[Owasp-board] OWASP Summer Code Sprint Proposal

Konstantinos Papapanagiotou Konstantinos at owasp.org
Wed Apr 8 13:02:07 UTC 2015

Personally, I would mostly be concerned to find out what those projects
need in order to boost development.
Of course, once more you've got it all wrong for GSOC, as it is open to all
open source organizations, regardless of quality, size, or any other
criteria. And actually this year they had to limit the number of accepted
organizations and they did so by excluding large and successful orgs
exactly because they know that such kinds of orgs are very likely to keep
on developing their projects anyway.
Awarding successful projects is in my opinion equally important to giving
incentives to not so active projects in order to develop. Otherwise OWASP
will become a 10 flagship project organization. Unless that's our strategy.
I don't know.

I'm also puzzled as I didn't see you voice such concerns when people posted
ideas about GSOC projects last year. In detail, there were projects that
didn't have a single line of code (I don't call this simply dormant, I call
it a "dead" project) and yet they submitted GSOC proposals that practically
involved building the first version of the project. And these projects got
a GSOC slot and now they have their first codebase. Why could all projects
participate last year, but now only flagship ones?


On Wed, Apr 8, 2015 at 3:05 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> I'm sorry but I cannot support this. Flagship projects are already
> advanced, stable projects with a lot of development effort behind them and
> a large team of volunteers to support them
> Let me clarify something. After reviewing projects such as Flagships, and
> I have been doing this for about 2 years, these are, for the most part, the
> product of the *hard work of their leaders*, not of a *large* team of volunteers.
> Look at the repository commits and you will see that there is not a
> *huge* amount of people working on them, but a couple, at most 1 or 2,
> during different seasons or months. Their leaders have mastered the ability
> to *engage* volunteer efforts; that is an accomplishment we should
> encourage and give credit for.
> Some of them have sponsors, some of them can afford to work on their
> project more than others, but I hope your misconception of a huge team of
> volunteers is corrected. Or even a huge budget. Ask Abraham, Simon or
> Azzedine Ramrari...
> Hackademics is a lab project at the moment right? Well, LABS also get
> benefits, maybe we should include them in this part. Not all of these are
> active, some have not even had commits in 6 months or even an entire year
> and most have only at max 1 contributor. That will make the list even
> shorter for the projects that can actually participate.
> OWASP board should ask: *why do we want to pump money into projects that
> have hardly time to dedicate development efforts and why they fail at
> getting volunteers?*
> *Maybe that's the reason why GSoC has made participation limited to
> more quality than quantity? (I'm just speculating)*
> The tools and code classified as flagships are a different breed than LABS.
> That's the whole point of getting more benefits, because they just work
> harder than the rest. They don't get these projects off the ground just by
> doing GSoC. These initiatives can help them concretize and improve many
> things to make them better, but let's keep in mind, by no means do I mean that
> they have reached this stage just because they have money or a battalion of
> volunteers; that is a *huge* misconception
> Tools [Reviewed February 2015]
>    - OWASP Hackademic Challenges Project
>    <https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project>
>    - OWASP Mantra Security Framework
>    <https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework>
>    - OWASP O2 Platform <https://www.owasp.org/index.php/OWASP_O2_Platform>
>    - OWASP WebGoat Project
>    <https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project>
>    - O-Saft <https://www.owasp.org/index.php/O-Saft>
>    - OWASP EnDe Project
>    <https://www.owasp.org/index.php/Category:OWASP_EnDe>
>    - OWASP Passfault <https://www.owasp.org/index.php/OWASP_Passfault>
>    - OWASP Mobile Security Project
>    <https://www.owasp.org/index.php/OWASP_Mobile_Security_Project>
>    - OWASP Xenotix XSS Exploit Framework
>    <https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework>
>    - Code [Reviewed February 2015]
>       - OWASP Enterprise Security API
>       <https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API>
> On Wed, Apr 8, 2015 at 7:31 AM, Konstantinos Papapanagiotou <
> Konstantinos at owasp.org> wrote:
>> I'm sorry but I cannot support this. Flagship projects are already
>> advanced, stable projects with a lot of development effort behind them and
>> a large team of volunteers to support them. Yes, as an organization we
>> should award them but at the same time and maybe even more importantly we
>> should help smaller and not so advanced projects by giving them a chance to
>> get some work done and also provide visibility. This is why this should be
>> open to all projects.
>> Kostas
>> On Wednesday, April 8, 2015, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> I thought you were not interested in getting involved with this.
>>> No, I have always been interested, I have always shown my collaboration
>>> and interest and offered my help before this discussion.
>>> I was discouraged at some point, that is something different. I don't
>>> behave in my interest *only* but in the interest of the entire team. *That's
>>> why I propose the following:*
>>> I think we still need to run a similar program, because we don't know if
