[Owasp-board] Flagship Code Products

Michael Coates michael.coates at owasp.org
Fri Mar 28 16:35:38 UTC 2014


It sounds like the community portal is about to roll out in the coming
days. Perhaps we should defer the beginning of our sprint just a few days
to leverage this platform.


--
Michael Coates
@_mwc



On Sat, Mar 29, 2014 at 1:12 AM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi all,
>
> I agree with Jim, that we should be demoting inactive flagship projects
> more quickly into normal ones if they don't perform and I agree with
> Michael on the community approach.
>
> All the best, Tobias
>
>
>
> On 28/03/14 22:41, Michael Coates wrote:
>
> (On my morning walk with the dogs so apologies if I miss an item already
> mentioned in thread.)
>
> I'd like to propose a slight rewording of something Jim mentioned earlier.
> Instead of "I think the board needs to step in..." I think the answer is
> "the community should always feel empowered to raise concerns, dive in and
> impact real change by helping out." So let's do that!
>
> So let's get Samantha and leaders on a new thread and ask what's working
> and what isn't with the current process? How can we help with what we
> currently have? Also let's provide feedback on how to make it better. I bet
> we could make a ton of progress with a good email thread.
>
> Then let's commit this energy to our review process (or whatever we have
> after some iterations) and get the right projects as flagship. I saw Jim's
> request for project review yesterday and filled it out. I'm committed to
> reviewing any number of projects and I bet others are too. Let's ask again
> here.
>
> My guess is Samantha has many areas that could use some community
> "passion" and several people have some great enhancement ideas to the
> project quality review.
>
> 10 day Owasp sprint on project levels? Let's see what we could knock out
> if we all focus on it.
>
> Anyone interested to join me?
> On Mar 28, 2014 7:27 AM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>
>>  Very generous of your chapter Josh.
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 28 Mar 2014, at 14:07, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>    I'm imagining you "hulk like angry" like the old skool game of
>> Rampage and it's pretty awesome.
>>
>>  To be fair, there are several other, bigger picture, reasons why I've
>> decided not to make SimpleRisk an OWASP project.  As a Board member I'm
>> held (and hold myself) to extra scrutiny and I don't feel comfortable
>> donating some of my code while withholding the other parts that I've deemed
>> "Enterprise functionality" for my paid-for SimpleRisk Extras.  And basing a
>> SaaS model off of an OWASP project feels kinda shady to me as well.  Maybe
>> this is a model that OWASP should consider supporting as it would
>> incentivize developers to bring their work to OWASP knowing that the extra
>> visibility can drive interest in their paid-for offerings, but I'm not
>> willing to let my name and reputation be the guinea pig for that trial.
>>
>>  Is there some way to focus the Google Summer of Code efforts on fixing
>> the bugs in the flagship projects to make them seaworthy again?  Could we
>> maybe figure out a way to assign point values and create a reward system to
>> incentivize independent developers to bring them up to snuff?  We need to
>> be realistic in that idealism and volunteerism will only get us so far in
>> fixing this problem and money is the thing that ultimately makes many
>> people get off their asses and do work.  I believe the OWASP Austin Chapter
>> is going to donate $10k of our chapter funds back to the OWASP Foundation.
>> Would it make sense to use that unexpected money toward this effort?
>>
>>  ~josh
>>
>>
>> On Fri, Mar 28, 2014 at 8:01 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>  I see code flagship projects as being
>>>
>>> Dependency Check
>>> OWASP HTML Sanitizer
>>> Maybe AntiSamy if they clean their bugs
>>> OWASP Java Encoder
>>> OWASP JSON Sanitizer
>>>
>>> THREE of these projects I am project manager of, I applied to get them
>>> reviewed last year and they are all still stuck in incubator stage. I'm
>>> miffed at best. There is so little benefit to doing all of this at OWASP I
>>> am inclined to shift them all to Apache where they will get real visibility
>>> and support. Josh once said he was not going to bring his project to OWASP
>>> and it made me HULK LIKE ANGRY but I finally see his point.
>>>
>>> - Jim
>>>
>>>
>>> On 3/28/14, 6:20 PM, Eoin Keary wrote:
>>>
>>> +1
>>> Flagships are IMHO
>>> Zap
>>> Testing guide
>>> Ciso
>>> SAMM
>>> Education/training
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>   This makes me very sad.
>>>
>>> *Flagship Code Projects*
>>>
>>> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update the
>>> wiki, not project leads. Roadmap is from 2011, no updates, etc.
>>>
>>> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old
>>> template, no code changes, we paid good money to have a codeathon in NYC
>>> and got... nothing.
>>>
>>> * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned by
>>> author but picked up by another leader, but is a horrific design and only
>>> works on the most basic of websites. This is a bad bad design for complex
>>> web 2.0 applications (since it uses JavaScript to inject tokens into the DOM
>>> which is fraught with error).
>>>
>>> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki
>>> updated by project owner,
>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>
>>> I've been helping manage several production quality, highly scalable
>>> secure coding components (that were written by PhD level software
>>> engineers) and I'm sad to see them still stuck in incubator.  We also have
>>> projects like Dependency Check that are incredibly fantastic tools, still
>>> stuck in incubator.
>>>
>>> Samantha has been working hard on this, but every time I see our project
>>> list it really upsets me because when dev folks really try to use these
>>> components; it's so far from production quality that it makes us look
>>> really bad. No wonder we can't really get developers to be a part of our
>>> community or use our stuff.
>>>
>>> I am sure I will get flack for this, but I stand by my opinions that
>>> this is something that is critical to fix at OWASP. I was recently trying
>>> to get a software company to be the first top tier corporate sponsor, but
>>> as part of this, they looked at our flagship projects and wiki, saw how
>>> crusty they both were, and said "no way". Sad.
>>>
>>> - Jim
>>>
>>>   _______________________________________________
>>>
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>>
>>>
>>
>>
>
>
>
>