[Owasp-board] Empty and incomplete projects again

Jim Manico jim.manico at owasp.org
Fri Nov 6 15:54:08 UTC 2015


I personally like the new category to give new project leaders some time 
to flesh out their wiki pages and initial project setup. These things 
take time.

But I think Johanna (and Simon) are making a good point here. Having a 
project listed as 'in progress' and empty *for a long time* is something 
we should probably be careful about.

Perhaps we can put a time limit on this project status? Just a thought.

Aloha,
Jim



On 11/6/15 5:40 AM, johanna curiel curiel wrote:
> Hi Claudia
>
> My point to this is:
> Consult not only with the actual members of the task force if this is 
> ok but especially with actual project leaders and community in 
> general, especially because of issues in the past regarding lack of 
> activity in projects like this. It does not seem quite well in my 
> opinion to have a project listed 'in progress' that is going to be empty 
> for a long time.
>
> Adding a new category: what is the benefit of this new category and 
> why it was introduced? Could you elaborate on this part?
>
> Why not allow this category to be on a separate wiki page instead of on 
> the inventory project list for example? If this helps you administrate 
> or keep an eye on people willing to start new projects.
>
> In the past many people complained of these kinds of empty pages with 
> no content. Hope you understand that this affected the image of OWASP 
> in the past as this was discussed in many outside circles and social 
> media.
>
> The fact that I stepped out of Project reviews as reviewer does not 
> mean I do not have an eye on what happens with projects ;-)
>
> regards
>
> Johanna
>
> On Fri, Nov 6, 2015 at 11:31 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     > New Projects In Process
>
>     Hey now, what a very reasonable idea, Claudia. Do you need a new
>     project banner made for this new category?
>
>     Aloha,
>     --
>     Jim Manico
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org <https://www.owasp.org/>
>     Join me in Rome for AppSecEU 2016!
>
>     On Nov 6, 2015, at 5:25 AM, Claudia Casanovas
>     <claudia.aviles-casanovas at owasp.org
>     <mailto:claudia.aviles-casanovas at owasp.org>> wrote:
>
>>     Hi Johanna,
>>
>>     I understand and agree with community's concerns.  Although we
>>     had some conversations in the past prior to you stepping down
>>     from the Project Task Force.  The Project Task Force continued
>>     the work and meetings and agreed to add a new category "New
>>     Projects In Process".
>>
>>     I will take additional steps to meet with the Project Task Force
>>     and review your valuable concerns and recommendations. Perhaps
>>     not adding them to the Project Inventory is the first step as to
>>     not hurt the integrity of OWASP which is one of my first priorities
>>     and never my intention.
>>
>>     We will provide the community follow up and as always an
>>     opportunity to provide feedback.
>>
>>     Thank you and appreciate you bringing this to our attention.
>>
>>
>>     On Fri, Nov 6, 2015 at 5:41 AM, johanna curiel curiel
>>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>
>>         Hi Jim and the Board
>>
>>         I have been upset about this issue because I explained very
>>         well to Claudia multiple times, through Skype calls, the
>>         issues related to empty projects and all the work it has
>>         taken to clean up the inventory. Also all the work it
>>         took to set up 'Start a new project'.
>>
>>         What upset me most about this change is that it was not even
>>         communicated to the community and I think I have always been
>>         open to be consulted for advice.
>>
>>         To my surprise I go to the project page and see those empty
>>         projects, then I asked myself: what happened here?
>>
>>         I hope you understand my point of view. Especially after all
>>         the amount of work it took to clean up this, where I personally
>>         invested many hours of my free time to help this cause.
>>
>>         My advice therefore is to communicate and consult with
>>         leaders and the community. So far I still do not see the
>>         benefit of this change and it has not been explained.
>>
>>         So meanwhile we want to provide room to staff, they should
>>         also understand that they cannot go and change things like
>>         this without any form of explanation especially without
>>         providing a good justification for the change.
>>
>>         So far I want an explanation. I have been asking and I'm being
>>         ignored. Is this the way you treat volunteers?
>>
>>         regards
>>
>>         Johanna
>>
>>
>>         On Fri, Nov 6, 2015 at 5:34 AM, psiinon <psiinon at gmail.com
>>         <mailto:psiinon at gmail.com>> wrote:
>>
>>             Sure, just expressing my opinion :)
>>
>>             On Fri, Nov 6, 2015 at 12:58 AM, Jim Manico
>>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>
>>                 Simon,
>>
>>                 I agree with you in spirit. I really do not want to
>>                 see any empty projects either.
>>
>>                 Claudia has a close eye on this and I really want to
>>                 give her some room to work these issues out. The
>>                 scale of empty projects is very small right now (2)
