[Owasp-board] [Owasp-leaders] Fwd: Project Summit countdown

johanna curiel curiel johanna.curiel at owasp.org
Mon Feb 16 16:31:24 UTC 2015


Something I promised some projects is to create infographics for them
I did this for the OWASP top 10 risk projects

I'll be available on the 22nd to assist projects to create info-graphics
during an 'infographic session'
Just make sure you have the content you want to place

https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
https://www.owasp.org/images/3/32/Top_10_Risks.png

regards

Johanna

On Mon, Feb 16, 2015 at 11:02 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >Are you going to be the overall Summit point of contact and coordinator?
>
> Yes I'll be present, Martin will help us with 2 volunteers to help
> coordinate the activities.
>
> regards
>
> Johanna
>
> On Mon, Feb 16, 2015 at 9:58 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
>> Johanna
>>
>> Thanks for putting this together.
>>
>> I like the approach of having an agenda for each project and funding
>> approval based on that.
>>
>> I would also set a funding cap for each participating member. E.g. 800
>> Euro x participant (approx. 1000 USD) so there are no last-minute
>> surprises regarding costs.
>>
>> Ideally, we would like the Summit to become a regular activity in which our
>> active community gather together during a couple of days, brainstorm ideas,
>> and make them happen.
>>
>> So with clear goals, agenda and activities I'm in full support of this
>> activity.
>>
>> Are you going to be the overall Summit point of contact and coordinator?
>>
>> Thanks again,
>>
>> Fabio
>>
>> On Mon, Feb 16, 2015 at 12:27 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Andrew
>>>
>>> ROI is essential to any initiative we take, we need to set goals and
>>> measure results.
>>>
>>> >So I think we need to be a tiny bit brutal and be focused on what we
>>> *specifically* need from any project investments. Maybe we invest in fewer,
>>> higher value projects and add more people to each project, so that we get
>>> some momentum rather than spread it out across all the projects.
>>>
>>> Agree and therefore one of the conditions of the actual summit is that
>>> the project is active and has a positive review. Another is that they
>>> provide a clear agenda.
>>>
>>> So far we have 6 participating projects (ZAP, OWTF, CRSF, Hackademic and
>>> Top 10 Privacy risks, ASVS)
>>> All of these projects have positive reviews and a healthy activity level
>>>
>>> I have reserved a budget for Simon's team but he already mentioned that
>>> his team will be paying their own cost. This has been reserved in case of.
>>>
>>> It is required that the leaders provide an agenda by next week,
>>> otherwise they will not have sponsorship.
>>>
>>> If we move fwd with the summit, my attendance and Timo's will depend
>>> on next week's reactions to the agenda and of course your final approval.
>>>
>>> I think with this info you are ready to take a decision if you would
>>> like to finance this summit. Also we need to book early so the cost of
>>> tickets does not increase by the time we want to reserve.
>>>
>>> So far, we have achieved the 11,000 dollar mark. I don't think there will be
>>> more projects willing to attend.
>>>
>>> Please let us know asap your approval or not.
>>>
>>>
>>> https://docs.google.com/spreadsheets/d/1OIUPJ-fBqsrCvphEHOU7qWuIkA-6ab4frXehZmhRpNE/edit#gid=0
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Mon, Feb 16, 2015 at 12:27 AM, Andrew van der Stock <
>>> vanderaj at owasp.org> wrote:
>>>
>>>> Michael,
>>>>
>>>> I really think we should either aim for one of several models:
>>>>
>>>> *There are some projects that whilst vital to OWASP's mission, are just
>>>> plain difficult to do*. Things like setting out an education syllabus
>>>> at a tertiary level requires a university level researcher who understands
>>>> pedagogical requirements of tertiary institutions and solid AppSec outcomes
>>>> can build us something. We have not to date - nor I think will ever - find
>>>> someone who as a side project will contribute such an enormous effort, and
>>>> yet without this key piece of the puzzle, universities will continue to
>>>> churn out pen testers, which at best, is a trade. I see this being like a
>>>> one year research position, similar to how much of university level
>>>> research is made. We have specific requirements for a deliverable, and we
>>>> work with say with a chosen institution to get it done on the basis that
>>>> the IP and materials at the end comply with our open source licensing
>>>> guidelines. This is just one type of Extra Hard Thorny Problem.
