[Owasp-board] Empty and incomplete projects again

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 6 15:40:41 UTC 2015


Hi Claudia

My point to this is:
Consult not only with the actual members of the task force if this is ok
but especially with actual project leaders and community in general,
especially because of issues in the past regarding lack of activity in
projects like this. It does not seem quite well in my opinion to have
project listed 'in progress' that is going to be empty for a long time.

Adding a new category: what is the benefit of this new category and why it
was introduced? Could you elaborate on this part?

Why not allow this category to be on a separate wiki page instead on the
inventory project list for example? If this helps you administrate or keep
an eye on people willing to start new projects.

In the past many people complained of these kinds of empty pages with no
content. Hope you understand that this affected the image of OWASP in the
past as this was discussed in many outside circles and social media.

The fact that I stepped out of Project reviews as reviewer does not mean I
do not have an eye on what happens with projects ;-)

regards

Johanna

On Fri, Nov 6, 2015 at 11:31 AM, Jim Manico <jim.manico at owasp.org> wrote:

> > New Projects In Process
>
> Hey now, what a very reasonable idea, Claudia. Do you need a new project
> banner made for this new category?
>
> Aloha,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> On Nov 6, 2015, at 5:25 AM, Claudia Casanovas <
> claudia.aviles-casanovas at owasp.org> wrote:
>
> Hi Johanna,
>
> I understand and agree with the community's concerns.  Although we had some
> conversations in the past prior to you stepping down from the Project Task
> Force.  The Project Task Force continued the work and meetings and agreed
> to add a new category "New Projects In Process".
>
> I will take additional steps to meet with the Project Task Force and
> review your valuable concerns and recommendations.  Perhaps not adding them
> to the Project Inventory is the first step as to not hurt the integrity of
> OWASP which is one of my first priority and never my intention.
>
> We will provide the community follow up and as always an opportunity to
> provide feedback.
>
> Thank you and appreciate you bringing this to our attention.
>
>
> On Fri, Nov 6, 2015 at 5:41 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Jim and the Board
>>
>> I have been upset about this issue because I explained very well to
>> Claudia multiple times, through Skype calls, the issues related to empty
>> projects and all the work it has been taken to clean up the inventory. Also
>> all the work it was taken to setup 'Start a new project'
>>
>> What upset me most of this change is  that it was not even communicated
>> to the community and I think I have always been open to be consulted for
>> advice
>>
>> For my surprise I go to the project page and see those empty projects,
>> then I asked myself : what happened here?
>>
>> I hope you understand my point of view. Especially after all the amount
>> of work it took to clean up this where I personally invested many hours of
>> my free time to help this cause
>>
>> My advice therefore is to communicate and consult with leaders and the
>> community. So far I still do not see the benefit of this change and has not
>> been explained.
>>
>> So meanwhile we want to provide room to staff they should also
>> understand that they cannot go and change things like things without any
>> form of explanation especially without providing a good justification for
>> the change.
>>
>> So far I want an explanation. I have been asking and I'm being ignored. Is
>> this the way you treat volunteers?
>>
>> regards
>>
>> Johanna
>>
>>
>> On Fri, Nov 6, 2015 at 5:34 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> Sure, just expressing my opinion :)
>>>
>>> On Fri, Nov 6, 2015 at 12:58 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> Simon,
>>>>
>>>> I agree with you in spirit. I really do not want to see any empty
>>>> projects either.
>>>>
>>>> Claudia has a close eye on this and I really want to give her some room
>>>> to work these issues out. The scale of empty projects is very small right
>>>> now (2) and the world is not ending. :) Let's give Claudia some room to do
>>>> her thing, and we can all revisit this in a few weeks to ensure progress is
>>>> made.
>>>>
>>>> Does that seem reasonable?
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>> On 11/5/15 2:50 AM, psiinon wrote:
>>>>
>>>> I think the current rules for the minimum requirements for a project
>>>> are very reasonable, and I think we should all discuss this before changing
>>>> them.
>>>> Empty project pages don't help OWASP and I don't think they help the
>>>> projects either.
>>>>
>>>> Cheers,
>>>>
>>>> Simon
>>>>
>>>> On Thu, Nov 5, 2015 at 12:40 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Claudia
>>>>>
>>>>> Both projects are setup under 'Documentation'
>>>>>
>>>>> I read the API project and at the moment there is no clear approach on
>>>>> how they will do a research to come with the 'top 10 API vulnerabilities'
>>>>>
>>>>> This means David has to do a quite intensive research and gather a lot
>>>>> of information to be able to come up with a 'reasonable' 'top 10 API'.
>>>>> Claudia, please familiarize yourself how the OWASP TOP 10 is done and you
>>>>> will see how much input data is used over a period of *3 years* to
