[Owasp-leaders] OWASP Developer Guide Grant Proposal

Gunnar Peterson gunnar at arctecgroup.net
Mon Jan 12 20:08:37 EST 2009


I agree with Mike's answer in 95% of the cases. Two additional factors that are worth considering - 1) you can count on one hand the number of people who have done as much work for OWASP as Andrew and 2) the long term value of the project to OWASP, which is high.

So I see this as a 5% case where OWASP investing in Andrew's time is likely to pay dividends that are quite satisfactory down the road.

Just my $0.02

-gunnar

On Jan 12, 2009, at 6:45 PM, Mike Boberski wrote:

> While I don't think there's anyone on this list who's not empathetic, I don't think it is appropriate to support one OWASP project or another with such a disproportionately sized grant unless it is being sponsored by a corporate member. In which case, I'm not sure why they wouldn't hire whomever! I guess I'm not sure why my opinion is being solicited, though. This solicitation is not consistent with my understanding of how the process works. Perhaps I'm in error or the process changed, though.
>
> Mike
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of vanderaj vanderaj
> Sent: Monday, January 12, 2009 3:51 PM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] OWASP Developer Guide Grant Proposal
>
> Hi folks,
>
> Recently, I found myself with a whole lot more time going forward, and instead of immediately seeking new employment in Australia, I would like to seek an OWASP Grant to work full time on the Developer Guide for a period of time, probably four to five months total. I think I can make huge inroads on a major re-vamp if it's my only worry for a while, and of course if I can rustle up a few contributors to help!
>
> I'd be interested in getting your input on the grant idea, and of course, I'm always interested in contributors to help the Developer Guide process along the way!
>
> -- Included message I sent to the Board previously --
>
> Hi folks,
>
> I'd like to apply for a grant from OWASP to work on the Developer Guide full time for a few months.
>
> The Developer Guide is the genesis of OWASP, and one of the most read and used OWASP projects. Unfortunately, due to my commitments elsewhere, I've let it fall behind the other projects. It's more than time to bring it up to date, tighten its focus to be solely about building secure software, help improve related projects, bring it into line with the ASVS, and use ESAPI for its example code snippets. I would like to use a recent change in my employment status as a boon for OWASP and the world wide webappsec community, but I can only do that if I can obtain funding to allow me to do this full time for a while.
>
> Goal: To completely revamp the Developer Guide, working with the existing text, recruiting others to help author some of the text (see below for details), and making improvements or writing new articles as necessary.
>
> The Developer Guide's focus will change (as planned previously) to be solely about building new secure software, and not testing or reviewing existing software. Therefore, the Developer Guide will contribute existing material and link to the ASDR, the other Guides, and the ASVS, obviously working with the help of OWASP's technical editor and the other project leaders and their respective teams so that the changes are not surprises for the leaders of those projects, and are correctly integrated. As I will be using ESAPI for the code examples, I will also help drive the adoption of ESAPI, as well as improve the ESAPI for PHP implementation.
>
> As this is a much bigger project than many other grant or season of code projects, I would suggest that there are multiple delivery stages, with a progress payment for successfully completing each stage. I think it makes the most sense for four stages, each one to two months long.
>
> I would like to work on this full time if the grant provides sufficient funds to support my family during this effort. If I am able to work on this full time, I can have it finished by OWASP EU in May of this year, especially if I have sufficient volunteer contributors. If the grant cannot support us, I would then try to deliver the project by OWASP USA in the latter part of the year, as I will have to seek full time employment upon my return to Australia.
>
> I would like to suggest three grants of $4000 USD each for the first three stages and a last stage of $2000 (so totalling $14,000 USD) over a period of one to two months each to allow me to work on this full time until it's done.
>
> Considering the size of the project - a publishable book of approximately 300 pages and major enhancements to the ASDR, heavy linking and some improvements to the Code Review, Testing, ESAPI, and ASVS projects - hopefully this proposal will find a welcome reception. Obviously, as all copyright and rights remain with OWASP, OWASP can publish the resulting book for profit, offsetting this grant's cost to OWASP.
>
> Stage One: The vital few
>
> In the first stage, I intend to:
>
> * Re-vamp a few key chapters which are used by other OWASP materials, in particular, the Top 10, ASVS, and ASDR.