>>>>
>>>> *There are some flagship projects that OWASP is famous for*. We can
>>>> probably get funding directly from sponsors on this one, and if we could do
>>>> so with sufficient funds to go 24-48 months with a hire in place, we can
>>>> get some immense traction. I'm thinking these positions would be like
>>>> Linux Foundation's fellows.
>>>>
>>>> *There are some flagship projects that just need a bit more of a boost
>>>> to get over the line to gain the self-sustaining momentum*, like the
>>>> Testing Guide. These could be assisted by making available project grants
>>>> so that folks can travel and be accommodated for at least a week,
>>>> preferably two, at an AppSec conference nearest them and get the big jobs
>>>> done whilst on site. I see this operating like the IBM redbooks residencies
>>>> - you are not ever an OWASP employee, but we help you co-invest in your
>>>> project by getting the project leads and resources together to build
>>>> something specific.
>>>>
>>>> The problem is that we have had for such a long time that the ONLY
>>>> people who cannot be paid by OWASP are the people doing the writing on
>>>> projects. Graphic designers can be paid. The publisher can be paid. Firms
>>>> can create services from the materials can get paid. Dinis made this really
>>>> clear on OWASP-Leaders, and it's pretty much hard wired into the Projects
>>>> handbook. This I feel is off putting to those who might otherwise ask how
>>>> they can best contribute to OWASP. It's resulted in a lot of smaller
>>>> projects of one-two people that don't really change the world, and inaction
>>>> of the big projects. Johanna is right - The DevGuide and ASVS are side
>>>> projects for me. I can do the ASVS as it's approachable and re-writeable by
>>>> one person over a summer break. The DevGuide isn't. The DevGuide needs a
>>>> leader who can work full time on it. Whilst I'm a board member, this is
>>>> almost certainly not me.
>>>>
>>>> We spent a lot of money in 2011 on the Portugal Project Summit. I don't
>>>> think we invested money wisely in that project summit, because we didn't
>>>> get a return on investment. None of the three major guides got a rev during
>>>> the year after it. The Top 10 didn't get a rev. Look at all the tracks and
>>>> working groups. We didn't get a OWASP Universities outcome. We didn't get
>>>> an XSS outcome. As far as I can tell, not one of the tracks produced a
>>>> deliverable within 12 months of that summit.
>>>>
>>>> https://www.owasp.org/index.php/Summit_2011_Attendee
>>>>
>>>> So I think we need to be a tiny bit brutal and be focused on what we
>>>> *specifically* need from any project investments. Maybe we invest in fewer,
>>>> higher value projects and add more people to each project, so that we get
>>>> some momentum rather than spread it out across all the projects. I don't
>>>> know, and I'm a tiny bit conflicted (DevGuide, ASVS). Obviously, if one of
>>>> my projects came to a vote, I'd step aside whilst the vote is taken, but we
>>>> should probably decide on a budget, a model, and then the projects.
>>>> Projects will come and go, but there should always be a budget to be used
>>>> and a governance model to make sure the budget investment is used wisely
>>>> and produces specific deliverables for OWASP and its mission both inside
>>>> and outside of OWASP.
>>>>
>>>> The bigger projects - if we decide on those that we think are valuable
>>>> and should continue - need some form of investment. We've spent perilously
>>>> close to zero dollars since 2011 on projects. This must change, and we must
>>>> shout it from the rooftops once we decide on strategic projects and
>>>> investment models.
>>>>
>>>> Thoughts?
>>>>
>>>> Andrew
>>>>
>>>>
>>>> On Tue, Feb 10, 2015 at 10:44 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Michael,
>>>>>
>>>>> I think you have made a good point.
>>>>>
>>>>> My experience with projects is that only the people that can dedicate
>>>>> a lot of time to their projects will see them flourish.
>>>>>
>>>>> If most leaders have full-time jobs and try to do this on the side,
>>>>> they don't get as much progress as the other ones.
