[Owasp-board] Higher Criteria on Starting projects
johanna curiel curiel
johanna.curiel at owasp.org
Sun Jun 28 02:25:18 UTC 2015
The Low Activity Category refers to projects that have a complete
deliverable and have shown to be very useful projects but do not have
active project leaders or are not planning to launch a new updated version.
As you know, security and IT developments do not stand still.
As described for low activity: 'Projects might have a recession period of
activity, especially after they have reached a certain level of maturity,
however the content could be outdated based on the amount of time (6
months/ 1 year)
This project has not been downgraded, but to be considered a flagship is not
applicable as the project has no active leaders. In my opinion it is just
outdated at certain levels, but still useful. Again, the project leaders are
not actively promoting the project or updating the content. Last release
dates from 2010. That's 5 years ago.
Maybe the label 'Low activity' implies 'inactivity' but how do we
categorise projects whose project leaders are not actively maintaining the
content, updating it and responding to potential users and consumers of the
Any ideas are welcome :-)
On Mon, Jun 22, 2015 at 11:55 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
> Generally speaking, I think the work with Project Review team has been
> stellar and the use of OpenHub is extremely useful.
> I do think there's a big difference and gap in accuracy between "code-ish"
> projects and documentation projects. If all docs were written in a markup
> and stored in Git, then we'd be in a better position but that is not the
> usual situation - more like an extreme statistical outlier.
> The one place I've seen this not work - and I preface this with the fact
> that one specific case does not invalidate the entire process - is the
> Secure Coding Practices Quick Reference Guide.
> This is listed as a "Low Activity Project" on the project page:
> However, this project is still VERY useful and I continue to recommend its
> use today. It was very solid when Boeing donated it to OWASP and really
> hasn't _needed_ activity to remain useful. While most projects, especially
> coding projects, deteriorate over time and 'get stale', some projects like
> this don't require much care and feeding to remain useful.
> I worked on the Global Projects Committee (GPC) when it existed and this
> was a problem at that time as well. It's very hard to find ~the one metric~
> or set of metrics which work well across the diversity of our projects. We
> created separate criteria for projects vs code and even that really isn't a
> 100% method to categorize projects - there are things which don't fall
> cleanly into either category - like the OWASP WTE - it's a collection of
> easy to consume tools and documentation and some automation/code to package
> those things up. Is that code or a doc? Who knows. How about the OWASP
> Legal Project? It's sort of a doc but not entirely.
> If I had the magic answer I would have proposed it long ago on the GPC -
> it's something you will struggle with. I just want to make sure that we
> don't inadvertently 'down grade' projects which don't fit the metrics well
> but are still useful.
> And, I agree 100% that project review is a VERY LABOR INTENSIVE process.
> Maybe we need to round up some college kids and find a way to
> non-financially reward them for doing some project reviews for the
> Foundation. That's not a bad pool of pretty smart people who generally
> have some spare time on their hands and are looking for resume/vita
> building activities.
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> On Sun, Jun 21, 2015 at 3:56 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Yes indeed. In 2013 a Project Review team created this criteria (I was
>> one of them)
>> We have been using automated tools for tracking like Openhub and SWAMP,
>> but checking quality of documentation and testing is more labor intensive.
>> Timo for example, is a developer and has been giving a hand on this, as
>> myself and when we hired a Tester to help us out with project reviews last
>> Still, like mentioned before, it is labor intensive. We are looking at ideas
>> to help us automate as much as possible, but the human component is indispensable
>> so far.
>> On Sun, Jun 21, 2015 at 4:37 PM, Matt Konda <matt.konda at owasp.org> wrote:
>>> This is cool. I hadn't seen this view yet. Do we have a way to
>>> establish maturity of documentation, testing, issue response?
>>> I am interested to chat more sometime.
>>> On Sun, Jun 21, 2015 at 4:13 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Hi Matt
>>>> Not sure if you are aware, we are using Openhub to track projects. It
>>>> gives us a quite complete report of the activity level of all the OWASP
>>>> projects using an open repository so we can track them.
>>>> I try to register them here and keep track. The main issue is empty
>>>> projects but we have reduced significantly the amount of empty projects,
>>>> however, there are some beginning with some lines of code and this is what
>>>> still concerns us, because a few pages of text or some lines of code cannot
>>>> be really considered a 'project'. This is where Timo and other members have
>>>> expressed their concern.
>>>> I would like to discuss further your ideas on how to improve the
>>>> project platform faster and get more quality project to certain status