[Owasp-board] [Owasp-leaders] Fwd: Project Summit countdown

johanna curiel curiel johanna.curiel at owasp.org
Tue Feb 10 11:44:38 UTC 2015


Michael,

I think you have made a good point.

My experience with projects is that only the people that can dedicate a
lot of time to their projects will see them flourish.

If most leaders have full-time jobs and try to do this on the side, they
don't get as much progress as the other ones.

Improving the OWASP inventory has also taken a period of 2 years, where we
now have in place a reasonable way of reviewing and cleaning the inventory,
but there is still some work to do on this part.

If we are looking for innovation, then another strategy is definitely
needed from the actual one.

regards

Johanna

On Tue, Feb 10, 2015 at 12:32 AM, Michael Coates <michael.coates at owasp.org>
wrote:

> I think that challenge is for us to solve. How would projects spend money?
> We've done this exercise before and we have no bites.
> https://www.owasp.org/index.php/Funding
>
> So what are we missing? We've provided guidelines on acceptable
> expenditures and haven't had anyone raise ideas different than those.
>
> As a thought exercise let's allocate 100k to projects this moment (just
> hypothetical) where would it actually be spent? Why is our current approach
> not working?
>
> Is it time to fully switch to hired developers and further specific
> objectives? Or should we keep muddling around with limited gains?
>
> Which furthers the mission more?
>
>
>
> On Feb 9, 2015, at 1:30 PM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>
> +1000
>
> On Tue, Feb 10, 2015 at 4:49 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I personally feel that projects are heavily underfunded and would support
>> a large investment if there is a clear path for how those funds will be
>> used.
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Feb 9, 2015, at 6:13 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi Josh
>>
>> I think indeed that I need to create a breakdown for the actual project
>> leaders that have reacted and a projection for the expected ones by tomorrow.
>> With this info, then we can have a budget that you can vote for,
>> including the main goals.
>>
>> I'm also in favor of spending money wisely with a clear expected output,
>> not just to hang around and have fun in Amsterdam ;-)
>>
>> My personal target is to review projects and communicate regarding the
>> review process and how to improve this. Also to automate some of the
>> process during the summit
>>
>> Regards
>>
>> Johanna
>>
>> On Mon, Feb 9, 2015 at 12:21 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> I think that the majority of the Board is in favor of this and sees the
>>> value in it.  The challenge is that you've come to us with it after money
>>> was budgeted for 2015 so we would have to pillage from elsewhere in order
>>> to make this happen.  More money = more pillaging so we have to be
>>> conservative with the budget.  How much do we anticipate for "coffee
>>> breaks" for the summit?  How much do we anticipate for tickets,
>>> accommodation, and food?  How many people would we actually get off that
>>> money?  What are the goals and deliverables that will come out of this
>>> summit?  It becomes a question of ROI at this point and the Board has a
>>> responsibility to maximize the reward for the Foundation.  If we're
>>> spending $10k for four people to get together and drink coffee, that's
>>> probably not money well spent, but if we're spending $50k for a code-a-thon
>>> where 20 people get together and drastically improve upon our OWASP
>>> toolset, then that's a huge reward.  For all of our conferences, we ask the
>>> planners to put together a budget that shows anticipated revenue and
>>> expenses as well as to provide conference deliverables.  My personal
>>> opinion is that a summit is no different than a conference, just with a
>>> different target audience, and that a similar plan should be drafted.  Can
>>> you put something more formal together that the Board can vote on?  It's
>>> all very nebulous at this point.
>>>
>>> ~josh
>>>
>>> On Mon, Feb 9, 2015 at 6:53 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Josh
>>>>
>>>> Tentatively? Let's be more specific ;-)
>>>> Does the board agree yes or no?
>>>>
>>>> The money, as I have mentioned, will be used to pay the tickets,
>>>> accommodation and coffee breaks.
>>>> Depending on how many leaders would like to assist, I then create a
>>>> breakdown of the cost per leader (Ticket/Accommodation/Food) and coffee
>>>> breaks for in between the sessions. We have 2 rooms, but if more projects
