ASVS presentation for Beta page
Importance: High

 

Sigh. A little help, guys?

 

Perhaps a compromise:

 

Propose for the short term, make ASVS like T10, Guide. 

 

In the long term, commit to putting dashboard status information near the
top but in a different form, perhaps on the right in white boxes, to match
the left hand side? In their current form, contents as a percentage of
screen realestate are meaningless for all but those working on the project.

 

The only other work around I have is to put it on a Booz Allen intranet
share. The full page of blue boxes are not presentable to people who put
extreme value on presentation.

 

Mike B.

 

 

  _____  

From: Paulo Coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra


Sent: Thursday, December 04, 2008 4:35 PM
To: Boberski, Michael [USA]
Cc: 'Pierre Parrend'; 'OWASP Foundation Board List'

Subject: RE: Updated ASVS presentation for Beta page
Importance: High

Mike,

 

I thank the files you have sent.

 

Regarding the frame, I surely don't want to be inflexible - it's neither my
approach nor OWASP culture - but, on the one hand, I have clear instructions
from OWASP Board to spread it out over all OWASP Projects and, on the other
hand, the frame constitutes the core of a methodology to assess
(https://www.owasp.org/index.php/Category:OWASP_Project_Assessment) OWASP
Projects and to place them accordingly in the OWASP Projects page -
https://www.owasp.org/index.php/Category:OWASP_Project.   

 

By the way, I take the opportunity to ask you, and your reviewers (Jeff and
Pierre), if you are kind enough to perform your reviews. As far as I can
understand from the established rules, only after this has been done, the
project can be considered an OWASP Beta Quality Project. It will allow me as
well to request your deserved payment. 

 

Many thanks,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com] 
Sent: quinta-feira, 4 de Dezembro de 2008 20:50


To: paulo.coimbra at owasp.org

Cc: dinis.cruz at owasp.org; Jeff Williams
Subject: RE: Updated ASVS presentation for Beta page

 

Paulo, attached should be a zip with the graphics files.

 

I don't mean to be too terribly difficult, but I'm not a fan of those big
blue tables remaining at all. The goal is to spread adoption of this, so it
needs to look more product-like than project-like. They are hard to read and
their contents as a percentage of screen realestate are meaningless for all
but those working on the project. T10, Guide, ESAPI, those have it right in
my mind.

 

I am going to be emailing this URL to 20k people after sending them one
paragraph of explanation in a working group email. How many are going to
scroll past the page-long set of blue tables to read further? 

 

Sorry to rant, but I feel rather strongly about this.

 

Mike B.

 

 

  _____  

From: Paulo Coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Thursday, December 04, 2008 3:29 PM
To: Boberski, Michael [USA]
Cc: dinis.cruz at owasp.org
Subject: RE: Updated ASVS presentation for Beta page

Mike,

 

Please see below my inline answers. Thank you.

 

Paulo Coimbra,

OWASP Project Manager

 

 

> >-----Original Message-----

> >From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]

> >Sent: quinta-feira, 4 de Dezembro de 2008 19:17

> >To: paulo.coimbra at owasp.org; Paulo Coimbra

> >Subject: RE: Updated ASVS presentation for Beta page

> >

> >Paulo, the ASVS page is looking good! Forgive me for peeking, I'm

> >excited.

 

[pc] I am still working on it. 

 

> >

> >Are the blue tables going to be either deleted or moved to some other

> >page?

 

[pc] No, the 'blue tables' will not be deleted or moved. On the contrary, we
intend to spread out this kind of frame, which aims to be an OWASP
standardization effort, over ALL OWASP Projects. 

 

> >

> >Do you need any graphics files from me for the diagram or the logos?

> >

 

[pc] Yes, please. Thank you.

 

> >Mike B.

> >

> >

> >-----Original Message-----

> >From: Boberski, Michael [USA]

> >Sent: Thursday, December 04, 2008 11:52 AM

> >To: 'paulo.coimbra at owasp.org'; 'Paulo Coimbra'

> >Cc: 'Jeff Williams'; 'Mike Boberski'; 'Dave Wichers'

> >Subject: Updated ASVS presentation for Beta page

> >

> >

> >Paulo, an updated version of the ASVS presentation to post to the new

> >project page should be attached.

> >

> >The formatting was changed compared to the old one, and there were

> >some

> >small additional edits like updating the requirements count. I don't

> >think the Alpha version of the presentation that's currently on the

> >SoC

> >ASVS page needs to be posted to the new Beta page.

> >

> >Please let me know if you need anything from me!

> >

> >You should have:

> >

> >  1. One word doc w/draft of the Beta site's contents

> >

> >  2. One word and one pdf of the Alpha draft with the new bug

> >

> >  3. One word and one pdf of the final Beta draft

> >

> >  4. One powerpoint w/updated presentation

> >

> >Thanks a million,

> >

> >Mike B.

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20081209/96ed4d1e/attachment-0002.html>


More information about the Owasp-board mailing list