<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi all, <br>
      <br>
I agree with Jim that we should be demoting inactive flagship
      projects more quickly into normal ones if they don't perform, and I
      agree with Michael on the community approach. <br>
      <br>
      All the best, Tobias<br>
      <br>
      <br>
      On 28/03/14 22:41, Michael Coates wrote:<br>
    </div>
    <blockquote
cite="mid:CAKA9LHzUJFccoavASwjBX=P7h1iLvD+pEGd5J_4_S8jWxHEnMA@mail.gmail.com"
      type="cite">
      <p dir="ltr">(On my morning walk with the dogs so apologies if I
        miss an item already mentioned in thread.)</p>
      <p dir="ltr">I'd like to propose a slight rewording of something
        Jim mentioned earlier. Instead of "I think the board needs to
        step in..." I think the answer is "the community should always
        feel empowered to raise concerns, dive in and impact real change
        by helping out." So let's do that!</p>
      <p dir="ltr">So let's get Samantha and leaders on a new thread and
        ask what's working and what isn't with the current process? How
        can we help with what we currently have? Also let's provide
        feedback on how to make it better. I bet we could make a ton of
        progress with a good email thread.</p>
      <p dir="ltr">Then let's commit this energy to our review
        process (or whatever we have after some iterations) and get the
        right projects as flagship. I saw Jim's request for project
        review yesterday and filled it out. I'm committed to reviewing
        any number of projects and I bet others are too. Let's ask again
        here.</p>
      <p dir="ltr">My guess is Samantha has many areas that could use
        some community "passion" and several people have some great
        enhancement ideas to the project quality review.</p>
      <p dir="ltr">10 day Owasp sprint on project levels? Let's see what
        we could knock out if we all focus on it.</p>
      <p dir="ltr">Anyone interested to join me?</p>
      <div class="gmail_quote">On Mar 28, 2014 7:27 AM, "Eoin Keary"
        <<a moz-do-not-send="true" href="mailto:eoin.keary@owasp.org">eoin.keary@owasp.org</a>>
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="auto">
            <div>Very generous of your chapter Josh.<br>
              <br>
              Eoin Keary
              <div>Owasp Global Board</div>
              <div><a moz-do-not-send="true"
                  href="tel:%2B353%2087%20977%202988"
                  value="+353879772988" target="_blank">+353 87 977 2988</a></div>
              <div><br>
              </div>
            </div>
            <div><br>
              On 28 Mar 2014, at 14:07, Josh Sokol <<a
                moz-do-not-send="true"
                href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>>
              wrote:<br>
              <br>
            </div>
            <blockquote type="cite">
              <div>
                <div dir="ltr">
                  <div>
                    <div>
                      <div>I'm imagining you "hulk like angry" like the
                        old skool game of Rampage and it's pretty
                        awesome.<br>
                        <br>
                      </div>
                      To be fair, there are several other, bigger
                      picture, reasons why I've decided not to make
                      SimpleRisk an OWASP project.  As a Board member
                      I'm held (and hold myself) to extra scrutiny and I
                      don't feel comfortable donating some of my code
                      while withholding the other parts that I've deemed
                      "Enterprise functionality" for my paid-for
                      SimpleRisk Extras.  And basing a SaaS model off of
                      an OWASP project feels kinda shady to me as well. 
