[Owasp-board] OWASP Summer Code Sprint Proposal

Jim Manico jim.manico at owasp.org
Wed Apr 8 13:25:45 UTC 2015

I am trying to make suggestions as to what is best for OWASP. I am very
sorry that this is upsetting you to the point of wanting to leave the
foundation, that was not even remotely close to my intention, Kostas.

Is there a way we could continue to discuss this program and share ideas in
a way that would be less upsetting for all?

Jim Manico
(808) 652-3805

On Apr 8, 2015, at 8:09 AM, Konstantinos Papapanagiotou <
Konstantinos at owasp.org> wrote:


I have no doubts about Johanna's experience, skills or character. Myself
I've been a volunteer for OWASP since 2004. I have met great people in this
organization and I have the utmost respect for every volunteer that puts
effort for improving application security in any way and without personal
benefit. Of course we cannot agree on everything. That's what makes life
interesting. I'm a man that believes in equal opportunities for everyone
and this is why I'd like to see all projects submitting proposals. I'm not
a man that would say that "the board should do this or that" which I keep
hearing in this thread. I submit my proposals according to what I believe
is best for OWASP and at the same time I respect the board's decisions. If
I find myself disagreeing in a large scale with OWASP's strategy, I guess I
will move on and donate my precious volunteering time to something


On Wed, Apr 8, 2015 at 3:15 PM, Jim Manico <jim.manico at owasp.org> wrote:

