[Owasp-leaders] [Owasp-testing] Flagship Project Status

Josh Sokol josh.sokol at owasp.org
Tue Jul 1 13:54:26 UTC 2014


Dennis,

I'm not sure that I understand the message that you are trying to convey
here.  Could you please clarify?

~josh


On Tue, Jul 1, 2014 at 4:12 AM, Dennis Groves <dennis.groves at owasp.org>
wrote:

> ignore Dave, do what we want...
>
> (ignore the man behind the curtain - owasp top 10, app-sensor, the many
> projects etc....)
>
> seems more like Alice in wonderland than reality,
>
>
> Dennis
>
>
> On Thu, Jun 19, 2014 at 11:35 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> In addition, I started a discussion on what Flagship should mean for
>> documentation projects on the Leaders list.  Feedback was low so if you
>> have stuff to add to it, now's the time to do it!
>>
>> http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html
>>
>> ~josh
>>
>>
>> On Thu, Jun 19, 2014 at 9:58 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Tobias
>>>
>>> I did mention something regarding approach for reviewing projects:
>>>
>>> https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Approach_for_Reviewing_Document_projects
>>>  Approach for Reviewing Document projects
>>>
>>> It is difficult to quantify how well written and accurate or not a
>>> document is, unless the reviewer has a broad body of knowledge on the
>>> subject. Finding the right reviewer is more challenging. This one will have
>>> to spend time reading and creating a report. An alternative might be to
>>> hire a freelance technical editor/writer who can provide input from
>>> the documentation and editing point of view on how well written and
>>> consistent the document is. This is more subjective, and that's why I think
>>> we had better leave documentation to the rating system. Hiring a technical
>>> writer and editor to provide an opinion could be an option; however, it is
>>> subjective.
>>>
>>> ----
>>>
>>> That being said, reviewing and setting a process for reviewing
>>> documentation is hard.
>>>
>>> The project review technical advisory board created some criteria, but
>>> who has time to review documents in an unbiased way? I think a flagship
>>> document should at least:
>>>
>>> - Have no grammar errors
>>>
>>> - Have a way to receive feedback from readers
>>>
>>> - Take into account user feedback to improve the project
>>>
>>> - Be reviewed by experts in the matter
>>>
>>> Not a simple answer.
>>>
>>>
>>>
>>>
>>> https://docs.google.com/a/owasp.org/forms/d/130ScNZPrqrQTkWUmDz2mt2X94LXfrOurNz-46tjGbEg/edit
>>> OWASP Project Quality Assessment: Documentation Projects
>>>
>>> Please grade each question using the points system. A reviewer can
>>> award points between 0 and 10 (enter 10 if not applicable). Projects
>>> scoring 75 or higher are high quality, 50 - 70 medium/beta quality, and
>>> less than 50 low or alpha quality. Start awarding points once you pass
>>> the project relationship question.
>>>
>>> Project Version (required)
>>>
>>> Release Status (required)
>>>
>>> Does the material help inform consumers about a security topic? (required)
>>> Does the project help inform a reader/viewer about a security concern?
>>>
>>> Can a user download the project artifacts from the OWASP Project wiki
>>> page? (required)
>>> Can a user easily determine how to download the project resources from
>>> the wiki page, whether it is from a link on the project page or a link on
>>> the project page that redirects the user to another web site where the
>>> artifacts are hosted?
>>>
>>> Is the grammar correct and understandable, and does the content flow
>>> well? (required)
>>> Is the document well written/spoken and easy to follow and understand?
>>>
>>> Do the project leaders/contributors interact with readers and receive
>>> and reply to feedback on the project? (required)
>>> Can users ask questions and receive helpful answers?
>>>
>>> Does the project leader adapt the documentation based on the priorities,
>>> importance, and feedback gathered from reliable sources? (required)
>>> Do project leaders take into account user feedback to improve the project?
>>>
>>> Is the documentation translated into at least two different
>>> languages? (required)
>>> Has the original project been translated into another language?
>>>
>>> If this document is a candidate to publish as an OWASP book, is the
>>> document in a format which can be converted to an OWASP book? (required)
>>> If the project is a candidate for an OWASP book, is it in the OWASP format?
