[Owasp-board] Flagship Code Products

Sarah Baso sarah.baso at owasp.org
Sat Mar 29 00:07:21 UTC 2014


All -

I just want to chime in on this and point out a couple of things:  Samantha
has been doing her best (and an amazing job) trying to clean up the
Projects processes and workflows.

She is only one person though and most of this work that Jim is suggesting
requires volunteers (or paid work as Martin is suggesting and good for him
for bringing up the discussion that was started back in Hamburg but no
momentum thereafter).  I think the idea suggested was that OWASP take on
something like the GSOC model to incentivize people to get involved with
updating projects.... is that something we (OWASP) want to support?

Jim, while I understand you are frustrated it seems like this is
frustration with the community for lack of contribution (new
code/development) and project reviewing... Obviously there are really good
things going on with some projects and we want to continue to support that,
but we need an ecosystem to bring back some of the previous glory of old
projects that have lost their shine?  Great, let's energize the community
with a project sprint (as Michael suggested).

What I would add is let's set a few goals for the sprint and tangible
things for people to work for and work on - we also have a project summit
coming up in June and this can be leveraged for achieving our goals.

We are in the final stages of the portal implementation and will be putting
together the rollout to the community next week - there is nothing stopping
any of you from looking at and planning for a project sprint. Instead of
spending energy lamenting over sad and frumpy projects - let's come up with
solutions.

In regard to demoting projects that are old/need work - seems like a good
idea, no point in allowing a project to get to a certain status and stay
there forever...

Last but not least - Jim, for the company that doesn't want to pay because
we have old frumpy projects that need work, I hope you are pointing out all
of our successes over the past couple years (there are many) AND why not
have them support us and allocate money from their membership to the
project(s) that they think need work.  This would let us do more work on
the project (even if not paying directly for work) in that maybe travel can
be funded to a summit or other support work like project management can be
afforded for that project.

I think for a lot of volunteers they are willing to do pieces of work when
they have time, but don't always have the time and skill for project
management itself.  If we had some people - not even staff - but maybe paid
support or students that would manage the project status, needs, and
contributions maybe that is what many of these projects need.

Have a good weekend everyone and I look forward to seeing positive energy,
ideas, and momentum on this next week.

