[Owasp-leaders] [Owasp-testing] Flagship Project Status

Dennis Groves dennis.groves at owasp.org
Tue Jul 1 09:12:14 UTC 2014


ignore Dave, do what we want...

(ignore the man behind the curtain - owasp top 10, app-sensor, the many
projects etc....)

Seems more like Alice in Wonderland than reality.


Dennis


On Thu, Jun 19, 2014 at 11:35 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> In addition, I started a discussion on what Flagship should mean for
> documentation projects on the Leaders list.  Feedback was low so if you
> have stuff to add to it, now's the time to do it!
>
> http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html
>
> ~josh
>
>
> On Thu, Jun 19, 2014 at 9:58 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Tobias
>>
>> I did mention something regarding approach for reviewing projects:
>>
>> https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Approach_for_Reviewing_Document_projects
>>  Approach for Reviewing Document projects
>>
>> It is difficult to quantify how well written and accurate a document is,
>> unless the reviewer has a broad body of knowledge on the subject. Finding
>> the right reviewer is more challenging. This one will have to spend time
>> reading and creating a report. An alternative might be to hire a freelance
>> technical editor/writer who can provide his input from the documentation
>> and editing point of view and on how well written and consistent the
>> document is. This is more subjective and that's why I think that we had
>> better leave documentation to the rating system. Hiring a technical writer
>> and editor to provide his opinion could be an option, however, it is
>> subjective.
>>
>> ----
>>
>> That being said, reviewing and setting a process for reviewing
>> documentation is hard.
>>
>> The project review technical advisory board created some criteria, but
>> who has time to review documents in an unbiased way? I think a flagship
>> document should at least:
>>
>> - Have no grammar errors
>>
>> - Have a way to receive feedback from readers
>>
>> - Take into account user feedback to improve the project
>>
>> - Be reviewed by experts in the matter
>>
>> Not a simple answer.
>>
>>
>>
>>
>> https://docs.google.com/a/owasp.org/forms/d/130ScNZPrqrQTkWUmDz2mt2X94LXfrOurNz-46tjGbEg/edit
>> OWASP Project Quality Assessment: Documentation Projects
>>
>> Please grade each question using the points system. A reviewer can award
>> points between 0 and 10 (enter 10 if Not Applicable). Projects scoring 75
>> or higher are high quality, 50 - 70 medium/beta quality, and less than 50
>> low or alpha quality. Start awarding points once you pass the project
>> relationship question.
>>
>> Project Version (required)
>>
>> Release Status (required)
>>
>> Does the material help inform consumers about a security topic? (required)
>> Does the project help inform a reader/viewer about a security concern?
>>
>> Can a user download the project artifacts from the OWASP Project wiki
>> page? (required)
>> Can a user easily determine how to download the project resources from the
>> wiki page, whether it is from a link on the project page or a link on the
>> project page that redirects the user to another web site where the
>> artifacts are hosted?
>>
>> Is the grammar correct and understandable, and does the content flow well?
>> (required)
>> Is the document well written/spoken and easy to follow and understand?
>>
>> Do the project leaders/contributors interact with readers and receive and
>> reply to feedback on the project? (required)
>> Can users ask questions and receive helpful answers?
>>
>> Does the project leader adapt the documentation based on the priorities,
>> importance, and feedback gathered by reliable sources? (required)
>> Do project leaders take into account user feedback to improve the project?
>>
>> Is the documentation translated into at least two different languages?
>> (required)
>> Has the original project been translated into another language?
>>
>> If this document is a candidate to publish as an OWASP book, is the
>> document in a format which can be converted to an OWASP book? (required)
>> If the project is a candidate for an OWASP book, is it in the OWASP format?
>>
>> Does the project sufficiently cover material with respect to the topic or
>> process it is intended to cover? (required)
>> Does this project provide adequate coverage of the security concern it
>> covers?
>>
>> Would you recommend this project to educate others about a security
>> concern? (required)
>> Overall, would you promote this project to others who want to learn about
>> the security issue this project attempts to cover?
>>
>> Total:
>>
>>
>> On Thu, Jun 19, 2014 at 10:27 AM, Tobias <tobias.gondrom at owasp.org>
>> wrote:
>>
>>>  Hi all,
>>>
>>> my answer is simple: status today is that *all* Flagship projects had
>>> been reset to Labs status. So the question is not whether Top10 "keeps"
>>> Flagship status, but for Top10 to regain the Flagship status.
>>>
>>> Considering that Top10 is still IMO very high quality, I would think it
>>> very likely for Top-10 to regain Flagship status relatively quickly.
>>>
>>> Maybe Johanna could advise on the process for a documentation project to
>>> achieve Flagship status?
>>>
>>> Best wishes, Tobias
>>>
>>>
>>>
>>> On 19/06/14 06:53, Josh Sokol wrote:
>>>
>>> I'd like to suggest a compromise here in that we keep Top 10 2013 as
>>> Flagship status and make sure that the 2016 release is done based on the
>>> new document quality metrics once they are fleshed out and fully approved.
>>> I think those requirements should handle Jim's concerns.  We can't change
>>> the past, but we can certainly influence the future.
>>>
>>> ~josh
>>> On Jun 19, 2014 12:39 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>
>>>>  Dave,
>>>>
>>>> I have mixed feelings here. I worry about past issues of how you came
>>>> to conclusions for the top ten final items, issues with partnerships that
>>>> led to the A9, and issues around how statistics were collected and used.
>>>> I also worry about a top ten list in general being very lacking in
>>>> terms of helping people build a full application security program. (Heck,
>>>> I'm working on a defense top ten as well).
>>>>
>>>> Now that aside, the work you and others have done in the Top Ten is
>>>> very polished and is indeed useful for initial awareness. As it stands
>>>> today, I am still a fan of the document and endorse it.
>>>>
>>>> I am not the decision maker here, but I personally support lifting the
>>>> primary Top Ten to flagship status. But I implore you to make the next
>>>> version much more transparent, community built, vendor neutral and be only
>>>> OWASP branded. There is still work we can do in this area in my opinion.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>>
>>>> On 6/8/14, 10:30 PM, Dave Wichers wrote:
>>>>
>>>> I’m wondering what this means to the OWASP Top 10 project. This is an
>>>> active project that is currently on its normal schedule. All top 10
>>>> products are done, up to date, release quality. It's been translated into
>>>> many different languages and more are actively being worked on now.
>>>>
>>>>
>>>>
>>>> Many people look at the Top 10 as a de facto standard, so having it
>>>> demoted to non-flagship (even temporarily) is concerning to some people. (I
>>>> have received several direct inquiries about what this means for the Top
>>>> 10.) Like, should they stop recommending people use it? Or should they
>>>> recommend the SANS Top 25 instead, etc.?
>>>>
>>>>
>>>>
>>>> Given the high visibility of this particular documentation project, I
>>>> want to know what I have to do, if anything, to either retain flagship
>>>> status (It’s still marked that way as far as I know), or quickly get it
>>>> back to that status?
>>>>
>>>>
>>>>
>>>> This is certainly confusing and potentially harmful to my project.
>>>>
>>>>
>>>>
>>>> -Dave
>>>>
>>>>
>>>>
>>>> p.s. By the way, I support this initiative, so I’m not blasting anyone.
>>>> Just trying to figure out what to do for my particular project.
>>>>
>>>>
>>>>
>>>> *From:* owasp-leaders-bounces at lists.owasp.org [
>>>> mailto:owasp-leaders-bounces at lists.owasp.org
>>>> <owasp-leaders-bounces at lists.owasp.org>] *On Behalf Of *Josh Sokol
>>>> *Sent:* Saturday, June 07, 2014 4:10 AM
>>>> *To:* Yvan Boily
>>>> *Cc:* Christian Heinrich; OWASP Leaders; owasp-testing at lists.owasp.org
>>>> *Subject:* Re: [Owasp-leaders] [Owasp-testing] Flagship Project Status
>>>>
>>>>
>>>>
>>>> Thanks for bringing this discussion to the leaders list.  I can
>>>> certainly see how someone, especially those running projects, would see
>>>> this Flagship status demotion as a hassle at best and perhaps even
>>>> "catastrophic" as Christian put it.  I was, admittedly, a bit skeptical of
>>>> the value of such an action when the idea was first brought to me, but upon
>>>> further consideration, I changed my mind.  People around the world have
>>>> come to respect the OWASP name as a trusted source for tools and
>>>> documentation, but when they come to our website, their experience can vary
>>>> based on where they land.  Think about how you'd feel if you downloaded an
>>>> OWASP "Flagship" document with outdated information or a "Flagship" tool
>>>> that actually created security vulnerabilities when you used it.  It
>>>> becomes a situation where the proverbial one rotten apple can spoil the
>>>> entire bunch.  Sure, you could make the argument that we could evaluate
>>>> each current Flagship project and then demote on a case-by-case basis, and
>>>> you'd probably be right, but as hard as the evaluator would try to be
>>>> objective, in the end someone is probably going to get upset and cry foul.
>>>> With this action, we have leveled the playing field (so to speak) and the
>>>> projects that advance back to Flagship can do so under the full support of
>>>> the community.
>>>>
>>>> I don't think that it's in anybody's best interest to be in this limbo
>>>> state for long and in the interests of expediting the process, I just threw
>>>> out some ideas on what "Flagship" means to me here:
>>>>
>>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html
>>>>
>>>> These are just suggestions, nothing set in stone, and I'm hoping that
>>>> you guys will follow up with your feedback and perhaps even your own
>>>> suggestions.  In a nutshell, how do we define a process that ensures that
>>>> when a person goes to OWASP and downloads a Flagship document, we know,
>>>> without hesitation, that it will be a high quality product that they can
>>>> rely on?  I'd say let's take the next week or so to solicit feedback from
>>>> the community, and then maybe you guys would be interested in helping to
>>>> assemble the pieces that make up the final process?  Johanna is already
>>>> working on putting the pieces in place for the code projects and I'm happy
>>>> to try to get the ball rolling on the documentation projects as well.  All
>>>> things considered, I bet we can have a process in place in the next 2-4
>>>> weeks.
>>>>
>>>> ~josh
>>>>
>>>>
>>>>
>>>> On Fri, Jun 6, 2014 at 10:17 PM, Yvan Boily <yvanboily at gmail.com>
>>>> wrote:
>>>>
>>>> On Fri, Jun 6, 2014 at 6:34 PM, Christian Heinrich <
>>>> christian.heinrich at cmlh.id.au> wrote:
>>>>
>>>> Yvan,
>>>>
>>>>
>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>>> > I am going to be pretty blunt about this.  Those examples were from 3
>>>> > or more years ago.  I have been involved with OWASP for 10 years (at my
>>>> > earliest recollection, 2004, when I launched the Winnipeg chapter),
>>>> > and I have seen (on and off mailing lists) that left a bad taste in my
>>>> > mouth; that hasn't changed my desire to help my chapter be better, and
>>>> > to find ways to contribute.  There are always going to be people who
>>>> > use organizations like OWASP for self-aggrandizement, and there may
>>>> > even be corruption by some bad actors (I don't know the specifics).  If
>>>> > you are aware of ongoing corruption, then collect the evidence, and put
>>>> > a proposal forward to the group for a 3rd party audit of the
>>>> > organization and let the OWASP members voice their opinions.  Otherwise
>>>> > don't make claims that you can't back.
>>>>
>>>> You haven't disputed the evidence that I have put forth?
