[Owasp-board] Higher Criteria on Starting projects

Jim Manico jim.manico at owasp.org
Wed Jun 24 19:24:55 UTC 2015


Matt,

A polite counterpoint. This checklist does not address any of the modern 
javascript frameworks or modern identity methods (saml, oauth, oidc, 
etc). These items are very important for secure coding today.

I would love to see this checklist undergo a cleanup and update.

Respectfully,
Jim

On 6/22/15 5:55 PM, Matt Tesauro wrote:
> Johanna,
>
> Generally speaking, I think the work with Project Review team has been 
> stellar and the use of OpenHub is extremely useful.
>
> I do think there's a big difference and gap in accuracy between 
> "code-ish" projects and documentation projects.  If all docs were 
> written in a markup and stored in Git, then we'd be in a better 
> position but that is not the usual situation - more like an extreme 
> statistical outlier.
>
> The one place I've seen this not work - and I preface this with the 
> fact that one specific case does not invalidate the entire process - 
> is the Secure Coding Practices Quick Reference Guide [1].
>
> This is listed as a "Low Activity Project" on the project page: 
> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory
>
> However, this project is still VERY useful and I continue to recommend 
> its use today.  It was very solid when Boeing donated it to OWASP and 
> really hasn't _needed_ activity to remain useful.  While most 
> projects, especially coding projects, deteriorate over time and 'get 
> stale', some projects like this don't require much care and feeding to 
> remain useful.
>
> I worked on the Global Projects Committee (GPC) when it existed and 
> this was a problem at that time as well.  It's very hard to find ~the 
> one metric~ or set of metrics which work well across the diversity of 
> our projects.  We created separate criteria for projects vs code and 
> even that really isn't a 100% method to categorize projects - there 
> are things which don't fall cleanly into either category - like the 
> OWASP WTE - it's a collection of easy to consume tools and 
> documentation and some automation/code to package those things up.  Is 
> that code or a doc?  Who knows.  How about the OWASP Legal Project?  
> It's sort of a doc but not entirely.
>
> If I had the magic answer I would have proposed it long ago on the GPC 
> - it's something you will struggle with.  I just want to make sure that 
> we don't inadvertently 'downgrade' projects which don't fit the 
> metrics well but are still useful.
>
> And, I agree 100% that project review is a VERY LABOR INTENSIVE 
> process.  Maybe we need to round up some college kids and find a way 
> to non-financially reward them for doing some project reviews for the 
> Foundation.  That's not a bad pool of pretty smart people who 
> generally have some spare time on their hands and are looking for 
> resume/vita building activities.
>
> Cheers!
>
> [1] 
> https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Sun, Jun 21, 2015 at 3:56 PM, johanna curiel curiel 
> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>
>     Matt
>
>     Yes indeed. In 2013 a Project Review team created these criteria (I
>     was one of them):
>
>     https://docs.google.com/spreadsheets/d/1upIyG0L-P-myUM6EPg0aJmCTDvJrdqaVdnjdNBME9is/edit?usp=sharing
>
>     We have been using automated tools for tracking like Openhub and
>     SWAMP, but checking quality of documentation and testing is more
>     labor intensive.
>
>     Timo, for example, is a developer and has been giving a hand on
>     this, as have I, and we hired a Tester to help us out with
>     project reviews last year.
>
>     Still, as mentioned before, it is labor intensive. We are looking
>     at ideas to help us automate as much as possible, but the human
>     component is indispensable so far.
>
>     regards
>
>     Johanna
>
>
>     On Sun, Jun 21, 2015 at 4:37 PM, Matt Konda <matt.konda at owasp.org
>     <mailto:matt.konda at owasp.org>> wrote:
>
>         Johanna,
>
>         This is cool.  I hadn't seen this view yet.  Do we have a way
>         to establish maturity of documentation, testing, issue response?
>
>         I am interested to chat more sometime.
>
>         Matt
>
>
>         On Sun, Jun 21, 2015 at 4:13 PM, johanna curiel curiel
>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>         wrote:
>
>             Hi Matt
>
>             Not sure if you are aware, we are using Openhub to track
>             projects. It gives us a quite complete report of the
>             activity level of all the OWASP projects using an open
>             repository so we can track them.
>             https://www.openhub.net/orgs/OWASP
>
>             I try to register them here and keep track. The main issue
>             is empty projects, but we have significantly reduced the
>             number of empty projects; however, there are some
>             beginning with some lines of code and this is what still
>             concerns us, because a few pages of text or some lines of
>             code cannot really be considered a 'project'. This is where
>             Timo and other members have expressed their concern.
>
>             I would like to discuss further your ideas on how to
>             improve the project platform faster and get more quality
>             projects to a certain status.
>
>             regards
>
>             Johanna
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
