[Owasp-board] ESAPI

Tom Brennan tomb at owasp.org
Thu Jan 17 16:05:18 UTC 2013


I like the bounties on projects personally. Aligned with strategic annual investments for projects (budgeted investment), this is measurable with results.


On Jan 17, 2013, at 10:58 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Complex? I would think that the project already has a list of bugs and features that we'd like to further develop. It wouldn't take much to assign a value to those based on a very basic LOE which I'd imagine Kevin could provide fairly easily. And in terms of a committed PM, I thought that OWASP hired someone (Samantha?) to help run the project initiatives. Seems like that role could very easily be amended to support this for projects we deem valuable enough to put a bounty on. Seems to me like the problem here is that you have one guy willing to do the work because right now he's doing it for free. If you place a bounty on the work (either dev or QA), I'm guessing that you'll have a line of people wanting to collect on it. Might even be a potential source of (minor) revenue for a company who has spare contractor hours. Trust me... if the idea were that complex, then Metasploit wouldn't be using it for exploit bounties. The hardest part is guesstimating at LOE and assigning a dollar value to that.
> 
> ~josh
> 
> 
> On Wed, Jan 16, 2013 at 10:04 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>> This sounds a little complex to me. I wouldn’t object to it in the long term but this also requires a committed PM to define the tasks and set the bounties and Kevin is kind of the last man standing right now.
>> 
>> So, in the short term I’d suggest we pay him the $5K.
>> 
>> In the longer term, we could ask him to see if he wants to define tasks and set bounties for them. But then someone would have to verify they were implemented correctly and award the bounties, which probably would be Kevin.
>> 
>> I don’t know if Chris Schmidt would be willing to volunteer his time to at least review such deliveries. I know he doesn’t have serious time to develop on ESAPI anymore because we (Aspect) have him buried in getting our first commercial software product out the door.
>> 
>> -Dave
>> 
>> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Josh Sokol
>> Sent: Wednesday, January 16, 2013 9:37 AM
>> To: Samantha Groves
>> Cc: OWASP Foundation Board List
>> Subject: Re: [Owasp-board] ESAPI
>> 
>> I'm concerned about the approach of paying for people rather than for features.  I'm sure Kevin is doing a lot, but giving him $X to do something seems like we're favoring the individual to do something.  Wouldn't it be better if we took an approach similar to Metasploit's exploit bounties and listed a set of features we wanted and how much we were willing to pay for them?  Individuals could then sign up for them and complete them in order to collect the bounty.  We could even issue a bounty for code review of the completed code to ensure quality.  If Kevin is as good as you say, then he should have no problem collecting on some of these bounties, but at least this approach doesn't favor any individual and still allows us to pay for specific contributions to specific projects.  Thoughts?
>> 
>> ~josh
>> 
>> On Wed, Jan 16, 2013 at 5:19 AM, Samantha Groves <samantha.groves at owasp.org> wrote:
>> 
>> Hello Seba and Jim,
>> 
>> I certainly do think that ESAPI needs a committed project leader and a dedicated project support team to help take it to the next level of development. As ESAPI is one of our Flagship projects, I see nothing wrong with giving the initiative an extra amount of support from the foundation. That being said, the amount of support we choose to give this project will need to be reproduced for at least all 15 Flagship projects. I suggest we keep this in mind when discussing how to provide support to ESAPI.
>> 
>> SG
>> 
>> On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
>> 
>> Hi Jim
>> 
>> sounds like a good suggestion for the short term
>> 
>> on longer term, ESAPI needs a committed project manager and project/support team to evolve it into the de facto standard security framework example/implementation, supported by a reliable community
>> 
>> Samantha: what are your thoughts?
>> 
>> --seba
>> 
>> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of ESAPI.
>> 
>> Most everyone who was on the project dropped out, myself included.
>> 
>> Kevin Wall is the "last man standing" working on the project. And frankly, his code is the highest quality - by far - on the project.
>> 
>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the next release?
>> 
>> He did not ask for this, this is my suggestion to use funds to move a key project along in support of our mission.
>> 
>> - Jim
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> 
>> --
>> 
>> Samantha Groves, MBA
>> OWASP Project Manager
>> The OWASP Foundation
>> London, United Kingdom
>> Email: samantha.groves at owasp.org
>> Skype: samanthahz
>> 
>> 
> 