[Owasp-board] Google & OWASP Summer of Code 2008 - can we work together?
dinis.cruz at owasp.org
Wed Mar 12 23:14:53 UTC 2008
Hello Chris and Leslie (got your details from
As 'Program Manager - Open Source' (Leslie Hawthorn) and 'Open Source
Programs Manager' (Chris DiBona) I believe you are the persons we (OWASP)
need to talk to at Google.
I'm Dinis Cruz and I am representing the OWASP (Open Web Application
Security Project) who I hope you have come across before (I think me and
Chris swapped same emails a couple years ago).
OWASP is focused on Web Application Security and you can see more details
about us on our website http://www.owasp.org (
http://www.owasp.org/index.php/About_OWASP). OWASP manages numerous Open
Source projects (http://www.owasp.org/index.php/Category:OWASP_Project) and
is represented through the world via our chapters (
http://www.owasp.org/index.php/Category:OWASP_Chapter) and regular
We also recently started publishing (as books) the best documents created by
the OWASP documentation projects: http://stores.lulu.com/owasp
Although OWASP is a non-for-profit organization, we use the revenue
generated by our conferences and our member's fees (
http://www.owasp.org/index.php/Membership#Current_OWASP_Members) to support
Open Source and OWASP projects with a sponsorship similar to your Google
Summer of Code.
In the last two years we have successfully managed two OWASP Seasons of
- OWASP Spring of Code
http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 (SpoC 07), in
which 21 projects were sponsored with a budget of US$117,500,
a project list & 'sponsorship value' and
the final deliverables
- OWASP Autumn of Code
06), in which 9 projects were sponsored with a budget of US$20,000.
Earlier this month, we launched our 3rd sponsorship initiative called the
OWASP Summer of Code 2008:
One note that I would like to make is the tremendous value-for-money that we
(at OWASP) have with our sponsorship model. Since all information is open
(from proposal to deliverables) and exposed for peer review, we are able to
only 'pay for what is delivered' (this in practice means that 'below
average' projects tend to be drooped by the sponsored candidates).
A practice that worked very well, was to accept a higher number of
proposals, since we found that:
- there is a natural 10% to 20% cancellation rate (author could not
deliver the proposed project) , but
- some projects massively over-deliver. See for example the work done
on the OWASP Testing Guide (
and the OWASP Top 10 for Ruby on Rails (see book
http://www.lulu.com/content/1412042 and project page
Final comment on this OWASP introduction. Using help obtained via Google
employees we met at past OWASP conferences, we have started to move some of
OWASP's infrastructure to Google's web based services (owasp.org email for
example is now hosted at mail.google.com/a/owasp.org and some OWASP's
projects are now using Google Code). In fact, our last US conference was
originally supposed to be hosted at Google's HQ, but it was logistically not
possible, so we ended up at Ebay's.
So, here are the questions that I would like to ask you:
- Given that OWASP already has a fully mature sponsorship program,
would it be possible to (for the most suitable proposals) to use a Google's
Summer of Code sponsorship for the same project sponsored by the OWASP
Summer of Code 2008? (we usually give sponsorships between $2,500 and
- Although we put no limitations to the type of application that can
be submitted, for the current initiative we are being more specific and are
encouraging projects that fit areas we feel need to be addressed (see
http://www.owasp.org/index.php/OWASP_Request_for_Proposal_List for a
list of those projects/areas). Clearly some of these are major activities
which require as much resources as possible working on them. Hence, it
would be very beneficial if we could co-sponsor the successful applications.
- We try to be as transparent as possible with our selection criteria
So as part of the applications' requirements we have mandated the public
posting of all applications (see here for the first proposals for the
here for the final list of the previous one
. After selection (by the OWASP board), all selection data will be
- so if we are to work together, do you want to also receive,
rate and select the projects to sponsor, or do you want to re-use the
choices made by OWASP?
- Can you advise us what is the best route forward?
- Should OWASP apply as an organization? (
- Should OWASP help our applicants with a similar submission to
the Google Summer of Code?
- Another interesting area in which we could work together would
be the sponsorship of a couple projects focused on the security of
Google's Summer of Code projects. Part of OWASP's efforts is to educate the
developer community on secure coding best practices (see for example
since the participants of the Google Summer of Code are the next generation
of developers, there are lots of synergies that could be leveraged from
- Finally, due to OWASP's enormous growth over the last year, our
current digital infrastructure needs to be reviewed, and given Google's move
into providing such services (from web hosting, to email, to mailing lists,
to document management, etc...) we would also like to talk to Google about
the type of commercial services that Google can provide to OWASP.
Thanks for your time, and please don't hesitate to contact us if you need
further details or clarifications.
Chief OWASP Evangelist
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-board