[Owasp-board] OWASP Summer Code Sprint Proposal

Jim Manico jim.manico at owasp.org
Wed Apr 8 12:15:41 UTC 2015


Keep in mind that Johanna - as a volunteer - has been staring at and
evaluating projects for over two years with her team. She has been a
software developer for 20 years or so.

I feel her advice to us is unbiased and born from a great deal of industry
and OWASP experience.

The question is, what is best for OWASP? Her plan sounds pretty spot on in
terms of bettering OWASP. This is the kind of program I'd be *eager* to

This plan would help the *consumers* of OWASP. I feel the most important
part of the community are the ones we serve.

Jim Manico
(808) 652-3805

On Apr 8, 2015, at 7:05 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> I'm sorry but I cannot support this. Flagship projects are already
> advanced, stable projects with a lot of development effort behind them and
> a large team of volunteers to support them

Let me clarify something. After reviewing projects such as Flagships, and I
have been doing this for about 2 years, these are, for the most part, the product
of the *hard work of their leaders*, not of a *large* team of volunteers. Look
at the repository commits and you will see that there is not a *huge*
amount of people working on them, but a couple, at most 1 or 2, during
different seasons or months. Their leaders have mastered the ability to
*engage* volunteer efforts; that is an accomplishment we should encourage
and give credit for.

Some of them have sponsors, some of them can afford to work on their
project more than others, but I hope your misconception of a huge team of
volunteers is corrected. Or even a huge budget. Ask Abraham, Simon or
Azzedine Ramrari...

Hackademic is a Lab project at the moment, right? Well, LABS also get
benefits; maybe we should include them in this part. Not all of these are
active, some have not even had commits in 6 months or even an entire year,
and most have at most 1 contributor. That will make the list even
shorter for the projects that can actually participate.

The OWASP board should ask: *why do we want to pump money into projects that
hardly have time to dedicate to development efforts, and why do they fail at
getting volunteers?*

*Maybe that's the reason why GSoC has limited participation to favor
quality over quantity? (I'm just speculating)*

The tools and code classified as Flagships are a different breed than LABS.
That's the whole point of getting more benefits: they just work
harder than the rest. They don't get these projects off the ground just by
doing GSoC. These initiatives can help them consolidate and improve many
things to make them better, but let's keep in mind that by no means do I mean
that they have reached this stage just because they have money or a battalion of
volunteers; that is a *huge* misconception.

Tools [Reviewed February 2015]

   - OWASP Hackademic Challenges Project
   - OWASP Mantra Security Framework
   - OWASP O2 Platform <https://www.owasp.org/index.php/OWASP_O2_Platform>
   - OWASP WebGoat Project
   - O-Saft <https://www.owasp.org/index.php/O-Saft>
   - OWASP EnDe Project
   - OWASP Passfault <https://www.owasp.org/index.php/OWASP_Passfault>
   - OWASP Mobile Security Project
   - OWASP Xenotix XSS Exploit Framework

Code [Reviewed February 2015]

   - OWASP Enterprise Security API

On Wed, Apr 8, 2015 at 7:31 AM, Konstantinos Papapanagiotou <
Konstantinos at owasp.org> wrote:

