[Owasp-board] Google & OWASP Summer of Code 2008 - can we work together?

dinis cruz dinis.cruz at owasp.org
Thu Mar 13 15:13:14 UTC 2008


Well, I don't think Leslie read the email, so I would give it a couple days
(let's see if Chris picks it up) before we craft an answer.

At this stage I would give her the benefit of the doubt of not knowing OWASP
and what we do.

Dinis

On Thu, Mar 13, 2008 at 3:08 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> This is absurd. Alison looked and couldn't find any time limit on the
> submission date, but even if there was one, this seems crazy.
>
> What do we do now?
>
> -Dave
>
> -----Original Message-----
> From: lhawthorn at google.com [mailto:lhawthorn at google.com] On Behalf Of Leslie Hawthorn
> Sent: Wednesday, March 12, 2008 9:36 PM
> To: dinis cruz
> Cc: cdibona at gmail.com; OWASP Board; Jeff Williams; Dave Wichers; Paulo
> Coimbra
> Subject: Re: Google & OWASP Summer of Code 2008 - can we work together?
>
> Hi Dinis,
>
> We are indeed the right people.  Unfortunately, the application
> deadline for Google Summer of Code was today at 19:00 UTC.  Afraid we
> can't help you.
>
> Cheers,
> LH
>
> On Wed, Mar 12, 2008 at 6:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >  Hello Chris and Leslie (got your details from
> > http://groups.google.com/groups/profile).
> >
> > As 'Program Manager - Open Source' (Leslie Hawthorn) and 'Open Source
> > Programs Manager' (Chris DiBona) I believe you are the persons we (OWASP)
> > need to talk to at Google.
> >
> >  I'm Dinis Cruz and I am representing the OWASP (Open Web Application
> > Security Project) who I hope you have come across before (I think me and
> > Chris swapped some emails a couple years ago).
> >
> >  OWASP is focused on Web Application Security and you can see more details
> > about us on our website http://www.owasp.org
> > (http://www.owasp.org/index.php/About_OWASP). OWASP manages numerous Open
> > Source projects (http://www.owasp.org/index.php/Category:OWASP_Project) and
> > is represented through the world via our chapters
> > (http://www.owasp.org/index.php/Category:OWASP_Chapter) and regular
> > conferences
> > (http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference). We also
> > recently started publishing (as books) the best documents created by the
> > OWASP documentation projects: http://stores.lulu.com/owasp
> >
> >  Although OWASP is a not-for-profit organization, we use the revenue
> > generated by our conferences and our members' fees
> > (http://www.owasp.org/index.php/Membership#Current_OWASP_Members) to support
> > Open Source and OWASP projects with a sponsorship similar to your Google
> > Summer of Code.
> >
> >  In the last two years we have successfully managed two OWASP Seasons of
> > Code:
> >
> > OWASP Spring of Code 2007 -
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 (SpoC 07), in which
> > 21 projects were sponsored with a budget of US$117,500,
> > see http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_:_Selection for
> > a project list & 'sponsorship value' and
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_-_Projects for the
> > final deliverables
> >
> > OWASP Autumn of Code 2006 -
> > http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006 (AoC 06), in which
> > 9 projects were sponsored with a budget of US$20,000.
> >
> > Earlier this month, we launched our 3rd sponsorship initiative called the
> > OWASP Summer of Code 2008:
> > http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
> >
> > One note that I would like to make is the tremendous value-for-money that we
> > (at OWASP) have with our sponsorship model. Since all information is open
> > (from proposal to deliverables) and exposed for peer review, we are able to
> > only 'pay for what is delivered' (this in practice means that 'below
> > average' projects tend to be dropped by the sponsored candidates).
> >
> > A practice that worked very well, was to accept a higher number of
> > proposals, since we found that:
> >
> > there is a natural 10% to 20% cancellation rate (author could not deliver
> > the proposed project), but
> >
> > some projects massively over-deliver. See for example the work done on the
> > OWASP Testing Guide
> > (http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide)
> > and the OWASP Top 10 for Ruby on Rails (see book
> > http://www.lulu.com/content/1412042 and project page
> > http://www.owasp.org/index.php/SpoC_007_-_Web_Application_Security_put_into_practice)
> >
> >  Final comment on this OWASP introduction. Using help obtained via Google
> > employees we met at past OWASP conferences, we have started to move some of
> > OWASP's infrastructure to Google's web based services (owasp.org email for
> > example is now hosted at mail.google.com/a/owasp.org and some OWASP's
> > projects are now using Google Code). In fact, our last US conference was
> > originally supposed to be hosted at Google's HQ, but it was logistically not
> > possible, so we ended up at Ebay's.
> >
> >
> >  So, here are the questions that I would like to ask you:
> >
> > Given that OWASP already has a fully mature sponsorship program, would it be
> > possible (for the most suitable proposals) to use a Google's Summer of
> > Code sponsorship for the same project sponsored by the OWASP Summer of Code
> > 2008? (we usually give sponsorships between $2,500 and $5,000).
> >
> > Although we put no limitations to the type of application that can be
> > submitted, for the current initiative we are being more specific and are
> > encouraging projects that fit areas we feel need to be addressed (see
> > http://www.owasp.org/index.php/OWASP_Request_for_Proposal_List for a list of
> > those projects/areas). Clearly some of these are major activities which
> > require as much resources as possible working on them. Hence, it would be
> > very beneficial if we could co-sponsor the successful applications.
> >
> > We try to be as transparent as possible with our selection criteria (see
> > http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008#Jury_and_Selection_Criteria).
> > So as part of the applications' requirements we have mandated the public
> > posting of all applications (see here for the first proposals for the
> > current initiative
> > http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications , here
> > for the final list of the previous one
> > http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications).
> > After selection (by the OWASP board), all selection data will be published
> > here: http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection
> > so if we are to work together, do you want to also receive, rate and select
> > the projects to sponsor, or do you want to re-use the choices made by OWASP?
> >
> > Can you advise us what is the best route forward?
> > Should OWASP apply as an organization?
> > (http://code.google.com/soc/2008/org_signup.html)
> >
> > Should OWASP help our applicants with a similar submission to the Google
> > Summer of Code?
> >
> > Another interesting area in which we could work together would be the
> > sponsorship of a couple projects focused on the security of Google's Summer
> > of Code projects. Part of OWASP's efforts is to educate the developer
> > community on secure coding best practices (see for example
> > http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and
> > http://www.owasp.org/index.php/Category:OWASP_Testing_Project) and since the
> > participants of the Google Summer of Code are the next generation of
> > developers, there are lots of synergies that could be leveraged from
> > OWASP/Google projects.
> >
> > Finally, due to OWASP's enormous growth over the last year, our current
> > digital infrastructure needs to be reviewed, and given Google's move into
> > providing such services (from web hosting, to email, to mailing lists, to
> > document management, etc...) we would also like to talk to Google about the
> > type of commercial services that Google can provide to OWASP.
> >
> > Thanks for your time, and please don't hesitate to contact us if you need
> > further details or clarifications.
> >
> >  Best regards
> >
> >  Dinis Cruz
> >  Chief OWASP Evangelist
>
>
>
> --
> Leslie Hawthorn
> Program Manager - Open Source
> Google Inc.
>
> http://code.google.com/opensource/
>
> I blog here:
>
> http://google-opensource.blogspot.com - http://www.hawthornlandings.org
>
>