Regards,
Sarah Baso



On Fri, Mar 28, 2014 at 3:36 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Demote. Certainly. We are only as good as our projects.
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 28 Mar 2014, at 16:12, Tobias <tobias.gondrom at owasp.org> wrote:
>
> Hi all,
>
> I agree with Jim, that we should be demoting inactive flagship projects
> more quickly into normal ones if they don't perform and I agree with
> Michael on the community approach.
>
> All the best, Tobias
>
>
> On 28/03/14 22:41, Michael Coates wrote:
>
> (On my morning walk with the dogs so apologies if I miss an item already
> mentioned in thread.)
>
> I'd like to propose a slight rewording of something Jim mentioned earlier.
> Instead of "I think the board needs to step in..." I think the answer is
> "the community should always feel empowered to raise concerns, dive in and
> impact real change by helping out." So let's do that!
>
> So let's get Samantha and leaders on a new thread and ask what's working
> and what isn't with the current process? How can we help with what we
> currently have? Also let's provide feedback on how to make it better. I bet
> we could make a ton of progress with a good email thread.
>
> Then let's commit this energy to our review process (or whatever we have
> after some iterations) and get the right projects as flagship. I saw Jim's
> request for project review yesterday and filled it out. I'm committed to
> reviewing any number of projects and I bet others are too. Let's ask again
> here.
>
> My guess is Samantha has many areas that could use some community
> "passion" and several people have some great enhancement ideas to the
> project quality review.
>
> 10 day Owasp sprint on project levels? Let's see what we could knock out
> if we all focus on it.
>
> Anyone interested to join me?
> On Mar 28, 2014 7:27 AM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>
>>  Very generous of your chapter Josh.
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 28 Mar 2014, at 14:07, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> I'm imagining you "hulk like angry" like the old skool game of
>> Rampage and it's pretty awesome.
>>
>> To be fair, there are several other, bigger picture, reasons why I've
>> decided not to make SimpleRisk an OWASP project.  As a Board member I'm
>> held (and hold myself) to extra scrutiny and I don't feel comfortable
>> donating some of my code while withholding the other parts that I've deemed
>> "Enterprise functionality" for my paid-for SimpleRisk Extras.  And basing a
>> SaaS model off of an OWASP project feels kinda shady to me as well.  Maybe
>> this is a model that OWASP should consider supporting as it would
>> incentivize developers to bring their work to OWASP knowing that the extra
>> visibility can drive interest in their paid-for offerings, but I'm not
>> willing to let my name and reputation be the guinea pig for that trial.
>>
>> Is there some way to focus the Google Summer of Code efforts on fixing
>> the bugs in the flagship projects to make them seaworthy again?  Could we
>> maybe figure out a way to assign point values and create a reward system to
>> incentivize independent developers to bring them up to snuff?  We need to
>> be realistic in that idealism and volunteerism will only get us so far in
>> fixing this problem and money is the thing that ultimately makes many
>> people get off their asses and do work.  I believe the OWASP Austin Chapter
>> is going to donate $10k of our chapter funds back to the OWASP Foundation.
>> Would it make sense to use that unexpected money toward this effort?
>>
>> ~josh
>>
>>
>> On Fri, Mar 28, 2014 at 8:01 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I see code flagship projects as being
>>>
>>> Dependency Check
>>> OWASP HTML Sanitizer
>>> Maybe AntiSamy if they clean their bugs
>>> OWASP Java Encoder
>>> OWASP JSON Sanitizer
>>>
>>> THREE of these projects I am project manager of, I applied to get them
>>> reviewed last year and they are all still stuck in incubator stage. I'm
>>> miffed at best. There is so little benefit to doing all of this at OWASP I
>>> am inclined to shift them all to Apache where they will get real visibility
>>> and support. Josh once said he was not going to bring his project to OWASP
>>> and it made me HULK LIKE ANGRY but I finally see his point.
>>>
>>> - Jim
>>>
>>>
>>> On 3/28/14, 6:20 PM, Eoin Keary wrote:
>>>
>>> +1
>>> Flagships are IMHO
>>> Zap
>>> Testing guide
>>> Ciso
>>> SAMM
>>> Education/training
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> This makes me very sad.
>>>
>>> *Flagship Code Projects*
>>>
>>> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update the
>>> wiki, not project leads. Roadmap is from 2011, no updates, etc.
>>>
>>> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old
>>> template, no code changes, we paid good money to have a codeathon in NYC
>>> and got... nothing.
>>>
>>> * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned by
>>> author but picked up by another leader, but is a horrific design and only
>>> works on the most basic of websites. This is a bad bad design for complex
>>> web 2.0 applications (since it uses JavaScript to inject tokens into the DOM
>>> which is fraught with error).
>>>
>>> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki
>>> updated by project owner,
>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>
>>> I've been helping manage several production quality, highly scalable
>>> secure coding components (that were written by PhD level software
>>> engineers) and I'm sad to see them still stuck in incubator.  We also have
>>> projects like Dependency Check that are incredibly fantastic tools, still
>>> stuck in incubator.
>>>
>>> Samantha has been working hard on this, but every time I see our project
>>> list it really upsets me because when dev folks really try to use these
>>> components; it's so far from production quality that it makes us look
>>> really bad. No wonder we can't really get developers to be a part of our
>>> community or use our stuff.
>>>
>>> I am sure I will get flack for this, but I stand by my opinions that
>>> this is something that is critical to fix at OWASP. I was recently trying
>>> to get a software company to be the first top tier corporate sponsor, but
>>> as part of this, they looked at our flagship projects and wiki, saw how
>>> crusty they both were, and said "no way". Sad.
>>>
>>> - Jim
>>>
>>>   _______________________________________________
>>>
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>>


-- 
Executive Director
OWASP Foundation

sarah.baso at owasp.org
+1.312.869.2779