>>>> want to attend, then we probably need 2 or 3 rooms more.
>>>>
>>>>
>>>>    - Flagship leaders have highest prio
>>>>    - Then LABS
>>>>    - and then the best out of the incubators
>>>>
>>>>
>>>> The selection is based on their activity level, which we have been
>>>> monitoring through the reviews.
>>>>
>>>> If everyone would like to come, I know 10K won't be enough. Probably it
>>>> will be around 30 to 40K if everyone wants to have sessions, but we can
>>>> accommodate more than one session in one room, as done during APPSEC 2013 US.
>>>>
>>>> Please let me know what we can expect from the board and if there is an
>>>> agreement for the 10k at least. Be aware: more leaders, then we have more
>>>> costs, but it will be great if we can have at least the top project leaders
>>>> together. ZAP and OWTF, ASVS and Dev Guide and  have said yes, but please
>>>> be clear if we can count on this budget.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>> On Sun, Feb 8, 2015 at 10:41 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Johanna,
>>>>>
>>>>> Just to be clear, I believe the Board tentatively approved your
>>>>> request for the $10k, but requested that you provide a more detailed
>>>>> budget showing what you intended to use the money for.  I don't remember
>>>>> you asking if you could solicit sponsors through OWASP, but I, personally,
>>>>> don't see any reason why we couldn't help with that part of the fundraising.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Sun, Feb 8, 2015 at 5:06 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Hi Collin
>>>>>>
>>>>>> Indeed my mistake, we didn't set a deadline yet; however, by the first week
>>>>>> of March we will close the participation opportunity. We have published an
>>>>>> invitation for participation through the OWASP connector.
>>>>>>
>>>>>> My answers below
>>>>>>
>>>>>> 1. The comment about "launch and or promote" in that email confused
>>>>>> me because I thought summits were to generate outputs. Is it more like a
>>>>>> project showcase? If so, are OWASP projects not a part of the main
>>>>>> conference program?
>>>>>>
>>>>>> *A summit is not a showcase but an opportunity to have all leaders
>>>>>> together to discuss and generate output, guidelines, give direction, take
>>>>>> decisions regarding the direction of projects in general. But I think we
>>>>>> might turn towards Showcases instead of Summits*
>>>>>>
>>>>>> 2. The AppsecEU website doesn't mention this summit. What will be
>>>>>> done to promote it?
>>>>>> *Correct. We are looking to first determine how many leaders want to
>>>>>> assist, apply for a budget and sponsoring in order to publish this
>>>>>> together*
>>>>>>
>>>>>> 3. Who is getting paid/what?
>>>>>>
>>>>>> *We are looking for sponsors to at least pay for accommodation and
>>>>>> tickets. The Board has not answered my question if there is available budget
>>>>>> for this and if I can send invitations through OWASP to get sponsors. I have
>>>>>> proposed to ask for sponsors that could help us cover the expenses. This
>>>>>> summit should have the leaders of the Flagship projects, LABS and the best
>>>>>> out of the incubators. An invitation was sent to the Flagships, and only a
>>>>>> couple of them reacted that they could assist*
>>>>>>
>>>>>> 4 . The date and that there are two rooms appear to be new
>>>>>> information today. What else can be shared please?
>>>>>>
>>>>>> *We are looking for budget but important to determine is, how many
>>>>>> leaders are willing to assist in order to create a final budget
>>>>>> covering accommodation/tickets and food for them. No leaders, no summit.*
>>>>>>
>>>>>> 5. What else will the summit be competing with on the same day?
>>>>>> *The conference sessions on that day*
>>>>>>
>>>>>>
>>>>>> Hope this has clarified your questions.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Sun, Feb 8, 2015 at 3:56 PM, colin.watson at owasp.org <
>>>>>> colin.watson at owasp.org> wrote:
>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> The Amsterdam "project summit " invitation I saw was sent on 21st
>>>>>>> January:
>>>>>>>
>>>>>>>
>>>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2015-January/013715.html
>>>>>>>
>>>>>>> What is the deadline please?
>>>>>>>
>>>>>>> Could you provide any more detrimental than appear in the firm's
>>>>>>> questions?
>>>>>>>
>>>>>>> 1. The comment about "launch and or promote" in that email confused
>>>>>>> me because I thought summits were to generate outputs. Is it more like a
>>>>>>> project showcase? If so, are OWASP projects not a part of the main
>>>>>>> conference program?
>>>>>>>
>>>>>>> 2. The AppsecEU website doesn't mention this summit. What will be