>>                 and the world is not ending. :) Let's give Claudia
>>                 some room to do her thing, and we can all revisit
>>                 this in a few weeks to ensure progress is made.
>>
>>                 Does that seem reasonable?
>>
>>                 Aloha,
>>                 Jim
>>
>>
>>                 On 11/5/15 2:50 AM, psiinon wrote:
>>>                 I think the current rules for the minimum
>>>                 requirements for a project are very reasonable, and
>>>                 I think we should all discuss this before changing them.
>>>                 Empty project pages don't help OWASP and I don't think
>>>                 they help the projects either.
>>>
>>>                 Cheers,
>>>
>>>                 Simon
>>>
>>>                 On Thu, Nov 5, 2015 at 12:40 PM, johanna curiel
>>>                 curiel <johanna.curiel at owasp.org
>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                     Hi Claudia
>>>
>>>                     Both projects are set up under 'Documentation'
>>>
>>>                     I read the API project and at the moment there
>>>                     is no clear approach on how they will do
>>>                     research to come up with the 'top 10 API
>>>                     vulnerabilities'
>>>
>>>                     This means David has to do quite intensive
>>>                     research and gather a lot of information to be
>>>                     able to come up with a 'reasonable' 'top 10
>>>                     API'. Claudia, please familiarize yourself with how
>>>                     the OWASP TOP 10 is done and you will see how
>>>                     much input data is used over a period of *_3
>>>                     years_* to come up with the 'TOP 10'. That is
>>>                     the reason why people take the 'top 10' quite
>>>                     seriously and it has gained such a place in the
>>>                     appsec community.
>>>
>>>                     APIs are dependent on programming languages and
>>>                     frameworks, requiring quite a lot of knowledge
>>>                     of each one to come up with some useful
>>>                     information. I can assure you that after a year,
>>>                     there won't be enough information in this
>>>                     project, this is no easy piece. If he had defined
>>>                     a scope such as 'TOP ten .NET API' it would have
>>>                     been easier.
>>>
>>>                     The 'TOP ten privacy' also took more than a year
>>>                     of research before they could come up with some
>>>                     data. Keep in mind that if someone wants to do
>>>                     these kinds of projects they definitely need to
>>>                     present some serious proposal otherwise the
>>>                     chance of being an empty project or dummy data
>>>                     is almost definite.
>>>
>>>                     Dave should present a clear plan how he thinks
>>>                     he will achieve this and in the wiki page there
>>>                     is nothing conclusive and clear just 'The
>>>                     roadmap for this project is straightforward:
>>>                     we'll begin by conducting research and seeking
>>>                     feedback from developers and security auditors
>>>                     on the problems they most frequently encounter
>>>                     via web-based APIs.'
>>>
>>>                     If this is serious research there should be a
>>>                     _research proposal_ and this is not even the
>>>                     case. Documentation based on poor research
>>>                     methodologies serves serious appsec people
>>>                     no purpose. No one is going to use a 'top ten
>>>                     api' based on poor research, even worse, this
>>>                     will be damaging to OWASP's image.
>>>
>>>                     So I might sound strict, but it is not about being
>>>                     nice, but helping the project leaders to
>>>                     understand their responsibilities with OWASP if
>>>                     they want to embark on a project like this.
>>>
>>>                     Regards
>>>
>>>                     Johanna
>>>
>>>
>>>
>>>                     On Wed, Nov 4, 2015 at 6:47 PM, Claudia
>>>                     Casanovas <claudia.aviles-casanovas at owasp.org
>>>                     <mailto:claudia.aviles-casanovas at owasp.org>> wrote:
>>>
>>>                         Hi Johanna,
>>>
>>>                         These two project leaders are working on
>>>                         their completion and I will ensure both are
>>>                         completed. They are currently marked as In
>>>                         Process for the Project Task Force.
>>>
>>>                         https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project -
>>>
>>>                         Wiki Page will be Deleted as Project Leader
>>>                         has a new name
>>>                         https://www.owasp.org/index.php/OWASP_Security_Ninja_Project
>>>                         Page will be deleted (as this was only a
>>>                         name change instance) once the Project
>>>                         Leader adds the completed information.
>>>
>>>                         This particular project is taking over the
