[Owasp-leaders] (Proposed strategy) Re: Rethinking strategy regarding projects

psiinon psiinon at gmail.com
Wed Dec 2 09:05:36 UTC 2015


I think this is a very interesting perspective, and I'm wondering if now is
the time for ZAP to fly from the OWASP nest.
Rather than pollute this thread I'm starting another one - I'd really
appreciate everyone's thoughts on this matter.

Cheers,

Simon

On Tue, Dec 1, 2015 at 11:17 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Just bumping this thread since I believe it contains the solution for the
> current probs with the benchmark project
>
> TLDR: all Owasp projects should be seen as research projects. The moment
> they are big enough (i.e. big team, support, deliverables) and wish to move
> beyond the 'research label', is the moment where they need to leave the
> 'Owasp nest' and face the real world by themselves
>
> On 26 Nov 2015 11:36 pm, "johanna curiel curiel" <johanna.curiel at owasp.org>
> wrote:
> >
> > Spot on Dinis.
> >
> > On Thu, Nov 26, 2015 at 7:16 PM, Dinis Cruz <dinis.cruz at owasp.org>
> wrote:
> >>
> >> well, one of the definitions of 'production quality' would be that it
> had its own home, where those 'production' claims were made 'outside OWASP'
> >>
> >> After all, at that moment, that project would be as credible as any
> other open source or commercial product (since all/most of them make wild
> and 'production quality' claims)
> >>
> >> Pure OWASP projects would be research projects. I.e. good ideas in
> multiple stages of research status (with nice disclaimers about it). That
> would prevent a lot of the problems since by definition 'pure OWASP
> projects' should be seen as 'Research projects'
> >>
> >> The advantage of being an OWASP project would then be the great
> visibility and support that would (and is) provided to new ideas and
> 'research projects' by OWASP mothership and OWASP community
> >>
> >> The idea would be that the path of becoming an
> independent successful project would include a stage where it was (or is)
> an OWASP research project (does that make sense?)
> >>
> >>
> >> On 26 November 2015 at 22:54, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> >>>
> >>> >>If I was king (and I am not, at all) I would invest in ASVS on a 6
> figure scale.
> >>> >>Once a project starts to reach production quality...
> >>> >>Support the process of mapping the health of projects and providing
> metrics on the status of the projects
> >>> >>In fact, we should encourage successful projects to fly away and
> move into its own space (website, funding, team).
> >>>
> >>>
> >>> Jim, Dinis I appreciate your idealistic dreams. Everything starts with
> a Dream, but let me wake you back to the hard reality... ;-P
> >>>
> >>> What determines a project is 'production quality' or maps their
> 'health'?
> >>> Well that is the whole problem of reviewing.
> >>>
> >>> No dedicated resources, No 6 figure money for projects = Rethink a
> realistic strategy that works for projects
> >>>
> >>> Focus on what is feasible, what can work and what can be sustainable
> without the 6 figures ...
> >>>
> >>> Fly away? Kick the projects out! From now on they should stand on their
> own feet including any new project
> >>>
> >>> Rethink 'projects' to 'research'
> >>>
> >>> Rebrand OWASP projects to 'Project member' or something similar
> >>>
> >>> On Thu, Nov 26, 2015 at 5:25 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> >>>>
> >>>> Dinis
> >>>>
> >>>>
> >>>> >>My view is that OWASP projects should be seen as 'research
> projects' designed to push the research on Application Security a bit
> further. OWASP should be encouraging this research and promoting it!
> >>>>
> >>>> Agree. We just don't have resources to monitor, QA and promote to
> flagship and take responsibilities of this kind.
> >>>>
> >>>> Research Projects should be just a list of independent people with
> their own project websites/Github without 'OWASP' as brand. Maybe a label
> 'OWASP project member'
> >>>>
> >>>> In the end successful projects do not need 'OWASP' as a brand if they
> are good enough. ZAP does all the work by itself, even financially.
