[Owasp-board] Flagship Code Products

Dennis Groves dennis.groves at owasp.org
Mon Mar 31 00:45:38 UTC 2014


I disagree with your framing this as a big mess.

While the projects are certainly important - the board's role is doing
things like I am to bring projects, money and sponsorship to OWASP. As well
as working out the long term strategy for OWASP.

And, while I recognize that you may feel this is the most imperative thing
- it is really an operations issue; and so you are meddling in operations
instead of doing the board level functions which you are responsible for.



Dennis


On Sun, Mar 30, 2014 at 5:36 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Yes, but the OpenSAMM was the only one widely distributed and it confused
> all the project teams. Something serious is amiss here, not to mention
> Joanne's comments that the advisory board is not really happening and there
> is little actionable guidance being given. Time for the board to step in
> and clean up this mess.
>
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Mar 30, 2014, at 2:23 PM, Dennis Groves <dennis.groves at owasp.org>
> wrote:
>
> That is why OpenSAMM is only one of several questionnaires developed for
> rating project maturity and quality.
> The other questionnaires address your concerns.
>
> Dennis
>
>
> On Sun, Mar 30, 2014 at 5:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> It's a bad idea, Dennis, in my opinion. None of the OpenSAMM items address
>> things like: is the project being maintained, are bugs being fixed (code
>> projects), are we doing internationalization (doc projects), are vendor
>> neutrality items addressed, and many other qualitative measurements that
>> make a project flagship. Most project leaders (you know, the ones who do
>> the actual work) find this form to be very confusing when trying to measure
>> a project.
>>
>> Also, a project may only address one tiny area of OpenSAMM but do it
>> *really well* and would therefore be worthy of flagship or other positive
>> status. The opposite is true: a project may address all of OpenSAMM but be
>> poor quality and not worthy of anything but incubator.
>>
>> OpenSAMM is a fine way to categorize a project, but not rate it for
>> quality.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Mar 30, 2014, at 12:30 PM, Dennis Groves <dennis.groves at owasp.org>
>> wrote:
>>
>> I personally proposed the use of our very own best of breed application
>> maturity model known as OpenSAMM. And it was adopted by the technical team
>> for use in evaluation of the projects.
>>
>> OpenSAMM, intentional or not, is based on the Capability Maturity Model;
>> and the capability maturity model is a standard created by Carnegie Mellon
>> University and required by many DOD and U.S. Government contracts,
>> especially software development. The CMM is the result of several PhD level
>> sciences coming together in an interdisciplinary model.
>>
>> By standing on this bedrock of history, we promote our own derivative of
>> the CMM, a project known as OpenSAMM; and this is a great idea because we
>> want to promote the adoption of OWASP and the use of its projects. And
>> OpenSAMM is rooted in this history of great science and is one of our very
>> best projects because of this heritage, not to mention all the love and
>> attention that was given to it.
>>
>> Second, CMM is based on a scientific method known as the Rasch Model,
>> which allows you to statistically analyse the question, allowing you to
>> identify the subset of data where people are talking from experience.
>>
>> Third, it defines a set of four buckets: governance, development,
>> verification and operations - and for the very same reason we can use
>> OpenSAMM for everything from an SDLC to evaluating the maturity of an entire
>> enterprise security management system of a company (as I have done
>> literally hundreds of times; this is our flavour of a CMM and it is much, much
>> more than an SDLC tool, as I have now demonstrated twice.)
>>
>> In the case of OWASP we derived all three values from using OpenSAMM as
>> the basis for the project evaluation criteria. However, it should also be
>> understood that it was only one of several questionnaires used in
>> evaluating the project maturity.
>>
>> I also hope you will understand that OpenSAMM is much more than an SDLC
>> tool; but that it inherits much of the science that went into the CMM and
>> CMMI and can be used similarly.
>>
>> And as a side note, additional value was derived as well: we learned that
>> most projects did not fall into the governance or operational categories,
>> but into the development and verification categories.
>>
>> In other words - OWASP is failing to give complete advice about how to
>> deal with cyber-security!  (Opportunities for growth!)
>>
>> We are over focused on development and verification - this is stuff
>> *everybody* has advice for. (Pen-Testing and Development)
>>
>> This has allowed us to branch out into areas where there is less
>> competition such as the CISO guide (which I personally partially-funded,
>> from one of my chapters) and the operational project I am working on now
>> with BCS and GNU to start and fund a new OWASP project. Because we can
>> create unique value in those spaces, keeping OWASP relevant!
>>
>> In order to remain relevant OWASP requires a long-game strategy (the
>> project evaluations are part of that); we will not remain relevant if we
>> keep playing in the same sandbox with everybody else. The project
>> evaluations were part of understanding what that strategy may be and how to
>> expand our current offerings.
>>
>> This is basic education for MBAs (like Samantha) and business management
>> like the awesome OWASP Foundation Staff (Sarah and her team).
>>
>> What is most disappointing to me is that there are people in this thread
>> calling community activities stupid, and not seeking to understand why
>> something was done and what value it created.
>>
>> Dennis
>>
>> --
>> Dennis Groves, MSc
>> Email me, or schedule a meeting.
>> This email is licensed under a CC BY-ND 3.0 license.
>> Stand up for your freedom to install free software.
>> Please do not send me Microsoft Office/Apple iWork documents.
>> Send OpenDocument instead!
>>
>>
>
>
> --
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me, <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
> *This email is licensed under a CC BY-ND 3.0
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>
> <http://www.owasp.org/>
>
>


-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
Email me, <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
*This email is licensed under a CC BY-ND 3.0
<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
Stand up for your freedom to install free software. <http://www.fsf.org/campaigns/secure-boot/statement>
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!

<http://www.owasp.org/>