[Owasp-leaders] OWASP Developer Guide Grant Proposal
seba at owasp.org
Tue Jan 13 03:22:15 EST 2009
I am sure the upcoming Spring of Code - focused on cleaning up
existing projects - can support part of this request.
It would indeed be great to have an extra grant from a supporting
OWASP member organisation who wants to dedicate this to the OWASP
Guide. The Guide is one of our flagships, and could certainly benefit
from a complete make-over.
All: we can reach out to our contacts and search for that supporting
OWASP member(s)?
As for the "process": I think we are an 'agile' organisation.
The processes should not be rigid, or get in the way of an opportunity
to improve our products.
"OWASP can publish the resulting book for profit, offsetting this
grant's cost to OWASP."?
If we increase the Lulu price for the book by $10 and sell 1000
extra hard copies in the first year, we have $10,000 extra income.
Of course: the material on the wiki + downloadable pdf remains completely free.
On Tue, Jan 13, 2009 at 1:45 AM, Mike Boberski <mike.boberski at cox.net> wrote:
> While I don't think there's anyone on this list who's not empathetic, I
> don't think it is appropriate to support one OWASP project or another with
> such a disproportionally-sized grant unless it is being sponsored by a
> corporate member. In which case, I'm not sure why they wouldn't hire
> whomever! I guess I'm not sure why my opinion is being solicited, though.
> This solicitation is not consistent with my understanding of how the process
> works. Perhaps I'm in error or the process changed, though.
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of vanderaj
> Sent: Monday, January 12, 2009 3:51 PM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] OWASP Developer Guide Grant Proposal
> Hi folks,
> Recently, I found myself with a whole lot more time going forward, and
> instead of immediately seeking new employment in Australia, I would like to
> seek an OWASP Grant to work full time on the Developer Guide for a period of
> time, probably four to five months total. I think I can make huge in-roads
> of a major re-vamp if it's my only worry for a while, and of course if I can
> rustle up a few contributors to help!
> I'd be interested in getting your input on the grant idea, and of course,
> I'm always interested in contributors to help the Developer Guide process
> along the way!
> -- Included message I sent to the Board previously --
> Hi folks,
> I'd like to apply for a grant from OWASP to work on the Developer Guide full
> time for a few months.
> The Developer Guide is the genesis of OWASP, and one of the most read and
> used OWASP projects. Unfortunately, due to my commitments elsewhere, I've
> let it fall behind the projects. It's more than time to bring it up to date,
> tighten its focus to be solely about Building secure software, help improve
> related projects, and bring it into line with the ASVS and use ESAPI for its
> example code snippets. I would like to use a recent change in my employment
> status as a boon for OWASP and the world wide webappsec community, but I can
> only do that if I can obtain funding to allow me to do this full time for a
> Goal: To completely revamp the Developer Guide, working with the existing
> text, recruiting others to help author some of the text (see below for
> details), and making improvements or writing new articles as necessary.
> The Developer Guide's focus will change (as planned previously) to be solely
> about building new secure software, and not testing or reviewing existing
> software. Therefore, the Developer Guide will contribute existing material
> and link to the ASDR, the other Guides, and the ASVS, obviously working with
> the help of OWASP's technical editor and the other project leaders and their
> respective teams so that the changes are not surprises for the leaders of
> those projects, and correctly integrated. As I will be using ESAPI as the
> code examples, I will also help drive the adoption of ESAPI, as well as
> improve the ESAPI for PHP implementation.
> As this is a much bigger project than many other grant or season of code
> projects, I would suggest that there are multiple delivery stages, with a
> progress payment for successfully completing each stage. I think it makes
> the most sense for four stages, each one to two months long.
> I would like to work on this full time if the grant provides sufficient
> funds to support my family during this effort. If I am able to work on this
> full time, I can have it finished by OWASP EU in May of this year,
> especially if I have sufficient volunteer contributors.
> If the grant cannot support us, I would then try to deliver the project by
> OWASP USA in the latter part of the year, as I will have to seek full time
> employment upon my return to Australia.
> I would like to suggest three grants of $4000 USD each for the first three
> stages and the last stage of $2000 (so totalling $14,000 USD) over a period
> of one to two months each to allow me to work on this full time until its
> Considering the size of the project - a publishable book of approximately
> 300 pages and major enhancements to the ADSR, heavy linking and some
> improvements to the Code Review, Testing, ESAPI, and ASVS projects,
> hopefully this proposal will find a welcome reception.
> Obviously, as all copyright and rights remains with OWASP, OWASP can publish
> the resulting book for profit, offsetting this grant's cost to OWASP.
