[Owasp-board] ESAPI

Josh Sokol josh.sokol at owasp.org
Fri Jan 18 15:23:32 UTC 2013


Who said anything about abandoning ESAPI?  The only suggestion that's been
made is changing the payment structure from a lump sum payment to an
individual to specific bug/feature targets (something I'd expect anyway)
with portions of that payment associated with them.  If nobody else steps
up and Kevin collects on all of them, then good for him.  But with a single
payment to Kevin, you're basically just ensuring that he is the only
developer on the project.  After all, why would anyone else work for free
when Kevin is getting paid to do the work?  That seems like a pretty bad
place to be for a "Flagship" project or whatever you want to call it.
Personally, I think the bounty model is the way to move forward with all
funded initiatives of the organization.  It creates specific attainable
goals, does not favor any one individual, and has solid criteria for
payment.  Sure, it creates a little additional overhead for the PM, but it
also allows us to be entirely open with how we are spending money and who
is benefiting from it.  Right now it just looks like someone really likes
Kevin and wants to give him $5k without even considering others for the
tasks.

~josh


On Fri, Jan 18, 2013 at 5:54 AM, Samantha Groves
<samantha.groves at owasp.org> wrote:

> Not at all. We are simply using this forum to discuss your idea and
> alternative solutions to the problem. I think overall, there are a few
> concerns, but that doesn't mean we can't move forward. At the end of the
> day, I believe this is a strategic decision which is why I felt it was a
> good idea to bring it up to the board. If the community decides to go in
> this direction, we will support the decision and move forward with
> implementation from an operations perspective, of course.
>
> SG
>
> On Thu, Jan 17, 2013 at 7:53 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>>
>> > That being said, I do agree with Jim that the quality of ESAPI must
>> > certainly be worked on. However, I feel that spending money on a problem
>> > that will only solve that problem in the short term is not a very
>> > sustainable or scalable solution. I would much rather spend my time doing a
>> > bit of extra work developing a creative solution that will benefit all of
>> > our projects instead of putting our time, effort and resources into a quick
>> > fix that will only benefit one project and one project leader.
>>
>>
>> So the alternative is to leave ESAPI as is - an abandoned Flagship
>> project. That leaves us in a place of very low integrity as an
>> organization.
>>
>> - Jim
>>
>>
>>
>> >
>> > SG
>> >
>> > On Wed, Jan 16, 2013 at 11:53 PM, Jason Li <jason.li at owasp.org> wrote:
>> >
>> >> One note - no project is currently "Flagship".
>> >>
>> >> We have projects that we think are strategically valuable enough that
>> >> we should try to push them to that status.
>> >>
>> >> To Jim's point, the project (and really any project that we would want to
>> >> be a Flagship project) needs some polish, support and love to really be in
>> >> that class.
>> >>
>> >> There are several "strategic" projects that I believe OWASP should look to
>> >> push to Flagship status, but if the project is not of sufficient quality,
>> >> it should not be referred to as Flagship regardless of how strategic or
>> >> important the project is.
>> >>
>> >> -Jason
>> >>
>> >>
>> >> On Wednesday, January 16, 2013, Samantha Groves wrote:
>> >>
>> >>> Hello Seba and Jim,
>> >>>
>> >>> I certainly do think that ESAPI needs a committed project leader and a
>> >>> dedicated project support team to help take it to the next level of
>> >>> development. As ESAPI is one of our Flagship projects, I see nothing wrong
>> >>> with giving the initiative an extra amount of support from the foundation.
>> >>> That being said, the amount of support we choose to give this project will
>> >>> need to be reproduced for at least all 15 Flagship projects. I suggest we
>> >>> keep this in mind when discussing how to provide support to ESAPI.
>> >>>
>> >>> SG
>> >>>
>> >>> On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
>> >>>
>> >>>> Hi Jim
>> >>>> sounds like a good suggestion for the short term
>> >>>> on longer term, ESAPI needs a committed project manager and
>> >>>> project/support team to evolve it in the de facto standard security
>> >>>> framework example/implementation supported by a reliable community
>> >>>>
>> >>>> Samantha: what are your thoughts?
>> >>>>
>> >>>> --seba
>> >>>>
>> >>>>
>> >>>> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>>>
>> >>>>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
>> >>>>> ESAPI.
>> >>>>>
>> >>>>> Most everyone who was on the project dropped out, myself included.
>> >>>>>
>> >>>>> Kevin Wall is the "last man standing" working on the project. And
>> >>>>> frankly, his code is the highest quality - by far - on the project.
>> >>>>>
>> >>>>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
>> >>>>> next release?
>> >>>>>
>> >>>>> He did not ask for this, this is my suggestion to use funds to move a
>> >>>>> key project along in support of our mission.
>> >>>>>
>> >>>>> - Jim
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> Owasp-board mailing list
>> >>>>> Owasp-board at lists.owasp.org
>> >>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>> --
>> >>>
>> >>> Samantha Groves, MBA
>> >>> OWASP Project Manager
>> >>> The OWASP Foundation
>> >>> London, United Kingdom
>> >>>
>> >>> Email: samantha.groves at owasp.org
>> >>> Skype: samanthahz
>> >>>
>> >>> Book a Meeting with Me <http://goo.gl/mZXdZ>
>> >>> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>> >>> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>
>> >>>