[Owasp-board] ESAPI Project's assessment

Dave Wichers dave.wichers at owasp.org
Mon Feb 2 23:38:36 UTC 2009


I’ll be one. I’ve already reviewed almost all of it so I just need to
document my results on the wiki.

 

-Dave

 

From: paulo coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Monday, February 02, 2009 1:44 PM
To: 'Dave Wichers'; tomb at owasp.org; 'Sebastien Deleersnyder'; 'dinis cruz'
Cc: 'OWASP Foundation Board List'
Subject: RE: ESAPI Project's assessment

 

Hi Dave, Tom, Sebastien and Dinis,

 

As you already know the ESAPI assessment process has been triggered. 

 

Please check out the following two links: 

https://www.owasp.org/index.php/Project_Information:_OWASP_Enterprise_Security_API_Project

https://www.owasp.org/index.php/OWASP_Enterprise_Security_API_Project_-_Assessment_Frame.

 

Therefore, so as to evaluate the current ESAPI quality status, we are
looking for three reviewers to assume the First, Second and Board Member
reviewer roles. Can we count on three of you to do so? I thank you in
advance. 

 

Regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Saturday, January 31, 2009 13:55
To: paulo.coimbra at owasp.org; 'Dave Wichers'
Cc: 'OWASP Foundation Board List'
Subject: RE: ESAPI Project's assessment

 

Hi Paulo,

 

We can do that no problem.  Thanks!

 

--Jeff

 

Jeff Williams, Chair

The <http://www.owasp.org/>  OWASP Foundation

work: 410-707-1487

main: 301-604-4882

 

From: paulo coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Friday, January 30, 2009 12:10 PM
To: 'Dave Wichers'; jeff.williams at owasp.org
Cc: 'OWASP Foundation Board List'
Subject: RE: EASPI Project's assessment

 

Dave,

 

I thank you for your response and will be waiting for Jeff’s say.

 

Regarding the review question, we will do as you decide. However, to me,
since we have established the assessment criteria and it is in force, every
project should be formally checked against it to make sure that all the
criteria have been accomplished. 

 

I also see advantages in having the reviewers’ assessment easily and
publicly accessible - as we have here
https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project, for example.

 

Furthermore, given the ESAPI prestige, if we followed clearly the rules to
upgrade its quality status, it would help us to set up an example worth
respecting.

 

Thanks,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Dave Wichers [mailto:dave.wichers at owasp.org] 
Sent: Friday, January 30, 2009 16:14
To: paulo.coimbra at owasp.org; jeff.williams at owasp.org
Cc: 'OWASP Foundation Board List'
Subject: RE: EASPI Project's assessment

 

Please ask the other board members to review if necessary. However, ESAPI
has been one of the most heavily reviewed projects at OWASP, so this may not
be absolutely necessary.

 

Jeff will have to answer your first question.

 

-Dave

 

From: paulo coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Friday, January 30, 2009 7:38 AM
To: 'Dave Wichers'; jeff.williams at owasp.org
Cc: 'OWASP Foundation Board List'
Subject: RE: EASPI Project's assessment

 

Hi Jeff, Dave,

 

As my email below hasn’t been answered yet, please allow me to repeat
the two main questions that I still have, namely:

 

- Would you both agree with the upload of a frame like this one
https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project into the ESAPI
project’s page so as to support the reviewers’ evaluation?

- Can I invite two of the three remaining OWASP Board members to
perform the ESAPI reviewers’ role?

 

Thanks, regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: Friday, January 16, 2009 15:46
To: 'Dave Wichers'; 'jeff.williams at owasp.org'
Cc: 'OWASP Foundation Board List'
Subject: EASPI Project's assessment

 

Dave,

 

Last Wednesday we Google chatted and you asked “When you get a moment,
can you also review the ESAPI project to see what 'release' quality criteria
it is missing (if any)?”

 

However, as can be inferred from the Curriculum that I sent out when I was
offered the project manager job and as I told you before, I don’t have the
needed technical qualification to evaluate the projects’ quality. As my only
adequate tool to deal with my current OWASP duties is my management
background, my actions and understanding are limited to process procedures.
For example, I can’t even accurately answer the very first criterion -
“Solves a core application security documentation/process need” - of our
assessment
<https://www.owasp.org/index.php/Category:OWASP_Project_Assessment#Release_Quality_Documentation_Criteria>
process.

 

Nevertheless, as you had asked for it, even thinking as previously said, I
took a stab and did the assessment that can be seen here
http://spreadsheets.google.com/ccc?key=pAX6n7m2zaTWJtelVmV_oMQ.  

 

Anyway, to me, in accordance with our assessment criteria and as we have
done since we first established it, so as to classify properly the
ESAPI project, we should select two reviewers and, after that, ask them to
review the project and evaluate it in accordance with their own judgment.

 

If you agree with my previous assertion, would you, and Jeff, agree as well
with the upload of a frame like this one
https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project into the ESAPI
page so as to support the reviewers’ evaluation?

 

Thanks, regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 
