[Owasp-board] Projects reboot

Jason Li jason.li at owasp.org
Mon Mar 19 13:03:17 UTC 2012

I apologize that I have not responded earlier, but my OWASP time has been
limited lately and I've tried to be strategic in where I invest it.

While in principle, I support the concept of this idea, there are a lot of
logistical challenges and I do NOT support the idea in its current form.

The biggest challenge that I see is deciding what projects get interns. For
example, Eoin mentioned the Code Review guide, Development Guide, and ASVS
as documents needing some serious love and attention. Those projects have
had a lot of time and resources devoted to them already.  The three
projects in question had working sessions at the last summit and the folks
involved in those projects were prioritized in the initial Summit
attendee funding - and despite that, as far as I can tell, there's been
limited progress made.  Please bear in mind that the following is not meant
as an attack or criticism on anyone - but from the perspective of other
project leaders, why is OWASP going to give these projects additional
resources when there hasn't been much return on previous investment? It's
particularly challenging because the added resources on the project will
essentially indirectly serve to grow the greatness of project leaders that
aren't already making progress.

We have a host of projects that leaders are working hard on and pushing
concrete progress (OWASP BWA, WebGoat.NET, etc) and the obvious question in
those leader's minds is "why is the OWASP ASVS getting intern help when I'm
here busting my ass off doing this all by myself? What's *their* leader

These challenges are not insurmountable.

But I think that any support we provide to projects has to take into
consideration the level of effort by their leaders - we can't "reward" a
project that hasn't done anything for 6 months by giving them help - that
will just engender spurn from project leaders that are working hard.

There's also a very fine line we're treading. Back in 2009, the Board made
a decision to change the way we view funding for projects. Specifically,
the Board decided that people should not be paid to do work on OWASP
projects. That decision fundamentally changed how the GPC supports projects
and is one of the reasons that OWASP has not had a "Season of Code" since
2008. We have been towing that party line - so if we're going to have
interns working on projects, the Board is going to have to reconsider its
policy decisions.

I suggest that we take advantage of the Google Summer of Code effort and
create a parallel program to grow potential project support. We will
hopefully receive many many applicants and we know that Google will come
back and tell us that was can only accept 4-8 of them. I suggest that we
establish a funding pull to "match" Google so that we can accept an
additional 4-8 applicants. Those applicants won't be official GSoC
participants (i.e. GSoC t-shirt, recognized by Google, etc) but otherwise,
the program would follow the same eligibility rules, timelines, mentorship
guidelines, etc. (If approved, I will certainly reach out to Google and see
if they're willing to include these "unofficial" participants as well in
their promotional literature if we front the student stipend costs)

There are project leaders who took the time and answered Fabio's request
for project ideas and those projects are probably first in line for this
supplemental program. And we should encourage project leaders to add to the
list of ideas and convince students to apply.

I think that this implementation would be a step in the right direction
1) Allows us to slowly step back into "funding" development of OWASP
projects (should the Board decide that's a step they want to take)
2) Provides an established and proven "structure" for the funding
3) Lets us take advantage of some buzz around GSoC
4) Ensures that the projects that get "intern" help are the ones that are
making effort and took the time to actually think about how they would use
an intern

First and foremost is a frank Board discussion on whether or not OWASP will
shift it's earlier policies about paying people to do work on projects.
Admittedly, it's a fine line with a delicate balance and should not be
undertaken lightly. After all, we don't pay people to hold chapter meetings
or run conferences so why should we be paying people to be working on
projects? But there's definitely something to be said about growing

Note - please don't take this email and the fact that I've fleshed out some
implementation thoughts as an indication that I think it's a good idea. I
personally have yet to decide either way - I was simply brainstorming
logistically how I think it should be done were it to be done.


On Mon, Mar 12, 2012 at 6:35 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Perfect, Eoin. I support this. Great use of Foundation funds, IMO.
> Interns are also cheap. :)
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
> On Mar 12, 2012, at 11:18 PM, Eoin <eoin.keary at owasp.org> wrote:
> > Thanks jim,
> > My personal vision is I need someone to refactor and reformat the code
> review guide and also develop a owasp Id nomenclature. So u can get
> documents pushed to this person, they can take care of formatting, grammar
> etc. also I want someone to start x-ref the owasp eco system to bring it
> all together. I have a computer science undergrad student in mind who has
> taken a great interest in security etc.
> >
> > Make sense? Anyone?
> > Eoin.
> >
> >
> >
> >
> > On 12 Mar 2012, at 22:11, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> Eoin,
> >>
> >> Absolutely excellent idea. I think "projects" in general needs a huge
> >> reboot.  Interns will help, but I think more experts would be better.
> >>
> >> What if we rallied the entire community to help one major project at a
> >> time, and drive them to completion? Interns could help doc and do the
> >> dirty work.
> >>
> >> Or perhaps we need specific project goals next summit?
> >>
> >> I'd also expect these issues to be dealt with pro-actively by the
> >> projects committee. What are they up to?
> >>
> >> --
> >> Jim Manico
> >> (808) 652-3805
> >>
> >> On Mar 12, 2012, at 10:52 PM, Eoin <eoin.keary at owasp.org> wrote:
> >>
> >>> Hello board,
> >>> I believe many of our projects need a good reboot;
> >>> Examples are
> >>>
> >>> Dev guide
> >>> Testing guide
> >>> Code review guide
> >>> Cross ref guides with common numbering
> >>> Cross reference with ASVS.
> >>>
> >>> I believe we should employ some interns over the summer to help us get
> some life into the projects.
> >>>
> >>> I could certainly use one for the code review guide and also common
> numbering scheme.
> >>>
> >>> Who supports this idea?
> >>>
> >>> Eoin.
> >>>
> >>> _______________________________________________
> >>> Owasp-board mailing list
> >>> Owasp-board at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20120319/3d8ca4d3/attachment.html>

More information about the Owasp-board mailing list