>>>>
>>>>
>>>>
>>>> If *you* are aware of ongoing corruption, then *you* collect the
>>>> evidence, and put forward a proposal for a review.  I am not going to.  I
>>>> have a career, run a separate non-profit, contribute to owasp, organize
>>>> several local groups, and have a family; I don't (and most of the other
>>>> OWASP leaders probably don't) have time to investigate it for you.  I am
>>>> happy with the direction that OWASP is going, and support the direction
>>>> that the current board is moving in.  I am not going to do your work for
>>>> you.
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>>> > I don't know Dinis personally, but I have looked at O2 on several
>>>> > occasions since its release, and while it never took a huge place in
>>>> > my tool box I certainly see its value and appeal; OWASP should be
>>>> > supporting projects that are innovative and try new things.  It is
>>>> > unfortunate if money spent didn't have the desired outcome, but those
>>>> > are the breaks of funding research and development.  If OWASP didn't
>>>> > back new and experimental projects then it is entirely possible that
>>>> > Simon may not have brought ZAP to the table when figuring out where it
>>>> > should live.
>>>>
>>>> No, no and no.
>>>>
>>>> Dinis Cruz, as an OWASP Board Member, should *not* be allowed to
>>>> manage or lead his own OWASP Projects.
>>>>
>>>>
>>>>
>>>> Wait, what? The people who are most invested in the success of their
>>>> projects that are contributed to OWASP shouldn't be allowed to take on a
>>>> position of greater responsibility to ensure the success of the community
>>>> in addition to their own project?  I don't know if you have leadership or
>>>> management experience, but in general, you want to promote and/or recruit
>>>> people that show initiative.
>>>>
>>>>
>>>>
>>>>  Neither should he be allowed
>>>> to direct "charity" funds to the development of a commercial product
>>>> owned by Security Innovation.
>>>>
>>>>
>>>>
>>>> I tend to agree (where "Security Innovation" is replaced with "a
>>>> for-profit business").  So, take the initiative, collect the evidence, and
>>>> build a case.
>>>>
>>>>
>>>>
>>>>
>>>> Reread
>>>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>>>> that supports the above.
>>>>
>>>> Furthermore, OWASP should not hire the wife of Dinis Cruz's personal
>>>> friend, Paulo Coimbra i.e.
>>>> https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html
>>>> to assist with Security Innovation's commercial exploitation of OWASP
>>>> when
>>>> http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html
>>>> has considerably more experience with OWASP.
>>>>
>>>> ... and who could forget Jeff Williams own opinion of Security
>>>> Innovation i.e.
>>>> https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html
>>>>
>>>> Sonatype was founded by former employees of 02 and Josh Corman worked
>>>> for Rugged Software.
>>>>
>>>> https://www.owasp.org/index.php/Rugged_Software <- WTF is this doing
>>>> on the OWASP Wiki? 0WASP "02 With Aspect Security Promotion"  :-)
>>>>
>>>> BTW No one except Dinis Cruz has any idea what 02 does and Dinis
>>>> doesn't help it when he references other well known projects, such as
>>>> HacmeBank.  Mark Curphey refers to this as [Dinis Cruz] "lost in 02
>>>> world".
>>>>
>>>>
>>>>
>>>> So this is a stream of consciousness style write-up that doesn't really
>>>> make clear sense to me without reading the supporting docs.
>>>>
>>>>
>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>>> in the past.
>>>>
>>>>
>>>>
>>>> Yeah, you might want to educate yourself on the history of ZAP before
>>>> you put your foot in your mouth.  Simon implemented ZAP before he was
>>>> involved with OWASP, and made a strong positive contribution to OWASP out
>>>> of the gate.
>>>>
>>>> I don't know why you want to drag my employer into this; all three of
>>>> the people named were OWASP contributors before joining Mozilla, and
>>>> actually ramped up their involvement after joining Mozilla.
>>>>
>>>>
>>>>
>>>> In Simon's defence he probably didn't know about
>>>> WebScarab because OWASP didn't help with the promotion of known
>>>> projects since Dinis Cruz hired personal friends to promote his
>>>> own projects.
>>>>
>>>>
>>>>
>>>> Sorry to break it to you, but no amount of promotion would have saved
>>>> WebScarab.  It was a powerful and flexible tool, but it had a painful UI, a
>>>> terrible learning curve.  ZAP is successful because it was a natural
>>>> progression of an effectively abandoned (but still popular) tool, a
>>>> generous helping of new features, and a lot of UI love.
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>>> > I won't speak for the past, but the current efforts to update and
>>>> > refresh OWASP practices and policies have been sorely needed, and come
>>>> > at a time when people are seriously questioning whether or not OWASP
>>>> > brings value to the industry.  OWASP needs to put a better foot
>>>> > forward, and part of that is recognizing projects that should bear the
>>>> > benefit of the OWASP brand, *and* keeping those products (whether they
>>>> > are tool, library, or doc projects) accountable to maintain their
>>>> > status as a 'gold-star' tool.
>>>>
>>>>
>>>>  Yeah, so in essence what Jim is now doing is what Dinis Cruz should
>>>> have completed three years ago but didn't.
>>>>
>>>>
>>>>
>>>> Again, what?  You are complaining that a current board member is doing
>>>> something you felt was long needed?  I am not sure what your point is.
>>>> Dinis isn't on the board.  Focusing your aggression and frustration on a
>>>> single (or a small group) of individuals really detracts from any
>>>> significant point you are trying to make.  I have yet to see a single
>>>> constructive point come out of anything you have said in this thread.  That
>>>> deficiency, by the way, coupled with your accusations and tone are the main
>>>> reasons I felt the need to respond.  You aren't contributing in a
>>>> constructive fashion, you are actively undermining folks (Jim, Johanna)
>>>> that are, and you are wasting people's time.
>>>>
>>>>
>>>>
>>>>
>>>> The OWASP Testing Guide is a documentation project and as far as I am
>>>> aware is out of being demoted now?
>>>>
>>>>
>>>>
>>>> If so, it is my opinion that it is a mistake; once the clearly defined
>>>> criteria for being a flagship project are available, the projects should be
>>>> made to apply, with no grandfathering.  This forces projects to meet a
>>>> quality assurance guideline that means something.
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>>>> > If you think putting in some basic effort to preserve the OWASP brand
>>>> > is an unnecessary burden, then I question your commitment to
>>>> > protecting OWASP, not the team working on the QA project.
>>>>
>>>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html
>>>> <- Yeah, Dinis Cruz just wants to see the world burn.
>>>>
>>>>
>>>> BTW I don't see how your reply is relevant to the OWASP Testing Guide.
>>>>
>>>>
>>>>
>>>> I reference the testing guide a fair bit.  I have designed several
>>>> training courses that reference them; I am interested in seeing the Guide
>>>> remain a flagship project, but not at the expense of seeing a process
>>>> implemented that says the 'Flagship' stamp actually means something.
>>>>
>>>>
>>>> You are correct.  Pushing to the leaders list since this makes more
>>>> sense there.  I don't care much about the issues you have with past board
>>>> members, unless you are going to position them in a way that focuses on
>>>> being constructive (learning from mistakes made in the past is
>>>> constructive, dwelling on them isn't).
>>>>
>>>> Cheers,
>>>>
>>>> Yvan
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Christian Heinrich
>>>>
>>>> http://cmlh.id.au/contact
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>
>


-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
Email me, <dennis.groves at owasp.org> or schedule a meeting
<http://goo.gl/8sPIy>.
*This email is licensed under a CC BY-ND 3.0
<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
Stand up for your freedom to install free software.
<http://www.fsf.org/campaigns/secure-boot/statement>
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!

<http://www.owasp.org/>

