<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Matt,<br>
    <br>
    A polite counterpoint. This checklist does not address any of the
    modern JavaScript frameworks or modern identity methods (SAML,
    OAuth, OIDC, etc). These items are very important for secure coding
    today.<br>
    <br>
    I would love to see this checklist undergo a cleanup and update.<br>
    <br>
    Respectfully,<br>
    Jim<br>
    <br>
    <div class="moz-cite-prefix">On 6/22/15 5:55 PM, Matt Tesauro wrote:<br>
    </div>
    <blockquote
cite="mid:CALKUk+N3AKS6LcyV9ueK35GFnNmdn01e_kA+iiLemyemmxk=+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">Johanna, 
        <div><br>
        </div>
        <div>Generally speaking, I think the work with Project Review
          team has been stellar and the use of OpenHub is extremely
          useful.</div>
        <div><br>
        </div>
        <div>I do think there's a big difference and gap in accuracy
          between "code-ish" projects and documentation projects.  If
          all docs were written in a markup and stored in Git, then we'd
          be in a better position but that is not the usual situation -
          more like an extreme statistical outlier.</div>
        <div><br>
        </div>
        <div>The one place I've seen this not work - and I preface this
          with the fact that one specific case does not invalidate the
          entire process - is the Secure Coding Practices Quick
          Reference Guide [1].</div>
        <div><br>
        </div>
        <div>This is listed as a "Low Activity Project" on the project
          page: <a moz-do-not-send="true"
href="https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory">https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory</a></div>
        <div><br>
        </div>
        <div>However, this project is still VERY useful and I continue
          to recommend its use today.  It was very solid when Boeing
          donated it to OWASP and really hasn't _needed_ activity to
          remain useful.  While most projects, especially coding
          projects, deteriorate over time and 'get stale', some projects
          like this don't require much care and feeding to remain
          useful.</div>
        <div><br>
        </div>
        <div>I worked on the Global Projects Committee (GPC) when it
          existed and this was a problem at that time as well.  It's very
          hard to find ~the one metric~ or set of metrics which work
          well across the diversity of our projects.  We created
          separate criteria for projects vs code and even that really
          isn't a 100% method to categorize projects - there are things
          which don't fall cleanly into either category - like the OWASP
          WTE - it's a collection of easy to consume tools and
          documentation and some automation/code to package those things
          up.  Is that code or a doc?  Who knows.  How about the OWASP
          Legal Project?  It's sort of a doc but not entirely.</div>
        <div><br>
        </div>
        <div>If I had the magic answer I would have proposed it long ago
          on the GPC - it's something you will struggle with.  I just
          want to make sure that we don't inadvertently 'downgrade'
          projects which don't fit the metrics well but are still
          useful.</div>
        <div><br>
        </div>
        <div>And, I agree 100% that project review is a VERY LABOR
          INTENSIVE process.  Maybe we need to round up some college
          kids and find a way to non-financially reward them for doing
          some project reviews for the Foundation.  That's not a bad
          pool of pretty smart people who generally have some spare time
          on their hands and are looking for resume/vita building
          activities.</div>
        <div><br>
        </div>
        <div>Cheers! </div>
        <div><br>
        </div>
        <div>[1] <a moz-do-not-send="true"
href="https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide">https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide</a></div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div class="gmail_signature">--<br>
              -- Matt Tesauro<br>
              OWASP WTE Project Lead<br>
              <a moz-do-not-send="true"
                href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project"
                target="_blank">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>
              <a moz-do-not-send="true" href="http://AppSecLive.org"
                target="_blank">http://AppSecLive.org</a> - Community
              and Download site
              <div>OWASP OpenStack Security Project Lead
                <div><a moz-do-not-send="true"
                    href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project"
                    target="_blank">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Sun, Jun 21, 2015 at 3:56 PM,
            johanna curiel curiel <span dir="ltr">&lt;<a
                moz-do-not-send="true"
                href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">Matt
                <div><br>
                </div>
                <div>Yes indeed. In 2013 a Project Review team created
                  these criteria (I was one of them)</div>
                <div><br>
                </div>
                <div><a moz-do-not-send="true"
href="https://docs.google.com/spreadsheets/d/1upIyG0L-P-myUM6EPg0aJmCTDvJrdqaVdnjdNBME9is/edit?usp=sharing"
                    target="_blank">https://docs.google.com/spreadsheets/d/1upIyG0L-P-myUM6EPg0aJmCTDvJrdqaVdnjdNBME9is/edit?usp=sharing</a><br>
                </div>
                <div><br>
                </div>
                <div>We have been using automated tools for tracking
                  like Openhub and SWAMP, but checking quality of
                  documentation and testing is more labor intensive.</div>
                <div><br>
                </div>
                <div>Timo, for example, is a developer and has been
                  giving a hand on this, as have I, and when we hired a
                  Tester to help us out with project reviews last year.</div>
                <div><br>
                </div>
                <div>Still, as mentioned before, it is labor intensive.
