[Owasp-board] OWASP Summer of Code Sprint Proposal

Timo Goosen timo.goosen at owasp.org
Thu Apr 23 06:04:30 UTC 2015


I like the idea of making use of "developer mentors".

Where does one apply to be a mentor?

Regards.
Timo.

On Wed, Apr 22, 2015 at 7:53 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> FYI, I don't see this conversation being any different than the Community
> Engagement Funding that is used for things like OWASP on the Move:
>
> https://www.owasp.org/index.php/Funding
>
> If you look at the Funding Rules at the bottom, it stipulates:
>
>    - Primary funding would be deducted from the local chapter budget (if
>    the activity is supporting the local chapter).
>    - A chapter without sufficient funds (or initiative not tied to the
>    chapter) may request funding from the foundation "Community Engagement"
>    fund. These funds are available on a first come-first serve basis.
>
> This was an effort to try to encourage chapters to spend their chapter
> funds before using Foundation funds.  By doing this, we force them to spend
> money on the things they find value in (instead of what the Foundation is
> willing to pay for) and force them to spend down their "ring-fenced"
> funds.  The only difference I see between the Community Engagement Funding
> and the request for this Summer of Code Funding is that the Community
> Engagement Funding is budgeted for while the Summer of Code Funding is
> not.  I'm not arguing the value or whether it serves our mission.  What I'm
> arguing is that we need to encourage prioritization and spending money
> responsibly.  Simply giving projects with plenty of money in their account
> $1500+ does neither.
>
> ~josh
>
> On Wed, Apr 22, 2015 at 12:32 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> So, if a chapter had less than $1000 in the budget, and the money was
>> already planned/committed, should we allow them to use OWASP on the Move
>> funds or other community engagement funding for their efforts?  I see no
>> difference here.  The point is that chapters and projects have money to
>> spend and should be encouraged to do so.  Just because an account is at $0
>> doesn't mean they can't do anything.  It just means that they have to use
>> the global pool of funds available to them and there's nothing wrong with
>> that.  But there is something wrong with a chapter or a project keeping
>> money in their account solely because there *might* be something they would
>> want to spend it on later.  In order for me to vote in favor of this, it
>> needs to be in a manner that has projects spending their money first before
>> being gifted Foundation funds.
>>
>> ~josh
>>
>> On Wed, Apr 22, 2015 at 12:22 PM, Tobias <tobias.gondrom at owasp.org>
>> wrote:
>>
>>>  I tend to agree with Josh and Jim's suggestion on scope and funding.
>>> Incl. that projects could use some of their funding if available.
>>>
>>> (maybe as a small thought for a compromise on Josh's point: if a project
>>> has less than USD1000 in the budget, and that money is already
>>> planned/committed for another activity, we could exempt that amount.)
>>>
>>> What do others think?
>>>
>>> Best, Tobias
>>>
>>>
>>>
>>> On 22/04/15 17:39, Jim Manico wrote:
>>>
>>> Very reasonable. +1 Josh.
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Apr 22, 2015, at 6:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>     Kostas,
>>>
>>>  I don't disagree that this is important for the Foundation's mission,
>>> but the devil is in the details.  This whole plan is a reaction to us not
>>> being accepted to the Google Summer of Code project.  It was not budgeted
>>> for 2015 and that means that we are taking money away from another budget
>>> in order to fund this.  In addition, this is not a project that OWASP has
>>> ever run itself in the past.  Because of this, I think we need to proceed,
>>> but proceed with caution and limit our liabilities.  So, I'm not really
>>> sure whose proposal is for what at this point, but my stipulations remain
>>> for support of any plan:
>>>
>>>  1) Limit funds to a reasonable amount of money.  I suggested $12k since
>>> that seems reasonable to me and just eats up one quarter of the funding we
>>> are taking from to make this work, leaving funds available for other
>>> project-related activities.
>>>
>>>  2) Projects must spend their account funds first before being able to
>>> use these funds.  I won't waver on this.  AppSensor has $4069.73, ESAPI
>>> $2836.58, OpenSAMM $7323.40, and ZAP $9675.48 (
>>> https://docs.google.com/spreadsheet/pub?hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&hl=en_US&gid=3).