>>>>>
>>>>> Improving the OWASP inventory has also taken a period of 2 years where
>>>>> we have now in place a reasonable way of reviewing and cleaning the
>>>>> inventory but there is still some work to do on this part.
>>>>>
>>>>> If we are looking for innovation, then another strategy is definitely
>>>>> needed from the actual one.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Tue, Feb 10, 2015 at 12:32 AM, Michael Coates <
>>>>> michael.coates at owasp.org> wrote:
>>>>>
>>>>>> I think that challenge is for us to solve. How would projects spend
>>>>>> money? We've done this exercise before and we have no bites.
>>>>>> https://www.owasp.org/index.php/Funding
>>>>>>
>>>>>> So what are we missing? We've provided guidelines on acceptable
>>>>>> expenditures and haven't had anyone raise ideas different than those.
>>>>>>
>>>>>> As a thought exercise let's allocate 100k to projects this moment
>>>>>> (just hypothetical) where would it actually be spent? Why is our current
>>>>>> approach not working?
>>>>>>
>>>>>> Is it time to fully switch to hired developers and further specific
>>>>>> objectives? Or should we keep muddling around with limited gains?
>>>>>>
>>>>>> Which furthers the mission more?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Feb 9, 2015, at 1:30 PM, Andrew van der Stock <vanderaj at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> +1000
>>>>>>
>>>>>> On Tue, Feb 10, 2015 at 4:49 AM, Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> I personally feel that projects are heavily underfunded and would
>>>>>>> support a large investment if there is a clear path for how those funds
>>>>>>> will be used.
>>>>>>>
>>>>>>> Aloha,
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> @Manicode
>>>>>>> (808) 652-3805
>>>>>>>
>>>>>>> On Feb 9, 2015, at 6:13 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>> Hi Josh
>>>>>>>
>>>>>>> I think indeed that I need to create a break down for the actual
>>>>>>> projects leaders that have reacted and a projection for the expected ones
>>>>>>> by tomorrow
>>>>>>> With this info, then we can have a budget that you can vote for,
>>>>>>> including the main goals
>>>>>>>
>>>>>>> I'm also in favor of spending money wisely with a clear expected
>>>>>>> output, not just to hang around and have fun in Amsterdam ;-)
>>>>>>>
>>>>>>> My personal target is to review projects and communicate regarding
>>>>>>> the review process and how to improve this. Also to automate some of the
>>>>>>> process during the summit
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Mon, Feb 9, 2015 at 12:21 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Johanna,
>>>>>>>>
>>>>>>>> I think that the majority of the Board is in favor of this and sees
>>>>>>>> the value in it.  The challenge is that you've come to us with it after
>>>>>>>> money was budgeted for 2015 so we would have to pillage from elsewhere in
>>>>>>>> order to make this happen.  More money = more pillaging so we have to be
>>>>>>>> conservative with the budget.  How much do we anticipate for "coffee
>>>>>>>> breaks" for the summit?  How much do we anticipate for tickets,
>>>>>>>> accommodation, and food?  How many people would we actually get off that
>>>>>>>> money?  What are the goals and deliverables that will come out of this
>>>>>>>> summit?  It becomes a question of ROI at this point and the Board has a
>>>>>>>> responsibility to maximize the reward for the Foundation.  If we're
>>>>>>>> spending $10k for four people to get together and drink coffee, that's
>>>>>>>> probably not money well spent, but if we're spending $50k for a code-a-thon
>>>>>>>> where 20 people get together and drastically improve upon our OWASP
>>>>>>>> toolset, then that's a huge reward.  For all of our conferences, we ask the
>>>>>>>> planners to put together a budget that shows anticipated revenue and
>>>>>>>> expenses as well as to provide conference deliverables.  My personal
>>>>>>>> opinion is that a summit is no different than a conference, just with a
>>>>>>>> different target audience, and that a similar plan should be drafted.  Can
>>>>>>>> you put something more formal together that the Board can vote on?  It's
>>>>>>>> all very nebulous at this point.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Mon, Feb 9, 2015 at 6:53 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Hi Josh
>>>>>>>>>
>>>>>>>>> Tentatively? Let's be more specific ;-)
>>>>>>>>> Does the board agree yes or no?
