[Owasp-leaders] New OWASP project

Fabio Cerullo fcerullo at owasp.org
Thu Nov 3 14:34:41 EDT 2011


Wagner,

Could you please expand the difficulties you had with those two projects?

ESAPI Swingset is perfectly aligned with OWASP and I don't see a reason to
reject them.

Thanks,

Fabio

On Thu, Nov 3, 2011 at 3:33 PM, Wagner Elias <wagner.elias at owasp.org> wrote:

> This project may even raise doubt as to whether its purpose is aligned with
> the goals of OWASP or not, but it is a fact that should be clarified, and
> clear standards should be set for accepting a project or not.
>
> I had a pretty bad experience when I tried to publish two projects that
> were fully aligned to the purpose of OWASP:
>
> http://code.google.com/p/swingset-php/
>
> http://code.google.com/p/swingset-dotnet/
>
> There was a lot of discussion, and the project remained outside the OWASP projects.
>
> Cheers
>
> Wagner Elias
>
>
> On Wed, Nov 2, 2011 at 5:21 PM, John Wilander <john.wilander at owasp.org> wrote:
>
>> I quickly browsed the proposed project model. Looking good. Especially
>> the incubator-->labs-->flagship staging. As long as we keep incubator
>> bureaucracy to a minimum and demand that incubator projects present
>> themselves as such (i.e. not just an "OWASP project") I'm all for it.
>>
>> Internally, leaders can cope with a plethora of initiatives and incubator
>> projects. But for developers and product owners approaching OWASP for the
>> first time the message has to be clear -- This is how you secure your web
>> apps.
>>
>>    /John
>>
>> --
>> My music http://www.johnwilander.com
>> Twitter https://twitter.com/johnwilander
>> CV or Résumé http://johnwilander.se
>>
>> 2 nov 2011 kl. 12:48 skrev Jason Li <jason.li at owasp.org>:
>>
>> Yvan,
>>
>> The GPC has been working on a model for better classifying projects:
>> http://sl.owasp.org/gpcws-jun11-projects-handbook#h.gef61ebkljiy
>>
>> Much of the preliminary work to categorize the projects in tentative
>> statuses is already done.
>>
>> The limiting factors for us progressing forward right now are:
>> * Having a scalable, manageable way to prominently display/administrate a
>> project's status
>> * Have a scalable, community-driven platform to support the project
>> reviews necessary for projects to elevate their status in a timely manner
>>
>> We're working on solutions to these issues as quickly as volunteer time
>> allows.
>>
>> -Jason
>>
>> On Nov 2, 2011, at 3:26 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>
>> First and foremost, this is not a commentary on Lucas' project.  I
>> personally don't see the value of it, but at the same time I haven't spent
>> much time thinking about how I would use it.
>>
>> Most of you don't know me, so I will explain a little bit more about
>> myself; I have been involved in OWASP on and off over the last several
>> years at the chapter level, and have recently decided to get more involved
>> in the project.  I was planning to get involved slowly, but things got
>> catalyzed when Mark reached out after we released a tool I have been
>> working on at Mozilla.  I am now standing in to take over the OWASP
>> Security Tools for Developers project, and will be relying on the leaders
>> list to help me ensure that the people currently engaged stay so.
>>
>> While it is pretty clear that OWASP has to remain open to new
>> projects and the ideas of its members and its community, following this
>> thread has shown that there is a fair amount of concern about how the OWASP
>> brand is being used.
>>
>> I know there is some work being done in this area, but I think that it is
>> critical for OWASP to assemble a mechanism for introducing and incubating
>> projects to the point they are worthy of the OWASP stamp; a good model
>> might be the Apache Incubator programme that facilitates projects moving
>> from experiment to full fledged Apache Foundation project based on a set of
>> criteria.
>>
>> On Tue, Nov 1, 2011 at 4:14 PM, Jason Li <jason.li at owasp.org> wrote:
>>
>>> All,
>>>
>>> OWASP encourages projects of any type, as long as they are open and
>>> related to application security. Those are the only requirements for a
>>> project idea. As Michael pointed out, the low barrier to entry encourages
>>> participation from talented volunteers.
>>>
>>
>> The low barrier to entry is important, but the degree of endorsement of
>> the constituent projects should be commensurate with the degree of merit,
>> stability, and value the project offers.  As a project matures it should
>> graduate through a set of ranks, and it should be a critical milestone that
>> a project has had sufficient use and review from the community before it
>> gets 'blessed' as a full OWASP project.
>>
>>
>>> Yes, that has resulted in a huge landscape of OWASP projects - all of
>>> which are in various stages of maturity. This situation makes navigating
>>> the OWASP Project landscape difficult. But it is not the responsibility or
>>> burden of a project leader to worry about those issues. OWASP as an
>>> organization should be responsible for managing the project landscape and
>>> facilitating navigation of that landscape.  Project leaders should be
>>> focused on their project.
>>>
>>>
>>> There's no telling where any project will or will not go from the
>>> onset. We have many projects that die on the vine after the project leader
>>> realizes the use cases are limited, or that the user population isn't
>>> there, or the proof of concept doesn't pan out. We have many projects that
>>> grow from the inkling of an idea to wildly and unexpectedly popular
>>> projects that become almost synonymous with OWASP. And we don't have the
>>> crystal ball to predict which ones are which in advance.
>>>
>>
>> That is all the more reason to build a set of success criteria, and
>> ensure that there is mentorship and guidance offered to community members
>> who bring time and effort to the table.  If a project or concept doesn't
>> work as an isolated project, then the volunteers who are mentored will be
>> more likely to engage in other project areas that might be of interest,
>> especially if their mentor or the community can point them to a direct area
>> they can contribute to.
>>
>>
>>> Ultimately, it is still up to the project and its leader to succeed. A
>>> project that has value will find an audience and support within the
>>> community; a project that doesn't have value won't.
>>>
>>> But just because *you* can't see the potential value in a project
>>> doesn't mean that there won't be value in it.
>>>
>>
>> You are correct, but if value can't be demonstrated then it will be hard
>> for the community to invest the time and effort to contribute to the
>> project.  Having a clear demonstration of how to extract value from a
>> project is an important step to enticing involvement.  A proliferation of
>> projects that don't demonstrate value will eventually undermine the
>> organization as people point to the under-developed or poorly managed
>> constituents of the OWASP project and assume that the entire project is in
>> that state.
>>
>>
>>>
>>> If we have a volunteer that *wants* to work on a project, and there's
>>> the potential that even one person out there someday finds it useful, isn't
>>> that worthwhile?
>>>
>>
>> It is absolutely valuable to bring the effort, energy, and ideas into the
>> community, but until the contribution converts those resources into
>> something of clear, consumable value, it should not get the endorsement of
>> the community.  A useless project that wastes the time of a potential
>> community member, or worse a potential contributor, has eroded the project.
>>
>>
>>> And before anyone argues that it would be more worthwhile if we diverted
>>> such volunteer energy and efforts towards projects with universally
>>> acknowledged potential, guess what? Volunteers work on what they want to
>>> work on. That's the nature of volunteers. I believe OWASP would be *very*
>>> hard pressed to "assign" volunteers to specific tasks unless they're
>>> already interested in doing it anyway.
>>>
>>
>> Engagement is an extremely challenging task when you have a team that is
>> employed and has employer-mandated goals; it is even more challenging when
>> the people involved are volunteers.
>>
>> Part of engagement is ensuring that people who are contributing feel
>> properly rewarded; for many open source or volunteer contributors that
>> reward comes in the form of recognition from their community.  Successfully
>> managing a project through an incubation process would be a significant
>> accomplishment for individuals, and each step is an opportunity to
>> introduce a stronger sense of community.  Each time a contributor achieves
>> one of those steps they will very likely have made a personal investment
>> into the OWASP project that makes it less likely that the volunteer will
>> pull up stakes and move on.  When a volunteer reaches that degree of
>> engagement with the community and project it becomes more likely they will
>> not need to be 'assigned', they will be asking where they can contribute!
>>
>>
>>> So if a potential project contributor has an idea that doesn't go
>>> against OWASP core values and principles, and they want to commit and
>>> devote the energy to work on implementing that idea, then why shouldn't we
>>> encourage and support that person?
>>>
>>
>> I don't think anyone wants to discourage contributors, but there is a
>> difference between encouraging participation, and slapping the OWASP brand
>> onto something of dubious value.  Too many people have invested too much
>> time and effort in the history of the project to risk damaging it by not
>> curating the brand in a meaningful fashion.
>>
>>
>>> The Global Projects Committee took this approach in encouraging Lucas to
>>> proceed with his project idea and we wish him good luck and success with
>>> his project.
>>>
>>> The GPC has already been working to make the project inception process
>>> more scalable. I hope that we will soon be able to provide a platform for
>>> folks to comment and provide feedback on project ideas. But ultimately the
>>> project leader will take the project in the direction they see fit.
>>>
>>
>> I look forward to getting more engaged with the other leaders to keep the
>> OWASP Security Tools for Developers (I don't know that I will ever get used
>> to the STD acronym o_O) project moving forward!
>>
>> _______________________________________________
>>
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>