[Owasp-board] great chatting with you + research proposal

dinis cruz dinis.cruz at owasp.org
Thu Mar 12 06:51:16 UTC 2009


(also CCing OWASP Global Projects Committees )
Hey guys, couple points:

1) please see the email I just sent Jeffery about the questions he needs to
answer before we can take a position on this

2) this type of decision/position should first be made by the GPC - Global
Projects Committee (hey, of course the Board could overrule the GPC, but at
least it should be given a chance to deal with this issue). For future
reference, can you guys always push project related decisions and questions
to the GPC? I know we (GPC) haven't acted as quickly on this one as we should
have (although I was waiting for Jeffery's answers), but we need to empower and
delegate to that committee, and this is exactly the kind of request that should
be handled by it. So please (Board members) don't vote on this (yet) since
we don't have all the required information to make an informed decision

3) Due to the size of the proposal, this will need to be included as part of
the next Season of Code (SoC) since that is the only place at OWASP where we
have the required structure, controls and man-power to look after such
critical deliverable

4) I haven't heard any bad comments on the quality of the people and the
proposal (although it will need to be made compatible with our current SoC
project management procedures), so (although I have not looked at the
proposal), my initial comment is "hey of course we should be supporting
this". Now the question is: "How are we going to support this in a way that
is fair to the other OWASP projects and compatible with our financial
capabilities?"

5) We already have 2 major OWASP direct sponsorship grants (in addition to
SoC), which are EASPI and Arshan's ISWG (each earmarked with 24k USD for
2009). The direct sponsorship of a project like Jeffery's would need to be
placed in context with those projects (and with SoC)

6) NOTE THAT THIS IS PROBABLY THE MOST IMPORTANT POINT HERE: Since this is a
project whose main beneficiaries are going to be our community (namely the
corporate community), given our current budget limitations, AND the higher
amount requested (SoC grants have in 95% of the cases been 5k or below), I
would suggest that we use this project as an experiment to see if we can get
DIRECT FUNDING FROM OUR COMMUNITY to pay for these 15k (in fact we probably
need 20k since we should throw a couple of OWASP reviewers at it and cover
OWASP's project management costs). The idea here is to go to our community
and say: "OWASPers, here is a very valuable project to YOU, so if you are
interested in its outcomes, then you should sponsor it and contribute
1k, 5k or 10k". This would actually be a very nice way to determine the
interest of our community in this project, and HEY, if the guy is able to
get the 15k/20k/30k required, then he should get them :)

7) finally, the reason WE at OWASP need to have (the bureaucratic :) )
guidelines like the Assessment Criteria (and other guidelines currently
in the works, namely the project sponsorship one) is to be able to DEAL with
issues like this in an effective, pragmatic, fair and expedient way.
Remember that we have a global community, and if we (in 2009) give (or not)
15k to a project like this via a 'unilateral and with no public
consultation' OWASP Board Decision, there are going to be a lot of questions
raised about the OWASP decision making process, independence, lack of
transparency and respect for the community.

I'm really excited about having projects like this submitted for OWASP support
(a massive improvement from the past), so my main focus is to make sure we
are able to: a) handle it properly, b) create a reference framework we can
use on further requests and c) make it happen :)

In a nutshell, the GPC is going to take this and will report to the OWASP
board once we have an update.

Dinis


2009/3/11 Jeff Williams <jeff.williams at owasp.org>

> Guys – since we didn’t get to this on the call yesterday, could you all
> please vote on this?  To refresh your memory I’ve attached the proposal –
> it’s for $15k to do a big survey on appsec practices like those in BS-IMM,
> SAMM, CLASP, SDL, etc…
>
> While I think it would be useful, and Jeff Payne is very capable, I’m not
> totally sold on this.  How valuable do you think it would be to get this
> type of data for OWASP?  Should the pool be OWASP members, selected
> companies, or just anyone anonymously?
>
> --Jeff
>
> *From:* Jeff Williams [mailto:jeff.williams at owasp.org]
> *Sent:* Friday, March 06, 2009 1:01 AM
> *To:* 'OWASP Foundation Board List'
> *Cc:* 'Jeffery Payne'
> *Subject:* FW: great chatting with you + research proposal
>
> Hi Board,
>
> I’m forwarding a proposal from Jeff Payne (formerly of Cigital) who is
> proposing to lead a survey to gather data about how real companies are
> dealing with application security.  Could you all please review and be
> prepared to discuss at the board meeting next week?
>
> Thanks,
>
> --Jeff
>
> *From:* Jeffery Payne [mailto:jeff.payne at coveros.com]
> *Sent:* Thursday, March 05, 2009 1:51 PM
> *To:* Jeff Williams
> *Subject:* great chatting with you + research proposal
>
> Hi Jeff,
>
> It was great catching up with you last week!  It sounds like things are
> great and I'd love to figure out how we can work together on training and
> other activities going forward.  Will you be at the upcoming DHS Software
> Assurance Forum?  I'm speaking on Wed and will be there then as well as
> attending the DHS / OWASP event on Friday.
>
> Also, I've enclosed a grant proposal for the application security survey
> that I mentioned to you.  I think this is a GREAT initiative that can not
> only continue to position OWASP as the go-to place for application security
> resources but also raise the visibility of the entire app sec community.  I
> could not tell from the web site who I was supposed to send this to so I
> thought I'd send it to you directly.  A couple of questions: 1) how long
> does it take to get a decision on grant proposals?  2) when can we start
> ;-)  Seriously, the person I want to work with me on this comes off her
> previous project March 30 and I'd love to get her engaged before she is
> sucked into something else.  Not sure if your turnaround time on a decision
> is that quick or not.
>
> Best regards,
>
> jeff
>
> --
> Jeffery Payne
> Chief Executive Officer
> Coveros, Inc.
>
> jeff.payne at coveros.com
> 703-431-2920