[Owasp-board] OWASP Top 10

Josh Sokol josh.sokol at owasp.org
Sun Apr 13 21:48:33 UTC 2014


Matt,

Please take a look at the OWASP Project Leader Handbook:

https://www.owasp.org/images/d/d8/PROJECT_LEADER-HANDBOOK_2014.pdf

Specifically section 3.1 on Openness:

"Project source code must be made openly available"

It's in the 2013 handbook as well, though I'd argue that this standard has
gone back many years earlier, as Christian Heinrich was suspended for
failing to publish the source code for his OWASP project and Jeff and Dave
were amongst those who set that standard.  While I see nothing wrong with
Eoin being the one to go to them requesting it, I also see no issue with
him trying to avoid a confrontation by asking Samantha to do it instead.
Enforcement should be part of her job, especially if it's in the Project
Leader Handbook.  And it's far nicer than the Board appointing a group of
people for inquiry on the openness of the project.

~josh

> I also don't think that it's unreasonable to ask that our project
> manager ensure that this exists before publishing any project to any one of
> the project categories.

I fully agree with this going forward.  But you are asking for this
retrospectively for the Top 10 2013.

If this is a standard that all projects should make according to the board,
then the board should create an explicit policy to that effect and let the
staff enforce it going forward.  That would provide Samantha the
mechanism she needs to make sure _future_ projects don't violate this
policy.  It can also be used to correct any projects that are outside of
this policy without being enforced after the project has already created a
deliverable, in an ad hoc manner.

However, I still contend that we've spent more time discussing who should
ask when a simple email from Eoin to Dave and/or the Top 10 list would
solve this issue.  It is simple, direct and transparent.

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Sun, Apr 13, 2014 at 3:34 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I don't think that it's unreasonable to ask for the "source" (i.e. how the
> document was generated) for a purported open source project.  I also don't
> think that it's unreasonable to ask that our project manager ensure that
> this exists before publishing any project to any one of the project
> categories.
>
> ~josh
>
>
> On Sun, Apr 13, 2014 at 3:22 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> Dancing? Asking for information on how a project is made, which is
>> allegedly open source, is a valid request.
>> Reason I'm asking Samantha is she is paid staff to manage projects for
>> OWASP.
>> Simple really.
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 13 Apr 2014, at 19:44, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>> Eoin,
>>
>> Are we dancing around the elephant in the room? We know there are many
>> calls for the top 10 to be more open. I hope people will join the project
>> and push the top 10 process from its beginning and create a very open 2015
>> top 10 with all these ideas - we just need to get into the process at the
>> beginning, not the end.
>>
>> I guess my question is this - why not just ask the project mailing list
>> for this information directly? Or are they not responding or refusing?
>>
>> I don't think we have a model or expectation that a request to project X
>> should flow through Samantha to simply relay that same request to the
>> project mailing list.
>>
>> Perhaps I'm missing something - help me understand?
>>
>>
>> --
>> Michael Coates
>> @_mwc
>>
>>
>>
>> On Sun, Apr 13, 2014 at 4:41 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>> Hi Samantha,
>>> I am formally requesting that as projects manager you obtain the data,
>>> work papers and associated statistical model for the owasp top 10. This is a
>>> core owasp project and needs to be assessed such that we can leverage it
>>> for other endeavours.
>>> Thanks in advance.
>>> Eoin.
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>