>>>>>>>>>
>>>>>>>>> The money as I have mentioned, will be used to pay the tickets,
>>>>>>>>> accommodation and coffee breaks
>>>>>>>>> Depending on how many leaders would like to assist, I will create a
>>>>>>>>> breakdown of the cost per leader (Ticket/Accommodation/Food) and Coffee
>>>>>>>>> breaks for in between the sessions. We have 2 rooms but if more projects
>>>>>>>>> want to attend, then we probably need 2 or 3 rooms more
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - Flagship leaders have highest prio
>>>>>>>>>    - Then LABS
>>>>>>>>>    - and then the best out of the incubators
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The selection is based on their activity level which we have been
>>>>>>>>> monitoring through the reviews.
>>>>>>>>>
>>>>>>>>> If everyone would like to come, I know 10K won't be enough.
>>>>>>>>> Probably it will be around 30 to 40K if everyone wants to have sessions but
>>>>>>>>> we can accommodate more than one session in one room as done during APPSEC
>>>>>>>>> 2013 US.
>>>>>>>>>
>>>>>>>>> Please let me know what we can expect from the board and if there
>>>>>>>>> is an agreement for the 10k at least, be aware, more leaders, then we have
>>>>>>>>> more costs but It will be great if we can have at least the top projects
>>>>>>>>> leaders together. ZAP and OWTF,ASVS and Dev Guide and  have said yes, but
>>>>>>>>> please, be clear if we can count on this budget
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Johanna
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Feb 8, 2015 at 10:41 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Johanna,
>>>>>>>>>>
>>>>>>>>>> Just to be clear, I believe the Board tentatively approved your
>>>>>>>>>> request for the $10k, but requested that you provided a more detailed
>>>>>>>>>> budget showing what you intended to use the money for.  I don't remember
>>>>>>>>>> you asking if you could solicit sponsors through OWASP, but I, personally,
>>>>>>>>>> don't see any reason why we couldn't help with that part of the fundraising.
>>>>>>>>>>
>>>>>>>>>> ~josh
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 8, 2015 at 5:06 PM, johanna curiel curiel <
>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colin
>>>>>>>>>>>
>>>>>>>>>>> Indeed my mistake, we didn't set a deadline yet, however by the first
>>>>>>>>>>> week of March we will close the participation opportunity. We have published
>>>>>>>>>>> an invitation for participation through the OWASP connector
>>>>>>>>>>>
>>>>>>>>>>> My answers below
>>>>>>>>>>>
>>>>>>>>>>> 1. The comment about "launch and or promote" in that email
>>>>>>>>>>> confused me because I thought summits were to generate outputs. Is it more
>>>>>>>>>>> like a project showcase? If so, are OWASP projects not a part of the main
>>>>>>>>>>> conference program?
>>>>>>>>>>>
>>>>>>>>>>> *A summit is not a showcase but an opportunity to have all
>>>>>>>>>>> leaders together to discuss and generate output, guidelines, give direction,
>>>>>>>>>>> take decisions regarding the direction of projects in general. But I think
>>>>>>>>>>> we might turn towards Showcases instead of Summits*
>>>>>>>>>>>
>>>>>>>>>>> 2. The AppsecEU website doesn't mention this summit. What will
>>>>>>>>>>> be done to promote it?
>>>>>>>>>>> *Correct. We are looking to first determine how
>>>>>>>>>>> many leaders want to assist, apply for a budget and sponsoring in order to
>>>>>>>>>>> publish this together *
>>>>>>>>>>>
>>>>>>>>>>> 3. Who is getting paid/what?
>>>>>>>>>>>
>>>>>>>>>>> *We are looking for sponsors to at least pay for accommodation
>>>>>>>>>>> and tickets. The Board has not answered my question if there is available
>>>>>>>>>>> budget for this and if I can send an invitation through OWASP to get sponsors.
>>>>>>>>>>> I have proposed to ask for sponsors that could help us cover the expenses.