                  We are looking at ideas to help us automate as much as
                  possible, but the human component is indispensable so
                  far.</div>
                <div><br>
                </div>
                <div>regards</div>
                <span class="HOEnZb"><font color="#888888">
                    <div><br>
                    </div>
                    <div>Johanna</div>
                    <div><br>
                    </div>
                  </font></span></div>
              <div class="HOEnZb">
                <div class="h5">
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">On Sun, Jun 21, 2015 at
                      4:37 PM, Matt Konda <span dir="ltr">&lt;<a
                          moz-do-not-send="true"
                          href="mailto:matt.konda@owasp.org"
                          target="_blank">matt.konda@owasp.org</a>&gt;</span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div dir="ltr">Johanna,
                          <div><br>
                          </div>
                          <div>This is cool.  I hadn't seen this view
                            yet.  Do we have a way to establish maturity
                            of documentation, testing, issue response?</div>
                          <div><br>
                          </div>
                          <div>I am interested to chat more sometime.</div>
                          <span><font color="#888888">
                              <div><br>
                              </div>
                              <div>Matt</div>
                              <div><br>
                              </div>
                            </font></span></div>
                        <div>
                          <div>
                            <div class="gmail_extra"><br>
                              <div class="gmail_quote">On Sun, Jun 21,
                                2015 at 4:13 PM, johanna curiel curiel <span
                                  dir="ltr">&lt;<a
                                    moz-do-not-send="true"
                                    href="mailto:johanna.curiel@owasp.org"
                                    target="_blank">johanna.curiel@owasp.org</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  <div dir="ltr">Hi MAtt
                                    <div><br>
                                    </div>
                                    <div>Not sure if you are aware, we
                                      are using Openhub to track
                                      projects. It gives us a quite
                                      complete report of the activity
                                      level of all the OWASP projects
                                      using an open repository so we can
                                      track them.</div>
                                    <div><a moz-do-not-send="true"
                                        href="https://www.openhub.net/orgs/OWASP"
                                        target="_blank">https://www.openhub.net/orgs/OWASP</a><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>I try to register them here and
                                      keep track. The main issue is
                                      empty projects, but we have reduced
                                      significantly the amount of empty
                                      projects; however, there are some
                                      beginning with some lines of code
                                      and this is what still concerns us,
                                      because a few pages of text or
                                      some lines of code cannot be
                                      really considered a 'project'. This
                                      is where Timo and other members
                                      have expressed their concern.</div>
                                    <div><br>
                                    </div>
                                    <div>I would like to discuss further
                                      your ideas on how to improve the
                                      project platform faster and get
                                      more quality projects to a certain
                                      status</div>
                                    <div><br>
                                    </div>
                                    <div>regards</div>
                                    <span><font color="#888888">
                                        <div><br>
                                        </div>
                                        <div>Johanna</div>
                                      </font></span></div>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a>
Join me at AppSecUSA 2015!</pre>
  </body>
</html>