[Owasp-board] Google & OWASP Summer of Code 2008 - can we work together?
dinis.cruz at owasp.org
Thu Mar 13 15:13:14 UTC 2008
Well, I don't think Leslie read the email, so I would give it a couple days
(let's see if Chris picks it up) before we craft an answer.
At this stage I would give her the benefit of the doubt of now knowing OWASP
and what we do.
On Thu, Mar 13, 2008 at 3:08 PM, Dave Wichers <dave.wichers at owasp.org>
> This is absurd. Alison looked and couldn't find any time limit on the
> submission date, but even if there was one, this seems crazy.
> What do we do now?
> -----Original Message-----
> From: lhawthorn at google.com [mailto:lhawthorn at google.com] On Behalf Of
> Sent: Wednesday, March 12, 2008 9:36 PM
> To: dinis cruz
> Cc: cdibona at gmail.com; OWASP Board; Jeff Williams; Dave Wichers; Paulo
> Subject: Re: Google & OWASP Summer of Code 2008 - can we work together?
> HI Dinis,
> We are indeed the right people. Unfortunately, the application
> deadline for Google Summer of Code was today at 19:00 UTC. Afraid we
> can't help you.
> On Wed, Mar 12, 2008 at 6:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > Hello Chris and Leslie (got your details from
> > http://groups.google.com/groups/profile).
> > As 'Program Manager - Open Source' (Leslie Hawthorn) and 'Open Source
> > Programs Manager' (Chris DiBona) I believe you are the persons we
> > need to talk to at Google.
> > I'm Dinis Cruz and I am representing the OWASP (Open Web Application
> > Security Project) who I hope you have come across before (I think me and
> > Chris swapped same emails a couple years ago).
> > OWASP is focused on Web Application Security and you can see more
> > about us on our website http://www.owasp.org
> > (http://www.owasp.org/index.php/About_OWASP). OWASP manages numerous
> > Source projects (http://www.owasp.org/index.php/Category:OWASP_Project)
> > is represented through the world via our chapters
> > (http://www.owasp.org/index.php/Category:OWASP_Chapter) and regular
> > conferences
> > (http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference). We
> > recently started publishing (as books) the best documents created by the
> > OWASP documentation projects: http://stores.lulu.com/owasp
> > Although OWASP is a non-for-profit organization, we use the revenue
> > generated by our conferences and our member's fees
> > (http://www.owasp.org/index.php/Membership#Current_OWASP_Members) to
> > Open Source and OWASP projects with a sponsorship similar to your Google
> > Summer of Code.
> > In the last two years we have successfully managed two OWASP Seasons of
> > Code:
> > OWASP Spring of Code 2007 -
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 (SpoC 07), in
> > 21 projects were sponsored with a budget of US$117,500,
> > see http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_:_Selection
> > a project list & 'sponsorship value' and
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_-_Projects for
> > final deliverables
> > OWASP Autumn of Code 2006 -
> > http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006 (AoC 06), in
> > 9 projects were sponsored with a budget of US$20,000.
> > Earlier this month, we launched our 3rd sponsorship initiative called
> > OWASP Summer of Code 2008:
> > http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
> > One note that I would like to make is the tremendous value-for-money
> > (at OWASP) have with our sponsorship model. Since all information is
> > (from proposal to deliverables) and exposed for peer review, we are able
> > only 'pay for what is delivered' (this in practice means that 'below
> > average' projects tend to be drooped by the sponsored candidates).
> > A practice that worked very well, was to accept a higher number of
> > proposals, since we found that:
> > there is a natural 10% to 20% cancellation rate (author could not
> > the proposed project) , but
> > some projects massively over-deliver. See for example the work done on
> > OWASP Testing Guide
> > and the OWASP Top 10 for Ruby on Rails (see book
> > http://www.lulu.com/content/1412042 and project page
> > )
> > Final comment on this OWASP introduction. Using help obtained via
> > employees we met at past OWASP conferences, we have started to move some
> > OWASP's infrastructure to Google's web based services (owasp.org email
> > example is now hosted at mail.google.com/a/owasp.org and some OWASP's
> > projects are now using Google Code). In fact, our last US conference was
> > originally supposed to be hosted at Google's HQ, but it was logistically
> > possible, so we ended up at Ebay's.
> > So, here are the questions that I would like to ask you:
> > Given that OWASP already has a fully mature sponsorship program, would
> > possible to (for the most suitable proposals) to use a Google's Summer
> > Code sponsorship for the same project sponsored by the OWASP Summer of
> > 2008? (we usually give sponsorships between $2,500 and $5,000).
> > Although we put no limitations to the type of application that can be
> > submitted, for the current initiative we are being more specific and are
> > encouraging projects that fit areas we feel need to be addressed (see
> > http://www.owasp.org/index.php/OWASP_Request_for_Proposal_List for a
> > those projects/areas). Clearly some of these are major activities which
> > require as much resources as possible working on them. Hence, it would
> > very beneficial if we could co-sponsor the successful applications.
> > We try to be as transparent as possible with our selection criteria (see
> > So as part of the applications' requirements we have mandated the public
> > posting of all applications (see here for the first proposals for the
> > current initiative
> > http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications ,
> > for the final list of the previous one
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications) .
> > After selection (by the OWASP board), all selection data will be
> > here:
> > so if we are to work together, do you want to also receive, rate and
> > the projects to sponsor, or do you want to re-use the choices made by
> > Can you advise us what is the best route forward?
> > Should OWASP apply as an organization?
> > (http://code.google.com/soc/2008/org_signup.html)
> > Should OWASP help our applicants with a similar submission to the Google
> > Summer of Code?
> > Another interesting area in which we could work together would be the
> > sponsorship of a couple projects focused on the security of Google's
> > of Code projects. Part of OWASP's efforts is to educate the developer
> > community on secure coding best practices (see for example
> > http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and
> > http://www.owasp.org/index.php/Category:OWASP_Testing_Project) and since
> > participants of the Google Summer of Code are the next generation of
> > developers, there are lots of synergies that could be leveraged from
> > OWASP/Google projects.
> > Finally, due to OWASP's enormous growth over the last year, our current
> > digital infrastructure needs to be reviewed, and given Google's move
> > providing such services (from web hosting, to email, to mailing lists,
> > document management, etc...) we would also like to talk to Google about
> > type of commercial services that Google can provide to OWASP. Thanks for
> > your time, and please don't hesitate to contact us if you need further
> > details or clarifications.
> > Best regards
> > Dinis Cruz
> > Chief OWASP Evangelist
> Leslie Hawthorn
> Program Manager - Open Source
> Google Inc.
> I blog here:
> http://google-opensource.blogspot.com - http://www.hawthornlandings.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-board