[Owasp-board] Empty and incomplete projects again

psiinon psiinon at gmail.com
Thu Nov 5 12:50:02 UTC 2015


I think the current rules for the minimum requirements for a project are
very reasonable, and I think we should all discuss this before changing
them.
Empty project pages dont help OWASP and I dont think they help the projects
either.

Cheers,

Simon

On Thu, Nov 5, 2015 at 12:40 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Claudia
>
> Both projects are setup under 'Documentation'
>
> I read the API project and at the moment there is no clear approach on how
> they will do a research to come with the 'top 10 API vulnerabilities'
>
> This means David has to do a quite intensive research and gather a lot of
> information to be able to come up with a 'reasonable' 'top 10 API'.
> Claudia, please familiarize yourself how the OWASP TOP 10 is done and you
> will see how much input data is used over a period of *3 years* to come
> up with the 'TOP 10'. Thats is the reason why people take quite serious the
> 'top 10' and has gain such place in the appsec community.
>
> API's are dependent on programming languages and frameworks, requiring
> quite a lot of knowledge of each one to come up with some useful
> information. I can assure you that after a year, there won't be enough
> information in this project, this is no easy piece.If he has defined a
> scope such as ' TOP ten .NET API'  would have been easier.
>
> The 'TOP ten privacy' also took more than a year of research before they
> could come up with some data. Keep in mind that if someone wants to do
> these kind of projects they definitely need to present some serious
> proposal otherwise the chance of being and empty project or dummy data is
> almost definitely.
>
> Dave should present a clear plan how he thinks he will achieve this and in
> the wiki page there is nothing conclusive and clear just 'The roadmap for
> this project is straightforward: we'll begin by conducting research and
> seeking feedback from developers and security auditors on the problems they
> most frequently encounter via web-based APIs. "
>
> IF this is a serious research there should be a *research proposal* and
> this is not even the case. Documentation based on poor research
> methodologies serves to serious appsec people of no purpose. No one is
> going to use a 'top ten api' base on poor research , even worse, this
> will be damaging to owaps image.
>
> So I might sound strict, but is not about being nice, but helping the
> project leaders to understand their responsibilities with OWASP if they
> want to embark into a project like this.
>
> Regards
>
> Johanna
>
>
>
> On Wed, Nov 4, 2015 at 6:47 PM, Claudia Casanovas <
> claudia.aviles-casanovas at owasp.org> wrote:
>
>> Hi Johanna,
>>
>> These two project leaders are working on their completion and I will
>> ensure both are completed. They currently marked as In Process for the
>> Project Task Force.
>>
>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
>> Wiki Page will be Deleted as Project Leader has a new name https://www.
>> owasp.org/index.php/OWASP_Security_Ninja_Project
>> Page will be deleted (as this was only a name change instance) once the
>> Project Leader adds the completed information.
>>
>> This particular project is taking over the work from on Secure
>> Development Training Project which is in process of shutting down on which
>> Tobias is the Project Leader and Chris Romeo will be taking over the
>> project but with a new name and new added content.  The Secure Development
>> Training Project is not yet merged as Chris Romeo is working on the content
>> on the new wiki page.
>>
>>
>> David Shaw is working on the content and has been in contact with me this
>> week.
>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>
>> I agree on your concern and will be diligently working with the Project
>> Leaders to ensure completion this week.
>>
>>
>>
>>
>> On Wed, Nov 4, 2015 at 2:18 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Project Task Force, and members of the Board
>>>
>>> A while ago I noticed that people have decide to change the rules and
>>> allow empty projects , what that means is that there is nothing produced
>>> (not even a table of contents) and wiki pages are being setup as 'projects,
>>> even worse, templates with no content
>>>
>>> I feel quite disappointed to see this, especially after the amount of
>>> work I and other volunteers with some staff took to clean up the 'empty
>>> projects'
>>> These projects have no content delivered as mentioned on the conditions
>>> for starting a project
>>>
>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>
>>> Again, what is the benefit of changing the rules and allow this again?
>>>
>>> For documentation :(still is mentioned on the website)
>>>
>>> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>>>
>>> A - PROJECT
>>>
>>>    1. Project Name,
>>>    2. Project purpose / overview,
>>>    3. Project Roadmap,
>>>    4. Project links (if any) to external sites,
>>>    5. [[Guidelines_for_OWASP_Projects#Project_Licensing|Project
>>>    License],]
>>>    6. Project Leader name,
>>>    7. Project Leader email address,
>>>    8. Project Leader wiki account - the username (you'll need this to
>>>    edit the wiki),
>>>    9. Project Contributor(s) (if any) - name email and wiki account (if
>>>    any),
>>>    10. Project Main Links (if any).
>>>    11. For Documentation: A table of Contents
>>>    12. For Code: A prototype hosted in an open source repository of
>>>    your choice. Make sure it has read access
>>>
>>>
>>> regards
>>>
>>> Johanna
>>>
>>
>>
>>
>> --
>>
>>
>> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
>> Project Coordinator
>> Phone:973-288-1697
>>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151105/2cffb5ba/attachment-0001.html>


More information about the Owasp-board mailing list