> >>>>
> >>>> OWASP does have the burden of users' expectations that unfortunately
> exist today.
> >>>>
> >>>> This support to these projects should be set in a way  that they do
> not depend on OWASP for their development but just as a community to share
> their research and ideas.
> >>>>
> >>>> OWASP could provide sponsorship based not on 'reviews' or 'levels'
> but on the community and usage the project has created on its own. That is
> easier to judge than reviewing a project no one knows about and that has few
> users, like Benchmark, with 3 issues on their Github page.
> >>>>
> >>>> regards
> >>>>
> >>>> Johanna
> >>>>
> >>>> On Thu, Nov 26, 2015 at 5:04 PM, Dinis Cruz <dinis.cruz at owasp.org>
> wrote:
> >>>>>
> >>>>> I think a key problem is the expectation that OWASP should ever be
> able to develop professional, best in class and 'secure' apps.
> >>>>>
> >>>>> These conversations always tend to be based on the idea that
> OWASP 'should not have a lot of projects' and 'only focus on a couple
> high-value/high-quality ones'. This never gains traction because that goes
> completely against the model and culture of OWASP projects.
> >>>>>
> >>>>> The reality is that really good and solid projects at OWASP are the
> exception and the outliers.
> >>>>>
> >>>>> What worries me is that we still have this idea that most OWASP
> projects should have a kind of amazing 'quality and reliability' (and
> everything else should be ditched/not-supported)
> >>>>>
> >>>>> That is just not going to happen (apart from a couple cases like Top
> 10, ZAP, Testing guide, ASVS, OSAMM, which should be seen as exceptions and
> outliers). The reality is that once a project gains a certain level of
> quality and momentum they kinda become self-sufficient and don't need THAT
> much from OWASP.
> >>>>>
> >>>>> My view is that OWASP projects should be seen as 'research projects'
> designed to push the research on Application Security a bit further. OWASP
> should be encouraging this research and promoting it!
> >>>>>
> >>>>> We should NOT encourage the idea that OWASP project's code should be
> used in production! Because frankly, OWASP and its community is not in a
> position to deliver on that promise.
> >>>>>
> >>>>> What I propose is that OWASP continues to support innovation on its
> projects (which are one of the key pillars of OWASP) and move away from the
> idea that OWASP projects should have the 'burden' to be 'production level'.
> >>>>>
> >>>>> In fact, we should encourage successful projects to fly away and
> move into their own space (website, funding, team).
> >>>>>
> >>>>> OWASP projects also need dedicated staff and resources so that the
> review and management workflows (of which I have personal experience in
> helping Paulo, Samantha and Johanna) have a chance to work.
> >>>>>
> >>>>> Just to be clear, what I'm proposing is:
> >>>>> Increase support for all OWASP projects
> >>>>> Keep pushing them to have more and more quality
> >>>>> Understand that ALL OWASP projects are really 'RESEARCH' projects
> >>>>> Promote the ideas that: 1) OWASP projects should NOT be used in
> production, 2) they are RESEARCH driven ideas and 3) that they represent a
> particular OWASP project leader's views or coding skills
> >>>>> Support the process of mapping the health of projects and providing
> metrics on the status of the projects
> >>>>> Promote the move of 'flagship' projects into their own home. Of course
> always with some connection to OWASP, but with a level of independence to
> make whatever 'security claims' they want
> >>>>> An OWASP Summit focused on OWASP Projects would be the best
> investment that OWASP can do in 2016
> >>>>>
> >>>>> Dinis
> >>>>>
> >>>>> On 26 November 2015 at 20:17, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> >>>>>>
> >>>>>> Simon>>
> >>>>>> If we do keep some projects (and I think we should;) then what
> purpose should they serve?
> >>>>>> Exactly, people start all kinds of projects without asking this
> question, but even more: Do I have time to pull this project through (or
> dedicate my weekends to it)? Is it useful for the community? Can I realise
> this project to completion?
