[Owasp-board] [Owasp-leaders] Rethinking strategy regarding projects

johanna curiel curiel johanna.curiel at owasp.org
Thu Nov 26 20:17:30 UTC 2015


*Simon>>*
*If we do keep some projects (and I think we should;) then what purpose
should they serve?*
Exactly, people start all kinds of projects without asking this question, but
even more: Do I have time to pull this project through (or dedicate my
weekends to it)? Is it useful for the community? Can I realise this project
to completion?

*Tim>>It seems our biggest issue right now is with people trying to write
code under the OWASP brand, but not following through and making the
software high quality.*

The problem is across all projects, not only code-based ones. Most incubator
projects get abandoned after a year. Nothing wrong with tools that become
stable like DirBuster or Joomla_scanner, which are still used in Kali Linux
and later not maintained. So yes, I agree with you Tim that the type of
project makes a huge difference.

*Jim>>We really need to rethink the whole OWASP project philosophy and seek
better focus and direction. We're all over the place and our energy is very
diluted and sometimes abused.*

Yes, I feel I have been abused when the leader of a project like Benchmark
pressured the Project Task Force team into making it LAB, and then turned around
to start a marketing campaign promoting an immature project as a mature one.

*What's next?*
We should keep the flagships, ditch all inactive projects and stop taking
new projects, because we do not have dedicated resources (nor the budget) to
evaluate new projects properly. Not even the actual ones... How do you
evaluate a security library like SeraphinDroid? You have to QA and test
deeply... We are sec folks, we should know; we preach testing and security...

*Volunteer-based reviews?*
That has been attempted so many times and has fallen hard. From the Global
Initiative 2008 till Samantha's attempts at volunteer-based project
reviewers, and even though she kept continuously looking she hardly got people
to review. I feel it was unfair to expect from her that she should fix this
'project management issue'... and right now a queue of projects is awaiting
review...

The only time project reviews ever worked, in my opinion (and not perfectly), was
when we paid a dedicated tester (Marios) and I volunteered full time for 3
months to supervise the test and verify results and the activity of the
projects, with a full-time employee (Kait Disney) on the side to do reviews
and clean up the inventory. FULL TIME JOB, 3 persons working for 3 months,
including support from 1 volunteer (Jason Johnson) to set up a VM automated
build Jenkins machine on the side... but this is not sustainable....

*So you want to start a project?*
Start it. GitHub is free, as you need 0 money for this.
Just do it and start it. Announce in the Global Connector that 'Leader X'
has started a project, but hey, go and check it, let us know what you
think....

You want to present your project at an OWASP conference? Submit a research
paper, just as happens with Black Hat. OWASP's own Arsenal... (like Black Hat
Arsenal) and sponsor the selected speakers.

You want to create documentation? Create it, then fill in the wiki page or
fill it yourself.

Create a loosely coupled relation between volunteers' efforts without the
responsibility of a process you cannot manage.

In the end, who the hell is taking the responsibility? Don't place it on
volunteers, because it has been shown it does not work. The Board? Well,
unfortunately they cannot either... they are also volunteers.

