[Owasp-board] OWASP Top 10

Josh Sokol josh.sokol at owasp.org
Fri Apr 18 00:21:20 UTC 2014


Matt,

Maybe you misunderstood me.  I'm not talking about any sort of punitive
actions against Aspect or Dave or Jeff or anyone.  I'm just saying that
it's reasonable to expect that OWASP projects provide their source code.
And to be fair, the OWASP Top 10 2013 isn't a past project.  In theory,
this will be used up until the 2016 Top 10 is released.  The key to open
source is making the source available so that others can pick up where you
left off, branch, modify, and use the code without limitations.  Without
the source of the Top 10 2013, we are putting any future non-commercial
efforts at a disadvantage as they will not have the pre-existing foundation
to work from.  This is a problem.  This is why I feel that it's reasonable
to expect that they provide their source code.  My comparison to the Google
Hacking Project is merely to show that they (the people involved with the
project) are well aware of this requirement as they have been directly
involved in enforcing the consequences on others who did not publish their
source.

~josh


On Sun, Apr 13, 2014 at 9:40 PM, Matt Tesauro <matt.tesauro at owasp.org>wrote:

> Josh, I reviewed the Project Leaders Handbook prior to my email and that
> is why I used the wording "create an explicit policy".
>
> Look, I totally believe that any project which does analysis of data at
> OWASP _should_ have that data open so it can be reviewed by anyone.  I'm on
> your side here - if there really are sides.
>
> The thing that I think both of you are missing is that:
>
> (1) The Project Leader Handbook at best tangentially handles this
> situation.  If you want this not to happen again, update the policy
> to explicitly handle it.  Your the board, its what boards do.  Write policy
> which empowers the staff to act on that policy.
>
> (2) Unless you want to appear to be a board which arbitrary applies policy
> to projects you have some dispute with, create said policy and enforce it
> going forward.  It is impossible to follow the rules which don't exist.
>  OWASP has gotten too large to do enforcement via cultural norms.  Write
> policy and work off that policy.  If there are projects that don't follow
> the new policy, then you have a framework to constructively discuss how to
> get them where they now need to be.  Otherwise, from a project leaders
> perspective, it feels like arbitrary enforcement.
>
> I know if someone told me there was some problem with WTE because of some
> undocumented obligation, especially if I had not been required to do so for
> years, I'd feel far more a victim that part of the community.  I sure don't
> want that for me and I'd not want that done to any project leader.
>
> Josh - just like you've aggressively advocated for Chapters (and thanks
> for that), I'm doing the same for projects.  I don't want to see a
> precedent where what hasn't bee a problem for years is suddenly a problem
> which must be addressed yesterday.
>
> I share Jim's feelings about previous boards failing to act on the 2013
> Top 10.   It sucks but that's how things happened.  You can't change the
> past but you can set a correct course for future projects and provide a
> path for ones off course to make any needed correction in reasonable time.
>
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Sun, Apr 13, 2014 at 4:48 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Matt,
>>
>> Please take a look at the OWASP Project Leader Handbook:
>>
>> https://www.owasp.org/images/d/d8/PROJECT_LEADER-HANDBOOK_2014.pdf
>>
>> Specifically section 3.1 on Openness:
>>
>> "Project source code must be made openly available"
>>
>> Its in the 2013 handbook as well though I'd argue that this standard has
>> gone back many years earlier as Christian Heinrich was suspended for
>> failing to publish the source code for his OWASP project and Jeff and Dave
>> were amongst those who set that standard.  While I see nothing wrong with
>> Eoin being the one to go to them requesting it, I also see no issue with
>> him trying to avoid a confrontation by asking Samantha to do it instead.
>> Enforcement should be part of her job, especially if its in the Project
>> Leader Handbook.  And its far nicer than the Board appointing a group of
>> people for inquiry on the openness of the project.
>>
>> ~josh
>> >  I also don't think that it's unreasonable to ask that our project
>> manager ensure that this exists before publishing any project to any one of
>> the project categories.
>>
>> I fully agree with this going forward.  But you are asking for this
>> retrospectively for the Top 10 2013.
>>
>> If this is a standard that all projects should make according to the
>> board, then the board should create an explicit policy to that effect and
>> let the staff the enforce it going forward.  That would provide Samantha
>> the mechanism she needs to make sure _future_ projects don't violate this
>> policy.  It can also be used to correct any projects that are outside of
>> this policy without being enforced after the project has already created a
>> deliverable, in an ad hoc manner.
>>
>> However, I still contend that we've spent more time discussing who should
>> ask when a simple email from Eoin to Dave and/or the Top 10 list would
>> solve this issue.  It is simple, direct and transparent.
>>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>>
>> On Sun, Apr 13, 2014 at 3:34 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> I don't think that it's unreasonable to ask for the "source" (ie. how
>>> the document was generated) for a purported open source project.  I also
>>> don't think that it's unreasonable to ask that our project manager ensure
>>> that this exists before publishing any project to any one of the project
>>> categories.
>>>
>>> ~josh
>>>
>>>
>>> On Sun, Apr 13, 2014 at 3:22 PM, Eoin Keary <eoin.keary at owasp.org>wrote:
>>>
>>>> Dancing? Asking for information on how a project is made, which is
>>>> allegedly opensource is a valid request.
>>>> Reason I'm asking Samantha is she is paid staff to manage projects for
>>>> OWASP.
>>>> Simple really.
>>>>
>>>>
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>>
>>>>
>>>> On 13 Apr 2014, at 19:44, Michael Coates <michael.coates at owasp.org>
>>>> wrote:
>>>>
>>>> Eoin,
>>>>
>>>> Are we dancing around the elephant in the room? We know there are many
>>>> calls for the top 10 to be more open. I hope people will join the project
>>>> and push the top 10 process from it's beginning and create a very open 2015
>>>> top 10 with all these ideas  - we just need to get into the process at the
>>>> beginning, not the end .
>>>>
>>>> I guess my question is this - why not just ask the project mailing list
>>>> for this information directly? Or are they not responding or refusing?
>>>>
>>>> I don't think we have a model or expectation that a request to project
>>>> X should flow through Samantha to simply relay that same request to the
>>>> project mailing list.
>>>>
>>>> Perhaps I'm missing something - help me understand?
>>>>
>>>>
>>>> --
>>>> Michael Coates
>>>> @_mwc
>>>>
>>>>
>>>>
>>>> On Sun, Apr 13, 2014 at 4:41 AM, Eoin Keary <eoin.keary at owasp.org>wrote:
>>>>
>>>>> Hi Samantha,
>>>>> I am formally requesting that as projects manager you obtain the data,
>>>>> work papers and associated statistic model for the owasp top 10. This is a
>>>>> core owasp project and needs to be assessed such that we can leverage it
>>>>> for other endeavours.
>>>>> Thanks in advance.
>>>>> Eoin.
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140417/aa3c5779/attachment-0001.html>


More information about the Owasp-board mailing list