[Owasp-board] [Owasp-community] RFP - OWASP Foundation Needs Assessment

johanna curiel curiel johanna.curiel at owasp.org
Fri Feb 5 12:40:28 UTC 2016


>>Should we strive to get to that level of maturity:  Heck yes. Will we be
there in the next year or two:  I very much doubt it.
Totally agree with you Mark.

With the RFP we get to know in more detail the issues but still just hiring
someone for a while to fix them is not going to make it maintainable in the
long term.

Making a plan for fixing the things on short, medium and long term is the
key, then you know where you will be within a period of time.

Depending on volunteers alone for these kinds of efforts makes the entire
process untenable. Volunteers are a sporadic 'work force' and tend to be
quite unreliable.

What needs to be clear is where you need continuous and constant efforts
to reach that goal and where you can count on the sporadic/irregular help
of volunteers that will make this work. This is what we have been trying to
do with the process of monitoring projects at OWASP.

My comparison to Mozilla is about the process of revising wiki documents
and having the accountable team/person behind. I used to work for the
Antillean government as webmaster in 2003 and my task was to make the whole
messy content (of all the departments of the government) a cohesive one with
a team of content providers that also contributed sporadically. Believe me,
my government didn't have even 1 million for these tasks, including my
salary ;-P.
It took me one year to get the content cohesive, including the design. I was
accountable for the end results and that made me work hard at it.

If you are a volunteer you don't feel responsible for these kinds of things.
You do it if you feel like it, if you have time. We need to make this process
easier for volunteers to participate in providing content. Right now, even if
I want to do it, it is awfully painful to sit and go through the OWASP wiki and
sit to label stuff using these instructions
<https://www.owasp.org/index.php/Wiki_Cleanup>. We need to realise how to
make things easier for participation, motivate volunteers, not darn boring
or difficult. That is also part of finding a creative solution.

Someone must feel they are responsible for managing and providing cohesive
content. That is the work of a webmaster/content manager with enough
technical skills to be able to do this properly and know when he needs
external help to fix things and propose this as part of the master plan.








