[Owasp-board] Project Platform

Jim Manico jim.manico at owasp.org
Sat May 30 03:47:30 UTC 2015

More than money, I think we need top tier XSS assessment professionals 
to evaluate and expand on the current XSS filter evasion cheat sheet. 
And more than static payloads I'd love someone to contribute advice on 
more contextual filter evasion.

If anyone is interested in working on this or even "owning" this cheat 
sheet as the lead editor, please drop me a line and let's talk.


On 5/29/15 1:43 PM, Josh Sokol wrote:
> Timo,
> Could you please elaborate on what you would actually use these funds 
> for and how much you think you need to update the XSS Evasion Cheat 
> Sheet?  OWASP Austin donated some money to the Foundation which we 
> have been given the opportunity to choose how it is allocated and this 
> sounds like it may be an area we can assist.
> ~josh
> On Fri, May 29, 2015 at 5:29 AM, Timo Goosen <timo.goosen at owasp.org 
> <mailto:timo.goosen at owasp.org>> wrote:
>     I support this initiative.
>     I'd like to see some funds allocated to updating the XSS Evasion
>     Cheat Sheet as well as all the other offensive related cheatsheets.
>     Attacks are changing all the time and we need to put some money
>     towards having the latest info.
>     Regards.
>     Timo
>     On Thu, May 28, 2015 at 6:00 PM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>         Some great thoughts and ideas here Matt and I agree with
>         pretty much everything you've said.  IIRC, I think there were
>         challenges with using Meetup as a platform over in APAC
>         (China?) which I think is why it hasn't received a more global
>         adoption.  In general, I do like the idea of a centralized
>         platform for our chapters to organize events in a way where
>         they are easily found by people in other communities.  For
>         example, a search for "security" in Meetup should yield the
>         OWASP meeting in your area.
>         One thing that I also like about Meetup is the open
>         Discussions forums.  I've tried for years now to get a social
>         platform for OWASP that isn't the mailing list.  I've spent
>         quite a bit of personal time with the content on
>         http://my.owasp.org, and promoted it a few times, but despite
>         my best efforts, it seems that OWASP very much prefers these
>         old school mailing lists for communication.  It's been a great
>         platform for OWASP Austin, but there's not much activity
>         outside of that, unfortunately.  My ideal would be a scenario
>         where content on the mailing list is sync'd to the discussion
>         forums and vice-versa.  I'm not sure how possible that would
>         be, but it would certainly make these kinds of conversations
>         more available and searchable to those not "in the know".
>         ~josh
>         On Thu, May 28, 2015 at 10:07 AM, Matt Konda
>         <matt.konda at owasp.org <mailto:matt.konda at owasp.org>> wrote:
>             Hello all,
>             Sorry in advance for the long email.
>             Following up on our meeting and some discussions at
>             AppSecEU, I wanted to think more about the OWASP
>             "platform".  I see one role of the board as working to
>             make it easy for the volunteers and leaders to succeed
>             with their projects, events and community building (chapters).
>             I'm a visual person so I put this presentation together
>             with boxes and colors as a point of reference.  I'm
>             interested in your feedback (comments enabled).  Please be
>             patient with me, this is just a rough idea and is not
>             intended in any way to be a criticism of where we are and
>             what we are doing!!!  I made notes in the notes area to
>             explain my color choices.
>             https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>             Getting more concrete, I want to suggest based on this
>             thought process that we invest in Meetup as an
>             organization and hire a technical writer on a 3 month
>             contract basis.
>             Here is the long story of why:
>             I asked one successful project leader what OWASP could do
>             to remove obstacles to success and their answer
>             (paraphrasing) was something like this:
>             "We struggle with:  publicity, documentation and training
>             courses."
>             This made me think that a concrete investment we could
>             make to support projects would be to hire a contract
>             technical writer to help with documentation across
>             projects and the wiki.  Assuming a 3 month, full time gig
>             at a rate of $40 per hour (75th percentile according to
>             this http://www.bls.gov/oes/current/oes273042.htm) would
>             cost approximately 21K.
>             We could build a list of tasks focused on:
>               * Documentation for 3 projects
>               * 10 wiki page updates per week (2 per day based on
>                 google analytics top hits)
>             I imagine the person would work closely with the project
>             co-ordinator and community manager.
>             I don't know just what is realistic, but I am interested
>             in exploring ways that we can model and then build a
>             platform of core services that the foundation can provide
>             to support projects, chapters and events - with the goal
>             of making it easier to have success with our volunteers
>             and leaders.
>             What do you think?  One thing that would help me is if we
>             can think about the metrics we wanted to measure in
>             strategic goals and whether these things would move the
>             needle.  I haven't gotten there yet, but it seems to make
>             sense...
>             Input appreciated!!!
>             Matt
>             _______________________________________________
>             Owasp-board mailing list
>             Owasp-board at lists.owasp.org
>             <mailto:Owasp-board at lists.owasp.org>
>             https://lists.owasp.org/mailman/listinfo/owasp-board
>         _______________________________________________
>         Owasp-board mailing list
>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150529/fcc63db1/attachment.html>

More information about the Owasp-board mailing list