[Owasp-board] OWASP Summer of Code Sprint Proposal

Jim Manico jim.manico at owasp.org
Sat Apr 25 20:11:30 UTC 2015


Maybe so, Kostas...

AppSensor is something I have had a close eye on for some time.  I think 
it's a critical project. The work from 2008 was documentation and 
accoutrements. My opinion as an observer of AppSensor and user of 
AppSensor for *years* is that the real work was done in 2014 from John 
Melton who single-handedly took on the coding of AppSensor 2.0. Until 
then it was not (even close to) production quality.

Respectfully,
Jim



On 4/25/15 10:07 AM, Konstantinos Papapanagiotou wrote:
> What I wanted to point out was that Appsensor is in the list of 
> projects for the owasp summer of code 2008, long before version 2.0 
> and look how it has evolved. Maybe we wouldn't have Appsensor now if 
> it wasn't funded at that time.
>
> Kostas
>
>
> On Saturday, April 25, 2015, Jim Manico <jim.manico at owasp.org> wrote:
>
>     This is not a risk we *have* to take. This is a risk we should
>     discuss and resolve as a team.
>
>     - Jim
>
>     > Look at Appsensor for example.
>
>     Well, the original developer of AppSensor dumped the project
>     (which was cool) but did not maintain it. John Melton then
>     single-handedly made version 2.0 and maintains it. The quality is
>     also incredibly professional. My point is that AppSensor 2.0
>     Flagship largely happened because one VERY senior Java developer
>     decided to dig in and do the work outside of the GSOC. A junior
>     developer is the last person who should be building projects of
>     that nature (secure coding libraries).
>
>
>
>     On 4/25/15 9:33 AM, Konstantinos Papapanagiotou wrote:
>>     I'm afraid that this is a risk we have to take Jim. Maybe one of
>>     those new, small projects becomes the next flagship in 5 years
>>     time. Look at Appsensor for example.
>>
>>     We *have to* encourage new contributions from enthusiasts
>>     otherwise we risk becoming a foundation of the elite. Is that
>>     where you would like to drive OWASP to?
>>
>>     Kostas
>>
>>
>>     On Saturday, April 25, 2015, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>         Another note is that if you look at all the projects this
>>         250,000k$ funded in 2008...
>>
>>         https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>>
>>         ...most are now dead projects.
>>
>>         We do good at getting projects started but do poorly in
>>         bringing these projects to maturity.
>>
>>         I really want us to make a big impact. I suggest we focus in
>>         on our flagship and lab projects with big potential. I'd hate
>>         to fund dozens of projects (again) that just die on the vine
>>         a few years after getting funding.
>>
>>         Regards,
>>         --
>>         Jim Manico
>>         @Manicode
>>         (808) 652-3805
>>
>>         On Apr 25, 2015, at 4:32 AM, Jason Li <jason.li at owasp.org> wrote:
>>
>>>         Josh,
>>>
>>>         I'm a little late to this thread, but I just wanted to point
>>>         out that it is NOT the first time OWASP would be running
>>>         this type of initiative ourselves. As an organization, we
>>>         ran seasons of code for many years prior to Google accepting
>>>         our application to participate in Google Summer of Code:
>>>         https://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006
>>>         ($34,000 budget)
>>>         https://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007
>>>         ($117,500 budget)
>>>         https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>>>         ($100,00 budget)
>>>
>>>         Obviously the organization budget and expenses have changed
>>>         a lot since then. Those events were done back when Paulo and
>>>         Kate were the only paid employees of OWASP and before
>>>         chapters and projects had their own budgets. We've obviously
>>>         grown a lot since then, and the goals are different this
>>>         time around. But as an organization, we do have some history
>>>         running this type of initiative ourselves.
>>>
>>>         -Jason
>>>
>>>         On Wed, Apr 22, 2015 at 8:31 AM, Josh Sokol
>>>         <josh.sokol at owasp.org> wrote:
>>>
>>>              I would like to see a couple of changes:
>>>
>>>             1) I'm not sure it makes sense to use $30k of the
>>>             project funding for this one initiative.  It consumes
>>>             60% of the funding for a far smaller percentage of our
>>>             active projects.  OWASP also has no history with running
>>>             this initiative ourselves so I would prefer to limit our
>>>             exposure here the first time around.  I would rather see
>>>             us allocate $12,000, roughly 25% of the overall budget
>>>             allocated to projects.  This burns our budget for one
>>>             quarter, but leaves sufficient budget for the rest of