>>>
>>> Does the project sufficiently cover material with respect to the topic
>>> or process it is intended to cover? (required)
>>> Does this project provide adequate coverage of the security concern it
>>> covers?
>>>
>>> Would you recommend this project to educate others about a security
>>> concern? (required)
>>> Overall, would you promote this project to others who want to learn about
>>> the security issue this project attempts to cover?
>>>
>>> Total (required)
>>>
>>>
>>> On Thu, Jun 19, 2014 at 10:27 AM, Tobias <tobias.gondrom at owasp.org>
>>> wrote:
>>>
>>>>  Hi all,
>>>>
>>>> my answer is simple: status today is that *all* Flagship projects had
>>>> been reset to Labs status. So the question is not whether Top10 "keeps"
>>>> Flagship status, but for Top10 to regain the Flagship status.
>>>>
>>>> Considering that Top10 is still IMO very high quality, I would think it
>>>> very likely for Top-10 to regain Flagship status relatively quickly.
>>>>
>>>> Maybe Johanna could advise on the process for a documentation project
>>>> to achieve Flagship status?
>>>>
>>>> Best wishes, Tobias
>>>>
>>>>
>>>>
>>>> On 19/06/14 06:53, Josh Sokol wrote:
>>>>
>>>> I'd like to suggest a compromise here in that we keep Top 10 2013 as
>>>> Flagship status and make sure that the 2016 release is done based on the
>>>> new document quality metrics once they are fleshed out and fully approved.
>>>> I think those requirements should handle Jim's concerns.  We can't change
>>>> the past, but we can certainly influence the future.
>>>>
>>>> ~josh
>>>> On Jun 19, 2014 12:39 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>
>>>>>  Dave,
>>>>>
>>>>> I have mixed feelings here. I worry about past issues of how you came
>>>>> to conclusions for the top ten final items, issues with partnerships that
>>>>> led to the A9, and issues around how statistics were collected and used.
>>>>> I also worry about a top ten list in general being very lacking in
>>>>> terms of helping people build a full application security program. (Heck,
>>>>> I'm working on a defense top ten as well.)
>>>>>
>>>>> Now that aside, the work you and others have done in the Top Ten is
>>>>> very polished and is indeed useful for initial awareness. As it stands
>>>>> today, I am still a fan of the document and endorse it.
>>>>>
>>>>> I am not the decision maker here, but I personally support lifting the
>>>>> primary Top Ten to flagship status. But I implore you to make the next
>>>>> version much more transparent, community built, vendor neutral and be only
>>>>> OWASP branded. There is still work we can do in this area in my opinion.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 6/8/14, 10:30 PM, Dave Wichers wrote:
>>>>>
>>>>> I’m wondering what this means to the OWASP Top 10 project. This is
>>>>> an active project that is currently on its normal schedule. All top 10
>>>>> products are done, up to date, release quality. It's been translated into
>>>>> many different languages and more are actively being worked on now.
>>>>>
>>>>>
>>>>>
>>>>> Many people look at the Top 10 as a de facto standard, so having it
>>>>> demoted to non-flagship (even temporarily) is concerning to some people. (I
>>>>> have received several direct inquiries about what this means for the Top
>>>>> 10. Like, should they stop recommending people use it?? Or should they
>>>>> recommend the SANS Top 25 instead, etc.)
>>>>>
>>>>>
>>>>>
>>>>> Given the high visibility of this particular documentation project, I
>>>>> want to know what I have to do, if anything, to either retain flagship
>>>>> status (It’s still marked that way as far as I know), or quickly get it
>>>>> back to that status?
>>>>>
>>>>>
>>>>>
>>>>> This is certainly confusing and potentially harmful to my project.
>>>>>
>>>>>
>>>>>
>>>>> -Dave
>>>>>
>>>>>
>>>>>
>>>>> p.s. By the way, I support this initiative, so I’m not blasting
>>>>> anyone. Just trying to figure out what to do for my particular project.