On Thu, Feb 4, 2016 at 11:19 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> While I think a goal of achieving what the Mozilla Foundation has for
> their developer network is a good goal, it's not a very fair comparison:
>
> Last audited returns provided by Mozilla Foundation are 2014:  $329.5
> million in revenue [1]
>
> Latest annual budget for the OWASP Foundation - 2015:  $2,540,667 or ~
> $2.5 million in revenue [2]
>
> Mozilla has ~ 132 times OWASP's revenue so the comparison really doesn't
> work.
>
> Should we strive to get to that level of maturity:  Heck yes.
>
> Will we be there in the next year or two:  I very much doubt it.
>
> [1]  https://en.wikipedia.org/wiki/Mozilla_Foundation
>              &
>       https://www.mozilla.org/en-US/foundation/documents/
>
> [2]
> https://www.owasp.org/index.php/About_OWASP#Audited_Financial_Statements
>              &
>
> https://drive.google.com/file/d/0BxjNZI6rYJRKbnBlaHM3LTU2ckk/view?usp=sharing
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org <http://appseclive.org/> - Community and Download
> site
>
> On Thu, Feb 4, 2016 at 5:51 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Paul
>>
>> Having been quite involved with OWASP and its content for 3.5 years, I
>> can provide a quick assessment based on my experience:
>>
>> *Content management of Wiki*
>> We lack a content management team responsible/accountable to drive and
>> maintain cohesive content on the wiki. Right now the wiki is a 'messy
>> collage' of content, with sporadic volunteers but way too many people
>> creating isolated wiki pages, uncategorised and outdated content that never
>> gets properly cleaned up, even after many years.
>>
>> *Volunteer program management*
>> We lack proper implementation of a volunteer program. Volunteers need to
>> be managed and motivated so they contribute (aka work for free ;-). I think
>> we have a big gap in OWASP to motivate volunteers properly.
>>
>> *Integration of work-flow processes through Salesforce API*
>> I was a Salesforce developer for SafeBoot
>> <http://searchsecurity.techtarget.com/news/1275984/McAfee-acquires-SafeBoot-for-endpoint-encryption>
>> (bought by McAfee in 2007) and I did some heavy integration between the
>> SafeBoot website with customer portals and the Salesforce API. OWASP can do
>> the same and integrate many processes (such as the forms, requests from
>> volunteers, reports etc.) but this will require some serious development
>> and develop this process properly with involvement of the staff and
>> volunteers needs. Not sure if a 1 hour conference call with a task force of
>> volunteers (which has not been formed yet) on each type of projects
>> (Builders, Breakers, Developers) will provide an external party with little
>> knowledge about OWASP enough information about these issues.
>>
>> *Modernisation of Wiki*
>> For the wiki, we need to modernise it so we have the same level as
>> Mozilla Developer Network <https://developer.mozilla.org/en-US/> to
>> allow continuous reviews and a program properly managed to motivate
>> volunteers to work on content (Mozilla have the 'badges
>> <https://badges.mozilla.org/en-US/>' which is quite nice). It is driven
>> by volunteers, however managed by a team.
>> I contribute with content and reviews to Mozilla just because I love that
>> interface and the way the content looks (some of my contributions):
>>
>> https://developer.mozilla.org/en-US/docs/Web/SVG/Tutorial/SVG_Filters_Tutorial
>> .
>>
>> We lack volunteers working on content and doing out in a concessive way
>> and right now this is quite sporadic and messy. This also is closely
>> correlated to a proper management of volunteer contributions.
>>
>> While I think it is an excellent initiative to hire a contractor / 3rd
>> party, I think many of us involved with OWASP for some years already know
>> the answers to the problems: We need a team to manage the process and
>> implement the solutions. The assessment won't solve that problem, it will
>> only confirm what we already know.
>>
>>
>> Cheers
>>
>> Johanna
>>
>>
>>
>>
>> On Wed, Feb 3, 2016 at 9:46 PM, Paul Ritchie <paul.ritchie at owasp.org>
>> wrote:
>>
>>> Hi Johanna:
>>> I can jump in and clarify.
>>>
>>> 1. Yes, this is the initiative & budget that the Board approved in late
>>> 2015.
>>> 30 days for vendor response, and 30 days to have a community team
>>> including Staff to evaluate the proposals is pretty reasonable.
>>>
>>> 2. On the budget, yes, this is the range approved by the board.  We
>>> included the 'range' as a beginning point so we didn't get any $50K or
>>> larger proposals that would have been a waste of time for both parties.
>>>
>>> To those cc'd on this email via the group Board List.   We are looking
>>> for Volunteers to help evaluate any proposals received. If you are
>>> interested in being part of the evaluation team.....please let me know.
>>>
>>> I know there have been similar initiatives on wiki/infrastructure
>>> enhancements in the past....but I'm aiming for the Kaizen
>>> philosophy........continuing and regular improvements over time.
>>>
>>> Regards. Paul
>>>
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>>
>>>
>>> On Wed, Feb 3, 2016 at 4:25 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Kate
>>>>
>>>> Do I understand well that this RFP is only to execute an assessment
>>>>  with a time line of 60 days (+/- 2 months)?
>>>> And the budget to do this research/assessment is USD20 to 30K?
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Feb 3, 2016 at 5:33 PM, Kate Hartmann <kate.hartmann at owasp.org>
>>>> wrote:
>>>>
>>>>> OWASP Community,
>>>>>
>>>>> In late 2015, the OWASP Board approved an initiative to assess and
>>>>> update our Wiki and internal infrastructure.  The following RFP request
>>>>> includes the feedback & requirements received from various community
>>>>> leaders in order to capture various viewpoints from our diverse community.
>>>>>
>>>>> If you know of a consultant, service provider or expert who would like
>>>>> to respond to this RFP, please forward to their attention.
>>>>>
>>>>> Details about the RFP objectives and requirements are available in the
>>>>> attached document.  The document is also available here:
>>>>> https://drive.google.com/file/d/0BxI4iTO_QojvY0ItSk56aWY3WXM/view?usp=sharing
>>>>> and on the wiki here:
>>>>> https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus#Active_Initiatives
>>>>>
>>>>> Submission Information
>>>>>
>>>>> RFP open:  February 3, 2016
>>>>> RFP close:  February 29, 2016
>>>>>
>>>>> Please email proposals to owasp.foundation at owasp.org
>>>>>
>>>>> Sincerely,
>>>>> The OWASP Foundation
>>>>>
>>>>>
>>>>> ====
>>>>> Disclaimer: OWASP does not endorse or recommend commercial products or
>>>>> services allowing our community to remain vendor neutral with the
>>>>> collective wisdom of the best minds in application security worldwide.
>>>>> ====
>>>>> _______________________________________________
>>>>> Owasp-community mailing list
>>>>> Owasp-community at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>
>