[Owasp-leaders] BCS Talk on "Open Source Security Successes & Failures"

Mark Miller mark.miller at owasp.org
Thu Sep 11 14:36:11 UTC 2014


Johanna - A much appreciated analysis of an underlying problem in the
structure of the OWASP projects process. Thanks -- Mark

On Thu, Sep 11, 2014 at 10:16 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >looking at the successes and failures of open source security projects
>
> Adrian, one case is OWASP projects. After having reviewed all tools/code and
> a big part of the documentation, these are my findings. Many projects have
> started and many have failed to even make their first release or sustain
> their projects. Here are a couple of things I would like to share:
>
> -Many people begin a project with an idea but never think about how to
> execute that idea as a project
> -The amount of effort necessary to create a project is directly dependent
> on its complexity. The more complex, the more time is needed to
> realize it, and many people seem not to realize this
> -Many projects are treated like hobbies or fun projects, so there is no
> sense of priority to finish and keep on producing
> -Lack of time: many seem not to have enough time to realize the proposed
> projects
> -Divide and conquer: very few projects apply this principle for developing
> their tools. Roadmaps tend to be very vague
> -Little experience with project management and estimation
> -Documentation: many incubator projects lack a proper user/installation
> guide. The more complex the tool is to use, the better the documentation
> must be; otherwise, no one uses the tool/project
> -Lack of description: very vague description of what the project is and its
> purpose
> -A tendency to repeat existing projects: documentation indulges in this sin
> more often than code/tools. Many incubator docs are a malformed clone of
> successful existing documentation
> -Lack of originality/exploring new fields of research: very few projects are
> really unique in their nature. There is no clear attempt to fill missing
> gaps in the security arena.
> -Lack of promotion: the project is not going to be consumed just by being
> displayed on the OWASP wiki. The amount of time/money project leaders must
> invest to promote their project is considerable, and it is quite
> underestimated by many.
> -High expectations: many project leaders seem to expect that OWASP must
> do most of the promotion work and maintenance of info/sponsors/grants
> for them. Unfortunately, this is not supported as expected. Project leaders
> must take more initiative to do their own promotion and look for and ask for
> staff support. Keep in mind OWASP has a really small staff too.
>
> On Thu, Sep 11, 2014 at 8:33 AM, Adrian Winckles <
> adrian.winckles at owasp.org> wrote:
>
>> Dear All
>>
>> I'm doing a talk to the BCS Open Source groups security day event in a
>> couple of weeks, looking at the successes and failures of open source
>> security projects.
>>
>> Does anyone have any good OWASP case study material I could use (other
>> than the obvious Heartbleed etc.)?
>>
>> Thanks
>>
>> Adrian
>>
>> OWASP UK Cambridge Chapter Leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>


-- 
*Mark Miller, Senior Storyteller*
*Curator and Founder, Trusted Software Alliance*

*Host and Executive Producer, OWASP 24/7 Podcast Channel*
*Community Advocate, Sonatype*

*Developers and Application Security: Who is Responsible?*
<https://www.surveymonkey.com/s/Developers_and_AppSec>