[Owasp-board] OWASP Summer Code Sprint Proposal

johanna curiel curiel johanna.curiel at owasp.org
Wed Apr 8 13:23:15 UTC 2015


I'm not a man who would say that "the board should do this or that", which
I keep hearing in this thread.

Kostas, this initiative is asking for 30,000 USD; the people responsible for
the final decision are the board. This is the reason why a board exists and
is involved.


Let's put it this way, just as an example: if you were able to get a sponsor to
give you this money, no questions asked, well then you probably won't have me or the
board involved influencing these decisions.

On Wed, Apr 8, 2015 at 9:12 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> they did so by excluding large and successful orgs exactly because they
> know that such kinds of orgs are very likely to keep on developing their
> projects anyway.
>
> Well, let me tell you, there are some big ones that are still there, such
> as R, which has been there from the beginning and has been running a
> very successful program since 2005.
>
> I'm also puzzled as I didn't see you voice such concerns when people
> posted ideas about GSOC projects last year. In detail, there were projects
> that didn't have a single line of code (I don't call this simply dormant, I
> call it a "dead" project) and yet they submitted GSOC proposals that
> practically involved building the first version of the project.
>
> Well, it was at the time the chance for everyone, right? That is what it
> was; no one set up rules or forbade anyone from participating...
>
> Why all projects could participate last year and now only flagship?
>
> Maybe because we are now paying instead of Google... ;-)
>
> On Wed, Apr 8, 2015 at 9:02 AM, Konstantinos Papapanagiotou <
> Konstantinos at owasp.org> wrote:
>
>> Personally, I would mostly be concerned to find out what those projects
>> need in order to boost development.
>> Of course, once more you've got it all wrong for GSOC, as it is open to
>> all open source organizations, regardless of quality, size, or any other
>> criteria. And actually this year they had to limit the number of accepted
>> organizations and they did so by excluding large and successful orgs
>> exactly because they know that such kinds of orgs are very likely to keep
>> on developing their projects anyway.
>> Awarding successful projects is in my opinion equally important to giving
>> incentives to not so active projects in order to develop. Otherwise OWASP
>> will become a 10 flagship project organization. Unless that's our strategy.
>> I don't know.
>>
>> I'm also puzzled as I didn't see you voice such concerns when people
>> posted ideas about GSOC projects last year. In detail, there were projects
>> that didn't have a single line of code (I don't call this simply dormant, I
>> call it a "dead" project) and yet they submitted GSOC proposals that
>> practically involved building the first version of the project. And these
>> projects got a GSOC slot and now they have their first codebase. Why all
>> projects could participate last year and now only flagship?
>>
>> Kostas
>>
>>
>> On Wed, Apr 8, 2015 at 3:05 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> I'm sorry but I cannot support this. Flagship projects are already
>>> advanced, stable projects with a lot of development effort behind them and
>>> a large team of volunteers to support them
>>>
>>> Let me clarify something. After reviewing projects such as Flagships,
>>> and I have been doing this for about 2 years, these are, for the most part, the
>>> product of the *hard work of their leaders*, not of a *large* team of
>>> volunteers. Look at the repository commits and you will see that there
>>> is not a *huge* number of people working on them, but a couple, at most
>>> 1 or 2, during different seasons or months. Their leaders have mastered the
>>> ability to *engage* volunteer efforts; that is an accomplishment we
>>> should encourage and give credit for.
>>>
>>> Some of them have sponsors, some of them can afford to work on their
>>> project more than others, but I hope your misconception of a huge team of
>>> volunteers is corrected. Or even a huge budget. Ask Abraham, Simon or
>>> Azzedine Ramrari...
>>>
>>> Hackademics is a lab project at the moment, right? Well, LABS also get
>>> benefits; maybe we should include them in this part. Not all of these are
>>> active: some have not even had commits in 6 months or even an entire year,
>>> and most have only at max 1 contributor. That will make the list even
>>> shorter for the projects that can actually participate.
>>>