>>>>>>> done to promote it?
>>>>>>>
>>>>>>> 3. Who is getting paid/what?
>>>>>>>
>>>>>>> 4 . The date and that there are two rooms appear to be new
>>>>>>> information today. What else can be shared please?
>>>>>>>
>>>>>>> 5. What else will the summit be competing with on the same day?
>>>>>>>
>>>>>>> I am sure other projects will want to participate.
>>>>>>>
>>>>>>> Regards Colin
>>>>>>>
>>>>>>> ----- Reply message -----
>>>>>>> From: "johanna curiel curiel" <johanna.curiel at owasp.org>
>>>>>>> To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
>>>>>>> Subject: [Owasp-leaders] Fwd: Project Summit countdown
>>>>>>> Date: Sun, Feb 8, 2015 18:29
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> >Back to the Project Summit, the interesting question is: *should
>>>>>>> OWASP invest 50k or 100k on its projects? *
>>>>>>>
>>>>>>> Well that is the golden question. I have the impression that key
>>>>>>> decision makers are reluctant for this part, since it is not clear what
>>>>>>> will be the output from this. This has been mentioned to me in the past.
>>>>>>>
>>>>>>> The question is, how effective is it to invest 50 or 100k in a summit
>>>>>>> and what do we get out of it?
>>>>>>>
>>>>>>> I think OWASP should at least invest and help promote those flagship
>>>>>>> projects and LABS/Incubators doing excellent work. That is how Project
>>>>>>> leaders can promote and spread the word out about their projects with OWASP
>>>>>>> support. But, what about new blood and innovative thinking? I'm seeing many
>>>>>>> vulnerabilities that are not being handled with new projects or fresh
>>>>>>> approaches.
>>>>>>>
>>>>>>> The key factor is, there is low participation and motivation within
>>>>>>> the Project leaders. There is not really new blood of ideas coming in and
>>>>>>> some leaders have decided to start their projects outside OWASP.
>>>>>>>
>>>>>>> This is what we need to change and reach, more participation,
>>>>>>> community bonding and innovative projects.
>>>>>>>
>>>>>>> *An idea*
>>>>>>> All major flagship/LABS and the best incubators projects should be
>>>>>>> present at Defcon/OWASP conference for the "OWASP Hackathon Contest"
>>>>>>>
>>>>>>> Budget: 50,000K
>>>>>>> Goals:
>>>>>>>
>>>>>>>    - Build new features for OWASP projects,
>>>>>>>    - Promote OWASP projects and Chapters
>>>>>>>    - Help actual projects to move fwd with development
>>>>>>>    - Get new volunteers to work on projects
>>>>>>>    - Start new innovative projects
>>>>>>>
>>>>>>> OWASP Hackathon Activities:
>>>>>>>
>>>>>>>    - Help build new features,
>>>>>>>    - Start a new innovative project
>>>>>>>    - Become an OWASP member/volunteer/start a chapter
>>>>>>>    - Write documentation,
>>>>>>>    - Motivation for participation: get recognition and a
>>>>>>>    prize (plenty of small prizes can be given away, such as drinks/food vouchers,
>>>>>>>    T-shirts etc.).
>>>>>>>
>>>>>>> This hackathon should be fun, and help people connect and participate
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Sun, Feb 8, 2015 at 1:08 PM, Dinis Cruz <dinis.cruz at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Johanna, as you are seeing, it's really hard to create an OWASP
>>>>>>>> Project Summit with the current model (with little funding, with no
>>>>>>>> dedicated team, attached to a conference, etc..)
>>>>>>>>
>>>>>>>> The formula that worked in the past was to start with a set budget
>>>>>>>> (let's say 50k to 100k) and:
>>>>>>>>
>>>>>>>>    - use those funds to make sure the key players (in this case
>>>>>>>>    project leaders and 'new players') are going to attend (by offering to
>>>>>>>>    cover all travel and accommodation expenses (while asking them if they can
>>>>>>>>    get their employee to pay instead))
>>>>>>>>    - hire a dedicated summit team (for that period)
>>>>>>>>    - secure dedicated venue and summit resources
>>>>>>>>    - generate a huge amount of energy about the summit sessions
>>>>>>>>    (starting by inventing all sorts of sessions, until the real sessions
>>>>>>>>    become solid)
>>>>>>>>    - cast a very wide net of 'invitations to attend the summit'
>>>>>>>>    (with the vision that* 'the summit is THE place to be, where
>>>>>>>>    all the key players will be in the same location, and  where REAL work can
>>>>>>>>    be done'*)
>>>>>>>>
>>>>>>>> The hard part is making people 'believe' in the Summit. The
>>>>>>>> objective is for our leaders (and attendees) to create the sessions that
>>>>>>>> THEY want to attend (on top of the infrastructure provided by the Summit).
>>>>>>>> By definition those sessions will be interesting to others, and eventually a
>>>>>>>> virtuous cycle will start to occur.