>>> All of these would easily have the ability to fund work if it were a
>>> priority and have elected not to do so.  Other projects have significant
>>> funds as well totaling over $39,544 currently "ring-fenced" for the
>>> projects.
>>>
>>>  So, I support the initiative, but for me to vote in favor of it I need
>>> for those two things to be incorporated into the plan.  I'm just one person
>>> though so maybe you'll have the support you need without me if you decide
>>> to proceed with the current proposal as written.
>>>
>>>  ~josh
>>>
>>> On Wed, Apr 22, 2015 at 11:01 AM, Konstantinos Papapanagiotou <
>>> Konstantinos at owasp.org> wrote:
>>>
>>>> Josh,
>>>>
>>>>  When putting together this proposal, I tried to make it a win case
>>>> for all parties. This is why I believe it's very important for the
>>>> foundation's mission: we reach out to students and universities, get work
>>>> done on our projects and "recruit" enthusiastic contributors that will most
>>>> likely keep volunteering in the future.
>>>> Being a project leader myself, I think the initial proposal will get
>>>> more support from the project leaders. At the same time Fabio's approach is
>>>> equally or even more appealing and better balanced. I would like to have
>>>> support from a vast majority of the board if possible, so if you feel more
>>>> comfortable with Fabio's approach, we can adopt it.
>>>>
>>>>  Kostas
>>>>
>>>>
>>>> On Wednesday, April 22, 2015, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>>>  So, if projects can already spend their money any way they want
>>>>> (obviously with some caveats), and they haven't prioritized paying others
>>>>> to help with the code (whether they are students or professionals), then
>>>>> why should the Foundation care to spend its money on something that the
>>>>> projects don't value enough to spend their money on?  I draw a lot of
>>>>> parallels here between projects and chapters because the conversation
>>>>> around money ultimately comes down to a discussion about the "ring-fenced
>>>>> funds" in our accounts.  Basically, funds that are currently allocated to a
>>>>> chapter or project, but aren't in active use, and can't be used for
>>>>> something else.  And with rules in place (and others being added) designed
>>>>> to make the chapters spend their money to avoid this situation, I see no
>>>>> reason why we should treat the projects any differently.  If a project has
>>>>> money, they need to spend it.  In addition, if we made the assumption
>>>>> that it was important to invest money in our projects for such an
>>>>> initiative, and some projects already have this money and aren't spending
>>>>> it in this way, then I would choose to instead fund the projects who do not
>>>>> have the money to even make this choice.  In other words, we should be
>>>>> allocating this money to the projects who don't have money, not the ones
>>>>> that do.  If we cannot agree that the projects need to spend their account
>>>>> funds first, then we cannot agree that this money should be allocated at
>>>>> all.  Based on this, my vote will be "no" if a vote is requested.
>>>>>
>>>>>  ~josh
>>>>>
>>>>> On Wed, Apr 22, 2015 at 7:42 AM, Konstantinos Papapanagiotou <
>>>>> Konstantinos at owasp.org> wrote:
>>>>>
>>>>>> Projects can already spend their money any way they want. As a
>>>>>> project leader, why should I give my budget to this initiative, go through
>>>>>> all this process and not hire instead a professional developer?
>>>>>> I believe that this should be an organization-level initiative that
>>>>>> can include projects with no budget; driven as an OWASP initiative not a
>>>>>> (for example) ZAP-OWTF-Hackademic side-project. Projects that have budget
>>>>>> can go out on their own and look for students or developers in a probably
>>>>>> more effective way.
>>>>>>
>>>>>>  Kostas
>>>>>>
>>>>>>
>>>>>> On Wednesday, April 22, 2015, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>>   I would like to see a couple of changes:
>>>>>>>
>>>>>>> 1) I'm not sure it makes sense to use $30k of the project funding
>>>>>>> for this one initiative.  It consumes 60% of the funding for a far smaller
>>>>>>> percentage of our active projects.  OWASP also has no history with running
>>>>>>> this initiative ourselves so I would prefer to limit our exposure here the
>>>>>>> first time around.  I would rather see us allocate $12,000, roughly 25% of
>>>>>>> the overall budget allocated to projects.  This burns our budget for one
>>>>>>> quarter, but leaves sufficient budget for the rest of the year.  It is
>>>>>>> enough to fully fund 8 students at the $1500/student price tag which seems
>>>>>>> like a reasonable place for us to start this initiative.  If the initiative
>>>>>>> is successful, then I would consider increasing the funding when budgeting
>>>>>>> for next year.
>>>>>>>
>>>>>>> 2) I have not seen any stipulation here stating that projects must
>>>>>>> use their project funds before being able to use Foundation funds.  This is
>>>>>>> a requirement for all chapters using community engagement funding and
>>>>>>> should apply equally to the projects.  Saying that a project with money can
>>>>>>> buy additional slots is not the same thing as saying that they need to use
>>>>>>> their funds first.  If we all agree that funds are allocated to be spent,
>>>>>>> not saved, then I see no reason why projects with funds should not be
>>>>>>> encouraged to spend funds in their account first and foremost.
>>>>>>>
>>>>>>> I fully support the initiative, but would like to see these
>>>>>>> limitations placed on it before voting yes on it.
>>>>>>>
>>>>>>>  ~josh
>>>>>>>
>>>>>>> On Mon, Apr 20, 2015 at 6:00 PM, Fabio Cerullo <fcerullo at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>  Hi
>>>>>>>>
>>>>>>>>  I fully endorse this initiative and think it is aligned with our
>>>>>>>> mission and strategic goals.
>>>>>>>>
>>>>>>>>  I appreciate the comments regarding the budgeting and we could
>>>>>>>> lower them to a level which everyone feels comfortable with.. What about 10
>>>>>>>> slots at USD 1500 each.. Total budget USD 15000
>>>>>>>>
>>>>>>>>  Paul, I think the proposal by Kostas supports that approach. Any
>>>>>>>> project leader could decide to get an additional slot/s by using their
>>>>>>>> project funds. The only clarification is that Summer of Code is about
>>>>>>>> 'code' so the documentation projects are out of scope.
>>>>>>>>
>>>>>>>>  Is everyone satisfied with the overall contents of the proposal?
>>>>>>>> Can we bring this to a vote by the Board and move forward?
>>>>>>>>
>>>>>>>>  Thanks Kostas for putting this together.
>>>>>>>>
>>>>>>>>  Regards,
>>>>>>>>
>>>>>>>>  Fabio
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On 20 Apr 2015, at 14:39, Paul Ritchie <paul.ritchie at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>   Hi Josh, all:
>>>>>>>>
>>>>>>>>  So you are suggesting that a couple of the well funded Projects
>>>>>>>> like AppSensor, OpenSAMM, ZAP, etc., could make a decision to 'sponsor' a
>>>>>>>> student under the Summer of Code program to the tune of $1500 or $3000 or
>>>>>>>> whatever they wanted to contribute.  And, they could ensure that those
>>>>>>>> funds were used on student work benefiting their project.
>>>>>>>>
>>>>>>>>  I like that approach.  Funded projects support their own work
>>>>>>>> effort, and then the Foundation could support other high-value student
>>>>>>>> proposals that focus on new projects or under-funded projects.
>>>>>>>> Paul
>>>>>>>>
>>>>>>>>   Best Regards, Paul Ritchie
>>>>>>>> OWASP Interim Executive Director
>>>>>>>> paul.ritchie at owasp.org
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Apr 20, 2015 at 1:21 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>  I think we should treat it like we do the chapters.  If a
>>>>>>>>> project has money in their account, then they are not eligible for
>>>>>>>>> Foundation funds until that money has been allocated.  I'd also agree that
>>>>>>>>> $30k of unbudgeted funds is a lot to spend like this considering I don't
>>>>>>>>> see any reason to hurry here.  It literally means robbing another budgeted
>>>>>>>>> project in order to account for this.  That said, I support the idea, in
>>>>>>>>> concept.  Maybe the projects with some money can front it for their slots,
>>>>>>>>> the Foundation can use this as an experiment for our own program, and we
>>>>>>>>> can see how it goes.  Minimal risk with a high reward and we can budget for
>>>>>>>>> more next year?
