[Owasp-board] OWASP Summer of Code Sprint Proposal

Jim Manico jim.manico at owasp.org
Sat Apr 25 19:53:38 UTC 2015


Matt,

I know of folks still using OWASP WTE. :) Great work and thank you for 
putting some love back into that project.

So a polite counterpoint to even my own earlier comments - even some old 
unmaintained projects are of great value today. I still use Webscarab 
side-to-side with Zap.

Aloha,
Jim


On 4/25/15 9:35 AM, Matt Tesauro wrote:
> It should also be noted that OWASP hasn't done an event like the 
> Summer of Code in over 6 years.  How many projects keep going without any 
> attention for 6+ years?  Chapters have face to face interaction on a 
> monthly/quarterly basis.  The same is not true for projects.  Project 
> leadership can be a rather lonely business.
>
> I find it ironic that I'm currently working on a new release of OWASP 
> WTE as I type this - which grew out of the OWASP Live CD, a project 
> with direct lineage to the 2008 SoC.
>
> Yeah, OWASP WTE will now be producing packaged AppSec tools in both 
> .deb and .rpm formats:
> https://github.com/mtesauro/owasp-wte/commit/defb42ecb0cf5d652fcdfb9bb1608fb94048e017
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Sat, Apr 25, 2015 at 1:47 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     Another note is that if you look at all the projects this
>     250,000k$ funded in 2008...
>
>     https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>
>     ...most are now dead projects.
>
>     We do well at getting projects started but do poorly in bringing
>     these projects to maturity.
>
>     I really want us to make a big impact. I suggest we focus in on
>     our flagship and lab projects with big potential. I'd hate to fund
>     dozens of projects (again) that just die on the vine a few years
>     after getting funding.
>
>     Regards,
>     --
>     Jim Manico
>     @Manicode
>     (808) 652-3805
>
>     On Apr 25, 2015, at 4:32 AM, Jason Li <jason.li at owasp.org> wrote:
>
>>     Josh,
>>
>>     I'm a little late to this thread, but I just wanted to point out
>>     that it is NOT the first time OWASP would be running this type of
>>     initiative ourselves. As an organization, we ran seasons of code
>>     for many years prior to Google accepting our application to
>>     participate in Google Summer of Code:
>>     https://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006
>>     ($34,000 budget)
>>     https://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007
>>     ($117,500 budget)
>>     https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>>     ($100,00 budget)
>>
>>     Obviously the organization budget and expenses have changed a lot
>>     since then. Those events were done back when Paulo and Kate were
>>     the only paid employees of OWASP and before chapters and projects
>>     had their own budgets. We've obviously grown a lot since then,
>>     and the goals are different this time around. But as an
>>     organization, we do have some history running this type of
>>     initiative ourselves.
>>
>>     -Jason
>>
>>     On Wed, Apr 22, 2015 at 8:31 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>          I would like to see a couple of changes:
>>
>>         1) I'm not sure it makes sense to use $30k of the project
>>         funding for this one initiative.  It consumes 60% of the
>>         funding for a far smaller percentage of our active projects.
>>         OWASP also has no history with running this initiative
>>         ourselves so I would prefer to limit our exposure here the
>>         first time around.  I would rather see us allocate $12,000,
>>         roughly 25% of the overall budget allocated to projects. 
>>         This burns our budget for one quarter, but leaves sufficient
>>         budget for the rest of the year.  It is enough to fully fund
>>         8 students at the $1500/student price tag which seems like a
>>         reasonable place for us to start this initiative.  If the
>>         initiative is successful, then I would consider increasing
>>         the funding when budgeting for next year.
>>
>>         2) I have not seen any stipulation here stating that projects
>>         must use their project funds before being able to use
>>         Foundation funds.  This is a requirement for all chapters
>>         using community engagement funding and should apply equally
>>         to the projects. Saying that a project with money can buy
>>         additional slots is not the same thing as saying that they
>>         need to use their funds first.  If we all agree that funds
>>         are allocated to be spent, not saved, then I see no reason
>>         why projects with funds should not be encouraged to spend
>>         funds in their account first and foremost.
>>
>>         I fully support the initiative, but would like to see these
>>         limitations placed on it before voting yes on it.
>>
>>         ~josh
>>
>>         On Mon, Apr 20, 2015 at 6:00 PM, Fabio Cerullo
>>         <fcerullo at owasp.org> wrote:
>>
>>             Hi
>>
>>             I fully endorse this initiative and think it is aligned with
>>             our mission and strategic goals.
>>
>>             I appreciate the comments regarding the budgeting and we
>>             could lower them to a level which everyone feels
>>             comfortable with. What about 10 slots at USD 1500 each?
>>             Total budget USD 15000
>>
>>             Paul, I think the proposal by Kostas supports that
>>             approach. Any project leader could decide to get an
>>             additional slot/s by using their project funds. The only
>>             clarification is that Summer of Code is about 'code' so
>>             the documentation projects are out of scope.
>>
>>             Is everyone satisfied with the overall contents of the
>>             proposal? Can we bring this to a vote by the Board and
>>             move forward?
>>
>>             Thanks Kostas for putting this together.
>>
>>             Regards,
>>
>>             Fabio
>>
>>             Sent from my iPhone
>>
>>             On 20 Apr 2015, at 14:39, Paul Ritchie
>>             <paul.ritchie at owasp.org> wrote:
>>
>>>             Hi Josh, all:
>>>
>>>             So you are suggesting that a couple of the well funded