>>>             the year.  It is enough to fully fund 8 students at the
>>>             $1500/student price tag which seems like a reasonable
>>>             place for us to start this initiative.  If the
>>>             initiative is successful, then I would consider
>>>             increasing the funding when budgeting for next year.
>>>
>>>             2) I have not seen any stipulation here stating that
>>>             projects must use their project funds before being able
>>>             to use Foundation funds.  This is a requirement for all
>>>             chapters using community engagement funding and should
>>>             apply equally to the projects. Saying that project a
>>>             with money can buy additional slots is not the same
>>>             thing as saying that they need to use their funds
>>>             first.  If we all agree that funds are allocated to be
>>>             spent, not saved, then I see no reason why projects with
>>>             funds should not be encouraged to spend funds in their
>>>             account first and foremost.
>>>
>>>             I fully support the initiative, but would like to see
>>>             these limitations placed on it before voting yes on it.
>>>
>>>             ~josh
>>>
>>>             On Mon, Apr 20, 2015 at 6:00 PM, Fabio Cerullo
>>>             <fcerullo at owasp.org> wrote:
>>>
>>>                 Hi
>>>
>>>                 I fully endorse this initiative and think it is aligned
>>>                 with our mission and strategic goals.
>>>
>>>                 I appreciate the comments regarding the budgeting
>>>                 and we could lower them to a level which everyone
>>>                 feels comfortable with. What about 10 slots at USD
>>>                 1500 each. Total budget USD 15000
>>>
>>>                 Paul, I think the proposal by Kostas supports that
>>>                 approach. Any project leader could decide to get an
>>>                 additional slot/s by using their project funds. The
>>>                 only clarification is that Summer of Code is about
>>>                 'code' so the documentation projects are out of scope.
>>>
>>>                 Is everyone satisfied with the overall contents of
>>>                 the proposal? Can we bring this to a vote by the
>>>                 Board and move forward?
>>>
>>>                 Thanks Kostas for putting this together.
>>>
>>>                 Regards,
>>>
>>>                 Fabio
>>>
>>>                 Sent from my iPhone
>>>
>>>                 On 20 Apr 2015, at 14:39, Paul Ritchie
>>>                 <paul.ritchie at owasp.org> wrote:
>>>
>>>>                 Hi Josh, all:
>>>>
>>>>                 So you are suggesting that a couple of the well
>>>>                 funded Projects like AppSensor, OpenSAMM, ZAP,
>>>>                 etc., could make a decision to 'sponsor' a student
>>>>                 under the Summer of Code program to the tune of
>>>>                 $1500 or $3000 or whatever they wanted to
>>>>                 contribute. And, they could ensure that those funds
>>>>                 were used on student work benefiting their project.
>>>>
>>>>                 I like that approach. Funded projects support their
>>>>                 own work effort, and then the Foundation could
>>>>                 support other high-value student proposals that
>>>>                 focus on new projects or under-funded projects.
>>>>                 Paul
>>>>
>>>>                 Best Regards, Paul Ritchie
>>>>                 OWASP Interim Executive Director
>>>>                 paul.ritchie at owasp.org
>>>>
>>>>
>>>>                 On Mon, Apr 20, 2015 at 1:21 PM, Josh Sokol
>>>>                 <josh.sokol at owasp.org> wrote:
>>>>
>>>>                     I think we should treat it like we do the
>>>>                     chapters.  If a project has money in their
>>>>                     account, then they are not eligible for
>>>>                     Foundation funds until that money has been
>>>>                     allocated. I'd also agree that $30k of
>>>>                     unbudgeted funds is a lot to spend like this
>>>>                     considering I don't see any reason to hurry
>>>>                     here. It literally means robbing another
>>>>                     budgeted project in order to account for this. 
>>>>                     That said, I support the idea, in concept.
>>>>                     Maybe the projects with some money can front it
>>>>                     for their slots, the Foundation can use this as
>>>>                     an experiment for our own program, and we can
>>>>                     see how it goes. Minimal risk with a high
>>>>                     reward and we can budget for more next year?
>>>>
>>>>                     ~josh
>>>>
>>>>                     On Mon, Apr 20, 2015 at 2:59 PM, Tobias
>>>>                     <tobias.gondrom at owasp.org> wrote:
>>>>
>>>>                         Well, I don't know.
>>>>
>>>>                         IMHO the criteria should be based on
>>>>                         quality of proposal and bang for the buck
>>>>                         for OWASP.
>>>>
>>>>                         incubator/lab/flagship seems not so useful.
>>>>                         E.g. if we get three good in one category,
>>>>                         I would not see a point selecting one from
>>>>                         another one just to serve all categories.
>>>>
>>>>                         Cheers, Tobias
>>>>
>>>>
>>>>
>>>>                         On 20/04/15 19:49, johanna curiel curiel wrote:
>>>>>                         >Not sure we need to split this in incubator/lab/flagship categories.
>>>>>
>>>>>                         Tobias, this could be an option if we would
>>>>>                         like to provide a fair chance to all
>>>>>                         project categories. Would you suggest
>>>>>                         other criteria for selection?
>>>>>
>>>>>                         cheers
>>>>>
>>>>>                         Johanna
>>>>>
>>>>>                         On Mon, Apr 20, 2015 at 2:44 PM, Tobias
>>>>>                         <tobias.gondrom at owasp.org> wrote:
>>>>>
>>>>>                             3 x 2500USD sounds reasonable.
>>>>>
>>>>>                             Not sure we need to split this in
>>>>>                             incubator/lab/flagship categories.
>>>>>
>>>>>                             Best, Tobias
>>>>>
>>>>>
>>>>>
>>>>>                             On 20/04/15 19:39, johanna curiel
>>>>>                             curiel wrote:
>>>>>>                             Consider maybe a small pilot with 3
>>>>>>                             types of projects:
>>>>>>                             1 Incubator, 1 LAB, 1 Flagship
>>>>>>
>>>>>>                             Do a pre selection of the most active
>>>>>>                             on each category  and then select at
>>>>>>                             random the participating one.
>>>>>>
>>>>>>                             just an idea
>>>>>>
>>>>>>                             Total for the pilot 9,000USD (3 x
>>>>>>                             3000USD) or
>>>>>>                             USD2500x 3 = 7500USD
>>>>>>
>>>>>>                             regards
>>>>>>
>>>>>>                             Johanna
>>>>>>
>>>>>>                             On Mon, Apr 20, 2015 at 2:21 PM, Jim
>>>>>>                             Manico <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>                                 A suggestion. Because this is the
>>>>>>                                 first time OWASP is directly
>>>>>>                                 funding this initiative, can we
>>>>>>                                 start with a smaller financial
>>>>>>                                 amount, measure success, and then
>>>>>>                                 consider larger funding next
>>>>>>                                 year? I want to see how we do
>>>>>>                                 first and would feel more
>>>>>>                                 comfortable with a smaller
>>>>>>                                 experiment.
>>>>>>
>>>>>>                                 - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>>                                 On 4/19/15 8:27 AM, Konstantinos
>>>>>>                                 Papapanagiotou wrote:
>>>>>>>                                 Dear board,
>>>>>>>
>>>>>>>                                 Following recent conversations I
>>>>>>>                                 would like to formally submit a
>>>>>>>                                 proposal for the OWASP Summer of
>>>>>>>                                 Code Sprint, requesting a budget
>>>>>>>                                 of $30,000.
>>>>>>>
>>>>>>>                                 The details of the proposal can
>>>>>>>                                 be found here:
>>>>>>>                                 https://docs.google.com/document/d/1FTC-zh__i6ft6uyZRw4rZHxOA44U6T7i33r8RkN0AXk/edit?usp=sharing
>>>>>>>
>>>>>>>                                 I believe that such initiatives
>>>>>>>                                 are important for our mission as
>>>>>>>                                 they combine project
>>>>>>>                                 contributions and reaching out
>>>>>>>                                 to students who are future
>>>>>>>                                 developers.
>>>>>>>
>>>>>>>                                 Looking forward to your comments,
>>>>>>>
>>>>>>>                                 Kostas
>>>>>>>
>>>>>>>
>>>>>>>                                 _______________________________________________
>>>>>>>                                 Owasp-board mailing list
>>>>>>>                                 Owasp-board at lists.owasp.org
>>>>>>>                                 https://lists.owasp.org/mailman/listinfo/owasp-board