> >>>>>>
> >>>>>> Tim>>It seems our biggest issue right now is with people trying to
> write code under the OWASP brand, but not following through and making the
> software high quality.
> >>>>>>
> >>>>>> The problem is across all projects, not only code based ones. Most
> incubator projects get abandoned after a year. Nothing wrong with tools
> that become stable like DirBuster or Joomla_scanner, which are still used in
> Kali Linux and later not maintained. So yes, I agree with you Tim that the
> type of project makes a huge difference.
> >>>>>>
> >>>>>> Jim>>We really need to rethink the whole OWASP project philosophy
> and seek better focus and direction. We're all over the place and our
> energy is very diluted and sometimes abused.
> >>>>>>
> >>>>>> Yes I feel I have been abused when the leader of a project like
> Benchmark pressured the Project task force team to become LAB, and then
> turned around to start a marketing campaign promoting an immature project
> as a mature one.
> >>>>>>
> >>>>>> What's next?
> >>>>>> We should keep the flagships, ditch all inactive projects and stop
> taking new projects because we do not have dedicated resources (nor the
> budget) to properly evaluate new projects. Not even the actual ones... How
> do you evaluate a security library like SeraphinDroid? You have to QA and
> test deeply... We are sec folks, we should know, we preach testing and
> security...
> >>>>>>
> >>>>>> Volunteer based reviews?
> >>>>>> That has been attempted so many times and has fallen hard. From the
> Global Initiative 2008 till Samantha's attempts for volunteer-based
> project reviewers, and even though she kept continuously looking she hardly
> got people to review. I feel it was unfair to expect from her that she should
> fix this 'project management issue'... and right now a queue of projects is
> awaiting review...
> >>>>>>
> >>>>>> The only time project reviews ever worked in my opinion (and not
> perfectly) was when we paid a dedicated tester (Marios) and I volunteered full
> time for 3 months to supervise the test and verify results and the activity
> of the projects with a full time employee (Kait-Disney) on the side to do
> reviews and clean up the inventory. FULL TIME JOB, 3 persons working for 3
> months including support from 1 volunteer (Jason Johnson) to setup a VM
> automated build Jenkins machine on the side... but this is not
> sustainable....
> >>>>>>
> >>>>>> So you want to start a project?
> >>>>>> Start it. Github is free as you need 0 money for this.
> >>>>>> Just do it and start it. Announce in the Global connector that
> 'Leader X' has started a project but hey, go and check it, let us know what
> you think....
> >>>>>>
> >>>>>> You want to present your project at an OWASP conference? Submit a
> research paper, just as happens with Blackhat. OWASP's own Arsenal... (like
> Blackhat Arsenal) and sponsor the selected speakers.
> >>>>>>
> >>>>>> You want to create documentation? Create it, then fill in the wiki
> page or fill it yourself.
> >>>>>>
> >>>>>> Create a loosely coupled relation between volunteers' efforts without
> the responsibility of a process you cannot manage.
> >>>>>>
> >>>>>> In the end who the hell is taking the responsibility? Don't place
> it on volunteers because it has been shown that it does not work. The Board?
> Well unfortunately they cannot either... they are also volunteers.
> >>>>>>
> >>>>>> regards
> >>>>>>
> >>>>>> Johanna
> >>>>>>
> >>>>>> On Thu, Nov 26, 2015 at 2:48 PM, Josh Sokol <josh.sokol at owasp.org>
> wrote:
> >>>>>>>
> >>>>>>> This is the reason why we raised the bar to get from incubator to
> lab and from lab to flagship.  Since the majority of those projects are
> incubator state, they should take up very little of our resources until
> they fulfill whatever our qualifications are to move them up and invest
> more in them.  That said, I think that a different strategy altogether on
> projects wouldn't be a bad idea.  While I like the general idea of people
> working on the projects that excite them, I also feel that we need to be
> more strategic about what we are working on.  We need to think more about
> the problems that we are trying to solve and try to allocate our limited
> volunteer resources to those.  It's definitely not the OWASP way, today,
> but it solves bigger problems by putting more people on them.  The starting
> point with this would be trying to figure out the skill sets across our
> volunteer base and figure out if there's a way to better leverage them to
> accomplish our mission.
