[Owasp-board] Empty and incomplete projects again

psiinon psiinon at gmail.com
Fri Nov 6 09:34:06 UTC 2015


Sure, just expressing my opinion :)

On Fri, Nov 6, 2015 at 12:58 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Simon,
>
> I agree with you in spirit. I really do not want to see any empty projects
> either.
>
> Claudia has a close eye on this and I really want to give her some room to
> work these issues out. The scale of empty projects is very small right now
> (2) and the world is not ending. :) Let's give Claudia some room to do her
> thing, and we can all revisit this in a few weeks to ensure progress is
> made.
>
> Does that seem reasonable?
>
> Aloha,
> Jim
>
>
> On 11/5/15 2:50 AM, psiinon wrote:
>
> I think the current rules for the minimum requirements for a project are
> very reasonable, and I think we should all discuss this before changing
> them.
> Empty project pages don't help OWASP and I don't think they help the
> projects either.
>
> Cheers,
>
> Simon
>
> On Thu, Nov 5, 2015 at 12:40 PM, johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
>
>> Hi Claudia
>>
>> Both projects are set up under 'Documentation'.
>>
>> I read the API project and at the moment there is no clear approach on
>> how they will do the research to come up with the 'top 10 API
>> vulnerabilities'.
>>
>> This means David has to do quite intensive research and gather a lot of
>> information to be able to come up with a 'reasonable' 'top 10 API'.
>> Claudia, please familiarize yourself with how the OWASP TOP 10 is done and
>> you will see how much input data is used over a period of *3 years* to come
>> up with the 'TOP 10'. That is the reason why people take the 'top 10' quite
>> seriously and it has gained such a place in the appsec community.
>>
>> APIs are dependent on programming languages and frameworks, requiring
>> quite a lot of knowledge of each one to come up with some useful
>> information. I can assure you that after a year, there won't be enough
>> information in this project; this is no easy piece. If he had defined a
>> scope such as 'TOP ten .NET API', it would have been easier.
>>
>> The 'TOP ten privacy' also took more than a year of research before they
>> could come up with some data. Keep in mind that if someone wants to do
>> these kinds of projects they definitely need to present a serious
>> proposal, otherwise the chance of being an empty project or dummy data is
>> almost definite.
>>
>> Dave should present a clear plan for how he thinks he will achieve this,
>> and in the wiki page there is nothing conclusive and clear, just 'The roadmap
>> for this project is straightforward: we'll begin by conducting research and
>> seeking feedback from developers and security auditors on the problems they
>> most frequently encounter via web-based APIs.'
>>
>> If this is serious research there should be a *research proposal* and
>> this is not even the case. Documentation based on poor research
>> methodologies serves no purpose to serious appsec people. No one is
>> going to use a 'top ten api' based on poor research; even worse, this
>> will be damaging to OWASP's image.
>>
>> So I might sound strict, but it is not about being nice, but about helping
>> the project leaders to understand their responsibilities with OWASP if they
>> want to embark on a project like this.
>>
>> Regards
>>
>> Johanna
>>
>>
>>
>> On Wed, Nov 4, 2015 at 6:47 PM, Claudia Casanovas
>> <claudia.aviles-casanovas at owasp.org> wrote:
>>
>>> Hi Johanna,
>>>
>>> These two project leaders are working on their completion and I will
>>> ensure both are completed. They are currently marked as In Process for the
>>> Project Task Force.
>>>
>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
>>> Wiki Page will be Deleted as Project Leader has a new name
>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Project
>>> Page will be deleted (as this was only a name change instance) once the
>>> Project Leader adds the completed information.
>>>
>>> This particular project is taking over the work from the Secure
>>> Development Training Project, which is in the process of shutting down and
>>> on which Tobias is the Project Leader. Chris Romeo will be taking over the
>>> project but with a new name and new added content. The Secure Development
>>> Training Project is not yet merged as Chris Romeo is working on the content
>>> on the new wiki page.
>>>
>>>
>>> David Shaw is working on the content and has been in contact with me
>>> this week.
>>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>
>>> I agree on your concern and will be diligently working with the Project
>>> Leaders to ensure completion this week.
>>>
>>>
>>>
>>>
>>> On Wed, Nov 4, 2015 at 2:18 PM, johanna curiel curiel
>>> <johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Project Task Force, and members of the Board
>>>>
>>>> A while ago I noticed that people have decided to change the rules and
>>>> allow empty projects. What that means is that there is nothing produced
>>>> (not even a table of contents) and wiki pages are being set up as
>>>> 'projects', or even worse, templates with no content.
>>>>
>>>> I feel quite disappointed to see this, especially after the amount of
>>>> work I and other volunteers with some staff took to clean up the 'empty
>>>> projects'.
>>>> These projects have no content delivered as mentioned in the conditions
>>>> for starting a project:
>>>>
>>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>>>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>>
>>>> Again, what is the benefit of changing the rules and allowing this again?
>>>>
>>>> For documentation (this is still mentioned on the website):
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>>>>
>>>> A - PROJECT
>>>>
>>>>    1. Project Name,
>>>>    2. Project purpose / overview,
>>>>    3. Project Roadmap,
>>>>    4. Project links (if any) to external sites,
>>>>    5. [[Guidelines_for_OWASP_Projects#Project_Licensing|Project
>>>>    License]],
>>>>    6. Project Leader name,
>>>>    7. Project Leader email address,
>>>>    8. Project Leader wiki account - the username (you'll need this to
>>>>    edit the wiki),
>>>>    9. Project Contributor(s) (if any) - name email and wiki account
>>>>    (if any),
>>>>    10. Project Main Links (if any).
>>>>    11. For Documentation: A table of Contents
>>>>    12. For Code: A prototype hosted in an open source repository of
>>>>    your choice. Make sure it has read access
>>>>
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
>>> Project Coordinator
>>> Phone:973-288-1697
>>>
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader