[Owasp-leaders] New OWASP project

Wagner Elias wagner.elias at owasp.org
Thu Nov 3 16:10:23 EDT 2011


Cerullo,

The thread is here:
https://lists.owasp.org/pipermail/owasp-esapi/2010-July/001793.html

Cheers



On Thu, Nov 3, 2011 at 4:34 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:

> Wagner,
>
> Could you please expand the difficulties you had with those two projects?
>
> ESAPI Swingset is perfectly aligned with OWASP and I don't see a reason to
> reject them.
>
> Thanks,
>
> Fabio
>
> On Thu, Nov 3, 2011 at 3:33 PM, Wagner Elias <wagner.elias at owasp.org> wrote:
>
>> This project may even raise doubts about whether its purpose is aligned with
>> the goals of OWASP or not, but that is something that should be clarified,
>> with clear standards set for accepting a project or not.
>>
>> I had a pretty bad experience when I tried to publish two projects that
>> were fully aligned to the purpose of OWASP:
>>
>> http://code.google.com/p/swingset-php/
>>
>> http://code.google.com/p/swingset-dotnet/
>>
>> There was a lot of discussion and the project was left outside the OWASP projects.
>>
>> Cheers
>>
>> Wagner Elias
>>
>>
>> On Wed, Nov 2, 2011 at 5:21 PM, John Wilander <john.wilander at owasp.org> wrote:
>>
>>> I quickly browsed the proposed project model. Looking good. Especially
>>> the incubator-->labs-->flagship staging. As long as we keep incubator
>>> bureaucracy to a minimum and demand that incubator projects present
>>> themselves as such (i.e. not just an "OWASP project") I'm all for it.
>>>
>>> Internally, leaders can cope with a plethora of initiatives and
>>> incubator projects. But for developers and product owners approaching OWASP
>>> for the first time the message has to be clear -- This is how you secure
>>> your web apps.
>>>
>>>    /John
>>>
>>> --
>>> My music http://www.johnwilander.com
>>> Twitter https://twitter.com/johnwilander
>>> CV or Résumé http://johnwilander.se
>>>
>>> 2 nov 2011 kl. 12:48 skrev Jason Li <jason.li at owasp.org>:
>>>
>>> Yvan,
>>>
>>> The GPC has been working on a model for better classifying projects:
>>> http://sl.owasp.org/gpcws-jun11-projects-handbook#h.gef61ebkljiy
>>>
>>> Much of the preliminary work to categorize the projects in tentative
>>> statuses is already done.
>>>
>>> The limiting factors for us progressing forward right now are:
>>> * Having a scalable, manageable way to prominently display/administrate
>>> a project's status
>>> * Have a scalable, community-driven platform to support the project
>>> reviews necessary for projects to elevate their status in a timely manner
>>>
>>> We're working on solutions to these issues as quickly as volunteer time
>>> allows.
>>>
>>> -Jason
>>>
>>> On Nov 2, 2011, at 3:26 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>>
>>> First and foremost, this is not a commentary on Lucas' project.  I
>>> personally don't see the value of it, but at the same time I haven't spent
>>> much time thinking about how I would use it.
>>>
>>> Most of you don't know me, so I will explain a little bit more about
>>> myself; I have been involved in OWASP on and off over the last several
>>> years at the chapter level, and have recently decided to get more involved
>>> in the project.  I was planning to get involved slowly, but things got
>>> catalyzed when Mark reached out after we released a tool I have been
>>> working on at Mozilla.  I am now standing in to take over the OWASP
>>> Security Tools for Developers project, and will be relying on the leaders
>>> list to help me ensure that the people currently engaged stay so.
>>>
>>> It is pretty clear that while OWASP has to remain open to new
>>> projects and the ideas of its members and its community, following this
>>> thread has shown that there is a fair amount of concern about how the OWASP
>>> brand is being used.
>>>
>>> I know there is some work being done in this area, but I think that it
>>> is critical for OWASP to assemble a mechanism for introducing and
>>> incubating projects to the point they are worthy of the OWASP stamp; a
>>> good model might be the Apache Incubator programme that facilitates
>>> projects moving from experiment to full fledged Apache Foundation project
>>> based on a set of criteria.
>>>
>>> On Tue, Nov 1, 2011 at 4:14 PM, Jason Li <jason.li at owasp.org> wrote:
>>>
>>>> All,
>>>>
>>>> OWASP encourages projects of any type, as long as they are open and
>>>> related to application security. Those are the only requirements for a
>>>> project idea. As Michael pointed out, the low barrier to entry encourages
>>>> participation from talented volunteers.
>>>>
>>>
>>> The low barrier to entry is important, but the degree of endorsement of
>>> the constituent projects should be commensurate with the degree of merit,
>>> stability, and value the project offers.  As a project matures it should
>>> graduate through a set of ranks and it should be a critical milestone that
>>> has had sufficient use and review from the community before something gets
>>> 'blessed' as a full OWASP project.
>>>
>>>
>>>> Yes, that has resulted in a huge landscape of OWASP projects - all of
>>>> which are in various stages of maturity. This situation makes navigating
>>>> the OWASP Project landscape difficult. But it is not the responsibility or
>>>> burden of a project leader to worry about those issues. OWASP as an
>>>> organization should be responsible for managing the project landscape and
>>>> facilitating navigation of that landscape.  Project leaders should be
>>>> focused on their project.
>>>>
>>>>
>>>> There's no telling where any project will or will not go from the
>>>> onset. We have many projects that die on the vine after the project leader
>>>> realizes the use cases are limited, or that the user population isn't
>>>> there, or the proof of concept doesn't pan out. We have many projects that
>>>> grow from the inkling of an idea to wildly and unexpectedly popular
>>>> projects that become almost synonymous with OWASP. And we don't have the
>>>> crystal ball to predict which ones are which in advance.
>>>>
>>>
>>> That is all the more reason to build a set of success criteria, and
>>> ensure that there is mentorship and guidance offered to community members
>>> who bring time and effort to the table.  If a project or concept doesn't
>>> work as an isolated project, then the volunteers who are mentored will be
>>> more likely to engage in other project areas that might be of interest,
>>> especially if their mentor or the community can point them to a direct area
>>> they can contribute to.
>>>
>>>
>>>> Ultimately, it is still up to the project and its leader to succeed. A
>>>> project that has value will find an audience and support within the
>>>> community; a project that doesn't have value won't.
>>>>
>>>> But just because *you* can't see the potential value in a project
>>>> doesn't mean that there won't be value in it.
>>>>
>>>
>>> You are correct, but if value can't be demonstrated then it will be hard
>>> for the community to invest the time and effort to contribute to the
>>> project.  Having a clear demonstration of how to extract value from a
>>> project is an important step to enticing involvement.  A proliferation of
>>> projects that don't demonstrate value will eventually undermine the
>>> organization as people point to the under-developed or poorly managed
>>> constituents of the OWASP project and assume that the entire project is in
>>> that state.
>>>
>>>
>>>>
>>>> If we have a volunteer that *wants* to work on a project, and there's
>>>> the potential that even one person out there someday finds it useful, isn't
>>>> that worthwhile?
>>>>
>>>
>>> It is absolutely valuable to bring the effort, energy, and ideas into
>>> the community, but until the contribution converts those resources into
>>> something of clear, consumable value, it should not get the endorsement of
>>> the community.  A useless project that wastes the time of a potential
>>> community member, or worse a potential contributor, has eroded the project.
>>>
>>>
>>>> And before anyone argues that it would be more worthwhile if we
>>>> diverted such volunteer energy and efforts towards projects with
>>>> universally acknowledged potential, guess what? Volunteers work on what
>>>> they want to work on. That's the nature of volunteers. I believe OWASP
>>>> would be *very* hard pressed to "assign" volunteers to specific tasks
>>>> unless they're already interested in doing it anyway.
>>>>
>>>
>>> Engagement is an extremely challenging task when you have a team that is
>>> employed and has employer-mandated goals; it is even more challenging when
>>> the people involved are volunteers.
>>>
>>> Part of engagement is ensuring that people who are contributing feel
>>> properly rewarded; for many open source or volunteer contributors that
>>> reward comes in the form of recognition from their community.  Successfully
>>> managing a project through an incubation process would be a significant
>>> accomplishment for individuals, and each step is an opportunity to
>>> introduce a stronger sense of community.  Each time a contributor achieves
>>> one of those steps they will very likely have made a personal investment
>>> into the OWASP project that makes it less likely that the volunteer will
>>> pull up stakes and move on.  When a volunteer reaches that degree of
>>> engagement with the community and project it becomes more likely they will
>>> not need to be 'assigned', they will be asking where they can contribute!
>>>
>>>
>>>> So if a potential project contributor has an idea that doesn't go
>>>> against OWASP core values and principles, and they want to commit and
>>>> devote the energy to work on implementing that idea, then why shouldn't we
>>>> encourage and support that person?
>>>>
>>>
>>> I don't think anyone wants to discourage contributors, but there is a
>>> difference between encouraging participation, and slapping the OWASP brand
>>> onto something of dubious value.  Too many people have invested too much
>>> time and effort in the history of the project to risk damaging it by not
>>> curating the brand in a meaningful fashion.
>>>
>>>
>>>> The Global Projects Committee took this approach in encouraging Lucas
>>>> to proceed with his project idea and we wish him good luck and success with
>>>> his project.
>>>>
>>>> The GPC has already been working to make the project inception process
>>>> more scalable. I hope that we will soon be able to provide a platform for
>>>> folks to comment and provide feedback on project ideas. But ultimately the
>>>> project leader will take the project in the direction they see fit.
>>>>
>>>
>>> I look forward to getting more engaged with the other leaders to keep
>>> the OWASP Security Tools for Developers (I don't know that I will ever get
>>> used to the STD acronym o_O) project moving forward!
>>>
>>> _______________________________________________
>>>
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>
>>
>
>