>>>                         work from the Secure Development Training
>>>                         Project which is in process of shutting down
>>>                         on which Tobias is the Project Leader and
>>>                         Chris Romeo will be taking over the project
>>>                         but with a new name and new added content. 
>>>                         The Secure Development Training Project is
>>>                         not yet merged as Chris Romeo is working on
>>>                         the content on the new wiki page.
>>>
>>>
>>>                         David Shaw is working on the content and has
>>>                         been in contact with me this week.
>>>                         https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>
>>>                         I agree on your concern and will be
>>>                         diligently working with the Project Leaders
>>>                         to ensure completion this week.
>>>
>>>
>>>
>>>
>>>                         On Wed, Nov 4, 2015 at 2:18 PM, johanna
>>>                         curiel curiel <johanna.curiel at owasp.org
>>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                             Hi Project Task Force, and members of
>>>                             the Board
>>>
>>>                             A while ago I noticed that people have
>>>                             decided to change the rules and allow
>>>                             empty projects, what that means is that
>>>                             there is nothing produced (not even a
>>>                             table of contents) and wiki pages are
>>>                             being set up as 'projects', even worse,
>>>                             templates with no content
>>>
>>>                             I feel quite disappointed to see this,
>>>                             especially after the amount of work I
>>>                             and other volunteers with some staff
>>>                             took to clean up the 'empty projects'
>>>                             These projects have no content delivered
>>>                             as mentioned on the conditions for
>>>                             starting a project
>>>
>>>                             https://www.owasp.org/index.php/OWASP_Security_Ninja_Program_Project
>>>                             https://www.owasp.org/index.php/OWASP_API_Security_Project
>>>
>>>                             Again, what is the benefit of changing
>>>                             the rules and allow this again?
>>>
>>>                             For documentation: (still is mentioned
>>>                             on the website)
>>>                             https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
>>>
>>>                             A - PROJECT
>>>
>>>                              1. Project Name,
>>>                              2. Project purpose / overview,
>>>                              3. Project Roadmap,
>>>                              4. Project links (if any) to external
>>>                                 sites,
>>>                              5. [[Guidelines_for_OWASP_Projects#Project_Licensing|Project
>>>                                 License]],
>>>                              6. Project Leader name,
>>>                              7. Project Leader email address,
>>>                              8. Project Leader wiki account - the
>>>                                 username (you'll need this to edit
>>>                                 the wiki),
>>>                              9. Project Contributor(s) (if any) -
>>>                                 name email and wiki account (if any),
>>>                             10. Project Main Links (if any).
>>>                             11. For Documentation: A table of Contents
>>>                             12. For Code: A prototype hosted in an
>>>                                 open source repository of your
>>>                                 choice. Make sure it has read access
>>>
>>>
>>>                             regards
>>>
>>>                             Johanna
>>>
>>>
>>>
>>>
>>>                         -- 
>>>
>>>
>>>                         Claudia Aviles-Casanovas
>>>                         <mailto:claudia.aviles-casanovas at owasp.org>
>>>                         Project Coordinator
>>>                         Phone:973-288-1697 <tel:973-288-1697>
>>>
>>>
>>>
>>>                     _______________________________________________
>>>                     Owasp-board mailing list
>>>                     Owasp-board at lists.owasp.org
>>>                     <mailto:Owasp-board at lists.owasp.org>
>>>                     https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>>
>>>
>>>                 -- 
>>>                 OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>>>                 Project leader
>>>
>>>
>>
>>                 -- 
>>                 Jim Manico
>>                 Global Board Member
>>                 OWASP Foundation
>>                 https://www.owasp.org
>>
>>
>>
>>
>>             -- 
>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>             leader
>>
>>
>>
>>
>>
>>     -- 
>>
>>
>>     Claudia Aviles-Casanovas <mailto:claudia.aviles-casanovas at owasp.org>
>>     Project Coordinator
>>     Phone:973-288-1697 <tel:973-288-1697>
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
