[Owasp-board] Empty and incomplete projects again

Jim Manico jim.manico at owasp.org
Fri Nov 6 00:58:34 UTC 2015


I agree with you in spirit. I really do not want to see any empty 
projects either.

Claudia has a close eye on this and I really want to give her some room 
to work these issues out. The scale of empty projects is very small 
right now (2) and the world is not ending. :) Let's give Claudia some 
room to do her thing, and we can all revisit this in a few weeks to 
ensure progress is made.

Does that seem reasonable?


On 11/5/15 2:50 AM, psiinon wrote:
> I think the current rules for the minimum requirements for a project 
> are very reasonable, and I think we should all discuss this before 
> changing them.
> Empty project pages don't help OWASP and I don't think they help the 
> projects either.
> Cheers,
> Simon
> On Thu, Nov 5, 2015 at 12:40 PM, johanna curiel curiel 
> <johanna.curiel at owasp.org> wrote:
>     Hi Claudia
>     Both projects are set up under 'Documentation'
>     I read the API project and at the moment there is no clear
>     approach on how they will do research to come up with the 'top 10
>     API vulnerabilities'
>     This means David has to do quite intensive research and gather a
>     lot of information to be able to come up with a 'reasonable' 'top
>     10 API'. Claudia, please familiarize yourself with how the OWASP TOP 10
>     is done and you will see how much input data is used over a period
>     of *_3 years_* to come up with the 'TOP 10'. That is the reason
>     why people take the 'top 10' quite seriously and it has gained such a
>     place in the appsec community.
>     APIs are dependent on programming languages and frameworks,
>     requiring quite a lot of knowledge of each one to come up with
>     some useful information. I can assure you that after a year, there
>     won't be enough information in this project; this is no easy
>     piece. If he had defined a scope such as 'TOP ten .NET API' it would
>     have been easier.
>     The 'TOP ten privacy' also took more than a year of research
>     before they could come up with some data. Keep in mind that if
>     someone wants to do this kind of project they definitely need to
>     present a serious proposal, otherwise the chance of it being an
>     empty project or dummy data is almost definite.
>     Dave should present a clear plan for how he thinks he will achieve
>     this, and in the wiki page there is nothing conclusive and clear,
>     just "The roadmap for this project is straightforward: we'll begin
>     by conducting research and seeking feedback from developers and
>     security auditors on the problems they most frequently encounter
>     via web-based APIs."
>     If this is serious research there should be a _research
>     proposal_ and this is not even the case. Documentation based on
>     poor research methodologies serves no purpose to serious appsec
>     people. No one is going to use a 'top ten api' based on poor
>     research; even worse, this will be damaging to OWASP's image.
>     So I might sound strict, but it is not about being nice, but helping
>     the project leaders to understand their responsibilities with
>     OWASP if they want to embark on a project like this.
>     Regards
>     Johanna
>     On Wed, Nov 4, 2015 at 6:47 PM, Claudia Casanovas
>     <claudia.aviles-casanovas at owasp.org> wrote:
>         Hi Johanna,
>         These two project leaders are working on their completion and
>         I will ensure both are completed. They are currently marked as In
>         Process for the Project Task Force.
>         https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
>         Wiki Page will be Deleted as Project Leader has a new name
>         https://www.owasp.org/index.php/OWASP_Security_Ninja_Project
>         Page will be deleted (as this was only a name change instance)
>         once the Project Leader adds the completed information.
>         This particular project is taking over the work from the Secure
>         Development Training Project, which is in the process of shutting
>         down and of which Tobias is the Project Leader, and Chris Romeo
>         will be taking over the project but with a new name and new
>         added content.  The Secure Development Training Project is not
>         yet merged as Chris Romeo is working on the content on the new
>         wiki page.
>         David Shaw is working on the content and has been in contact
>         with me this week.
>         https://www.owasp.org/index.php/OWASP_API_Security_Project
>         I agree with your concern and will be diligently working with
>         the Project Leaders to ensure completion this week.
>         On Wed, Nov 4, 2015 at 2:18 PM, johanna curiel curiel
>         <johanna.curiel at owasp.org> wrote:
>             Hi Project Task Force, and members of the Board
>             A while ago I noticed that people have decided to change
>             the rules and allow empty projects. What that means is
>             that there is nothing produced (not even a table of
>             contents) and wiki pages are being set up as 'projects',
>             even worse, templates with no content.
>             I feel quite disappointed to see this, especially after
>             the amount of work I and other volunteers with some staff
>             took to clean up the 'empty projects'
>             These projects have no content delivered as mentioned on
>             the conditions for starting a project
>             https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>             https://www.owasp.org/index.php/OWASP_API_Security_Project
>             Again, what is the benefit of changing the rules and allowing
>             this again?
>             For documentation: (still is mentioned on the website)
>             https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>             A - PROJECT
>              1. Project Name,
>              2. Project purpose / overview,
>              3. Project Roadmap,
>              4. Project links (if any) to external sites,
>              5. [[Guidelines_for_OWASP_Projects#Project_Licensing|Project
>                 License]],
>              6. Project Leader name,
>              7. Project Leader email address,
>              8. Project Leader wiki account - the username (you'll
>                 need this to edit the wiki),
>              9. Project Contributor(s) (if any) - name email and wiki
>                 account (if any),
>             10. Project Main Links (if any).
>             11. For Documentation: A table of Contents
>             12. For Code: A prototype hosted in an open source
>                 repository of your choice. Make sure it has read access
>             regards
>             Johanna
>         -- 
>         Claudia Aviles-Casanovas
>         <mailto:claudia.aviles-casanovas at owasp.org>
>         Project Coordinator
>         Phone: 973-288-1697
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-board
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

Jim Manico
Global Board Member
OWASP Foundation