> * Start recruiting volunteer contributors to re-vamp both first and second stage chapters
> * Farm out a few of the first stage chapters to current contributors, and if I get a lot more, some of the second stage chapters, to give them more time to complete their work
>
> I have a small number of contributors today, but nothing motivates contributions like a leader doing a lot of work (see the Testing Guide for results!).
>
> The main focus is to re-vamp the following chapters:
>
> * Authentication (in progress today)
> * Access Control
> * Session Management (in progress today via a contributor)
> * Canonicalization and Input validation
> * Database Security (in progress today via a contributor)
>
> During the revamp, in concert with OWASP's technical editor and the other project leads, I will move all testing material to the Testing Guide (if it needs it) and link to it, move the code review material to the Code Review Guide (if it needs it) and link to it, ensure that attacks and weaknesses are linked to the ASDR, and ensure that each ASDR article is neutral and factual, as per a dictionary or encyclopedia article. The main body of the chapter will then either be put out to a recruit for rewriting or I will rewrite it personally.
>
> At completion of this stage, the above chapters will make the Developer Guide more useful for Architects and Developers as a secure building guide for the majority of issues found in the OWASP Top 10. All applicable build related controls found in the ASVS will be covered by the Developer Guide. I will note the ASVS level for each Developer Guide implementation / control, and link to the verification in the ASVS and other Guides to eliminate redundancy and to centralize information.
>
> Stage Two: The rest of the edits
>
> Stage Two's focus is to farm out all remaining chapters (approximately 10-15) to contributors, using the new Stage 1 chapters as "templates of goodness", with an outline of what I believe needs to be covered. I believe this is the quickest way to complete the Developer Guide before OWASP EU. Therefore, my role in Stage Two is to be the editor.
>
> As editor, I will make sure the articles are high quality and have a "single voice", iron out any English as a second language issues, ensure links are in place, and ensure old material has been appropriately moved to the other Guides. I will work with OWASP's technical editor to ensure that these changes are well known and communicated amongst all the affected projects and leaders.
>
> Stage Three: Fit and Finish
>
> Stage Three is all about fit and finish, diagrams, and code snippets:
>
> * Ensure that all chapters have been received from stage two contributors, or re-vamp them myself. This is a last resort as it may delay the completion of this stage.
> * Ensure each chapter is written to the same standard as all the others
> * Write as many code examples using ESAPI as possible and ready a code snippet gallery for distribution online with the Developer Guide so folks can cut and paste it
> * Create standardized diagrams (UML sequence diagrams, etc.) for concepts that are more easily explained in that way
> * Create standardized screen shots as necessary
> * Communicate with OWASP's graphic designer on any "artistic" diagrams that may be necessary so that the Developer Guide feels professional and has a single graphical look and feel
> * Research the latest real world examples and CVEs (via NIST) and place them in the footnotes for each chapter
> * Ensure links to the ASVS, Top 10, Coding Guide, Testing Guide and ASDR are as complete as possible, and make sure those destinations are relevant and useful in themselves
>
> The majority of code examples will use ESAPI for J2EE as it is complete and stable. However, it's important to show code snippets in as many common languages as possible. Therefore, on a few key examples, I will use the other ports of ESAPI (.NET and PHP), and if necessary make small updates to ESAPI for PHP so that it can be API compatible with its J2EE counterpart. This will be very selective as I'm not setting out to complete the ESAPI for PHP port as part of this effort, but just enough to prove that ESAPI works in multiple languages. That said, such improvements will be fed directly back to the ESAPI for PHP port, thus benefiting that project, which will hopefully attract more developers and contributors to it.
>
> Stage Four: Publication
>
> The final stage is to prepare a manuscript for publication, either at Lulu (using the OWASP Word document template), or in a publisher's manuscript format.
>
> Once each chapter is copy complete with all diagrams and code snippets, I will farm out the finalized chapters for public peer review. Any review changes will be made to both the Word and Wiki versions.
>
> The document set would form the basis of the PDF for the web site. As this is a shorter stage, I would only be seeking USD $2000 for this stage's grant.
>
> Please let me know your thoughts, and hopefully, with some luck, I'd love to start work on this as soon as possible.
>
> thanks,
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>