[Owasp-leaders] New OWASP project

John Wilander john.wilander at owasp.org
Wed Nov 2 15:21:45 EDT 2011


I quickly browsed the proposed project model. Looking good. Especially the incubator-->labs-->flagship staging. As long as we keep incubator bureaucracy to a minimum and demand that incubator projects present themselves as such (i.e. not just an "OWASP project") I'm all for it.

Internally, leaders can cope with a plethora of initiatives and incubator projects. But for developers and product owners approaching OWASP for the first time the message has to be clear -- This is how you secure your web apps.

   /John

-- 
My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

2 nov 2011 kl. 12:48 skrev Jason Li <jason.li at owasp.org>:

> Yvan,
> 
> The GPC has been working on a model for better classifying projects:
> http://sl.owasp.org/gpcws-jun11-projects-handbook#h.gef61ebkljiy
> 
> Much of the preliminary work to categorize the projects in tentative statuses is already done.
> 
> The limiting factors for us progressing forward right now are:
> * Having a scalable, manageable way to prominently display/administrate a project's status
> * Have a scalable, community-driven platform to support the project reviews necessary for projects to elevate their status in a timely manner
> 
> We're working on solutions to these issues as quickly as volunteer time allows.
> 
> -Jason
> 
> On Nov 2, 2011, at 3:26 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> 
>> First and foremost, this is not a commentary on Lucas' project.  I personally don't see the value of it, but at the same time I haven't spent much time thinking about how I would use it.
>> 
>> Most of you don't know me, so I will explain a little bit more about myself; I have been involved in OWASP on and off over the last several years at the chapter level, and have recently decided to get more involved in the project.  I was planning to get involved slowly, but things got catalyzed when Mark reached out after we released a tool I have been working on at Mozilla.  I am now standing in to take over the OWASP Security Tools for Developers project, and will be relying on the leaders list to help me ensure that the people currently engaged stay so.
>> 
>> While it is pretty clear that while OWASP has to remain open to new projects and the ideas of its members and its community, following this thread has shown that there is a fair amount of concern about how the OWASP brand is being used.
>> 
>> I know there is some work being done in this area, but I think that it is critical for OWASP to assemble a mechanism for introducing and incubating projects to the point they are worthy of the OWASP  stamp; a good model might be the Apache Incubator programme that facilitates projects moving from experiment to full fledged Apache Foundation project based on a set of criteria.
>> 
>> On Tue, Nov 1, 2011 at 4:14 PM, Jason Li <jason.li at owasp.org> wrote:
>> All, 
>> 
>> OWASP encourages projects of any type, as long as they are open and related to application security. Those are the only requirements for a project idea. As Michael pointed out, the low barrier to entry encourages participation from talented volunteers. 
>> 
>> The low barrier to entry is important, but the degree of endorsement of the constituent projects should be commensurate with the degree of merit, stability, and value the project offers.  As a project matures it should graduate through a set of ranks and it should be a critical milestone that has had sufficient use and review from the community before something gets 'blessed' as a full OWASP project.
>>  
>> Yes, that has resulted in a huge landscape of OWASP projects - all of which are in various stages of maturity. This situation makes navigating the OWASP Project landscape difficult. But it is not the responsibility or burden of a project leader to worry about those issues. OWASP as an organization should be responsible for managing the project landscape and facilitating navigation of that landscape.  Project leaders should be focused on their project.
>>  
>> There's no telling where any project will or will not go from the onset. We have many projects that die on the vine after the project leader realizes the use cases are limited, or that the user population isn't there, or the proof of concept doesn't pan out. We have many projects that grow from the inkling of an idea to wildly and unexpectedly popular projects that become almost synonymous with OWASP. And we don't have the crystal ball to predict which ones are which in advanced.
>> 
>> That is all the more reason to build a set of success criteria, and ensure that there is mentorship and guidance offered to community members who bring time and effort to the table.  If a project or concept doesn't work as an isolated project, then the volunteers who are mentored will be more likely to engage in other project areas that might be of interest, especially if their mentor or the community can point them to a direct area they can contribute to.
>>  
>> Ultimately, it is still up to the project and its leader to succeed. A project that has value will find an audience and support within the community; a project that doesn't have value won't.
>> 
>> But just because *you* can't see the potential value in a project doesn't mean that there won't be value in it.
>> 
>> You are correct, but if value can't be demonstrated then it will be hard for the community to invest the time and effort to contribute to the project.  Having a clear demonstration of how to extract value from a project is an important step to enticing involvement.  A proliferation of projects that don't demonstrate value will eventually undermine the organization as people point to the under-developed or poorly managed constituents of the OWASP project and assume that the entire project is in that state.
>>  
>> 
>> If we have a volunteer that *wants* to work on a project, and there's the potential that even one person out there someday finds it useful, isn't that worthwhile?
>> 
>> It is absolutely valuable to bring the effort, energy, and ideas into the community, but until it the contribution converts those resources into something of clear, consumable value, it should not get the endorsement of the community.  A useless project that wastes the time of a potential community member, or worse a potential contributor, has eroded the project.
>>  
>> And before anyone argues that it would be more worthwhile if we diverted such volunteer energy and efforts towards projects with universally acknowledged potential, guess what? Volunteers work on what they want to work on. That's the nature of volunteers. I believe OWASP would be *very* hard pressed to "assign" volunteers to specific tasks unless they're already interested in doing it anyway.
>> 
>> Engagement is an extremely challenging task when you have a team that is employed and has employer mandated goals, it is even more challenging when the people involved are volunteers.  
>> 
>> Part of engagement is ensuring that people who are contributing feel properly rewarded; for many open source or volunteer contributors that reward comes in the form of recognition from their community.  Successfully managing a project through an incubation process would be a significant accomplishment for individuals, and each step is an opportunity to introduce a stronger sense of community.  Each time a contributer achieves one of those steps they will very likely have made a personal investment into the OWASP project that makes it less likely that the volunteer will pull up stakes and move on.  When a volunteer reaches that degree of engagement with the community and project it becomes more likely they will not need to be 'assigned', they will be asking where they can contribute!
>>  
>> So if a potential project contributor has an idea that doesn't go against OWASP core values and principles, and they want to commit and devote the energy to work on implementing that idea, then why shouldn't we encourage and support that person?
>> 
>> I don't think anyone is wants to discourage contributors, but there is a difference between encouraging participation, and slapping the OWASP brand onto something of dubious value.  Too many people have invested too much time and effort in the history of the project to risk damaging it by not curating the brand in a meaningful fashion.
>>  
>> The Global Projects Committee took this approach in encouraging Lucas to proceed with his project idea and we wish him good luck and success with his project.
>> 
>> The GPC has already been working to make the project inception process more scalable. I hope that we will soon be able to provide a platform for folks to comment and provide feedback on project ideas. But ultimately the project leader will take the project in the direction they see fit.
>>  
>> I look forward to getting more engaged with the other leaders to keep the OWASP Security Tools for Developers (I don't know that I will ever get used to the STD acronym o_O) project moving forward!
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20111102/a5f8c167/attachment.html 


More information about the OWASP-Leaders mailing list