> >>>>>>>
> >>>>>>> ~josh
> >>>>>>>
> >>>>>>> On Thu, Nov 26, 2015 at 11:02 AM, Tim <tim.morgan at owasp.org>
> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I'm all for reform of some sort, but it should be done carefully and I
> >>>>>>>> don't know of any obvious solution to the dilution problem. Whatever
> >>>>>>>> changes we make, let's make them conservative and targeted for now and
> >>>>>>>> see how it goes.
> >>>>>>>>
> >>>>>>>> Also, I think it is important to distinguish between software projects
> >>>>>>>> and non-software projects.  It seems our biggest issue right now is
> >>>>>>>> with people trying to write code under the OWASP brand, but not
> >>>>>>>> following through and making the software high quality.
> >>>>>>>>
> >>>>>>>> Consider for a moment the skillsets of most OWASP volunteers.  We tend
> >>>>>>>> to be security people.  It might make a lot of sense for us to write
> >>>>>>>> code for "breakers" types of projects, since only security people see
> >>>>>>>> the value in doing that and have the associated know-how.
> >>>>>>>>
> >>>>>>>> However, for "defenders" types of coding projects, does it really make
> >>>>>>>> sense to build yet more frameworks?  Sometimes this could work, but in
> >>>>>>>> most cases, how can we possibly compete with existing frameworks that
> >>>>>>>> have large numbers of volunteers and/or companies behind them?
> >>>>>>>>
> >>>>>>>> Better stop now before I start rambling, but those are my thoughts at
> >>>>>>>> the moment.
> >>>>>>>>
> >>>>>>>> tim
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
> >>>>>>>> > I think OWASP projects are critical to the foundation and I
> want to support new ideas that new projects bring.
> >>>>>>>> >
> >>>>>>>> > But I surrender. We really need to rethink the whole OWASP
> project philosophy and seek better focus and direction. We're all over the
> place and our energy is very diluted and sometimes abused.
> >>>>>>>> >
> >>>>>>>> > I have a lot of ideas, but frankly I'm not sure what the best
> direction is. But I am open to significant change.
> >>>>>>>> >
> >>>>>>>> > By the same token, we have some amazing flagship projects and I
> think it would be a tragedy if those went away.
> >>>>>>>> >
> >>>>>>>> > --
> >>>>>>>> > Jim Manico
> >>>>>>>> > Global Board Member
> >>>>>>>> > OWASP Foundation
> >>>>>>>> > https://www.owasp.org
> >>>>>>>> > Join me in Rome for AppSecEU 2016!
> >>>>>>>> >
> >>>>>>>> > > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com>
> wrote:
> >>>>>>>> > >
> >>>>>>>> > > I agree that this is a good time to rethink OWASP's project
> strategy.
> >>>>>>>> > > Creating and maintaining high quality open source projects
> takes a lot of time and effort, and can only be done in one's 'spare time'
> for a relatively short period.
> >>>>>>>> > > Successful projects need sponsorship and people who are able
> to dedicate a significant part of their working week to them.
> >>>>>>>> > > Abandoned or poorly maintained projects only damage OWASP's
> reputation.
> >>>>>>>> > >
> >>>>>>>> > > Should we effectively ditch all but the flagship projects?
> Only taking on new projects when they reach that level of quality?
> >>>>>>>> > > Would a tool that becomes successful in its own right _want_
> to be adopted by OWASP?
> >>>>>>>> > > Should OWASP ditch projects altogether?
