[Owasp-board] FW: FW: Fwd: Google & OWASP Summer of Code 2008 - can we work together?

Dave Wichers dave.wichers at owasp.org
Mon Mar 17 00:45:52 UTC 2008

I guess there is some hope that Google will respond favorably to our Google summer of code submission.

Stay tuned.


-----Original Message-----
From: Matt Sommer [mailto:mms at google.com] 
Sent: Friday, March 14, 2008 2:51 PM
To: Dave Wichers
Cc: Matt Moore
Subject: Re: FW: [Owasp-board] Fwd: Google & OWASP Summer of Code 2008 - can we work together?

Hey Dave,

I saw this! Got the forward from my new boss (Matt Moore, who knows
Dinis from London apparently). Matt and I are chatting...

On Wed, Mar 12, 2008 at 5:03 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
> Matt,
> We just submitted this and hope we get a positive response. If you can throw
> in a good word for us, that would be great. Do you know Chris or Leslie, or
> anyone else heavily involved in the Google Summer of Code effort?
> Thanks, Dave
> p.s. OWASP now has 2 employees. :-) Making progress …
> ---------- Forwarded message ----------
>  From: dinis cruz <dinis.cruz at owasp.org>
>  Date: Wed, Mar 12, 2008 at 11:14 PM
>  Subject: Google & OWASP Summer of Code 2008 - can we work together?
>  To: lhospo at gmail.com, cdibona at gmail.com
>  Cc: OWASP Board <owasp-board at lists.owasp.org>, Jeff Williams
> <jeff.williams at owasp.org>, Dave Wichers <dave.wichers at owasp.org>, Paulo
> Coimbra <paulo.coimbra at owasp.org>
>  Hello Chris and Leslie (got your details from
> http://groups.google.com/groups/profile).
>  As 'Program Manager - Open Source' (Leslie Hawthorn) and 'Open Source
> Programs Manager' (Chris DiBona) I believe you are the persons we (OWASP)
> need to talk to at Google.
>  I'm Dinis Cruz and I am representing the OWASP (Open Web Application
> Security Project) who I hope you have come across before (I think Chris and
> I swapped some emails a couple of years ago).
>  OWASP is focused on Web Application Security and you can see more details
> about us on our website http://www.owasp.org
> (http://www.owasp.org/index.php/About_OWASP). OWASP manages numerous Open
> Source projects (http://www.owasp.org/index.php/Category:OWASP_Project) and
> is represented through the world via our chapters
> (http://www.owasp.org/index.php/Category:OWASP_Chapter) and regular
> conferences
> (http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference). We also
> recently started publishing (as books) the best documents created by the
> OWASP documentation projects: http://stores.lulu.com/owasp
>  Although OWASP is a not-for-profit organization, we use the revenue
> generated by our conferences and our members' fees
> (http://www.owasp.org/index.php/Membership#Current_OWASP_Members) to support
> Open Source and OWASP projects with a sponsorship similar to your Google
> Summer of Code.
>  In the last two years we have successfully managed two OWASP Seasons of
> Code:
> OWASP Spring of Code 2007 -
> http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 (SpoC 07), in which
> 21 projects were sponsored with a budget of US$117,500,
> see http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_:_Selection for
> a project list & 'sponsorship value' and
> http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_-_Projects for the
> final deliverables
> OWASP Autumn of Code 2006 -
> http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006 (AoC 06), in which
> 9 projects were sponsored with a budget of US$20,000.
> Earlier this month, we launched our 3rd sponsorship initiative called the
> OWASP Summer of Code 2008:
> http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>  One note that I would like to make is the tremendous value-for-money that
> we (at OWASP) have with our sponsorship model. Since all information is open
> (from proposal to deliverables) and exposed for peer review, we are able to
> only 'pay for what is delivered' (this in practice means that 'below
> average' projects tend to be dropped by the sponsored candidates).
>  A practice that worked very well was to accept a higher number of
> proposals, since we found that:
> there is a natural 10% to 20% cancellation rate (author could not deliver
> the proposed project), but
> some projects massively over-deliver. See for example the work done on the
> OWASP Testing Guide
> (http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide)
> and the OWASP Top 10 for Ruby on Rails (see book
> http://www.lulu.com/content/1412042 and project page
> http://www.owasp.org/index.php/SpoC_007_-_Web_Application_Security_put_into_practice
> )
> Final comment on this OWASP introduction. Using help obtained via Google
> employees we met at past OWASP conferences, we have started to move some of
> OWASP's infrastructure to Google's web based services (owasp.org email for
> example is now hosted at mail.google.com/a/owasp.org and some OWASP's
> projects are now using Google Code). In fact, our last US conference was
> originally supposed to be hosted at Google's HQ, but it was logistically not
> possible, so we ended up at Ebay's.
>  So, here are the questions that I would like to ask you:
> Given that OWASP already has a fully mature sponsorship program, would it be
> possible (for the most suitable proposals) to use a Google Summer of
> Code sponsorship for the same project sponsored by the OWASP Summer of Code
> 2008? (we usually give sponsorships between $2,500 and $5,000).
> Although we put no limitations on the type of application that can be
> submitted, for the current initiative we are being more specific and are
> encouraging projects that fit areas we feel need to be addressed (see
> http://www.owasp.org/index.php/OWASP_Request_for_Proposal_List for a list of
> those projects/areas). Clearly some of these are major activities which
> require as much resources as possible working on them. Hence, it would be
> very beneficial if we could co-sponsor the successful applications.
> We try to be as transparent as possible with our selection criteria (see
> http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008#Jury_and_Selection_Criteria).
> So as part of the applications' requirements we have mandated the public
> posting of all applications (see here for the first proposals for the
> current initiative
> http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications, here
> for the final list of the previous one
> http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications).
> After selection (by the OWASP board), all selection data will be published
> here: http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection
> so if we are to work together, do you want to also receive, rate and select
> the projects to sponsor, or do you want to re-use the choices made by OWASP?
> Can you advise us what is the best route forward?
> Should OWASP apply as an organization?
> (http://code.google.com/soc/2008/org_signup.html)
> Should OWASP help our applicants with a similar submission to the Google
> Summer of Code?
> Another interesting area in which we could work together would be the
> sponsorship of a couple of projects focused on the security of Google's Summer
> of Code projects. Part of OWASP's efforts is to educate the developer
> community on secure coding best practices (see for example
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and
> http://www.owasp.org/index.php/Category:OWASP_Testing_Project) and since the
> participants of the Google Summer of Code are the next generation of
> developers, there are lots of synergies that could be leveraged from
> OWASP/Google projects.
> Finally, due to OWASP's enormous growth over the last year, our current
> digital infrastructure needs to be reviewed, and given Google's move into
> providing such services (from web hosting, to email, to mailing lists, to
> document management, etc...) we would also like to talk to Google about the
> type of commercial services that Google can provide to OWASP.
> Thanks for your time, and please don't hesitate to contact us if you need
> further details or clarifications.
>  Best regards
>  Dinis Cruz
>  Chief OWASP Evangelist
