[Owasp-board] Higher Criteria on Starting projects

Matt Tesauro matt.tesauro at owasp.org
Tue Jun 23 03:55:04 UTC 2015


Johanna,

Generally speaking, I think the work with Project Review team has been
stellar and the use of OpenHub is extremely useful.

I do think there's a big difference and gap in accuracy between "code-ish"
projects and documentation projects.  If all docs were written in a markup
and stored in Git, then we'd be in a better position but that is not the
usual situation - more like an extreme statistical outlier.

The one place I've seen this not work - and I preface this with the fact
that one specific case does not invalidate the entire process - is the
Secure Coding Practices Quick Reference Guide [1].

This is listed as a "Low Activity Project" on the project page:
https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory

However, this project is still VERY useful and I continue to recommend its
use today.  It was very solid when Boeing donated it to OWASP and really
hasn't _needed_ activity to remain useful.  While most projects, especially
coding projects, deteriorate over time and 'get stale', some projects like
this don't require much care and feeding to remain useful.

I worked on the Global Projects Committee (GPC) when it existed and this
was a problem at that time as well.  It's very hard to find ~the one metric~
or set of metrics which work well across the diversity of our projects.  We
created separate criteria for projects vs code and even that really isn't a
100% method to categorize projects - there are things which don't fall
cleanly into either category - like the OWASP WTE - it's a collection of
easy to consume tools and documentation and some automation/code to package
those things up.  Is that code or a doc?  Who knows.  How about the OWASP
Legal Project?  It's sort of a doc but not entirely.

If I had the magic answer I would have proposed it long ago on the GPC -
it's something you will struggle with.  I just want to make sure that we
don't inadvertently 'down grade' projects which don't fit the metrics well
but are still useful.

And, I agree 100% that project review is a VERY LABOR INTENSIVE process.
Maybe we need to round up some college kids and find a way to
non-financially reward them for doing some project reviews for the
Foundation.  That's not a bad pool of pretty smart people who generally
have some spare time on their hands and are looking for resume/vita
building activities.

Cheers!

[1]
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project

On Sun, Jun 21, 2015 at 3:56 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Matt
>
> Yes indeed. In 2013 a Project Review team created these criteria (I was one
> of them)
>
>
> https://docs.google.com/spreadsheets/d/1upIyG0L-P-myUM6EPg0aJmCTDvJrdqaVdnjdNBME9is/edit?usp=sharing
>
> We have been using automated tools for tracking like Openhub and SWAMP,
> but checking quality of documentation and testing is more labor intensive.
>
> Timo for example, is a developer and has been giving a hand on this, as
> myself and when we hired a Tester to help us out with project reviews last
> year.
>
> Still, like mentioned before, it is labor intensive. We are looking at ideas
> to help us automate as much as possible, but the human component is
> indispensable so far.
>
> regards
>
> Johanna
>
>
> On Sun, Jun 21, 2015 at 4:37 PM, Matt Konda <matt.konda at owasp.org> wrote:
>
>> Johanna,
>>
>> This is cool.  I hadn't seen this view yet.  Do we have a way to
>> establish maturity of documentation, testing, issue response?
>>
>> I am interested to chat more sometime.
>>
>> Matt
>>
>>
>> On Sun, Jun 21, 2015 at 4:13 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Matt
>>>
>>> Not sure if you are aware, we are using Openhub to track projects. It
>>> gives us a quite complete report of the activity level of all the OWASP
>>> projects using an open repository so we can track them.
>>> https://www.openhub.net/orgs/OWASP
>>>
>>> [image: Inline image 1]
>>>
>>> I try to register them here and keep track. The main issue is empty
>>> projects but we have reduced significantly the amount of empty projects,
>>> however, there are some beginning with some lines of code and this is what
>>> still concerns us, because a few pages of text or some lines of code cannot
>>> be really considered a 'project'. This is where Timo and other members have
>>> expressed their concern.
>>>
>>> I would like to discuss further your ideas on how to improve the project
>>> platform faster and get more quality projects to certain status
>>>
>>> regards
>>>
>>> Johanna
>>>
>>
>>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>