> I'm sorry but I cannot support this. Flagship projects are already
> advanced, stable projects with a lot of development effort behind them and
> a large team of volunteers to support them. Yes, as an organization we
> should award them but at the same time and maybe even more importantly we
> should help smaller and not so advanced projects by giving them a chance to
> get some work done and also provide visibility. This is why this should be
> open to all projects.
> Kostas
> On Wednesday, April 8, 2015, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> I thought you were not interested in getting involved with this.
>> No, I have always been interested, I have always shown my collaboration
>> and interest and offered my help before this discussion.
>> I was discouraged at some point, that is something different. I don't
>> behave in my interest *only* but in the interest of the entire team. *That's
>> why I propose the following:*
>> I think we still need to run a similar program, because we don't know if
>> we will ever get Google the next time, no guarantees. Therefore I propose a
>> program for Flagships only.
>> *Why?*
>> We preach that these projects get more benefits as stated in the OWASP
>> project book; they have shown their hard work, they deserve it. In that case I
>> think a special program for Flagships to get students to work during the
>> summer is a perfect case.
>> We have in total 8 Flagship projects (Code/Tools)
>> Tools [Reviewed September 2014]
>>    - OWASP Zed Attack Proxy
>>    <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project> ==> Active
>>    - OWASP Web Testing Environment Project
>>    <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project> ==> Dormant
>>    - OWASP OWTF <https://www.owasp.org/index.php/OWASP_OWTF> ==> Active
>>    - OWASP Dependency Check
>>    <https://www.owasp.org/index.php/OWASP_Dependency_Check> ==> Active
>> Code [Reviewed November 2014]
>>    - OWASP ModSecurity Core Rule Set Project
>>    <https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project> ==> Active
>>    - OWASP CSRFGuard Project
>>    <https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project> ==> Active
>>    - OWASP AppSensor Project
>>    <https://www.owasp.org/index.php/OWASP_AppSensor_Project> ==> Active
>> All these projects have the opportunity to apply for 1 slot.
>> 6 projects are active, that makes 3000 x 6 = USD 18,000.
>> 1 is dormant and is an image (not really a code project).
>> If everyone gets a student, one slot, there are no fights over who deserves
>> them, no need for org decision teams, no discussions.
>> Again, they all can submit a student of their choice and substantiate why.
>> The projects are responsible for doing their midterm evaluation and we
>> just need to do 2 checks:
>>    - Substantiation of why the student was chosen
>>    - Submission proposals completed
>>    - Students have submitted a Student Participation Agreement and
>>    submitted their Proof of Enrollment forms.
>>    - Must be submitted by end of April
>>    - At the end of the program, make sure the code has been placed in an open
>>    repository
>> We only need staff support for paying the students at 2 points:
>>    - During the midterm evaluation
>>    - at the end of the internship
>> *IF you vote for this plan, I'll personally help move this forward and make
>> sure that all Flagships are updated with this info, so they can go ahead and
>> place a submission. This is my proposal, everyone is welcome to help.*
>> Regards
>> Johanna
>> On Wed, Apr 8, 2015 at 1:47 AM, Konstantinos Papapanagiotou <
>> Konstantinos at owasp.org> wrote:
>>> Hopefully next year we might get selected again by GSoC so we might not
>>> need this program. Or we might choose to run it in any case, taking care
>>> that it doesn't happen at the same time as GSoC, if selected.
>>> Kostas
>>> On Wed, Apr 8, 2015 at 5:12 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> I think this is fair input Kevin.
>>>> What if we plan this year with the intention of making it a yearly
>>>> endeavor and roll it out in 2016? That way we are not rushing to spend
>>>> 30k and instead we do careful planning, get these funds formally in
>>>> the budget and then roll it out with more grace? I think that's better
>>>> for the foundation.
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>> > On Apr 7, 2015, at 8:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>> wrote:
>>>> >
>>>> > On Tue, Apr 7, 2015 at 9:32 PM, johanna curiel curiel
>>>> > <johanna.curiel at owasp.org> wrote:
>>>> > [...snip...]
>>>> >> Just keep in mind
>>>> >>
>>>> >> Running this program is a lot of work
>>>> >> Submissions, proposals forms etc, the entire workflow
>>>> >> Do we have enough volunteers to run this show?
>>>> >>
>>>> >>
>>>> >> With all due respect to Kostas, this is not something he can run
>>>> >> alone. The GSoC is run by Google and we only do a small portion as
>>>> >> organisation admin and mentoring, compared to the entire program.
>>>> >> Here is an entire administration, back office, payment, revision of
>>>> >> progress etc... so let's be honest, can we run this with a small bunch of
>>>> >> volunteers? Are these volunteers committed?
>>>> >> Most people do not have time, so let's be realistic, especially
>>>> >> considering we also have a responsibility with this money.
>>>> >
>>>> > All good points and I have seriously doubted whether OWASP would be
>>>> > able to do all of the things necessary to pull this off at least for THIS
>>>> > SUMMER. Time certainly is not something that is on our side. I fear
>>>> > that all we are seeing with respect to the # of volunteer hours is but
>>>> > the tip of the iceberg and it is, as you say, that we are missing the much
>>>> > bigger effort that goes on behind the scenes. If we had a whole year
>>>> > to prepare for this, then, yeah, we probably could pull it off, but with
>>>> > only a few months remaining until traditional summer break, I personally
>>>> > don't see it as very realistic expectations.
>>>> >
>>>> > I'll go crawl back under my rock again now and just sit back and watch,
>>>> > because I did not intend to participate as a GSoC (tor)mentor this
>>>> > year, so I will be sitting this out as well. However, I wish you all the
>>>> > best and applaud your good intentions.
>>>> >
>>>> > -kevin
>>>> > --
>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>> > NSA: All your crypto bit are belong to us.
>>>> > _______________________________________________
>>>> > Owasp-board mailing list
>>>> > Owasp-board at lists.owasp.org
>>>> > https://lists.owasp.org/mailman/listinfo/owasp-board