>>>>>
>>>>>
>>>>>
>>>>> *From:* owasp-leaders-bounces at lists.owasp.org
>>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Josh Sokol
>>>>> *Sent:* Saturday, June 07, 2014 4:10 AM
>>>>> *To:* Yvan Boily
>>>>> *Cc:* Christian Heinrich; OWASP Leaders; owasp-testing at lists.owasp.org
>>>>> *Subject:* Re: [Owasp-leaders] [Owasp-testing] Flagship Project Status
>>>>>
>>>>>
>>>>>
>>>>> Thanks for bringing this discussion to the leaders list.  I can
>>>>> certainly see how someone, especially those running projects, would see
>>>>> this Flagship status demotion as a hassle at best and perhaps even
>>>>> "catastrophic" as Christian put it.  I was, admittedly, a bit skeptical of
>>>>> the value of such an action when the idea was first brought to me, but upon
>>>>> further consideration, I changed my mind.  People around the world have
>>>>> come to respect the OWASP name as a trusted source for tools and
>>>>> documentation, but when they come to our website, their experience can vary
>>>>> based on where they land.  Think about how you'd feel if you downloaded an
>>>>> OWASP "Flagship" document with outdated information or a "Flagship" tool
>>>>> that actually created security vulnerabilities when you used it.  It
>>>>> becomes a situation where the proverbial one rotten apple can spoil the
>>>>> entire bunch.  Sure, you could make the argument that we could evaluate
>>>>> each current Flagship project and then demote on a case-by-case basis, and
>>>>> you'd probably be right, but as hard as the evaluator would try to be
>>>>> objective, in the end someone is probably going to get upset and cry foul.
>>>>> With this action, we have leveled the playing field (so to speak) and the
>>>>> projects that advance back to Flagship can do so under the full support of
>>>>> the community.
>>>>>
>>>>> I don't think that it's in anybody's best interest to be in this limbo
>>>>> state for long and in the interests of expediting the process, I just threw
>>>>> out some ideas on what "Flagship" means to me here:
>>>>>
>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html
>>>>>
>>>>> These are just suggestions, nothing set in stone, and I'm hoping that
>>>>> you guys will follow up with your feedback and perhaps even your own
>>>>> suggestions.  In a nutshell, how do we define a process that ensures that
>>>>> when a person goes to OWASP and downloads a Flagship document, we know,
>>>>> without hesitation, that it will be a high quality product that they can
>>>>> rely on?  I'd say let's take the next week or so to solicit feedback from
>>>>> the community, and then maybe you guys would be interested in helping to
>>>>> assemble the pieces that make up the final process?  Johanna is already
>>>>> working on putting the pieces in place for the code projects and I'm happy
>>>>> to try to get the ball rolling on the documentation projects as well.  All
>>>>> things considered, I bet we can have a process in place in the next 2-4
>>>>> weeks.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 6, 2014 at 10:17 PM, Yvan Boily <yvanboily at gmail.com>
>>>>> wrote:
>>>>>
>>>>> On Fri, Jun 6, 2014 at 6:34 PM, Christian Heinrich <
>>>>> christian.heinrich at cmlh.id.au> wrote:
>>>>>
>>>>> Yvan,
>>>>>
>>>>>
>>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com>
>>>>> wrote:
>>>>> > I am going to be pretty blunt about this.  Those examples were from
>>>>> > 3 or more years ago.  I have been involved with OWASP for 10 years (at
>>>>> > my earliest recollection, 2004, when I launched the Winnipeg chapter),
>>>>> > and I have seen things (on and off mailing lists) that left a bad taste
>>>>> > in my mouth; that hasn't changed my desire to help my chapter be
>>>>> > better, and to find ways to contribute.  There are always going to be
>>>>> > people who use organizations like OWASP for self-aggrandizement, and
>>>>> > there may even be corruption by some bad actors (I don't know the
>>>>> > specifics).  If you are aware of ongoing corruption, then collect the
>>>>> > evidence, and put a proposal forward to the group for a 3rd party audit
>>>>> > of the organization and let the OWASP members voice their opinions.
>>>>> > Otherwise don't make claims that you can't back.
>>>>>
>>>>> You haven't disputed the evidence that I have put forth?
>>>>>
>>>>>
>>>>>
>>>>> If *you* are aware of ongoing corruption, then *you* collect the
>>>>> evidence, and put forward a proposal for a review.  I am not going to.  I
>>>>> have a career, run a separate non-profit, contribute to owasp, organize
>>>>> several local groups, and have a family; I don't (and most of the other
>>>>> OWASP leaders probably don't) have time to investigate it for you.  I am
>>>>> happy with the direction that OWASP is going, and support the direction
>>>>> that the current board is moving in.  I am not going to do your work for
>>>>> you.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com>
>>>>> wrote:
>>>>> > I don't know Dinis personally, but I have looked at O2 on several
>>>>> > occasions since its release, and while it never took a huge place in
>>>>> > my tool box I certainly see its value and appeal; OWASP should be
>>>>> > supporting projects that are innovative and try new things.  It is
>>>>> > unfortunate if money spent didn't have the desired outcome, but those
>>>>> > are the breaks of funding research and development.  If OWASP didn't
>>>>> > back new and experimental projects then it is entirely possible that
>>>>> > Simon may not have brought ZAP to the table when figuring out where it
>>>>> > should live.
>>>>>
>>>>> No, no and no.
>>>>>
>>>>> Dinis Cruz, as an OWASP Board Member, should *not* be allowed to
>>>>> manage or lead his own OWASP Projects.
>>>>>
>>>>>
>>>>>
>>>>> Wait, what? The people who are most invested in the success of their
>>>>> projects that are contributed to OWASP shouldn't be allowed to take on a
>>>>> position of greater responsibility to ensure the success of the community
>>>>> in addition to their own project?  I don't know if you have leadership or
>>>>> management experience, but in general, you want to promote and/or recruit
>>>>> people that show initiative.
>>>>>
>>>>>
>>>>>
>>>>>  Neither should he be allowed
>>>>> to direct "charity" funds to the development of a commercial product
>>>>> owned by Security Innovation.
>>>>>
>>>>>
>>>>>
>>>>> I tend to agree (where "Security Innovation" is replaced with "a
>>>>> for-profit business").  So, take the initiative, collect the evidence, and
>>>>> build a case.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Reread
>>>>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>>>>> that supports the above.
>>>>>
>>>>> Furthermore, OWASP should not hire the wife of Dinis Cruz's personal
>>>>> friend, Paulo Coimbra, i.e.
>>>>>
>>>>> https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html
>>>>> to assist with Security Innovation's commercial exploitation of OWASP
>>>>> when
>>>>> http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html
>>>>> has considerably more experience with OWASP.
>>>>>
>>>>> ... and who could forget Jeff Williams own opinion of Security
>>>>> Innovation i.e.
>>>>> https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html
>>>>>
>>>>> Sonatype was founded by former employees of 02 and Josh Corman worked
>>>>> for Rugged Software.
>>>>>
>>>>> https://www.owasp.org/index.php/Rugged_Software <- WTF is this doing
>>>>> on the OWASP Wiki? 0WASP "02 With Aspect Security Promotion"  :-)
>>>>>
>>>>> BTW no one except Dinis Cruz has any idea what 02 does, and Dinis
>>>>> doesn't help it when he references other well known projects, such as
>>>>> HacmeBank.  Mark Curphey refers to this as [Dinis Cruz] "lost in 02
>>>>> world".
>>>>>
>>>>>
>>>>>
>>>>> So this is a stream of consciousness style write-up that doesn't
>>>>> really make clear sense to me without reading the supporting docs.
>>>>>
>>>>>
>>>>> I don't have an issue with Simon, but the fact is Michael Coates, him
>>>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>>>> in the past.
>>>>>
>>>>>
>>>>>
>>>>> Yeah, you might want to educate yourself on the history of ZAP before
>>>>> you put your foot in your mouth.  Simon implemented ZAP before he was
>>>>> involved with OWASP, and made a strong positive contribution to OWASP out
>>>>> of the gate.
>>>>>
>>>>> I don't know why you want to drag my employer into this; all three of
>>>>> the people named were OWASP contributors before joining Mozilla, and
>>>>> actually ramped up their involvement after joining Mozilla.
