[Owasp-leaders] New OWASP project

Jason Li jason.li at owasp.org
Tue Nov 1 19:14:23 EDT 2011


OWASP encourages projects of any type, as long as they are open and related
to application security. Those are the only requirements for a project
idea. As Michael pointed out, the low barrier to entry encourages
participation from talented volunteers.

Yes, that has resulted in a huge landscape of OWASP projects - all of which
are in various stages of maturity. This situation makes navigating the
OWASP Project landscape difficult. But it is not the responsibility or
burden of a project leader to worry about those issues. OWASP as an
organization should be responsible for managing the project landscape and
facilitating navigation of that landscape.  Project leaders should be
focused on their project.

There's no telling where any project will or will not go from the onset. We
have many projects that die on the vine after the project leader realizes
the use cases are limited, or that the user population isn't there, or the
proof of concept doesn't pan out. We have many projects that grow from the
inkling of an idea to wildly and unexpectedly popular projects that become
almost synonymous with OWASP. And we don't have the crystal ball to predict
which ones are which in advanced.

Ultimately, it is still up to the project and its leader to succeed. A
project that has value will find an audience and support within the
community; a project that doesn't have value won't.

But just because *you* can't see the potential value in a project doesn't
mean that there won't be value in it.

Note that there are a couple projects at OWASP in early stages of
development that are essentially repositories of hashes:
* https://www.owasp.org/index.php/OWASP_Secure_Password_Project
* https://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project

When we were gathering metadata about projects during our inventory process
last June, I myself was uncertain about the use case for the Favicon
Database Project. Much to my surprise, OWASP was coincidentally contacted
soon after about the project.  They wanted to confirm the licensing of the
database because they wanted to use it!

None of us are prescient enough to know what project ideas may have value
to others.

If we have a volunteer that *wants* to work on a project, and there's the
potential that even one person out there someday finds it useful, isn't
that worthwhile?

And before anyone argues that it would be more worthwhile if we diverted
such volunteer energy and efforts towards projects with universally
acknowledged potential, guess what? Volunteers work on what they want to
work on. That's the nature of volunteers. I believe OWASP would be *very*
hard pressed to "assign" volunteers to specific tasks unless they're
already interested in doing it anyway.

So if a potential project contributor has an idea that doesn't go against
OWASP core values and principles, and they want to commit and devote the
energy to work on implementing that idea, then why shouldn't we encourage
and support that person?

The Global Projects Committee took this approach in encouraging Lucas to
proceed with his project idea and we wish him good luck and success with
his project.

The GPC has already been working to make the project inception process more
scalable. I hope that we will soon be able to provide a platform for folks
to comment and provide feedback on project ideas. But ultimately the
project leader will take the project in the direction they see fit.

Global Projects Committee Chair

On Tue, Nov 1, 2011 at 7:37 AM, Lucas Ferreira <lucas.ferreira at owasp.org>wrote:

> Hello all,
> I'll hijack Michael's email to answer all previous emails in this
> thread. If I left anything out, please remind me and I'll do my best
> to provide a suitable answer.
> First, I also had doubts if this project would fit in OWASP. I then
> talked to some OWASPers and the conclusion was that it should be given
> a try. I then submitted the project proposal to the Global Projects
> Committee and it was approved.
> Second, I understand that this project is not directly linked to web
> or application security, but I think it could be used in web or
> application security tasks. As Dinis pointed out, there is the
> possibility of using the database to validate scripts or libraries in
> a convergence-inspired way. A web crawler could be used to check web
> pages and downloads, as pointed by Christian.
> In any case, if the OWASP community thinks this project does not
> belong here, I can withdraw it. No problems with that at all. So far,
> opinions are divided, so I'd ask the Projects Committee to take care
> of this and warn me if the project needs to be taken off OWASP.
> Answering more specific concerns:
> Christian, the list of data sources for the projects database is not
> closed. If you know a good source of hash data of web-related files,
> please let me know and I'll manage to include them. Regarding
> including tripwire-like functionality, it can be done. We need to
> finish writing some code to allow users to upload data to the database
> and also  a web crawler. I will post a roadmap soon. Regarding Google
> safe browsing, their approach is to work with URLs. We work with file
> contents. I think the approaches are complementary. The problem I see
> with Google is that their database is not open, as far as I know. Our
> database should be available to anyone to copy or query.
> Mark, I am aware of the MD5 collision attacks. That's why the project
> includes SHA-1 hashes too. Also, the use of both hashes combined seems
> beyond current attacks. Please note that the hashes are not stored
> with the files. Our database only includes the hashes. The process
> would be for someone to get the file, calculate the hashes and then
> check the hashes against the database.
> Well, thanks everyone for the attention and please excuse me if I
> caused any trouble.
> Regards,
> Lucas
> On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org>
> wrote:
> > This has been an interesting discussion and its a good sign that the
> > community is weighing in with various view points.
> >
> > I'd like to present a few thoughts for people to consider.
> > OWASP is built on top of a community of volunteers that are experts in
> their
> > respective fields. Our guides, tools, resources, outreach, conferences
> (and
> > more) are excellent because talented people have dedicated their time and
> > skills.
> > One of the great things that OWASP works towards is making OWASP a
> platform
> > that is easy for anyone to contribute their time and effort.  A model
> that
> > requires approval from a centralized body before a project could be
> started
> > would be a very different model than what we have now and one that I
> think
> > would diminish the successes of our community.
> > In the end, good ideas will flourish and attract more participation and
> also
> > more support from OWASP overall.  However, its very hard to know what the
> > next great idea is unless we experiment with bright minds in a variety of
> > areas.
> > With that, I say best of luck to this new project and any others that are
> > inline with the principles of OWASP.
> >
> >
> >
> > --
> > Michael Coates
> >
> >
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> --
> Homo sapiens non urinat in ventum.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20111101/49622c08/attachment.html 

More information about the OWASP-Leaders mailing list