[Owasp-board] Flagship Code Products

Tobias tobias.gondrom at owasp.org
Fri Mar 28 16:12:40 UTC 2014


Hi all,

I agree with Jim, that we should be demoting inactive flagship projects
more quickly into normal ones if they don't perform and I agree with
Michael on the community approach.

All the best, Tobias


On 28/03/14 22:41, Michael Coates wrote:
>
> (On my morning walk with the dogs so apologies if I miss an item
> already mentioned in thread.)
>
> I'd like to propose a slight rewording of something Jim mentioned
> earlier. Instead of "I think the board needs to step in..." I think
> the answer is "the community should always feel empowered to raise
> concerns, dive in and impact real change by helping out." So let's do
> that!
>
> So let's get Samantha and leaders on a new thread and ask what's
> working and what isn't with the current process? How can we help with
> what we currently have? Also let's provide feedback on how to make it
> better. I bet we could make a ton of progress with a good email thread.
>
> Then let's commit this energy to our review process (or whatever we
> have after some iterations) and get the right projects as flagship. I
> saw Jim's request for project review yesterday and filled it out. I'm
> committed to reviewing any number of projects and I bet others are
> too. Let's ask again here.
>
> My guess is Samantha has many areas that could use some community
> "passion" and several people have some great enhancement ideas to the
> project quality review.
>
> 10 day Owasp sprint on project levels? Let's see what we could knock
> out if we all focus on it.
>
> Anyone interested to join me?
>
> On Mar 28, 2014 7:27 AM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>
>     Very generous of your chapter Josh.
>
>     Eoin Keary
>     Owasp Global Board
>     +353 87 977 2988
>
>
>     On 28 Mar 2014, at 14:07, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>>     I'm imagining you "hulk like angry" like the old skool game of
>>     Rampage and it's pretty awesome.
>>
>>     To be fair, there are several other, bigger picture, reasons why
>>     I've decided not to make SimpleRisk an OWASP project.  As a Board
>>     member I'm held (and hold myself) to extra scrutiny and I don't
>>     feel comfortable donating some of my code while withholding the
>>     other parts that I've deemed "Enterprise functionality" for my
>>     paid-for SimpleRisk Extras.  And basing a SaaS model off of an
>>     OWASP project feels kinda shady to me as well.  Maybe this is a
>>     model that OWASP should consider supporting as it would
>>     incentivize developers to bring their work to OWASP knowing that
>>     the extra visibility can drive interest in their paid-for
>>     offerings, but I'm not willing to let my name and reputation be
>>     the guinea pig for that trial.
>>
>>     Is there some way to focus the Google Summer of Code efforts on
>>     fixing the bugs in the flagship projects to make them seaworthy
>>     again?  Could we maybe figure out a way to assign point values
>>     and create a reward system to incentivize independent developers
>>     to bring them up to snuff?  We need to be realistic in that
>>     idealism and volunteerism will only get us so far in fixing this
>>     problem and money is the thing that ultimately makes many people
>>     get off their asses and do work.  I believe the OWASP Austin
>>     Chapter is going to donate $10k of our chapter funds back to the
>>     OWASP Foundation.  Would it make sense to use that unexpected
>>     money toward this effort?
>>
>>     ~josh
>>
>>
>>     On Fri, Mar 28, 2014 at 8:01 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>         I see code flagship projects as being
>>
>>         Dependency Check
>>         OWASP HTML Sanitizer
>>         Maybe AntiSamy if they clean their bugs
>>         OWASP Java Encoder
>>         OWASP JSON Sanitizer
>>
>>         THREE of these projects I am project manager of, I applied to
>>         get them reviewed last year and they are all still stuck in
>>         incubator stage. I'm miffed at best. There is so little
>>         benefit to doing all of this at OWASP I am inclined to shift
>>         them all to Apache where they will get real visibility and
>>         support. Josh once said he was not going to bring his project
>>         to OWASP and it made me HULK LIKE ANGRY but I finally see his
>>         point.
>>
>>         - Jim
>>
>>
>>         On 3/28/14, 6:20 PM, Eoin Keary wrote:
>>>         +1
>>>         Flagships are IMHO
>>>         Zap
>>>         Testing guide
>>>         Ciso
>>>         SAMM
>>>         Education/training
>>>
>>>
>>>         Eoin Keary
>>>         Owasp Global Board
>>>         +353 87 977 2988
>>>
>>>
>>>         On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>>         This makes me very sad.
>>>>
>>>>         _Flagship Code Projects_
>>>>
>>>>         * OWASP AntiSamy Project  <  Abandoned, had to pay someone
>>>>         to update the wiki, not project leads. Roadmap is from
>>>>         2011, no updates, etc.
>>>>
>>>>         * OWASP Enterprise Security API <  Abandoned, wiki out of
>>>>         date, old template, no code changes, we paid good money to
>>>>         have a codeathon in NYC and got... nothing.
>>>>
>>>>         * OWASP CSRFGuard Project <  Somewhat being maintained,
>>>>         abandoned by author but picked up by another leader, but
>>>>         is a horrific design and only works on the most basic of
>>>>         websites. This is a bad bad design for complex web 2.0
>>>>         applications (since it uses JavaScript to inject tokens into
>>>>         the DOM which is fraught with error).
>>>>
>>>>         * OWASP ModSecurity Core Rule Set Project <  Awesome
>>>>         updates, wiki updated by project owner,
>>>>         https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>>
>>>>         I've been helping manage several production quality, highly
>>>>         scalable secure coding components (that were written by PhD
>>>>         level software engineers) and I'm sad to see them still
>>>>         stuck in incubator.  We also have projects like Dependency
>>>>         Check that are incredibly fantastic tools, still stuck in
>>>>         incubator.
>>>>
>>>>         Samantha has been working hard on this, but every time I
>>>>         see our project list it really upsets me because when dev
>>>>         folks really try to use these components; it's so far from
>>>>         production quality that it makes us look really bad. No
>>>>         wonder we can't really get developers to be a part of our
>>>>         community or use our stuff.
>>>>
>>>>         I am sure I will get flack for this, but I stand by my
>>>>         opinions that this is something that is critical to fix at
>>>>         OWASP. I was recently trying to get a software company to
>>>>         be the first top tier corporate sponsor, but as part of
>>>>         this, they looked at our flagship projects and wiki, saw
>>>>         how crusty they both were, and said "no way". Sad.
>>>>
>>>>         - Jim
>>>>         _______________________________________________
>>>>
>>>>         Owasp-board mailing list
>>>>         Owasp-board at lists.owasp.org
>>>>         https://lists.owasp.org/mailman/listinfo/owasp-board