[Owasp-board] [GPC] Update Needed

dinis cruz dinis.cruz at owasp.org
Sun Jul 11 09:42:36 UTC 2010

(removed the individual emails and CCed the respective lists (for future
reference the owasp-board list is moderated for non-subscribers so you can
send emails like this to it and they wil be approved by Paulo or Kate))
(after reading the email before sending, I decided to also CCing the
owasp-leaders since this is an OWASP-wide issue and relevant to most OWASP
leaders (see Tom's and Jason's email below for reference))

I think Jason makes a very good analysis of the GPC status. Currently it is
failing by lack of activity/energy.

In some ways, the GPC is suffering from the problem that I think most other
Committees have:

1) Most Committee members are energised, focused and motivated in the areas
that they have personal/professional interests, which in OWASP means
'Application Security tasks' and not 'Operational/Logistics tasks'

2) Lack of meetings, namely in-person events where the Committee members get
together to 'work' on Committee items (there is a big limitation on what can
be achived by conference calls (and some committees spend a LOT of
energy+emails just in the process of BOOKING one of these calls :) ))

3) Lack of governance by OWASP Board which should regularly reorganize and
promote these Committees (i.e. refocus its objectives, remove inactive
committee members, move Committee members around and actively expose to the
OWASP Community the great work that has been done). This is a lot of work
and is literally (regurlarly) opening up lots of cans-of-worms, but, if we
(OWASP Board) want to see more results from these Committees, we really need
allocate resources and efforts into these areas.

4) Change of focus by existing Commitee members on other OWASP (or not)
activities. For example a lot of Committees really suffered by the amount of
time and effort that some of its key members allocated to the organization
of OWASP conferences.

Moving back to the GPC, as Jason describes really well in his email, there
is a lot of value for OWASP in sorting out the OWASP Projects, creating a
new website and gaining a LOT more visibility+control over what our projects
are doing.

So moving on, we need to do a reset of the GPC and my gut feeling is that we
should change its scope and remove from it any operational requirements
(i.e. map the projects, organize reviewers, populate wiki pages, etc...) and
focus it on reviewing and managing 'OWASP Projects'.

In fact the OWASP Google Hacking inquiry should be lead by the GPC, since it
is a great case study for the need for GPC and the type of
'independent-review' activities that the GPC should be doing.

Dinis Cruz

On 9 July 2010 17:04, Jason Li <jason.li at owasp.org> wrote:

> Board/GPC,
> I'm afraid if I were to rate the Global Projects Committee's progress
> objectively over the last 6 months, I would have to give us a failing
> grade. To my knowledge, we have not been making regular meetings for
> some time.
> As a result, I think it's kind of fruitless to try and state
> accomplishments (planned or otherwise) over the last or next month.
> Let me instead outline where we are, how we got here, where we want to
> go, and what we need help with.
> Right now we're stuck at an impasse. Our current goal is to assess the
> quality of all the OWASP projects based on the new version of the
> assessment criteria we created. Our progress towards that goal has
> been fairly non-existent. Honestly, I think the problem is just that
> assessing projects is just not very appealing work. We all have a
> limited bandwidth and the less appealing things just seem to fall
> through. Unfortunately we don't have an army of reviewers like say,
> Wikipedia, so this issue will continue to be a stumbling block for
> reviewing projects going forward. As it is, new projects get started
> almost weekly, so we keep falling further and further behind...
> Why is reviewing the OWASP projects a critical path?
> The ultimate goal is to redo the OWASP projects website so that we can
> highlight our flagship projects in a fair and useful way. There's been
> many ideas about this ranging from moving away from the Wiki and
> establishing a new separate OWASP website filled with mature, reviewed
> content that has been promoted from the Wiki, or a prime spotlight
> location highlighting top projects on the existing Wiki, or any number
> of other possibilities. But they are all predicated on having an
> objective assessment on existing projects to determine which ones best
> represent OWASP. The truth is that we don't know very much about the
> existing OWASP projects that we have (the Google Hacking project is
> case in point to this fact).
> We didn't want to just start doing a "sample" of OWASP projects to
> push forward in the highlighting effort as we were sure that would
> just be labeled as "unfair" or "biased" towards certain heavyweight
> OWASP projects (e.g. WebScarab, ESAPI, etc). Hence the desire to do
> all the projects before moving forward rather than cherry pick a few.
> Assuming we can get through the assessments, there's a lot of things
> we'd like to do. We started with a very ambitious outline for what we
> wanted to do with the OWASP Projects after the Summit
> (
> http://www.owasp.org/index.php/Global_Projects_Committee#Agenda_.28DRAFT.29
> ).
> We've more or less accomplished the first four points: Define Metrics
> (creation of first OWASP Projects Survey), Apply Metrics
> (administering of the first survey), Incorporate Results (analyzed and
> debated results to form Assessment Criteria v2), Create Metadata
> (formalized Assessment Criteria v2). We're now stuck on Capture
> Metadata (perform the assessments).
> The next couple stages are the ones that would really make a
> difference in marketing OWASP projects. The first of these is to
> Provide a Repository. We did some preliminary reconnaissance to try
> and get a branded Google Code hosting solution, but we didn't get very
> far. I think this is a critical piece to provide some consistency for
> projects. It also provides us a safety net in cases where projects get
> abandoned. By having an official OWASP repository, we'll always have
> the code to a project even if a leader later decides to abandon it
> (e.g. Google Hacking). The next of these is to revamp the project
> website and migrate existing projects to the new site. That's a huge
> undertaking that I think is extremely important to OWASP - but I'm not
> even sure it's worth discussing until we get our ducks lined up in a
> row with our existing projects.
> So how do we get pass this block?
> I'm open to suggestions on how we can either quickly assess projects
> in a meaningful way or bypass the problem entirely by creatively doing
> something else. I believe we had several discussions about putting the
> carrot in front of the cart. For example, we could simply create a new
> whiz bang website for OWASP and the "price of admission" to the
> "endorsed" part of the website was for a project leader to push his
> project through a mostly self-review process. But that has it's own
> issues as self-review is not always accurate (again, Google Hacking
> serves as a good example - Christian was fairly quick to fill out the
> OWASP Projects Survey) and so there's always going to be a need for
> external review. And that external review will be a bottleneck for
> anyone trying to push to the next tier.
> Ironically, the whole Google Hacking situation is a great lens to view
> our efforts through. The problems OWASP is dealing with right now for
> that project are exactly the problems we were thinking about when we
> started our agenda... if we can only make some faster progress, we
> might be able to preempt this kind of event in the future.
> Any ideas are welcome.
> -Jason
> On Wed, Jun 23, 2010 at 4:42 AM, Brennan - OWASP <tomb at owasp.org> wrote:
> > Committee Members,
> > This morning from OWASP Europe - Sweden Matt and I quickly updated and
> > simplified the Global Committee pages see:
> > http://www.owasp.org/index.php/Global_Committee_Pages
> > As we all look forward to summer BBQ's, travel etc.. is time for a
> committee
> > heath check as some have stalled.
> > What we need from each of you is to reconnect with your committee team
> > members, pick up the phone check in, send a email.  What we need is for
> you
> > to collaborate on activities and quickly report your status of your
> > committee by JULY 9th 2010.
> > On each of the committee wiki pages we added a status report for this to
> > track progress and report monthly.  The realtime status will be used at
> the
> > July board meeting as we review the progress of each committee:
> > http://www.owasp.org/index.php/OWASP_Board_Meetings
> > =========
> > Accomplishments for this Month
> > •
> > •
> > •
> > Planned for Next Month
> > •
> > •
> > •
> > Issues/Risks/Challenges
> > •
> > •
> > •
> > =========
> > **NOTE ** - If it is time to pass the torch, add a new member, obtain
> > clarification or support/approval to proceed etc.. this is a good time to
> do
> > so.   In September as you know we will gather for the OWASP AppSec USA
> event
> > http://www.owasp.org/index.php/AppSec_US_2010,_CA and showcase
> achievements.
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Global-projects-committee mailing list
> > Global-projects-committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
> >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100711/b55ff968/attachment-0002.html>

More information about the Owasp-board mailing list