>>>>> come up with the 'TOP 10'. That is the reason why people take quite
>>>>> serious the 'top 10' and has gain such place in the appsec community.
>>>>>
>>>>> API's are dependent on programming languages and frameworks, requiring
>>>>> quite a lot of knowledge of each one to come up with some useful
>>>>> information. I can assure you that after a year, there won't be enough
>>>>> information in this project, this is no easy piece. If he has defined a
>>>>> scope such as ' TOP ten .NET API'  would have been easier.
>>>>>
>>>>> The 'TOP ten privacy' also took more than a year of research before
>>>>> they could come up with some data. Keep in mind that if someone wants to do
>>>>> these kind of projects they definitely need to present some serious
>>>>> proposal otherwise the chance of being an empty project or dummy data is
>>>>> almost definitely.
>>>>>
>>>>> Dave should present a clear plan how he thinks he will achieve this
>>>>> and in the wiki page there is nothing conclusive and clear just 'The
>>>>> roadmap for this project is straightforward: we'll begin by conducting
>>>>> research and seeking feedback from developers and security auditors on the
>>>>> problems they most frequently encounter via web-based APIs.'
>>>>>
>>>>> If this is a serious research there should be a *research proposal*
>>>>> and this is not even the case. Documentation based on poor research
>>>>> methodologies serves to serious appsec people of no purpose. No one is
>>>>> going to use a 'top ten api' based on poor research, even worse, this
>>>>> will be damaging to OWASP's image.
>>>>>
>>>>> So I might sound strict, but is not about being nice, but helping the
>>>>> project leaders to understand their responsibilities with OWASP if they
>>>>> want to embark into a project like this.
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Nov 4, 2015 at 6:47 PM, Claudia Casanovas <
>>>>> claudia.aviles-casanovas at owasp.org> wrote:
>>>>>
>>>>>> Hi Johanna,
>>>>>>
>>>>>> These two project leaders are working on their completion and I will
>>>>>> ensure both are completed. They are currently marked as In Process for the
>>>>>> Project Task Force.
>>>>>>
>>>>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
>>>>>> Wiki Page will be Deleted as Project Leader has a new name
>>>>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Project
>>>>>> Page will be deleted (as this was only a name change instance) once
>>>>>> the Project Leader adds the completed information.
>>>>>>
>>>>>> This particular project is taking over the work from on Secure
>>>>>> Development Training Project which is in process of shutting down on which
>>>>>> Tobias is the Project Leader and Chris Romeo will be taking over the
>>>>>> project but with a new name and new added content.  The Secure Development
>>>>>> Training Project is not yet merged as Chris Romeo is working on the content
>>>>>> on the new wiki page.
>>>>>>
>>>>>>
>>>>>> David Shaw is working on the content and has been in contact with me
>>>>>> this week.
>>>>>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>>>>
>>>>>> I agree on your concern and will be diligently working with the
>>>>>> Project Leaders to ensure completion this week.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Nov 4, 2015 at 2:18 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Hi Project Task Force, and members of the Board
>>>>>>>
>>>>>>> A while ago I noticed that people have decided to change the rules
>>>>>>> and allow empty projects, what that means is that there is nothing
>>>>>>> produced (not even a table of contents) and wiki pages are being setup as
>>>>>>> 'projects', even worse, templates with no content
>>>>>>>
>>>>>>> I feel quite disappointed to see this, especially after the amount
>>>>>>> of work I and other volunteers with some staff took to clean up the 'empty
>>>>>>> projects'
>>>>>>> These projects have no content delivered as mentioned on the
>>>>>>> conditions for starting a project
>>>>>>>
>>>>>>> https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>>>>>>> https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>>>>>
>>>>>>> Again, what is the benefit of changing the rules and allow this
>>>>>>> again?
>>>>>>>
>>>>>>> For documentation: (still is mentioned on the website)
>>>>>>>
>>>>>>> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>>>>>>>
>>>>>>> A - PROJECT
>>>>>>>
>>>>>>>    1. Project Name,
>>>>>>>    2. Project purpose / overview,
>>>>>>>    3. Project Roadmap,
>>>>>>>    4. Project links (if any) to external sites,
>>>>>>>    5. Project License,
>>>>>>>    6. Project Leader name,
>>>>>>>    7. Project Leader email address,
>>>>>>>    8. Project Leader wiki account - the username (you'll need this
>>>>>>>    to edit the wiki),
>>>>>>>    9. Project Contributor(s) (if any) - name email and wiki account
>>>>>>>    (if any),
>>>>>>>    10. Project Main Links (if any).
>>>>>>>    11. For Documentation: A table of Contents
>>>>>>>    12. For Code: A prototype hosted in an open source repository of
>>>>>>>    your choice. Make sure it has read access
>>>>>>>
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>>
>>>>>> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
>>>>>> Project Coordinator
>>>>>> Phone:973-288-1697
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>>
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>>
>
>
> --
>
>
> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
> Project Coordinator
> Phone:973-288-1697
>
>