>>>>>>>>>
>>>>>>>>>  ~josh
>>>>>>>>>
>>>>>>>>> On Mon, Apr 20, 2015 at 2:59 PM, Tobias <tobias.gondrom at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>>  Well, I don't know.
>>>>>>>>>>
>>>>>>>>>> IMHO the criteria should be based on quality of proposal and bang
>>>>>>>>>> for the buck for OWASP.
>>>>>>>>>>
>>>>>>>>>> incubator/lab/flagship seems not so useful. E.g. if we get three
>>>>>>>>>> good in one category, I would not see a point selecting one from another
>>>>>>>>>> one just to serve all categories.
>>>>>>>>>>
>>>>>>>>>> Cheers, Tobias
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 20/04/15 19:49, johanna curiel curiel wrote:
>>>>>>>>>>
>>>>>>>>>> >Not sure we need to split this in incubator/lab/flagship
>>>>>>>>>> categories.
>>>>>>>>>>
>>>>>>>>>>  Tobias, this could be an option if we would like to provide a
>>>>>>>>>> fair chance to all project categories. Would you suggest other criteria for
>>>>>>>>>> selection?
>>>>>>>>>>
>>>>>>>>>>  cheers
>>>>>>>>>>
>>>>>>>>>>  Johanna
>>>>>>>>>>
>>>>>>>>>> On Mon, Apr 20, 2015 at 2:44 PM, Tobias <tobias.gondrom at owasp.org
>>>>>>>>>> > wrote:
>>>>>>>>>>
>>>>>>>>>>>  3 x 2500USD sounds reasonable.
>>>>>>>>>>>
>>>>>>>>>>> Not sure we need to split this in incubator/lab/flagship
>>>>>>>>>>> categories.
>>>>>>>>>>>
>>>>>>>>>>> Best, Tobias
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 20/04/15 19:39, johanna curiel curiel wrote:
>>>>>>>>>>>
>>>>>>>>>>> Consider maybe a small pilot with 3 types of projects:
>>>>>>>>>>> 1 Incubator, 1 LAB, 1 Flagship
>>>>>>>>>>>
>>>>>>>>>>>  Do a pre selection of the most active on each category  and
>>>>>>>>>>> then select at random the participating one.
>>>>>>>>>>>
>>>>>>>>>>>  just an idea
>>>>>>>>>>>
>>>>>>>>>>>  Total for the pilot 9,000USD (3 x 3000USD) or
>>>>>>>>>>> USD2500x 3 = 7500USD
>>>>>>>>>>>
>>>>>>>>>>>  regards
>>>>>>>>>>>
>>>>>>>>>>>  Johanna
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Apr 20, 2015 at 2:21 PM, Jim Manico <
>>>>>>>>>>> jim.manico at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>  A suggestion. Because this is the first time OWASP is directly
>>>>>>>>>>>> funding this initiative, can we start with a smaller financial amount,
>>>>>>>>>>>> measure success, and then consider larger funding next year? I want to see
>>>>>>>>>>>> how we do first and would feel more comfortable with a smaller experiment.
>>>>>>>>>>>>
>>>>>>>>>>>> - Jim
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 4/19/15 8:27 AM, Konstantinos Papapanagiotou wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>    Dear board,
>>>>>>>>>>>>
>>>>>>>>>>>>  Following recent conversations I would like to formally submit
>>>>>>>>>>>> a proposal for the OWASP Summer of Code Sprint, requesting a budget of
>>>>>>>>>>>> $30,000.
>>>>>>>>>>>>
>>>>>>>>>>>>  The details of the proposal can be found here:
>>>>>>>>>>>> https://docs.google.com/document/d/1FTC-zh__i6ft6uyZRw4rZHxOA44U6T7i33r8RkN0AXk/edit?usp=sharing
>>>>>>>>>>>>
>>>>>>>>>>>>  I believe that such initiatives are important for our mission
>>>>>>>>>>>> as they combine project contributions and reaching out to students who are
>>>>>>>>>>>> future developers.
>>>>>>>>>>>>
>>>>>>>>>>>>  Looking forward to your comments,
>>>>>>>>>>>>
>>>>>>>>>>>>  Kostas
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>  _______________________________________________
>>>>>>>>>>>> Owasp-board mailing list
>>>>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board