[Owasp-leaders] New OWASP project

psiinon psiinon at gmail.com
Wed Nov 2 07:51:57 EDT 2011


Hi Jason,

I think (hope:) that this new model will address many of the criticisms
that have been raised in this thread (and on various blogs).
Do we have a timeline for its introduction (phased or otherwise)?

Cheers,

Simon

On Wed, Nov 2, 2011 at 11:48 AM, Jason Li <jason.li at owasp.org> wrote:

> Yvan,
>
> The GPC has been working on a model for better classifying projects:
> http://sl.owasp.org/gpcws-jun11-projects-handbook#h.gef61ebkljiy
>
> Much of the preliminary work to categorize the projects in tentative
> statuses is already done.
>
> The limiting factors for us progressing forward right now are:
> * Having a scalable, manageable way to prominently display/administrate a
> project's status
> * Have a scalable, community-driven platform to support the project
> reviews necessary for projects to elevate their status in a timely manner
>
> We're working on solutions to these issues as quickly as volunteer time
> allows.
>
> -Jason
>
> On Nov 2, 2011, at 3:26 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>
> First and foremost, this is not a commentary on Lucas' project.  I
> personally don't see the value of it, but at the same time I haven't spent
> much time thinking about how I would use it.
>
> Most of you don't know me, so I will explain a little bit more about
> myself; I have been involved in OWASP on and off over the last several
> years at the chapter level, and have recently decided to get more involved
> in the project.  I was planning to get involved slowly, but things got
> catalyzed when Mark reached out after we released a tool I have been
> working on at Mozilla.  I am now standing in to take over the OWASP
> Security Tools for Developers project, and will be relying on the leaders
> list to help me ensure that the people currently engaged stay so.
>
> While it is pretty clear that OWASP has to remain open to new
> projects and the ideas of its members and its community, following this
> thread has shown that there is a fair amount of concern about how the OWASP
> brand is being used.
>
> I know there is some work being done in this area, but I think that it is
> critical for OWASP to assemble a mechanism for introducing and incubating
> projects to the point they are worthy of the OWASP stamp; a good model
> might be the Apache Incubator programme that facilitates projects moving
> from experiment to full fledged Apache Foundation project based on a set of
> criteria.
>
> On Tue, Nov 1, 2011 at 4:14 PM, Jason Li <jason.li at owasp.org> wrote:
>
>> All,
>>
>> OWASP encourages projects of any type, as long as they are open and
>> related to application security. Those are the only requirements for a
>> project idea. As Michael pointed out, the low barrier to entry encourages
>> participation from talented volunteers.
>>
>
> The low barrier to entry is important, but the degree of endorsement of
> the constituent projects should be commensurate with the degree of merit,
> stability, and value the project offers.  As a project matures it should
> graduate through a set of ranks, and it should be a critical milestone that
> a project has had sufficient use and review from the community before it gets
> 'blessed' as a full OWASP project.
>
>
>> Yes, that has resulted in a huge landscape of OWASP projects - all of
>> which are in various stages of maturity. This situation makes navigating
>> the OWASP Project landscape difficult. But it is not the responsibility or
>> burden of a project leader to worry about those issues. OWASP as an
>> organization should be responsible for managing the project landscape and
>> facilitating navigation of that landscape.  Project leaders should be
>> focused on their project.
>>
>>
>> There's no telling where any project will or will not go from the
>> onset. We have many projects that die on the vine after the project leader
>> realizes the use cases are limited, or that the user population isn't
>> there, or the proof of concept doesn't pan out. We have many projects that
>> grow from the inkling of an idea to wildly and unexpectedly popular
>> projects that become almost synonymous with OWASP. And we don't have the
>> crystal ball to predict which ones are which in advance.
>>
>
> That is all the more reason to build a set of success criteria, and ensure
> that there is mentorship and guidance offered to community members who
> bring time and effort to the table.  If a project or concept doesn't work
> as an isolated project, then the volunteers who are mentored will be more
> likely to engage in other project areas that might be of interest,
> especially if their mentor or the community can point them to a direct area
> they can contribute to.
>
>
>> Ultimately, it is still up to the project and its leader to succeed. A
>> project that has value will find an audience and support within the
>> community; a project that doesn't have value won't.
>>
>> But just because *you* can't see the potential value in a project doesn't
>> mean that there won't be value in it.
>>
>
> You are correct, but if value can't be demonstrated then it will be hard
> for the community to invest the time and effort to contribute to the
> project.  Having a clear demonstration of how to extract value from a
> project is an important step to enticing involvement.  A proliferation of
> projects that don't demonstrate value will eventually undermine the
> organization as people point to the under-developed or poorly managed
> constituents of the OWASP project and assume that the entire project is in
> that state.
>
>
>>
>> If we have a volunteer that *wants* to work on a project, and there's the
>> potential that even one person out there someday finds it useful, isn't
>> that worthwhile?
>>
>
> It is absolutely valuable to bring the effort, energy, and ideas into the
> community, but until the contribution converts those resources into
> something of clear, consumable value, it should not get the endorsement of
> the community.  A useless project that wastes the time of a potential
> community member, or worse a potential contributor, has eroded the project.
>
>
>> And before anyone argues that it would be more worthwhile if we diverted
>> such volunteer energy and efforts towards projects with universally
>> acknowledged potential, guess what? Volunteers work on what they want to
>> work on. That's the nature of volunteers. I believe OWASP would be *very*
>> hard pressed to "assign" volunteers to specific tasks unless they're
>> already interested in doing it anyway.
>>
>
> Engagement is an extremely challenging task when you have a team that is
> employed and has employer mandated goals, it is even more challenging when
> the people involved are volunteers.
>
> Part of engagement is ensuring that people who are contributing feel
> properly rewarded; for many open source or volunteer contributors that
> reward comes in the form of recognition from their community.  Successfully
> managing a project through an incubation process would be a significant
> accomplishment for individuals, and each step is an opportunity to
> introduce a stronger sense of community.  Each time a contributor achieves
> one of those steps they will very likely have made a personal investment
> into the OWASP project that makes it less likely that the volunteer will
> pull up stakes and move on.  When a volunteer reaches that degree of
> engagement with the community and project it becomes more likely they will
> not need to be 'assigned', they will be asking where they can contribute!
>
>
>> So if a potential project contributor has an idea that doesn't go against
>> OWASP core values and principles, and they want to commit and devote the
>> energy to work on implementing that idea, then why shouldn't we encourage
>> and support that person?
>>
>
> I don't think anyone wants to discourage contributors, but there is a
> difference between encouraging participation, and slapping the OWASP brand
> onto something of dubious value.  Too many people have invested too much
> time and effort in the history of the project to risk damaging it by not
> curating the brand in a meaningful fashion.
>
>
>> The Global Projects Committee took this approach in encouraging Lucas to
>> proceed with his project idea and we wish him good luck and success with
>> his project.
>>
>> The GPC has already been working to make the project inception process
>> more scalable. I hope that we will soon be able to provide a platform for
>> folks to comment and provide feedback on project ideas. But ultimately the
>> project leader will take the project in the direction they see fit.
>>
>
> I look forward to getting more engaged with the other leaders to keep the
> OWASP Security Tools for Developers (I don't know that I will ever get used
> to the STD acronym o_O) project moving forward!
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>