>>> The OWASP board should ask: *why do we want to pump money into projects that
>>> hardly have time to dedicate to development efforts, and why do they fail at
>>> getting volunteers?*
>>>
>>> *Maybe that's the reason why GSoC has limited participation to favour
>>> quality over quantity? (I'm just speculating)*
>>>
>>> The tools and code classified as flagships are a different breed than
>>> LABS. That's the whole point of getting more benefits: they just work
>>> harder than the rest. They don't get these projects off the ground just by
>>> doing GSoC. These initiatives can help them concretize and improve many
>>> things to make them better, but let's keep in mind that by no means do I mean
>>> that they have reached this stage just because they have money or a battalion of
>>> volunteers; that is a *huge* misconception.
>>>
>>> Tools [Reviewed February 2015]
>>>
>>>    - OWASP Hackademic Challenges Project
>>>    <https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project>
>>>    - OWASP Mantra Security Framework
>>>    <https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework>
>>>    - OWASP O2 Platform
>>>    <https://www.owasp.org/index.php/OWASP_O2_Platform>
>>>    - OWASP WebGoat Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project>
>>>    - O-Saft <https://www.owasp.org/index.php/O-Saft>
>>>    - OWASP EnDe Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_EnDe>
>>>    - OWASP Passfault <https://www.owasp.org/index.php/OWASP_Passfault>
>>>    - OWASP Mobile Security Project
>>>    <https://www.owasp.org/index.php/OWASP_Mobile_Security_Project>
>>>    - OWASP Xenotix XSS Exploit Framework
>>>    <https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework>
>>>
>>> Code [Reviewed February 2015]
>>>
>>>    - OWASP Enterprise Security API
>>>    <https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API>
>>>
>>>
>>> On Wed, Apr 8, 2015 at 7:31 AM, Konstantinos Papapanagiotou <
>>> Konstantinos at owasp.org> wrote:
>>>
>>>> I'm sorry but I cannot support this. Flagship projects are already
>>>> advanced, stable projects with a lot of development effort behind them and
>>>> a large team of volunteers to support them. Yes, as an organization we
>>>> should award them but at the same time and maybe even more importantly we
>>>> should help smaller and not so advanced projects by giving them a chance to
>>>> get some work done and also provide visibility. This is why this should be
>>>> open to all projects.
>>>>
>>>> Kostas
>>>>
>>>>
>>>> On Wednesday, April 8, 2015, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> I thought you were not interested in getting involved with this.
>>>>>
>>>>> No, I have always been interested; I have always shown my
>>>>> collaboration and interest and offered my help before this discussion.
>>>>> I was discouraged at some point, that is something different. I don't
>>>>> behave in my interest *only* but in the interest of the entire team. *That's
>>>>> why I propose the following:*
>>>>>
>>>>> I think we still need to run a similar program, because we don't know
>>>>> if we will ever get Google the next time, no guarantees. Therefore I
>>>>> propose a program only for Flagships.
>>>>>
>>>>> *Why?*
>>>>> We preach that these projects get more benefits, as stated in the OWASP
>>>>> project book; they have shown their hard work, they deserve it. In that case I
>>>>> think a special program for flagships to get students to work during the
>>>>> summer is a perfect case.
>>>>>
>>>>> We have in total 8 Flagship projects (Code/Tools).
>>>>>
>>>>> Tools [Reviewed September 2014]
>>>>>
>>>>>    - OWASP Zed Attack Proxy
>>>>>    <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project> ==> Active
>>>>>    - OWASP Web Testing Environment Project
>>>>>    <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project> ==> Dormant
>>>>>    - OWASP OWTF <https://www.owasp.org/index.php/OWASP_OWTF> ==> Active
>>>>>    - OWASP Dependency Check
>>>>>    <https://www.owasp.org/index.php/OWASP_Dependency_Check> ==> Active
>>>>>
>>>>> Code [Reviewed November 2014]
>>>>>
>>>>>    - OWASP ModSecurity Core Rule Set Project
>>>>>    <https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project> ==> Active
>>>>>    - OWASP CSRFGuard Project
>>>>>    <https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project> ==> Active
>>>>>    - OWASP AppSensor Project
>>>>>    <https://www.owasp.org/index.php/OWASP_AppSensor_Project> ==> Active
>>>>>
>>>>>
>>>>> All these projects have the opportunity to apply for 1 slot.
>>>>>
>>>>> 6 projects are active, that makes 3000 x 6 = USD 18,000.