>>>>>>>>>>> This summit should have the leaders of the Flagship projects, LABS and the
>>>>>>>>>>> best out of the incubators. An invitation was sent to the Flagships and
>>>>>>>>>>> only a couple of them reacted that they could assist*
>>>>>>>>>>>
>>>>>>>>>>> 4. The date and that there are two rooms appear to be new
>>>>>>>>>>> information today. What else can be shared please?
>>>>>>>>>>>
>>>>>>>>>>> *We are looking for budget but important to determine is, how
>>>>>>>>>>> many leaders are willing to assist in order to create a final budget
>>>>>>>>>>> covering accommodation/tickets and food for them. No leaders, no summit.*
>>>>>>>>>>>
>>>>>>>>>>> 5. What else will the summit be competing with on the same day?
>>>>>>>>>>> *The conference sessions on that day*
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hope this has clarified your questions.
>>>>>>>>>>>
>>>>>>>>>>> regards
>>>>>>>>>>>
>>>>>>>>>>> Johanna
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Feb 8, 2015 at 3:56 PM, colin.watson at owasp.org <
>>>>>>>>>>> colin.watson at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Johanna
>>>>>>>>>>>>
>>>>>>>>>>>> The Amsterdam "project summit " invitation I saw was sent on
>>>>>>>>>>>> 21st January:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2015-January/013715.html
>>>>>>>>>>>>
>>>>>>>>>>>> What is the deadline please?
>>>>>>>>>>>>
>>>>>>>>>>>> Could you provide any more detrimental than appear in the
>>>>>>>>>>>> firm's questions?
>>>>>>>>>>>>
>>>>>>>>>>>> 1. The comment about "launch and or promote" in that email
>>>>>>>>>>>> confused me because I thought summits were to generate outputs. Is it more
>>>>>>>>>>>> like a project showcase? If so, are OWASP projects not a part of the main
>>>>>>>>>>>> conference program?
>>>>>>>>>>>>
>>>>>>>>>>>> 2. The AppsecEU website doesn't mention this summit. What will
>>>>>>>>>>>> be done to promote it?
>>>>>>>>>>>>
>>>>>>>>>>>> 3. Who is getting paid/what?
>>>>>>>>>>>>
>>>>>>>>>>>> 4. The date and that there are two rooms appear to be new
>>>>>>>>>>>> information today. What else can be shared please?
>>>>>>>>>>>>
>>>>>>>>>>>> 5. What else will the summit be competing with on the same day?
>>>>>>>>>>>>
>>>>>>>>>>>> I am sure other projects will want to participate.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards Colin
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Reply message -----
>>>>>>>>>>>> From: "johanna curiel curiel" <johanna.curiel at owasp.org>
>>>>>>>>>>>> To: "owasp-leaders at lists.owasp.org" <
>>>>>>>>>>>> owasp-leaders at lists.owasp.org>
>>>>>>>>>>>> Subject: [Owasp-leaders] Fwd: Project Summit countdown
>>>>>>>>>>>> Date: Sun, Feb 8, 2015 18:29
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> >Back to the Project Summit, the interesting question is: *should
>>>>>>>>>>>> OWASP invest 50k or 100k on its projects? *
>>>>>>>>>>>>
>>>>>>>>>>>> Well that is the golden question. I have the impression that
>>>>>>>>>>>> key decision makers are reluctant for this part, since it is not clear what
>>>>>>>>>>>> will be the output from this. This has been mentioned to me in the past.
>>>>>>>>>>>>
>>>>>>>>>>>> The question is, how effective is it to invest 50 or 100k in a
>>>>>>>>>>>> summit and what do we get out of it?
>>>>>>>>>>>>
>>>>>>>>>>>> I think OWASP should at least invest and help promote those
>>>>>>>>>>>> flagship projects and LABS/Incubators doing excellent work. That is how
>>>>>>>>>>>> Project leaders can promote and spread the word out about their projects
>>>>>>>>>>>> with OWASP support. But, what about new blood and innovative thinking? I'm
>>>>>>>>>>>> seeing many vulnerabilities that are not being handled with new projects or
>>>>>>>>>>>> fresh approaches.
