[Owasp-board] Empty and incomplete projects again

johanna curiel curiel johanna.curiel at owasp.org
Thu Nov 5 12:40:25 UTC 2015


Hi Claudia

Both projects are setup under 'Documentation'

I read the API project and at the moment there is no clear approach on how
they will do research to come up with the 'top 10 API vulnerabilities'.

This means David has to do quite intensive research and gather a lot of
information to be able to come up with a 'reasonable' 'top 10 API'.
Claudia, please familiarize yourself with how the OWASP TOP 10 is done and you
will see how much input data is used over a period of *3 years* to come up
with the 'TOP 10'. That is the reason why people take the 'top 10' quite
seriously and it has gained such a place in the appsec community.

APIs are dependent on programming languages and frameworks, requiring
quite a lot of knowledge of each one to come up with some useful
information. I can assure you that after a year, there won't be enough
information in this project; this is no easy piece. If he had defined a
scope such as 'TOP ten .NET API' it would have been easier.

The 'TOP ten privacy' also took more than a year of research before they
could come up with some data. Keep in mind that if someone wants to do
these kinds of projects they definitely need to present some serious
proposal, otherwise the chance of it being an empty project or dummy data is
almost a certainty.

Dave should present a clear plan of how he thinks he will achieve this, and on
the wiki page there is nothing conclusive and clear, just: 'The roadmap for
this project is straightforward: we'll begin by conducting research and
seeking feedback from developers and security auditors on the problems they
most frequently encounter via web-based APIs.'

IF this is serious research there should be a *research proposal*, and
this is not even the case. Documentation based on poor research
methodologies serves no purpose to serious appsec people. No one is
going to use a 'top ten api' based on poor research; even worse, this will
be damaging to OWASP's image.

So I might sound strict, but it is not about being nice, but about helping the
project leaders to understand their responsibilities with OWASP if they
want to embark on a project like this.

Regards

Johanna



On Wed, Nov 4, 2015 at 6:47 PM, Claudia Casanovas <
claudia.aviles-casanovas at owasp.org> wrote:

> Hi Johanna,
>
> These two project leaders are working on their completion and I will
> ensure both are completed. They are currently marked as In Process for the
> Project Task Force.
>
> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
> Wiki Page will be Deleted as Project Leader has a new name
> https://www.owasp.org/index.php/OWASP_Security_Ninja_Project
> Page will be deleted (as this was only a name change instance) once the
> Project Leader adds the completed information.
>
> This particular project is taking over the work from the Secure
> Development Training Project, which is in the process of shutting down, on which
> Tobias is the Project Leader, and Chris Romeo will be taking over the
> project but with a new name and new added content.  The Secure Development
> Training Project is not yet merged as Chris Romeo is working on the content
> on the new wiki page.
>
>
> David Shaw is working on the content and has been in contact with me this
> week.
> https://www.owasp.org/index.php/OWASP_API_Security_Project
>
> I agree on your concern and will be diligently working with the Project
> Leaders to ensure completion this week.
>
>
>
>
> On Wed, Nov 4, 2015 at 2:18 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Project Task Force, and members of the Board
>>
>> A while ago I noticed that people have decided to change the rules and
>> allow empty projects, which means that there is nothing produced
>> (not even a table of contents) and wiki pages are being set up as 'projects',
>> even worse, templates with no content.
>>
>> I feel quite disappointed to see this, especially after the amount of
>> work I and other volunteers with some staff took to clean up the 'empty
>> projects'.
>> These projects have no content delivered as mentioned in the conditions
>> for starting a project:
>>
>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>
>> Again, what is the benefit of changing the rules and allowing this again?
>>
>> For documentation (this is still mentioned on the website):
>>
>> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>>
>> A - PROJECT
>>
>>    1. Project Name,
>>    2. Project purpose / overview,
>>    3. Project Roadmap,
>>    4. Project links (if any) to external sites,
>>    5. [[Guidelines_for_OWASP_Projects#Project_Licensing|Project
>>    License]],
>>    6. Project Leader name,
>>    7. Project Leader email address,
>>    8. Project Leader wiki account - the username (you'll need this to
>>    edit the wiki),
>>    9. Project Contributor(s) (if any) - name email and wiki account (if
>>    any),
>>    10. Project Main Links (if any).
>>    11. For Documentation: A table of Contents
>>    12. For Code: A prototype hosted in an open source repository of your
>>    choice. Make sure it has read access
>>
>>
>> regards
>>
>> Johanna
>>
>
>
>
> --
>
>
> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
> Project Coordinator
> Phone:973-288-1697
>

