[Owasp-board] Fwd: [Owasp_project_leader_list] Do you consider your project a Flagship status candidate?

johanna curiel curiel johanna.curiel at owasp.org
Sat Jun 7 22:32:33 UTC 2014


> OWASP committee--needs to come up with a list of definitive criteria of
> what is required of a flagship product, how is it going to be measured,
> and what (if any) are going to be the perks / advantages of having a
> project labeled as flagship both to the community and to the project
> members themselves

I believe that the Project Health and Quality criteria were an approach to
this.
I think the Project Health Criteria definition is a very good one and this
has been sent by Samantha multiple times. This was the work of the Project
Review Advisory Board. Again, the problem is volunteers don't have time to
review this, nor to spend time testing tools and verifying the quality;
that's why I proposed the QA approach.

*Kevin*, are you aware of the existence of the Project Health Criteria and
Quality Criteria created by this Advisory board last year? I was part of
that board.
This has now been reshaped into a new group called the Project Review Task Force.

I think that we still need to define what kind of benefits a flagship
project gets, but one of them should be proper QA testing to improve its
quality.

Here is some history about these developments:
http://owasp.blogspot.com/2013/11/owasp-project-review-criteria-and-2013.html


On Sat, Jun 7, 2014 at 3:22 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I don't think it's necessarily a case of the concern just coming up now.
> My post on a new projects model (
> http://lists.owasp.org/pipermail/owasp-board/2014-April/013539.html)
> actually pre-dates that discussion and there were several other discussions
> even before that.  To summarize what happened, during the Board meeting
> where this decision was made, the staff indicated that they did not feel
> empowered to make the decision on the demotion of projects.  The Board vote
> on the demotion was meant to support the staff so that they (Samantha in
> particular) could push forward with a plan to bring quality back to the
> definition of an OWASP Flagship project.  To her credit, the page that you
> commented on was the culmination of that effort.  You had some fantastic
> feedback on it and, to me at least, it appears that it fell into the void.
> With Samantha's resignation, we've seen Johanna step up to lead the charge
> on defining what it means to be a Flagship code project and, for lack of
> anyone else leading, I've at least put a call for comments out there on
> defining what it means to be a Flagship documentation project.  Once we've
> come up with that set of criteria, I think our next step, as you alluded
> to, is defining what the perks are of being a Flagship project.  To me,
> this includes some level of support provided by the Foundation for
> consumers, helping to procure grant funding, rallying the community for
> contribution and support, translation assistance, etc.  Our long-term goal
> here needs to be a sustainable model where Flagship equates to guaranteed
> high quality output.  As Eoin said, bugs are expected with any product, but
> with Flagship, they shouldn't linger very long.  Flagship should be the
> Foundation's commitment to maintain a tool or document until it is no
> longer relevant, IMHO.
>
> ~josh
>
>
> On Sat, Jun 7, 2014 at 11:08 AM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>
>> I guess my question is why is this concern only coming up now?
>> I brought up this same issue back on May 7th on the discussion page of
>> <https://www.owasp.org/index.php/Talk:Governance/ProjectProgramModels>
>> that Samantha had asked everyone to comment on, but which seems as though
>> only myself and James McGovern made any comments on.
>>
>> And I think that's only the tip of the iceberg. I think someone--either
>> the board or a designated OWASP committee--needs to come up with a list
>> of definitive criteria of what is required of a flagship product, how
>> is it going to be measured, and what (if any) are going to be the perks /
>> advantages of having a project labeled as flagship both to the community
>> and to the project members themselves. I'm not opposed to starting with a
>> clean slate (versus starting with the ProjectProgramModels wiki page that
>> Samantha created), but I think it's imperative that everyone is on the
>> same page before we start out trying to determine which programs
>> qualify for flagship status and which don't and inevitably end up
>> getting accused by some of bias.
>>
>> -kevin
>>
>> On Sat, Jun 7, 2014 at 4:27 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> > Well done, thank you Josh.
>> >
>> >
>> > --
>> > Jim Manico
>> > @Manicode
>> > (808) 652-3805
>> >
>> > On Jun 6, 2014, at 9:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> >
>> > I just put it out there on the leaders list along with a few other
>> > suggestions to get the ball rolling on this.  I doubt I'm the most
>> > qualified person either to tackle Flagship documentation projects, but
>> > I'm happy to give it a shot and hopefully the rest of the community will
>> > engage.
>> >
>> > ~josh
>> >
>> >
>> > On Fri, Jun 6, 2014 at 10:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> Agreed. Josh, would you mind starting that conversation on the leaders
>> >> list?
>> >>
>> >>
>> >>
>> >> Aloha,
>> >>
>> >> Jim
>> >>
>> >>
>> >>
>> >> From: owasp-board-bounces at lists.owasp.org