>>>>>>>>>>>>
>>>>>>>>>>>> The key factor is, there is low participation and motivation
>>>>>>>>>>>> within the Project leaders. There is not really new blood of ideas coming
>>>>>>>>>>>> in and some leaders have decided to start their projects outside OWASP.
>>>>>>>>>>>>
>>>>>>>>>>>> This is what we need to change and reach, more participation,
>>>>>>>>>>>> community bonding and innovative projects.
>>>>>>>>>>>>
>>>>>>>>>>>> *An idea*
>>>>>>>>>>>> All major flagship/LABS and the best incubator projects should
>>>>>>>>>>>> be present at Defcon/OWASP conference for the "OWASP Hackathon Contest"
>>>>>>>>>>>>
>>>>>>>>>>>> Budget: 50,000K
>>>>>>>>>>>> Goals:
>>>>>>>>>>>>
>>>>>>>>>>>>    - Build new features for OWASP projects,
>>>>>>>>>>>>    - Promote OWASP projects and Chapters
>>>>>>>>>>>>    - Help actual projects to move fwd with development
>>>>>>>>>>>>    - Get new volunteers to work on projects
>>>>>>>>>>>>    - Start new innovative projects
>>>>>>>>>>>>
>>>>>>>>>>>> OWASP Hackathon Activities:
>>>>>>>>>>>>
>>>>>>>>>>>>    - Help build new features,
>>>>>>>>>>>>    - Start a new innovative project
>>>>>>>>>>>>    - Become an OWASP member/volunteer/start a chapter
>>>>>>>>>>>>    - Write documentation,
>>>>>>>>>>>>    - Motivation for participation: get recognition and a
>>>>>>>>>>>>    prize (plenty of small prizes can be given away such as: Drinks/Food vouchers,
>>>>>>>>>>>>    T-Shirts etc).
>>>>>>>>>>>>
>>>>>>>>>>>> This hackathon should be fun, and help people connect and
>>>>>>>>>>>> participate
>>>>>>>>>>>>
>>>>>>>>>>>> regards
>>>>>>>>>>>>
>>>>>>>>>>>> Johanna
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Feb 8, 2015 at 1:08 PM, Dinis Cruz <
>>>>>>>>>>>> dinis.cruz at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Johanna, as you are seeing, it's really hard to create an
>>>>>>>>>>>>> OWASP Project Summit with the current model (with little funding, with no
>>>>>>>>>>>>> dedicated team, attached to a conference, etc..)
>>>>>>>>>>>>>
>>>>>>>>>>>>> The formula that worked in the past was to start with a set
>>>>>>>>>>>>> budget (let's say 50k to 100k) and:
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - use those funds to make sure the key players (in this
>>>>>>>>>>>>>    case project leaders and 'new players') are going to attend (by offering to
>>>>>>>>>>>>>    cover all travel and accommodation expenses (while asking them if they can
>>>>>>>>>>>>>    get their employee to pay instead))
>>>>>>>>>>>>>    - hire a dedicated summit team (for that period)
>>>>>>>>>>>>>    - secure dedicated venue and summit resources
>>>>>>>>>>>>>    - generate a huge amount of energy about the summit
>>>>>>>>>>>>>    sessions (starting by inventing all sorts of sessions, until the real
>>>>>>>>>>>>>    sessions become solid)
>>>>>>>>>>>>>    - cast a very wide net of 'invitations to attend the
>>>>>>>>>>>>>    summit' (with the vision that *'the summit is THE place to
>>>>>>>>>>>>>    be, where all the key players will be in the same location, and where REAL
>>>>>>>>>>>>>    work can be done'*)
>>>>>>>>>>>>>
>>>>>>>>>>>>> The hard part is making people 'believe' in the Summit. The
>>>>>>>>>>>>> objective is for our leaders (and attendees) to create the sessions that
>>>>>>>>>>>>> THEY want to attend (on top of the infrastructure provided by the Summit).
