[Owasp-board] [Owasp-leaders] Rethinking strategy regarding projects

Josh Sokol josh.sokol at owasp.org
Thu Nov 26 18:48:59 UTC 2015


This is the reason why we raised the bar to get from incubator to lab and
from lab to flagship.  Since the majority of those projects are incubator
state, they should take up very little of our resources until they fulfill
whatever our qualifications are to move them up and invest more in them.
That said, I think that a different strategy altogether on projects
wouldn't be a bad idea.  While I like the general idea of people working on
the projects that excite them, I also feel that we need to be more
strategic about what we are working on.  We need to think more about the
problems that we are trying to solve and try to allocate our limited
volunteer resources to those.  It's definitely not the OWASP way, today,
but it solves bigger problems by putting more people on them.  The starting
point with this would be trying to figure out the skill sets across our
volunteer base and figure out if there's a way to better leverage them to
accomplish our mission.

~josh

On Thu, Nov 26, 2015 at 11:02 AM, Tim <tim.morgan at owasp.org> wrote:

>
> I'm all for reform of some sort, but it should be done carefully and I
> don't know of any obvious solution to the dilution problem.  Whatever
> changes we make, let's make them conservative and targeted for now and
> see how it goes.
>
> Also, I think it is important to distinguish between software projects
> and non-software projects.  It seems our biggest issue right now is
> with people trying to write code under the OWASP brand, but not
> following through and making the software high quality.
>
> Consider for a moment the skillsets of most OWASP volunteers.  We tend
> to be security people.  It might make a lot of sense for us to write
> code for "breakers" types of projects, since only security people see
> the value in doing that and have the associated know-how.
>
> However, for "defenders" types of coding projects, does it really make
> sense to build yet more frameworks?  Sometimes this could work, but in
> most cases, how can we possibly compete with existing frameworks that
> have large numbers of volunteers and/or companies behind them?
>
>
> Better stop now before I start rambling, but those are my thoughts at
> the moment.
>
> tim
>
>
> On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
> > I think OWASP projects are critical to the foundation and I want to
> support new ideas that new projects bring.
> >
> > But I surrender. We really need to rethink the whole OWASP project
> philosophy and seek better focus and direction. We're all over the place
> and our energy is very diluted and sometimes abused.
> >
> > I have a lot of ideas, but frankly I'm not sure what the best direction
> is. But I am open to significant change.
> >
> > By the same token, we have some amazing flagship projects and I think it
> would be a tragedy if those went away.
> >
> > --
> > Jim Manico
> > Global Board Member
> > OWASP Foundation
> > https://www.owasp.org
> > Join me in Rome for AppSecEU 2016!
> >
> > > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com> wrote:
> > >
> > > I agree that this is a good time to rethink OWASP's project strategy.
> > > Creating and maintaining high quality open source projects takes a lot
> of time and effort, and can only be done in one's 'spare time' for a
> relatively short period.
> > > Successful projects need sponsorship and people who are able to
> dedicate a significant part of their working week to them.
> > > Abandoned or poorly maintained projects only damage OWASP's reputation.
> > >
> > > Should we effectively ditch all but the flagship projects? Only taking
> on new projects when they reach that level of quality?
> > > Would a tool that becomes successful in its own right _want_ to be
> adopted by OWASP?
> > > Should OWASP ditch projects altogether??
> > > Or maybe just ditch all but the documentation projects?
> > > Maybe we should just recommend open source projects, a sort of 'OWASP
> approved' badge?
> > >
> > > If we do keep some projects (and I think we should;) then what purpose
> should they serve?
> > > Providing high quality tools that help make the internet more secure?
> > > Helping people learn about security?
> > > Driving awareness of OWASP? (How would people learn about OWASP if not
> via projects like the Top 10 and ZAP?)
> > > Provide tools and features that commercial companies are not currently
> providing (effectively, or for a reasonable price)?
> > > Interested to see what other people think.
> > >
> > > Cheers,
> > >
> > > Simon
> > >
> > >
> > >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> > >> Leaders and members of the board
> > >>
> > >> As a former member of the project review team, I have been observing
> the increasing issues related to projects.
> > >> The fact is, we do not have enough volunteers nor staff to support and
> watch the quality of projects, do reviews and have supervision over them.
> > >>
> > >> More often than not, projects become dormant or inactive.
> > >> Recently the misuse of the OWASP brand has been an issue with projects
> like Benchmark and recent complaints of users from the PHPSEC project. But
> this is an ongoing issue.
> > >>
> > >> I think it is time that OWASP rethinks its strategy regarding projects
> > >>
> > >> Maybe instead of trying to offer a platform that is not sustainable,
> OWASP should adopt and sponsor projects that have already established a
> name on their own
> > >>
> > >> Nothing stops a dedicated individual from starting an open source project
> on his own. In the past when OWASP was a small organization run by
> dedicated volunteers, it worked for these couple of projects, but right now
> it is out of hand. Take a look at how many active projects are actually being
> maintained.
> > >>
> > >> Maintaining a project takes a lot of dedication and this is what
> people need to realize when starting an open source project
> > >>
> > >> What I see quite often is people wanting to misuse the OWASP brand
> instead of being willing to pull a project
> > >> That is the major reason I quit reviewing, along with the fact that we do not have
> feasible resources to produce projects that are sustainable in the long
> term.
> > >>
> > >> I'm also cancelling the proposal with regards to the bounty source
> program. The reality is that without dedicated efforts and resources, it won't
> be sustainable.
> > >>
> > >> Regards
> > >>
> > >> Johanna
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> Owasp-board mailing list
> > >> Owasp-board at lists.owasp.org
> > >> https://lists.owasp.org/mailman/listinfo/owasp-board
> > >
> > >
> > >
> > > --
> > > OWASP ZAP Project leader
>
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>