> +1
> Keep in mind that Johanna - as a volunteer - has been staring at and
> evaluating projects for over two years with her team. She has been a
> software developer for 20 years or so.
> I feel her advice to us is unbiased and born from a great deal of industry
> and OWASP experience.
> The question is, what is best for OWASP? Her plan sounds pretty spot on in
> terms of bettering OWASP. This is the kind of program I'd be •eager• to
> fund.
> This plan would help the •consumers• of OWASP. I feel the most important
> part of the community are the ones we serve.
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Apr 8, 2015, at 7:05 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> I'm sorry but I cannot support this. Flagship projects are already
> advanced, stable projects with a lot of development effort behind them and
> a large team of volunteers to support them
> Let me clarify something. After reviewing projects such as Flasghips, and
> I have been doing this for about 2 years, these are , by most ,the product
> of the *hard work of their leaders*, not of a *large* team of volunteers.
> Look at the repository commits and you will see is, that there is not a
> *huge* amount of people working on them, but a couple at most 1 or 2
> during different seasons or months. Their leaders have master the ability
> to *engage* volunteer efforts thats is an accomplishment we should
> encourage and give credit for.
> Some of them have sponsors, some of them can afford to work on their
> project more than others, but I hope your misconception of a huge team of
> volunteers is corrected.Or even a huge budget. sk Abraham, Simon or
> Azzedine Ramrari...
> Hackademics is a lab project at the moment right? Well, LABS also get
> benefits, maybe we should include them in this part. Not all of these are
> active, some have not even had commits in 6 months or even an entire year
> and most have only at max  1 contributor . That will make the list even
> shorter for the projects that can actually participate.
> OWASP board should ask : *why do we want to pump money on projects that
> have hardly time to dedicate development efforts and why they fail at
> getting volunteers?*
> *Maybe thats the reason why Gsoc has make the participation limited to
> more quality than quantity? (I'm just speculating)*
> The tools and code classified as flagships is a different breed that LABS.
> Thats the whole point of getting more benefits because they just work
> harder than the rest. They don't get this projects off the ground just by
> doing Gsoc. These initiatives can help them concrete and improve many
> things to make them better, but lets keep in mind by no means, I mean that
> they have reach this stage just because they have money or a battalion of
> volunteers, that is a *huge* misconception
> Tools [Reviewed February 2015]
>    - OWASP Hackademic Challenges Project
>    <https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project>
>    - OWASP Mantra Security Framework
>    <https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework>
>    - OWASP O2 Platform <https://www.owasp.org/index.php/OWASP_O2_Platform>
>    - OWASP WebGoat Project
>    <https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project>
>    - O-Saft <https://www.owasp.org/index.php/O-Saft>
>    - OWASP EnDe Project
>    <https://www.owasp.org/index.php/Category:OWASP_EnDe>
>    - OWASP Passfault <https://www.owasp.org/index.php/OWASP_Passfault>
>    - OWASP Mobile Security Project
>    <https://www.owasp.org/index.php/OWASP_Mobile_Security_Project>
>    - OWASP Xenotix XSS Exploit Framework
>    <https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework>
>    - Code [Reviewed February 2015]
>       - OWASP Enterprise Security API
>       <https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API>
> On Wed, Apr 8, 2015 at 7:31 AM, Konstantinos Papapanagiotou <
> Konstantinos at owasp.org> wrote:
>> I'm sorry but I cannot support this. Flagship projects are already
>> advanced, stable projects with a lot of development effort behind them and
>> a large team of volunteers to support them. Yes, as an organization we
>> should award them but at the same time and maybe even more importantly we
>> should help smaller and not so advanced projects by giving them a chance to
>> get some work done and also provide visibility. This is why this should be
>> open to all projects.
>> Kostas
>> On Wednesday, April 8, 2015, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> I thought you were not interested in getting involved with this.
>>> No, I have always been interested, I have always shown my collaboration
>>> and interested and offered my help before this discussion.
>>> I was discouraged at some point, that is something different. I don't
>>> behave in my interest *only* but in the interest of the entire team. *Thats
>>> why I propose the following:*
>>> I think we still need to run a similar program, because we don't know if
>>> we will ever get Google the next time, no guarantees. Therefore I propose a
>>> program, for only for Flagships.
>>> *Why?*
>>> We preach that these projects get more benefits as stated in the OWASP
>>> project book,they have shown their handwork, they deserve it.In that case I
>>> think a special program, for flagships to get students to work during the
>>> summer is a perfect case.
>>> we have in total 8 Flagship projects (Code/Tools)
>>> Tools [Reviewed September 2014]
>>>    - OWASP Zed Attack Proxy
>>>    <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project>==>
>>>    Active
>>>    - OWASP Web Testing Environment Project
>>>    <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project>
>>>    ==>Dormant
>>>    - OWASP OWTF <https://www.owasp.org/index.php/OWASP_OWTF>==>Active
>>>    - OWASP Dependency Check
>>>    <https://www.owasp.org/index.php/OWASP_Dependency_Check>==>Active
>>> Code [Reviewed November 2014]
>>>    - OWASP ModSecurity Core Rule Set Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project>
>>>    ==>Active
>>>    - OWASP CSRFGuard Project
>>>    <https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project>
>>>    ==>Active
>>>    - OWASP AppSensor Project
>>>    <https://www.owasp.org/index.php/OWASP_AppSensor_Project>==>Active
>>> All these projects have the opportunity to apply for 1 slot
>>> 6 projects are active, that makes 3000 x 6 = USD18,000
>>> 1 is dormant and is an image(not really a code project)
>>> if everyone gets a student, one slot , there is no fights who deserve
>>> them, no need for org decision teams, no discussions.
>>> Again, they all can submit a student of their choice and substantiate
>>> why.
>>> The projects are responsible for doing their midterm evaluation and we
>>> just need to do 2 checks:
>>>    - Substantiation of why the student was chosen
>>>    - Submission proposals completed
>>>    - Students have submitted  a Student Participation Agreement and
>>>    submit their Proof of Enrollment forms.
>>>    - Must be submitted by end of April
>>>    - End of the program make sure the code has been place in an pen
>>>    repository
>>> We only need staff support for paying the students at 2 points:
>>>    - During the midterm evaluation
>>>    - at the end of the internship
>>> *IF you vote for this plan, I'll personal help move this forward and
>>> make sure that all Flagships are updated with this info, so they can go
>>> ahead a place a submission.This is my proposal, everyone is welcome to
>>> help.*
>>> Regards
>>> Johanna
>>> On Wed, Apr 8, 2015 at 1:47 AM, Konstantinos Papapanagiotou <
>>> Konstantinos at owasp.org> wrote:
>>>> Hopefully next year we might get selected again by GSOC so we might not
>>>> need this program. Or we might choose to run it in ay case, taking care
>>>> that it doesn't happen the same time as GSOC, if selected.
>>>> Kostas
>>>> On Wed, Apr 8, 2015 at 5:12 AM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>> I think this is fair input Kevin.
>>>>> What if we plan this year with the intention of making it a yearly
>>>>> endeavor and roll it out in 2016? That way we are not rushing to spend
>>>>> 30k and instead we do careful planning, get these funds formally in
>>>>> the budget and then roll it out with more grace? I think that's better
>>>>> for the foundation.
>>>>> Aloha,
>>>>> --
>>>>> Jim Manico
>>>>> @Manicode
>>>>> (808) 652-3805
>>>>> > On Apr 7, 2015, at 8:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>>> wrote:
>>>>> >
>>>>> > On Tue, Apr 7, 2015 at 9:32 PM, johanna curiel curiel
>>>>> > <johanna.curiel at owasp.org> wrote:
>>>>> > [...snip...]
>>>>> >> Just keep in mind
>>>>> >>
>>>>> >> Running this program is a lot of work
>>>>> >> Submissions, proposals forms etc, the entire workflow
>>>>> >> Do we have enough volunteers to run this show?
>>>>> >>
>>>>> >>
>>>>> >> With all due respect to Kostas, this is not something he can run
>>>>> alone. The
>>>>> >> Gsoc is run by Google and we only do a small portion as
>>>>> organisation admin
>>>>> >> and Mentoring, compared to the entire program
>>>>> >> Here is an entire administration, back office, payment, revision of
>>>>> progress
>>>>> >> etc..so lets be honest, can we run this with a small bunch of
>>>>> volunteers?
>>>>> >> Are these volunteers committed?
>>>>> >> Most people do not have time, so lets be realistic, especially and
>>>>> >> considering we also have a responsibility with this money
>>>>> >
>>>>> > All good points and I have seriously doubted whether OWASP would be
>>>>> > unable to do all of the things necessary to pull this off at least
>>>>> for THIS
>>>>> > SUMMER. Time certainly is not something that is on our side.  I fear
>>>>> > that all we are seeing with respect to the # of volunteer hours is
>>>>> but
>>>>> > the tip of the iceberg and it as you say that we are missing the much
>>>>> > bigger effort that goes on behind the scenes. If we had a whole year
>>>>> > to prepare for this, then, yeah, we probably could pull it off, but
>>>>> with
>>>>> > only a few months remaining until traditional summer break, I
>>>>> personally
>>>>> > don't see it as very realistic expectations.
>>>>> >
>>>>> > I'll go crawl back under my rock again now and just sit back and
>>>>> watch,
>>>>> > because I did not intend to participate as a GSoC (tor)mentor this
>>>>> > yes so I will be sitting this out as well. However, I wish you all
>>>>> the
>>>>> > best and applaud your good intentions.
>>>>> >
>>>>> > -kevin
>>>>> > --
>>>>> > Blog: http://off-the-wall-security.blogspot.com/
>>>>> > NSA: All your crypto bit are belong to us.
>>>>> > _______________________________________________
>>>>> > Owasp-board mailing list
>>>>> > Owasp-board at lists.owasp.org
>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150408/fcf35c87/attachment-0001.html>

More information about the Owasp-board mailing list