regards

Johanna





On Thu, Nov 26, 2015 at 2:48 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> This is the reason why we raised the bar to get from incubator to lab and
> from lab to flagship.  Since the majority of those projects are incubator
> state, they should take up very little of our resources until they fulfill
> whatever our qualifications are to move them up and invest more in them.
> That said, I think that a different strategy altogether on projects
> wouldn't be a bad idea.  While I like the general idea of people working on
> the projects that excite them, I also feel that we need to be more
> strategic about what we are working on.  We need to think more about the
> problems that we are trying to solve and try to allocate our limited
> volunteer resources to those.  It's definitely not the OWASP way, today,
> but it solves bigger problems by putting more people on them.  The starting
> point with this would be trying to figure out the skill sets across our
> volunteer base and figure out if there's a way to better leverage them to
> accomplish our mission.
>
> ~josh
>
> On Thu, Nov 26, 2015 at 11:02 AM, Tim <tim.morgan at owasp.org> wrote:
>
>>
>> I'm all for reform of some sort, but it should be done carefully and I
>> don't know of any obvious solution to the dilution problem.  Whatever
>> changes we make, let's make them conservative and targeted for now and
>> see how it goes.
>>
>> Also, I think it is important to distinguish between software projects
>> and non-software projects.  It seems our biggest issue right now is
>> with people trying to write code under the OWASP brand, but not
>> following through and making the software high quality.
>>
>> Consider for a moment the skillsets of most OWASP volunteers.  We tend
>> to be security people.  It might make a lot of sense for us to write
>> code for "breakers" types of projects, since only security people see
>> the value in doing that and have the associated know-how.
>>
>> However, for "defenders" types of coding projects, does it really make
>> sense to build yet more frameworks?  Sometimes this could work, but in
>> most cases, how can we possibly compete with existing frameworks that
>> have large numbers of volunteers and/or companies behind them?
>>
>>
>> Better stop now before I start rambling, but those are my thoughts at
>> the moment.
>>
>> tim
>>
>>
>> On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
>> > I think OWASP projects are critical to the foundation and I want to
>> > support new ideas that new projects bring.
>> >
>> > But I surrender. We really need to rethink the whole OWASP project
>> > philosophy and seek better focus and direction. We're all over the place
>> > and our energy is very diluted and sometimes abused.
>> >
>> > I have a lot of ideas, but frankly I'm not sure what the best direction
>> > is. But I am open to significant change.
>> >
>> > By the same token, we have some amazing flagship projects and I think
>> > it would be a tragedy if those went away.
>> >
>> > --
>> > Jim Manico
>> > Global Board Member
>> > OWASP Foundation
>> > https://www.owasp.org
>> > Join me in Rome for AppSecEU 2016!
>> >
>> > > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com> wrote:
>> > >
>> > > I agree that this is a good time to rethink OWASP's project strategy.
>> > > Creating and maintaining high quality open source projects takes a
>> > > lot of time and effort, and can only be done in one's 'spare time' for a
>> > > relatively short period.
>> > > Successful projects need sponsorship and people who are able to
>> > > dedicate a significant part of their working week to them.
>> > > Abandoned or poorly maintained projects only damage OWASP's
>> > > reputation.
>> > >
>> > > Should we effectively ditch all but the flagship projects? Only
>> > > taking on new projects when they reach that level of quality?
>> > > Would a tool that becomes successful in its own right _want_ to be
>> > > adopted by OWASP?
>> > > Should OWASP ditch projects altogether?
>> > > Or maybe just ditch all but the documentation projects?
>> > > Maybe we should just recommend open source projects, a sort of 'OWASP
>> > > approved' badge?
>> > >
>> > > If we do keep some projects (and I think we should;) then what
>> > > purpose should they serve?
>> > > Providing high quality tools that help make the internet more secure?
>> > > Helping people learn about security?
>> > > Driving awareness of OWASP? (How would people learn about OWASP if
>> > > not via projects like the Top 10 and ZAP?)
>> > > Provide tools and features that commercial companies are not
>> > > currently providing (effectively, or for a reasonable price)?
>> > > Interested to see what other people think.
>> > >
>> > > Cheers,
>> > >
>> > > Simon
>> > >
>> > >
>> > >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> > >> Leaders and members of the board
>> > >>
>> > >> As former member of the project review team, I have been observing
>> > >> the increasing issues related with projects.
>> > >> Fact is, we do not have enough volunteers nor staff to support and
>> > >> watch the quality of projects, do reviews and have supervision on them.
>> > >>
>> > >> More often than not, projects become dormant or inactive.
>> > >> Recently the misuse of the OWASP brand has been an issue with projects
>> > >> like Benchmark, and recent complaints of users from the PHPSEC project. But
>> > >> this is an ongoing issue.
>> > >>
>> > >> I think it is time that OWASP rethinks its strategy regarding projects.
>> > >>
>> > >> Maybe instead of trying to offer a platform that is not sustainable,
>> > >> OWASP should adopt and sponsor projects that have already established a
>> > >> name on their own.
>> > >>
>> > >> Nothing stops a dedicated individual from starting an open source project
>> > >> on his own. In the past, when OWASP was a small organization run by
>> > >> dedicated volunteers, it worked for these couple of projects, but right now
>> > >> it is out of hand. Take a look at how many active projects are actually being
>> > >> maintained.
>> > >>
>> > >> Maintaining a project takes a lot of dedication and this is what
>> > >> people need to realize when starting an open source project.
>> > >>
>> > >> What I see quite often is people wanting to misuse the OWASP brand
>> > >> instead of being willing to pull a project through.
>> > >> Major reason I quit from reviewing, and the fact that we do not have
>> > >> feasible resources to produce projects that are sustainable in the long
>> > >> term.
>> > >>
>> > >> I'm also cancelling the proposal with regards to the bounty source
>> > >> program. Reality is that without dedicated efforts and resources, it won't
>> > >> be sustainable.
>> > >>
>> > >> Regards
>> > >>
>> > >> Johanna
>> > >>
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> Owasp-board mailing list
>> > >> Owasp-board at lists.owasp.org
>> > >> https://lists.owasp.org/mailman/listinfo/owasp-board
>> > >
>> > >
>> > >
>> > > --
>> > > OWASP ZAP Project leader
>>
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>
>