>>>             Projects like AppSensor, OpenSAMM, ZAP, etc., could make
>>>             a decision to 'sponsor' a student under the Summer of
>>>             Code program to the tune of $1500 or $3000 or whatever
>>>             they wanted to contribute.  And, they could ensure that
>>>             those funds were used on student work benefiting their
>>>             project.
>>>
>>>             I like that approach.  Funded projects support their own
>>>             work effort, and then the Foundation could support other
>>>             high-value student proposals that focus on new projects
>>>             or under-funded projects.
>>>             Paul
>>>
>>>             Best Regards, Paul Ritchie
>>>             OWASP Interim Executive Director
>>>             paul.ritchie at owasp.org
>>>
>>>
>>>             On Mon, Apr 20, 2015 at 1:21 PM, Josh Sokol
>>>             <josh.sokol at owasp.org> wrote:
>>>
>>>                 I think we should treat it like we do the chapters. 
>>>                 If a project has money in their account, then they
>>>                 are not eligible for Foundation funds until that
>>>                 money has been allocated. I'd also agree that $30k
>>>                 of unbudgeted funds is a lot to spend like this
>>>                 considering I don't see any reason to hurry here. It
>>>                 literally means robbing another budgeted project in
>>>                 order to account for this.  That said, I support the
>>>                 idea, in concept. Maybe the projects with some money
>>>                 can front it for their slots, the Foundation can use
>>>                 this as an experiment for our own program, and we
>>>                 can see how it goes. Minimal risk with a high reward
>>>                 and we can budget for more next year?
>>>
>>>                 ~josh
>>>
>>>                 On Mon, Apr 20, 2015 at 2:59 PM, Tobias
>>>                 <tobias.gondrom at owasp.org> wrote:
>>>
>>>                     Well, I don't know.
>>>
>>>                     IMHO the criteria should be based on quality of
>>>                     proposal and bang for the buck for OWASP.
>>>
>>>                     incubator/lab/flagship seems not so useful. E.g.
>>>                     if we get three good in one category, I would
>>>                     not see a point selecting one from another one
>>>                     just to serve all categories.
>>>
>>>                     Cheers, Tobias
>>>
>>>
>>>
>>>                     On 20/04/15 19:49, johanna curiel curiel wrote:
>>>>                     >Not sure we need to split this in incubator/lab/flagship categories.
>>>>
>>>>                     Tobias, this could be an option if we would like
>>>>                     to provide a fair chance to all project
>>>>                     categories. Would you suggest other criteria
>>>>                     for selection?
>>>>
>>>>                     cheers
>>>>
>>>>                     Johanna
>>>>
>>>>                     On Mon, Apr 20, 2015 at 2:44 PM, Tobias
>>>>                     <tobias.gondrom at owasp.org> wrote:
>>>>
>>>>                         3 x 2500USD sounds reasonable.
>>>>
>>>>                         Not sure we need to split this in
>>>>                         incubator/lab/flagship categories.
>>>>
>>>>                         Best, Tobias
>>>>
>>>>
>>>>
>>>>                         On 20/04/15 19:39, johanna curiel curiel wrote:
>>>>>                         Consider maybe a small pilot with 3 types
>>>>>                         of projects:
>>>>>                         1 Incubator, 1 LAB, 1 Flagship
>>>>>
>>>>>                         Do a pre selection of the most active on
>>>>>                         each category  and then select at random
>>>>>                         the participating one.
>>>>>
>>>>>                         just an idea
>>>>>
>>>>>                         Total for the pilot 9,000USD (3 x 3000USD) or
>>>>>                         USD2500x 3 = 7500USD
>>>>>
>>>>>                         regards
>>>>>
>>>>>                         Johanna
>>>>>
>>>>>                         On Mon, Apr 20, 2015 at 2:21 PM, Jim
>>>>>                         Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>                             A suggestion. Because this is the
>>>>>                             first time OWASP is directly funding
>>>>>                             this initiative, can we start with a
>>>>>                             smaller financial amount, measure
>>>>>                             success, and then consider larger
>>>>>                             funding next year? I want to see how
>>>>>                             we do first and would feel more
>>>>>                             comfortable with a smaller experiment.
>>>>>
>>>>>                             - Jim
>>>>>
>>>>>
>>>>>
>>>>>                             On 4/19/15 8:27 AM, Konstantinos
>>>>>                             Papapanagiotou wrote:
>>>>>>                             Dear board,
>>>>>>
>>>>>>                             Following recent conversations I
>>>>>>                             would like to formally submit a
>>>>>>                             proposal for the OWASP Summer of Code
>>>>>>                             Sprint, requesting a budget of $30,000.
>>>>>>
>>>>>>                             The details of the proposal can be
>>>>>>                             found here:
>>>>>>                             https://docs.google.com/document/d/1FTC-zh__i6ft6uyZRw4rZHxOA44U6T7i33r8RkN0AXk/edit?usp=sharing
>>>>>>
>>>>>>                             I believe that such initiatives are
>>>>>>                             important for our mission as they
>>>>>>                             combine project contributions and
>>>>>>                             reaching out to students who are
>>>>>>                             future developers.
>>>>>>
>>>>>>                             Looking forward to your comments,
>>>>>>
>>>>>>                             Kostas
>>>>>>
>>>>>>
>>>>>>                             _______________________________________________
>>>>>>                             Owasp-board mailing list
>>>>>>                             Owasp-board at lists.owasp.org  <mailto:Owasp-board at lists.owasp.org>
>>>>>>                             https://lists.owasp.org/mailman/listinfo/owasp-board