>>>>>>>>>>>>> By definition those sessions will be interesting to others, and eventually a
>>>>>>>>>>>>> virtuous cycle will start to occur.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Back to the Project Summit, the interesting question is: *should
>>>>>>>>>>>>> OWASP invest 50k or 100k on its projects? *
>>>>>>>>>>>>>
>>>>>>>>>>>>> I think the answer is *YES* since OWASP's projects are a
>>>>>>>>>>>>> critical part of OWASP (which deserves solid investment)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are some of my blog posts about my views on OWASP Summits
>>>>>>>>>>>>> and OWASP Projects
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Summits must be part of OWASP's DNA
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/summits-must-be-part-of-owasps-dna.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Great description of why OWASP Summits are special
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/great-description-of-why-owasp-summits.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - OWASP Revenue Splits and the "Non-profits have a charter
>>>>>>>>>>>>>    to be innovators"
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/12/owasp-revenue-splits-and-non-profits.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - I want to vote for a Summit Team+Vision , NOT for a venue
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/i-want-to-vote-for-summit-teamvision.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Some proposed Visions for next OWASP Summit
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/some-proposed-visions-for-next-owasp.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Why large OWASP projects start to stale (and who should
>>>>>>>>>>>>>    pay for the work)
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/why-large-owasp-projects-start-to-stale.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - OWASP: Proposed change for SoC: Use budget to pay for
>>>>>>>>>>>>>    project related expenses
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2009/06/owasp-proposed-change-for-soc-use.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Sometimes the best response is just say 'YES'
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/10/sometimes-best-response-is-just-say-yes.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - I wish that OWASP in 2014 ....
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/11/i-wish-that-owasp-in-2014.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - OWASP Principles based on NHS?
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2013/01/owasp-principles-based-on-nhs.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - On how to get paid to work on OWASP projects
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2013/01/on-how-to-get-paid-to-work-on-owasp.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - ROI on OWASP investment on Projects (ie paying leaders)
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/04/roi-on-owasp-investment-on-projects-ie.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Improved Wikipedia funding page, why OWASP needs
>>>>>>>>>>>>>    something similar, and who buys OWASP Corporate Memberships
>>>>>>>>>>>>>    <http://blog.diniscruz.com/2012/11/improved-wikipedia-funding-page-why.html>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dinis
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 7 February 2015 at 19:47, johanna curiel curiel <
>>>>>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Board and Project Leaders
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> After a first call to get people to assist and participate
>>>>>>>>>>>>>> in the Project Summit NL, only 2 major projects (Flagship) have reacted
>>>>>>>>>>>>>> and would like to participate.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    - OWASP ZAP
>>>>>>>>>>>>>>    - OWTF
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Right now we have 2 rooms available for this day-20th May
>>>>>>>>>>>>>> (Martin please confirm if this is still the case)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For the rest I think we definitely need to breed in new life
>>>>>>>>>>>>>> into projects participation. It can be that for projects with leaders
>>>>>>>>>>>>>> located in USA, it will be more convenient to have a small summit there
>>>>>>>>>>>>>> specially for them or, we can try to promote participation to projects
>>>>>>>>>>>>>> (looking for volunteers, starting a project etc).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So far, I don't think we can call this a Project Summit,
>>>>>>>>>>>>>> and it might get down to ZAP/OWTF summit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In that case it is essential to know:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    - Identify how many people will be assisting to the ZAP
>>>>>>>>>>>>>>    and OWTF session
>>>>>>>>>>>>>>    - IF Traveling tickets and accommodation could be paid
>>>>>>>>>>>>>>    for ZAP/OWTF leaders
>>>>>>>>>>>>>>    - Coffee break sponsorship for the attendees of this
>>>>>>>>>>>>>>    summit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That will basically resume the costs. based on this low
>>>>>>>>>>>>>> attendance I don't think I'll be present in Amsterdam.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I think we need to think of another strategy to promote Owasp
>>>>>>>>>>>>>> projects through summits if we want to continue with this. What do we want
>>>>>>>>>>>>>> to achieve indeed?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> My impression is that no new innovative projects are being
>>>>>>>>>>>>>> started at OWASP.
>>>>>>>>>>>>>> We definitely need new 'blood' and innovative thinkers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Johanna
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board