                      Maybe this is a model that OWASP should consider
                      supporting as it would incentivize developers to
                      bring their work to OWASP knowing that the extra
                      visibility can drive interest in their paid-for
                      offerings, but I'm not willing to let my name and
                      reputation be the guinea pig for that trial.<br>
                      <br>
                    </div>
                    Is there some way to focus the Google Summer of Code
                    efforts on fixing the bugs in the flagship projects
                    to make them seaworthy again?  Could we maybe figure
                    out a way to assign point values and create a reward
                    system to incentivize independent developers to
                    bring them up to snuff?  We need to be realistic in
                    that idealism and volunteerism will only get us so
                    far in fixing this problem and money is the thing
                    that ultimately makes many people get off their
                    asses and do work.  I believe the OWASP Austin
                    Chapter is going to donate $10k of our chapter funds
                    back to the OWASP Foundation.  Would it make sense
                    to use that unexpected money toward this effort?<br>
                    <br>
                  </div>
                  ~josh<br>
                </div>
                <div class="gmail_extra"><br>
                  <br>
                  <div class="gmail_quote">On Fri, Mar 28, 2014 at 8:01
                    AM, Jim Manico <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank">jim.manico@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> I see code
                        flagship projects as being<br>
                        <br>
                        Dependency Check<br>
                        OWASP HTML Sanitizer<br>
                        Maybe AntiSamy if they clean their bugs<br>
                        OWASP Java Encoder <br>
                        OWASP JSON Sanitizer<br>
                        <br>
                        THREE of these projects I am project manager of,
                        I applied to get them reviewed last year and
                        they are all still stuck in incubator stage. I'm
                        miffed at best. There is so little benefit to
                        doing all of this at OWASP I am inclined to
                        shift them all to Apache where they will get
                        real visibility and support. Josh once said he
                        was not going to bring his project to OWASP and
                        it made me HULK LIKE ANGRY but I finally see his
                        point.<br>
                        <br>
                        - Jim<br>
                        <br>
                        <br>
                        <div>On 3/28/14, 6:20 PM, Eoin Keary wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div>+1</div>
                          <div>Flagships are IMHO</div>
                          <div>Zap</div>
                          <div>Testing guide</div>
                          <div>Ciso</div>
                          <div>SAMM</div>
                          <div>Education/training</div>
                          <div><br>
                            <br>
                            Eoin Keary
                            <div>Owasp Global Board</div>
                            <div><a moz-do-not-send="true"
                                href="tel:%2B353%2087%20977%202988"
                                value="+353879772988" target="_blank">+353
                                87 977 2988</a></div>
                            <div><br>
                            </div>
                          </div>
                          <div>
                            <div>
                              <div><br>
                                On 28 Mar 2014, at 09:46, Jim Manico
                                <<a moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_blank">jim.manico@owasp.org</a>>

                                wrote:<br>
                                <br>
                              </div>
                              <blockquote type="cite">
                                <div> This makes me very sad.<br>
                                  <br>
                                  <u>Flagship Code Projects</u><br>
                                  <br>
                                  * OWASP AntiSamy Project &lt;
                                  Abandoned, had to pay someone to
                                  update the wiki, not project leads.
                                  Roadmap is from 2011, no updates, etc.<br>
                                  <br>
                                  * OWASP Enterprise Security API &lt;
                                  Abandoned, wiki out of date, old
                                  template, no code changes, we paid
                                  good money to have a codeathon in NYC
                                  and got... nothing.<br>
                                  <br>
                                  * OWASP CSRFGuard Project &lt;
                                  Somewhat being maintained, abandoned
                                  by author but picked up by another
                                  leader, but is a horrific design and
                                  only works on the most basic of
                                  websites. This is a bad bad design for
                                  complex web 2.0 applications (since it
                                  uses JavaScript to inject tokens into
                                  the DOM, which is fraught with error).
                                  <br>
                                  <br>
                                  * OWASP ModSecurity Core Rule Set
                                  Project &lt; Awesome updates, wiki
                                  updated by project owner, <a
                                    moz-do-not-send="true"
href="https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
                                    target="_blank">https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project</a><br>
                                  <br>
                                  I've been helping manage several
                                  production quality, highly scalable
                                  secure coding components (that were
                                  written by PhD level software
                                  engineers) and I'm sad to see them
                                  still stuck in incubator.  We also
                                  have projects like Dependency Check
                                  that are incredibly fantastic tools,
                                  still stuck in incubator.<br>
                                  <br>
                                  Samantha has been working hard on
                                  this, but every time I see our project
                                  list it really upsets me because when
                                  dev folks really try to use these
                                  components; it's so far from
                                  production quality that it makes us
                                  look really bad. No wonder we can't
                                  really get developers to be a part of
                                  our community or use our stuff.<br>
                                  <br>
                                  I am sure I will get flack for this,
                                  but I stand by my opinions that this
                                  is something that is critical to fix
                                  at OWASP. I was recently trying to get
                                  a software company to be the first top
                                  tier corporate sponsor, but as part of
                                  this, they looked at our flagship
                                  projects and wiki, saw how crusty they
                                  both were, and said "no way". Sad.<br>
                                  <br>
                                  - Jim<br>
                                </div>
                              </blockquote>
                            </div>
                          </div>
                          <blockquote type="cite">
                            <div><span>_______________________________________________</span>
                              <div><br>
                                <span>Owasp-board mailing list</span><br>
                                <span><a moz-do-not-send="true"
                                    href="mailto:Owasp-board@lists.owasp.org"
                                    target="_blank">Owasp-board@lists.owasp.org</a></span><br>
                                <span><a moz-do-not-send="true"
                                    href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                                    target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a></span><br>
                              </div>
                            </div>
                          </blockquote>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>