>>>>> 1 is dormant and is an image (not really a code project).
>>>>>
>>>>> If everyone gets a student, one slot, there are no fights over who deserves
>>>>> them, no need for org decision teams, no discussions.
>>>>>
>>>>> Again, they all can submit a student of their choice and substantiate
>>>>> why.
>>>>> The projects are responsible for doing their midterm evaluation and we
>>>>> just need to do 2 checks:
>>>>>
>>>>>    - Substantiation of why the student was chosen
>>>>>    - Submission proposals completed
>>>>>    - Students have submitted a Student Participation Agreement and
>>>>>    submitted their Proof of Enrollment forms
>>>>>    - Must be submitted by end of April
>>>>>    - At the end of the program, make sure the code has been placed in an open
>>>>>    repository
>>>>>
>>>>> We only need staff support for paying the students at 2 points:
>>>>>
>>>>>    - During the midterm evaluation
>>>>>    - At the end of the internship
>>>>>
>>>>>
>>>>> *IF you vote for this plan, I'll personally help move this forward and
>>>>> make sure that all Flagships are updated with this info, so they can go
>>>>> ahead and place a submission. This is my proposal; everyone is welcome to
>>>>> help.*
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>> On Wed, Apr 8, 2015 at 1:47 AM, Konstantinos Papapanagiotou <
>>>>> Konstantinos at owasp.org> wrote:
>>>>>
>>>>>> Hopefully next year we might get selected again by GSOC so we might
>>>>>> not need this program. Or we might choose to run it in any case, taking care
>>>>>> that it doesn't happen at the same time as GSOC, if selected.
>>>>>>
>>>>>> Kostas
>>>>>>
>>>>>> On Wed, Apr 8, 2015 at 5:12 AM, Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> I think this is fair input Kevin.
>>>>>>>
>>>>>>> What if we plan this year with the intention of making it a yearly
>>>>>>> endeavor and roll it out in 2016? That way we are not rushing to spend
>>>>>>> 30k and instead we do careful planning, get these funds formally in
>>>>>>> the budget and then roll it out with more grace? I think that's better
>>>>>>> for the foundation.
>>>>>>>
>>>>>>> Aloha,
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> @Manicode
>>>>>>> (808) 652-3805
>>>>>>>
>>>>>>> > On Apr 7, 2015, at 8:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>>>> wrote:
>>>>>>> >
>>>>>>> > On Tue, Apr 7, 2015 at 9:32 PM, johanna curiel curiel
>>>>>>> > <johanna.curiel at owasp.org> wrote:
>>>>>>> > [...snip...]
>>>>>>> >> Just keep in mind
>>>>>>> >>
>>>>>>> >> Running this program is a lot of work
>>>>>>> >> Submissions, proposals forms etc, the entire workflow
>>>>>>> >> Do we have enough volunteers to run this show?
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> With all due respect to Kostas, this is not something he can run
>>>>>>> >> alone. The GSoC is run by Google and we only do a small portion as
>>>>>>> >> organisation admin and mentoring, compared to the entire program.
>>>>>>> >> Here is an entire administration, back office, payment, revision
>>>>>>> >> of progress etc., so let's be honest, can we run this with a small
>>>>>>> >> bunch of volunteers?
>>>>>>> >> Are these volunteers committed?
>>>>>>> >> Most people do not have time, so let's be realistic, especially
>>>>>>> >> considering we also have a responsibility with this money.
>>>>>>> >
>>>>>>> > All good points, and I have seriously doubted whether OWASP would be
>>>>>>> > unable to do all of the things necessary to pull this off at least
>>>>>>> > for THIS SUMMER. Time certainly is not something that is on our side.
>>>>>>> > I fear that all we are seeing with respect to the # of volunteer hours
>>>>>>> > is but the tip of the iceberg and it is, as you say, that we are missing
>>>>>>> > the much bigger effort that goes on behind the scenes. If we had a
>>>>>>> > whole year to prepare for this, then, yeah, we probably could pull it
>>>>>>> > off, but with only a few months remaining until traditional summer
>>>>>>> > break, I personally don't see it as a very realistic expectation.
>>>>>>> >
>>>>>>> > I'll go crawl back under my rock again now and just sit back and
>>>>>>> > watch, because I did not intend to participate as a GSoC (tor)mentor
>>>>>>> > this year so I will be sitting this out as well. However, I wish you
>>>>>>> > all the best and applaud your good intentions.
>>>>>>> >
>>>>>>> > -kevin
>>>>>>> > --
>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>> > _______________________________________________
>>>>>>> > Owasp-board mailing list
>>>>>>> > Owasp-board at lists.owasp.org
>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-board