>>> we will ever get Google the next time, no guarantees. Therefore I propose a
>>> program only for Flagships.
>>> *Why?*
>>> We preach that these projects get more benefits as stated in the OWASP
>>> project book, they have shown their hard work, they deserve it. In that case I
>>> think a special program for flagships to get students to work during the
>>> summer is a perfect case.
>>> We have in total 8 Flagship projects (Code/Tools)
>>> Tools [Reviewed September 2014]
>>>    - OWASP Zed Attack Proxy
>>>    <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project>==>
>>>    Active
>>>    - OWASP Web Testing Environment Project
>>>    <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project>
>>>    ==>Dormant
>>>    - OWASP OWTF <https://www.owasp.org/index.php/OWASP_OWTF>==>Active
>>>    - OWASP Dependency Check
>>>    <https://www.owasp.org/index.php/OWASP_Dependency_Check>==>Active
>>> Code [Reviewed November 2014]
>>>    - OWASP ModSecurity Core Rule Set Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project>
>>>    ==>Active
>>>    - OWASP CSRFGuard Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project>
>>>    ==>Active
>>>    - OWASP AppSensor Project
>>>    <https://www.owasp.org/index.php/OWASP_AppSensor_Project>==>Active
>>> All these projects have the opportunity to apply for 1 slot
>>> 6 projects are active, that makes 3000 x 6 = USD18,000
>>> 1 is dormant and is an image (not really a code project)
>>> if everyone gets a student, one slot, there are no fights over who deserves
>>> them, no need for org decision teams, no discussions.
>>> Again, they all can submit a student of their choice and substantiate
>>> why.
>>> The projects are responsible for doing their midterm evaluation and we
>>> just need to do 2 checks:
>>>    - Substantiation of why the student was chosen
>>>    - Submission proposals completed
>>>    - Students have submitted a Student Participation Agreement and
>>>    submit their Proof of Enrollment forms.
>>>    - Must be submitted by end of April
>>>    - At the end of the program make sure the code has been placed in an open
>>>    repository
>>> We only need staff support for paying the students at 2 points:
>>>    - During the midterm evaluation
>>>    - At the end of the internship
>>> *IF you vote for this plan, I'll personally help move this forward and
>>> make sure that all Flagships are updated with this info, so they can go
>>> ahead and place a submission. This is my proposal, everyone is welcome to
>>> help.*
>>> Regards
>>> Johanna
>>> On Wed, Apr 8, 2015 at 1:47 AM, Konstantinos Papapanagiotou <
>>> Konstantinos at owasp.org> wrote:
>>>> Hopefully next year we might get selected again by GSOC so we might not
>>>> need this program. Or we might choose to run it in any case, taking care
>>>> that it doesn't happen at the same time as GSOC, if selected.
>>>> Kostas
>>>> On Wed, Apr 8, 2015 at 5:12 AM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>> I think this is fair input Kevin.
>>>>> What if we plan this year with the intention of making it a yearly
>>>>> endeavor and roll it out in 2016? That way we are not rushing to spend
>>>>> 30k and instead we do careful planning, get these funds formally in
>>>>> the budget and then roll it out with more grace? I think that's better
>>>>> for the foundation.
>>>>> Aloha,
>>>>> --
>>>>> Jim Manico
>>>>> @Manicode
>>>>> (808) 652-3805
>>>>> > On Apr 7, 2015, at 8:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>> wrote:
>>>>> >
>>>>> > On Tue, Apr 7, 2015 at 9:32 PM, johanna curiel curiel
>>>>> > <johanna.curiel at owasp.org> wrote:
>>>>> > [...snip...]
>>>>> >> Just keep in mind
>>>>> >>
>>>>> >> Running this program is a lot of work
>>>>> >> Submissions, proposal forms etc., the entire workflow
>>>>> >> Do we have enough volunteers to run this show?
>>>>> >>
>>>>> >> With all due respect to Kostas, this is not something he can run
>>>>> >> alone. The GSoC is run by Google and we only do a small portion as
>>>>> >> organisation admin and mentoring, compared to the entire program.
>>>>> >> Here is an entire administration, back office, payment, revision of
>>>>> >> progress etc., so let's be honest, can we run this with a small bunch
>>>>> >> of volunteers? Are these volunteers committed?
>>>>> >> Most people do not have time, so let's be realistic, especially
>>>>> >> considering we also have a responsibility with this money
>>>>> >
>>>>> > All good points and I have seriously doubted whether OWASP would be
>>>>> > unable to do all of the things necessary to pull this off at least for
>>>>> > THIS SUMMER. Time certainly is not something that is on our side. I fear
>>>>> > that all we are seeing with respect to the # of volunteer hours is but
>>>>> > the tip of the iceberg and, as you say, that we are missing the much
>>>>> > bigger effort that goes on behind the scenes. If we had a whole year
>>>>> > to prepare for this, then, yeah, we probably could pull it off, but with
>>>>> > only a few months remaining until traditional summer break, I personally
>>>>> > don't see it as very realistic expectations.
>>>>> >
>>>>> > I'll go crawl back under my rock again now and just sit back and watch,
>>>>> > because I did not intend to participate as a GSoC (tor)mentor this
>>>>> > year so I will be sitting this out as well. However, I wish you all the
>>>>> > best and applaud your good intentions.
>>>>> >
>>>>> > -kevin
>>>>> > --
>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>> > NSA: All your crypto bit are belong to us.
>>>>> > _______________________________________________
>>>>> > Owasp-board mailing list
>>>>> > Owasp-board at lists.owasp.org
>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-board