>> >> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Sarah Baso
>> >> Sent: Wednesday, June 04, 2014 9:31 AM
>> >> To: Josh Sokol
>> >> Cc: OWASP Board List; johanna curiel curiel
>> >> Subject: Re: [Owasp-board] Fwd: [Owasp_project_leader_list] Do you
>> >> consider your project a Flagship status candidate?
>> >>
>> >>
>> >>
>> >> All - I would suggest we have an open discussion with the leaders
>> >> regarding how we would evaluate quality of documentation projects
>> >> including use of proprietary information and data validation and much
>> >> more...
>> >>
>> >> Johanna has let me know that while she feels qualified to help with
>> >> setting criteria and a framework for evaluating quality of code
>> >> libraries and tools, she would like someone else to take on putting
>> >> together the process for documentation projects.
>> >>
>> >>
>> >>
>> >> I think this is a great discussion for us to be having!
>> >>
>> >>
>> >>
>> >> Sarah
>> >>
>> >>
>> >>
>> >> On Wed, Jun 4, 2014 at 12:25 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> >>
>> >> I tend to agree, Eoin.  Two primary concerns:
>> >>
>> >> 1) Are the materials going into these open source guides not
>> >> proprietary?  We need validation before making a documentation project
>> >> Flagship that it is truly open source.
>> >>
>> >> 2) Do we have enough insight and documentation on how the guide was
>> >> created that someone else could replicate it in the future?  Leaders
>> >> will come and go, but labeling something as Flagship, at least to me,
>> >> indicates some level of long-term support.
>> >>
>> >> ~josh
>> >>
>> >>
>> >>
>> >> On Wed, Jun 4, 2014 at 1:14 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >>
>> >> I believe new releases of guides need to be reviewed before they are
>> >> published as final edition and flagship.
>> >>
>> >> I am happy to review either the code review or testing guide as I was
>> >> involved in both as lead at points in time.
>> >>
>> >> I am keen about quality of such guides given they provide direction to
>> >> 1000's of Dev/test/QA for many years to come.
>> >>
>> >>
>> >>
>> >> I am happy to volunteer as a reviewer for any of the guides once a
>> >> complete editable document is available.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Eoin Keary
>> >>
>> >> Owasp Global Board
>> >>
>> >> +353 87 977 2988
>> >>
>> >>
>> >>
>> >>
>> >> On 4 Jun 2014, at 18:48, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> Board,
>> >>
>> >>
>> >>
>> >> Someone from the testing guide and OWASP Top Ten wanted to know how
>> >> *documentation projects* could reapply for flagship status. The current
>> >> project eval reboot is for tools and libraries, documentation projects
>> >> are out of scope right now.
>> >>
>> >>
>> >>
>> >> Any thoughts here?
>> >>
>> >>
>> >>
>> >> Aloha,
>> >>
>> >> --
>> >>
>> >> Jim Manico
>> >>
>> >> @Manicode
>> >>
>> >> (808) 652-3805
>> >>
>> >>
>> >> Begin forwarded message:
>> >>
>> >> From: johanna curiel curiel <johanna.curiel at owasp.org>
>> >> Date: June 4, 2014 at 6:25:48 AM HST
>> >> To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>,
>> >> "owasp_project_leader_list at lists.owasp.org"
>> >> <owasp_project_leader_list at lists.owasp.org>,
>> >> "owasp-projects-task-force at googlegroups.com"
>> >> <owasp-projects-task-force at googlegroups.com>, Enrico Branca
>> >> <enrico.branca at owasp.org>
>> >> Subject: [Owasp_project_leader_list] Do you consider your project a
>> >> Flagship status candidate?
>> >>
>> >> Hi Leaders
>> >>
>> >>
>> >>
>> >> In the process of reviewing projects at Quality assurance level for
>> >> Tools and Code projects, I want to make sure we do not exclude those
>> >> projects that right now are officially LABS and consider themselves
>> >> ready for a review process to become Flagship.
>> >>
>> >>
>> >>
>> >> Keep reading if you want your project to be a flagship candidate.
>> >>
>> >>
>> >>
>> >> The process will have these important components:
>> >>
>> >>
>> >>
>> >> - Code Analysis (SWAMP) (if written in Java, C++ or C): I would need
>> >>   your permission to load the project into SWAMP
>> >> - Functional testing: Deploy the tool/Code in Virtual servers with a
>> >>   full configured test environment. Project leaders will have access
>> >>   to these
>> >> - Access to JIRA to review test cases
>> >> - Analysis and use of Unit tests - Code coverage
>> >>
>> >>
>> >> Make sure you understand what are the minimum qualifications to become
>> >> flagship
>> >>
>> >> See attached document Project Health Criteria. We are using Ohloh as a
>> >> measuring mechanism on activity and hopefully Enrico's tool will help
>> >> us with that part too.
>> >>
>> >>
>> >>
>> >> Please contact the OWASP Project task force to add you to this list
>> >>
>> >>
>> >>
>> >> A preliminary analysis will be done to verify the actual Project Health
>> >> Criteria and continue with the process of evaluation for flagship
>> >>
>> >>
>> >>
>> >> Regards
>> >>
>> >>
>> >>
>> >> Johanna
>> >>
>> >>
>> >>
>> >> <Master File- Projects Assessment Criteria V7.xlsx>
>> >>
>> >> _______________________________________________
>> >> Owasp-board mailing list
>> >> Owasp-board at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >>
>> >> Executive Director
>> >>
>> >> OWASP Foundation
>> >>
>> >>
>> >>
>> >> sarah.baso at owasp.org
>> >> +1.312.869.2779
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Blog: http://off-the-wall-security.blogspot.com/
>> NSA: All your crypto bit are belong to us.
>>
>
>