[Owasp-board] ESAPI for Javascript Review

Jason Li jason.li at owasp.org
Thu Apr 14 22:04:03 UTC 2011


Well, this certainly conflicts directly with what I just said yesterday on
the GPC mailing list in response to a request for funding to further develop
CSRFGuard:

The Board made a very deliberate decision back in 2009, one that I did not
initially support but now actually agree with, that OWASP should *not* be in
the business of paying project leaders to work on projects (as we have in
previous Seasons of Code). The reasons for this are many and *I don't want
this email thread to be derailed in a philosophical debate on the merits of
such a strategy*.
I'd rather focus on what we *can* do.
The direction of project funding is to provide support for projects to be
better exposed, promoted and received. To that end, we can certainly send
out messages to the OWASP community and highlight the project through all
our normal means (Podcast, Newsletter, etc.) to help it gain some
visibility (which in turn may generate some interest). Long term, we're
working out plans to have resources available for graphic design and
technical writing review, but we do not yet have rules of engagement for
such resources (let alone the actual human resources identified to provide
those services). We're also working on getting a limited number of
conference speaking slots reserved for OWASP project leaders to highlight
their projects, but this effort is still underway (we are currently
targeting AppSecUSA 2011).
If there's something specific that you guys have in mind to support the
project along similar lines of project support, we can review the request.

(see full thread
https://lists.owasp.org/pipermail/global-projects-committee/2011-April/002053.html
)

It's great to hear the output for the ESAPI JavaScript project, and I agree
that $500 is a relatively small amount in comparison to the time and effort
put in by the authors. But there's a reason why the Board wanted to move
away from Seasons of Code and paying for OWASP work of this nature.

Does the Board want to reverse that policy? I'm certain that there would be
a ton of interest if we re-opened that door, but I don't think OWASP is in a
financial position to go down that path right now.

-Jason, GPC Chair
Board mailing list lurker

On Thu, Apr 14, 2011 at 5:17 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

> All,
>
> In the interests of full disclosure, I met with Mario Heiderich at the
> OWASP summit and we got to talking about getting some of his students to
> work on OWASP projects. He found a student (Marcus Niemietz) that was
> interested in reviewing the ESAPI for Javascript project and he (the
> student) was wondering whether we were willing to provide him a small
> payment for his effort and I agreed (using my board member budget). The
> amount was to be determined after he did the work.
>
> He has produced the attached paper and Chris Schmidt’s (the project lead)
> initial review was very positive. As such, I have agreed to pay him $500. He
> spent 100 hours on this effort from what I understand, and so this seems
> small compensation for his good work.
>
> I’m also hoping we can find some more of Mario’s students to work as either
> volunteers or low cost interns on more OWASP projects but I’m still working
> on that.
>
> Anyway, since I spent $500 of OWASP’s money I figured I would let you all
> know. I think this is the first of my board member discretionary budget that
> I have ever spent.
>
> -Dave
>
> p.s. I’m wondering if this discretionary budget will be going away and
> delegated to the committees from now on??
>
> *From:* schafos at googlemail.com [mailto:schafos at googlemail.com] *On Behalf
> Of *Marcus Niemietz
> *Sent:* Thursday, April 14, 2011 2:50 PM
> *To:* Dave Wichers
> *Cc:* Mario Heiderich; Chris Schmidt; Jeff Williams
> *Subject:* Re: College students or others working on OWASP projects like
> ESAPI
>
> Hi Dave, Chris, and Jeff,
>
> In addition to Mario's mail, I am sending you my paper "JavaScript-based
> ESAPI: An In-Depth Overview" (attached).
>
> Regards,
>
> Marcus Niemietz
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>