>>>>>>>>
>>>>>>>> Back to the Project Summit, the interesting question is: *should
>>>>>>>> OWASP invest 50k or 100k on its projects? *
>>>>>>>>
>>>>>>>> I think the answer is *YES* since OWASP's projects are a critical
>>>>>>>> part of OWASP (which deserves solid investment)
>>>>>>>>
>>>>>>>> Here are some of my blog posts about my views on OWASP Summits and
>>>>>>>> OWASP Projects
>>>>>>>>
>>>>>>>>    - Summits must be part of OWASP's DNA
>>>>>>>>    <http://blog.diniscruz.com/2012/04/summits-must-be-part-of-owasps-dna.html>
>>>>>>>>
>>>>>>>>    - Great description of why OWASP Summits are special
>>>>>>>>    <http://blog.diniscruz.com/2012/04/great-description-of-why-owasp-summits.html>
>>>>>>>>
>>>>>>>>    - OWASP Revenue Splits and the "Non-profits have a charter to
>>>>>>>>    be innovators"
>>>>>>>>    <http://blog.diniscruz.com/2012/12/owasp-revenue-splits-and-non-profits.html>
>>>>>>>>
>>>>>>>>    - I want to vote for a Summit Team+Vision , NOT for a venue
>>>>>>>>    <http://blog.diniscruz.com/2012/04/i-want-to-vote-for-summit-teamvision.html>
>>>>>>>>
>>>>>>>>    - Some proposed Visions for next OWASP Summit
>>>>>>>>    <http://blog.diniscruz.com/2012/04/some-proposed-visions-for-next-owasp.html>
>>>>>>>>
>>>>>>>>    - Why large OWASP projects start to stale (and who should pay
>>>>>>>>    for the work)
>>>>>>>>    <http://blog.diniscruz.com/2012/04/why-large-owasp-projects-start-to-stale.html>
>>>>>>>>
>>>>>>>>    - OWASP: Proposed change for SoC: Use budget to pay for project
>>>>>>>>    related expenses
>>>>>>>>    <http://blog.diniscruz.com/2009/06/owasp-proposed-change-for-soc-use.html>
>>>>>>>>
>>>>>>>>    - Sometimes the best response is just say 'YES'
>>>>>>>>    <http://blog.diniscruz.com/2012/10/sometimes-best-response-is-just-say-yes.html>
>>>>>>>>
>>>>>>>>    - I wish that OWASP in 2014 ....
>>>>>>>>    <http://blog.diniscruz.com/2012/11/i-wish-that-owasp-in-2014.html>
>>>>>>>>
>>>>>>>>    - OWASP Principles based on NHS?
>>>>>>>>    <http://blog.diniscruz.com/2013/01/owasp-principles-based-on-nhs.html>
>>>>>>>>
>>>>>>>>    - On how to get paid to work on OWASP projects
>>>>>>>>    <http://blog.diniscruz.com/2013/01/on-how-to-get-paid-to-work-on-owasp.html>
>>>>>>>>
>>>>>>>>    - ROI on OWASP investment on Projects (ie paying leaders)
>>>>>>>>    <http://blog.diniscruz.com/2012/04/roi-on-owasp-investment-on-projects-ie.html>
>>>>>>>>
>>>>>>>>    - Improved Wikipedia funding page, why OWASP needs something
>>>>>>>>    similar, and who buys OWASP Corporate Memberships
>>>>>>>>    <http://blog.diniscruz.com/2012/11/improved-wikipedia-funding-page-why.html>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Dinis
>>>>>>>>
>>>>>>>> On 7 February 2015 at 19:47, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Board and Project Leaders
>>>>>>>>>
>>>>>>>>> After a first call to get people to assist and participate in
>>>>>>>>> the Project Summit NL, only 2 major projects (Flagship) have reacted and
>>>>>>>>> would like to participate.
>>>>>>>>>
>>>>>>>>>    - OWASP ZAP
>>>>>>>>>    - OWTF
>>>>>>>>>
>>>>>>>>> Right now we have 2 rooms available for this day-20th May (Martin
>>>>>>>>> please confirm if this is still the case)
>>>>>>>>>
>>>>>>>>> For the rest I think we definitely need to breed in new life into
>>>>>>>>> projects participation. It can be that for projects with leaders located in
>>>>>>>>> USA, it will be more convenient to have a small summit there specially for
>>>>>>>>> them or, we can try to promote participation to projects (looking for
>>>>>>>>> volunteers, starting a project etc).
>>>>>>>>>
>>>>>>>>> So far, I don't think we can call this a Project Summit, and it
>>>>>>>>> might get down to ZAP/OWTF summit
>>>>>>>>>
>>>>>>>>> In that case it is essential to know:
>>>>>>>>>
>>>>>>>>>    - Identify how many people will be assisting to the ZAP and
>>>>>>>>>    OWTF session
>>>>>>>>>    - IF Traveling tickets and accommodation could be paid for
>>>>>>>>>    ZAP/OWTF leaders
>>>>>>>>>    - Coffee break sponsorship for the attendees of this summit
>>>>>>>>>
>>>>>>>>> That will basically resume the costs. Based on this low attendance
>>>>>>>>> I don't think I'll be present in Amsterdam.
>>>>>>>>>
>>>>>>>>> I think we need to think of another strategy to promote Owasp
>>>>>>>>> projects through summits if we want to continue with this. What do we want
>>>>>>>>> to achieve indeed?
>>>>>>>>>
>>>>>>>>> My impression is that no new innovative projects are being started
>>>>>>>>> at OWASP.
>>>>>>>>> We definitely need new 'blood' and innovative thinkers
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Johanna
>>>>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board