>>>>>
>>>>>
>>>>>
>>>>> In Simon's defence, he probably didn't know about
>>>>> WebScarab because OWASP didn't help with the promotion of known
>>>>> projects since Dinis Cruz hired personal friends to promote his
>>>>> own projects.
>>>>>
>>>>>
>>>>>
>>>>> Sorry to break it to you, but no amount of promotion would have saved
>>>>> WebScarab.  It was a powerful and flexible tool, but it had a painful UI
>>>>> and a terrible learning curve.  ZAP is successful because it was a natural
>>>>> progression of an effectively abandoned (but still popular) tool, a
>>>>> generous helping of new features, and a lot of UI love.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com>
>>>>> wrote:
>>>>> > I won't speak for the past, but the current efforts to update and
>>>>> > refresh OWASP practices and policies have been sorely needed, and come
>>>>> > at a time when people are seriously questioning whether or not OWASP
>>>>> > brings value to the industry.  OWASP needs to put a better foot
>>>>> > forward, and part of that is recognizing projects that should bear the
>>>>> > benefit of the OWASP brand, *and* keeping those products (whether they
>>>>> > are tool, library, or doc projects) accountable to maintain their
>>>>> > status as a 'gold-star' tool.
>>>>>
>>>>>
>>>>>  Yeah, so in essence what Jim is now doing is what Dinis Cruz should
>>>>> have completed three years ago but didn't.
>>>>>
>>>>>
>>>>>
>>>>> Again, what?  You are complaining that a current board member is doing
>>>>> something you felt was long needed?  I am not sure what your point is.
>>>>> Dinis isn't on the board.  Focusing your aggression and frustration on a
>>>>> single individual (or a small group of individuals) really detracts from
>>>>> any significant point you are trying to make.  I have yet to see a single
>>>>> constructive point come out of anything you have said in this thread.  That
>>>>> deficiency, by the way, coupled with your accusations and tone are the main
>>>>> reasons I felt the need to respond.  You aren't contributing in a
>>>>> constructive fashion, you are actively undermining folks (Jim, Johanna)
>>>>> that are, and you are wasting people's time.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The OWASP Testing Guide is a documentation project and as far as I am
>>>>> aware is out of being demoted now?
>>>>>
>>>>>
>>>>>
>>>>> If so, it is my opinion that it is a mistake; once the clearly defined
>>>>> criteria for being a flagship project are available, the projects should be
>>>>> made to apply, with no grandfathering.  This forces projects to meet a
>>>>> quality assurance guideline that means something.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com>
>>>>> wrote:
>>>>> > If you think putting in some basic effort to preserve the OWASP brand
>>>>> > is an unnecessary burden, then I question your commitment to
>>>>> > protecting OWASP, not the team working on the QA project.
>>>>>
>>>>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html
>>>>> <- Yeah, Dinis Cruz just wants to see the world burn.
>>>>>
>>>>>
>>>>> BTW I don't see how your reply is relevant to the OWASP Testing Guide.
>>>>>
>>>>>
>>>>>
>>>>> I reference the testing guide a fair bit.  I have designed several
>>>>> training courses that reference them; I am interested in seeing the Guide
>>>>> remain a flagship project, but not at the expense of seeing a process
>>>>> implemented that says the 'Flagship' stamp actually means something.
>>>>>
>>>>>
>>>>> You are correct.  Pushing to the leaders list since this makes more
>>>>> sense there.  I don't care much about the issues you have with past board
>>>>> members, unless you are going to position them in way that focuses on being
>>>>> constructive (learning from mistakes made in the past is constructive,
>>>>> dwelling on them isn't).
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Yvan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Christian Heinrich
>>>>>
>>>>> http://cmlh.id.au/contact
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
> --
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me, <dennis.groves at owasp.org> or schedule a meeting
> <http://goo.gl/8sPIy>.
> *This email is licensed under a CC BY-ND 3.0
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
> Stand up for your freedom to install free software.
> <http://www.fsf.org/campaigns/secure-boot/statement>
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>
> <http://www.owasp.org/>
>