> Stage One: The vital few
> In the first stage, I intend to:
> * Re-vamp a few key chapters which are used by other OWASP materials, in
> particular, the Top 10, ASVS, and ADSR.
> * Start recruiting volunteer contributors to re-vamp both first and second
> stage chapters
> * Farm out a few of the first stage chapters to current contributors, and if
> I get a lot more, some of the second stage chapters to give them more time
> to complete their work
> I have a small number of contributors today, but nothing motivates
> contributions like a leader doing a lot of work (see the Testing Guide for
> The main focus is to re-vamp the following chapters:
> * Authentication (in progress today)
> * Access Control
> * Session Management (in progress today via a contributor)
> * Canonicalization and Input validation
> * Database Security (in progress today via a contributor)
> During the revamp, in concert with OWASP's technical editor and the other
> project leads, I will move all testing material to the testing guide (if it
> needs it) and linking, moving the code review material to the code review
> guide (if it needs it) and linking, ensure that attacks and weaknesses are
> linked to the ADSR and ensure that the ADSR article is neutral and factual
> as per a dictionary or encyclopedia article. The main body of the chapter
> will then be either put out to a recruit for re-writing or I will re-write
> it personally.
> At completion of this stage, the above chapters will make the Developer
> Guide more useful for Architects and Developers as a secure building guide
> for the majority of issues found in the OWASP Top 10.
> All applicable build related controls found in the ASVS will be covered by
> the Developer Guide. I will note the ASVS level for each Developer Guide
> implementation / control, and link to the verification in ASVS and other
> Guides to eliminate redundancy and to centralize information.
> Stage Two: The rest of the edits
> Stage Two's focus is to farm out all remaining chapters (approximately
> 10-15) to contributors, using the new Stage 1 chapters as "templates of
> goodness", with an outline of what I believe needs to be covered. I believe
> this is the quickest way to complete the Developer Guide before OWASP EU.
> Therefore, my role in Stage Two is to be the editor.
> As editor, I will make sure the articles are high quality and have a "single
> voice", iron out any English as a second language issues, and ensure links
> are in place, and ensure old material has been appropriately moved to the
> other Guides. I will work with OWASP's technical editor to ensure that these
> changes are well known and communicated amongst all the affected projects
> and leaders.
> Stage Three: Fit and Finish
> Stage Three is all about fit and finish, diagrams, and code snippets:
> * Ensure that all chapters have been received from stage two contributors,
> or re-vamp them myself. This is a last resort as it may delay the completion
> of this stage.
> * Ensure each chapter is written to the same standard as all the others
> * Write as many code examples using ESAPI as possible and ready a code
> snippet gallery for distribution online with the Developer Guide so folks
> can cut and paste it
> * Create standardized diagrams (UML sequence diagrams, etc.) for concepts
> that are more easily explained in that way
> * Create standardized screen shots as necessary
> * Communicate with OWASP's graphic designer on any "artistic" diagrams that
> may be necessary so that the Developer Guide feels professional and has a
> single graphical look and feel
> * Research latest real world examples and CVE (via NIST) and place them in
> the footnotes for each chapter
> * Ensure links to the ASVS, Top 10, Coding Guide, Testing Guide and ADSR are
> as complete as possible, and make sure those destinations are relevant and
> useful in themselves
> The majority of code examples will use ESAPI for J2EE as it is complete and
> stable. However, it's important to show code snippets in as many common
> languages as possible. Therefore, on a few key examples, I will use the
> other ports of ESAPI (.NET and PHP), and if necessary make small updates for
> ESAPI for PHP so that it can be API compatible with its J2EE counterpart.
> This will be very selective as I'm not setting out to complete the ESAPI for
> PHP port as part of this effort, but just enough to prove that ESAPI works
> in multiple languages. That said, such improvements will be fed directly
> back to the ESAPI for PHP port, thus benefiting that project, which will
> hopefully attract more developers and contributors to it.
> Stage Four: Publication
> The final stage is to prepare a manuscript for publication, either at Lulu
> (using the OWASP word document template), or a publisher's manuscript
> Once each chapter is copy complete with all diagrams and code snippets, I
> will farm out the finalized chapters for public peer review. Any review
> changes will be made to both the Word and Wiki versions.
> The document set would form the basis of the PDF for the web site. As this
> is a shorter stage, I would only be seeking USD $2000 for this stage grant.
> Please let me know your thoughts, and hopefully, with some luck, I'd love to
> start work on this as soon as possible.
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org