> >>>>>>>> > > Or maybe just ditch all but the documentation projects?
> >>>>>>>> > > Maybe we should just recommend open source projects, a sort
> of 'OWASP approved' badge?
> >>>>>>>> > >
> >>>>>>>> > > If we do keep some projects (and I think we should;) then
> what purpose should they serve?
> >>>>>>>> > > Providing high quality tools that help make the internet more
> secure?
> >>>>>>>> > > Helping people learn about security?
> >>>>>>>> > > Driving awareness of OWASP? (How would people learn about
> OWASP if not via projects like the Top 10 and ZAP?)
> >>>>>>>> > > Provide tools and features that commercial companies are not
> currently providing (effectively, or for a reasonable price)?
> >>>>>>>> > > Interested to see what other people think.
> >>>>>>>> > >
> >>>>>>>> > > Cheers,
> >>>>>>>> > >
> >>>>>>>> > > Simon
> >>>>>>>> > >
> >>>>>>>> > >
> >>>>>>>> > >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> >>>>>>>> > >> Leaders and members of the board
> >>>>>>>> > >>
> >>>>>>>> > >> As a former member of the project review team, I have been
> observing the increasing issues related to projects.
> >>>>>>>> > >> Fact is, we do not have enough volunteers nor staff to
> support and watch the quality of projects, do reviews and have supervision
> over them.
> >>>>>>>> > >>
> >>>>>>>> > >> More than often, projects become dormant or inactive.
> >>>>>>>> > >> Recently the misuse of the OWASP brand has been an issue with
> projects like Benchmark and recent complaints of users from the PHPSEC
> project. But this is an ongoing issue.
> >>>>>>>> > >>
> >>>>>>>> > >> I think it is time that OWASP rethinks its strategy regarding
> projects
> >>>>>>>> > >>
> >>>>>>>> > >> Maybe instead of trying to offer a platform that is not
> sustainable, OWASP should adopt and sponsor projects that already have
> established a name on their own
> >>>>>>>> > >>
> >>>>>>>> > >> Nothing stops a dedicated individual from starting an open source
> project on his own. In the past when OWASP was a small organization run by
> dedicated volunteers, it worked for these couple of projects, but right now
> it is out of hand. Take a look at how many active projects are actually being
> maintained.
> >>>>>>>> > >>
> >>>>>>>> > >> Maintaining a project takes a lot of dedication and this is
> what people need to realize when starting an open source project
> >>>>>>>> > >>
> >>>>>>>> > >> What I see quite often is people wanting to misuse the OWASP
> brand instead of being willing to pull a project
> >>>>>>>> > >> That is the major reason I quit reviewing, together with the
> fact that we do not have feasible resources to produce projects that are
> sustainable in the long term.
> >>>>>>>> > >>
> >>>>>>>> > >> I'm also cancelling the proposal with regard to the bounty
> source program. Reality is that without dedicated efforts and resources,
> it won't be sustainable.
> >>>>>>>> > >>
> >>>>>>>> > >> Regards
> >>>>>>>> > >>
> >>>>>>>> > >> Johanna
> >>>>>>>> > >>
> >>>>>>>> > >>
> >>>>>>>> > >>
> >>>>>>>> > >> _______________________________________________
> >>>>>>>> > >> Owasp-board mailing list
> >>>>>>>> > >> Owasp-board at lists.owasp.org
> >>>>>>>> > >> https://lists.owasp.org/mailman/listinfo/owasp-board
> >>>>>>>> > >
> >>>>>>>> > >
> >>>>>>>> > >
> >>>>>>>> > > --
> >>>>>>>> > > OWASP ZAP Project leader
> >>>>>>>> > _______________________________________________
> >>>>>>>> > OWASP-Leaders mailing list
> >>>>>>>> > OWASP-Leaders at lists.owasp.org
> >>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>>
> >>>>
> >>>
> >>
> >
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader