[Owasp-leaders] (please add this item to the next OWASP Board meeting) Re: Request for OWASP board to approve 100K for a project Summit in 2016

Dinis Cruz dinis.cruz at owasp.org
Fri Dec 4 01:08:09 UTC 2015

Bumping this thread, since I believe not much has happened since.

I would like to request again for *"OWASP board to approve 100K for a
project Summit in 2016. And then ask for a team or OWASP leaders to lead
that effort"*

I know that Paul (as part of the thread below) prefers that *"Step 1 is for
the community to create the proposal, timeline & value proposition that can
be presented to the Board for approval."*

But having led the organisation of two Summits before (with an amazing
team), my view is that we first need that 100k commitment.

OWASP can afford this 100k, and if we really care about our projects, a
dedicated "OWASP Projects summit" is not just important, it could be vital
for the future of OWASP.

Think about the amazingness of having the main OWASP project leaders and
their users in one place for one week (of course this would also include
other OWASP Leaders, like the ones that run our chapters and conferences).

Especially since we now have projects that are big enough to create their
own working tracks (and even villas/villages :): ZAP, Top 10, Testing
Guide, ASVS, Dependency Checker, Cheatsheets, OWTF, OSAMM, AppSensor,
ModSecurity Ruleset, etc...

VERY IMPORTANT: This OWASP Project Summit would also be the place where we
could reclassify the OWASP Project status, since it will be the perfect
opportunity to review/map properly our projects. Realistically, it will
take the kind of energy and resources only made possible in a DEDICATED
OWASP summit to really make a dent in our current OWASP Projects situation.

In fact, even if the main thing we would get from that Summit would be a
massive cleanup and realignment of our OWASP Projects, THAT would be a
massive success story, and worth every penny of it :)

That said, I think we can do much more than that at such a summit, since it
would be the biggest concentration of AppSec knowledge in 2016 (focused on
working on AppSec, vs participating in a conference). But it's good to
start the Summit planning with a focused target.

(see links below to multiple blog posts I have written about OWASP
summits, and how important they are for OWASP)


On 30 June 2015 at 22:28, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Hi Johanna, I stand by my original request (which you quoted):
> *"Request for OWASP board to approve 100K for a project Summit in
> 2016. And then ask for a team or OWASP leaders to lead that effort"*
> I think that is the correct sequence of events to create another Summit
> like the two we had in Portugal in 2008 and 2011.
> For the ones that were not there, you can read more details about those two
> Summits at https://www.owasp.org/index.php/Summit_2011 and
> https://www.owasp.org/index.php/OWASP_EU_Summit_2008 . For the 2011 event
> Sarah Baso created this detailed report
> <http://sl.owasp.org/summit2011_finalreport> which contains a lot of what
> we achieved and the thinking behind how it was organised and structured.
> I have also written extensively about my ideas about OWASP Summits, which
> you can find at "On the current OWASP Project Summit efforts (in Feb 2015)"
> <http://blog.diniscruz.com/2015/02/on-current-owasp-project-summit-efforts.html>. That
> post contains links to other posts, but here are the main 'Summit related ones':
>    - Summits must be part of OWASP's DNA
>    <http://blog.diniscruz.com/2012/04/summits-must-be-part-of-owasps-dna.html>
>    - Great description of why OWASP Summits are special
>    <http://blog.diniscruz.com/2012/04/great-description-of-why-owasp-summits.html>
>    - I want to vote for a Summit Team+Vision, NOT for a venue
>    <http://blog.diniscruz.com/2012/04/i-want-to-vote-for-summit-teamvision.html>
>    - Some proposed Visions for next OWASP Summit
>    <http://blog.diniscruz.com/2012/04/some-proposed-visions-for-next-owasp.html>
> Dinis
> On 30 June 2015 at 18:31, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>> Hi Paul & leaders
>> I would like to clarify something from this thread and then we will move
>> soon to another.
>> This email chain was started from Dinis as
>> "Request for OWASP board to approve 100K for a project Summit in 2016. And
>> then ask for a team or OWASP leaders to lead that effort. Josh and
>> Andrew can provide more details on the context of this request"
>> From this email came all sorts of reactions, but Dinis does not seem to be the
>> person who wants to lead this initiative (otherwise Dinis, correct me if
>> I'm wrong and please take the lead).
>> Based on the reactions from this chain some people suggested:
>>    - Have a big summit and spend 100K
>>    - OR Have small summits in different regions and more often
>>    - OR Have summits like OPENSAMM did with user day and sponsors
>>    - Have a summit in NYC
>>    - Create a committee to decide this
>> At this moment I have no idea what we should do based on these reactions.
>> The only thing that is clear to me is that we will set up a Summit Committee
>> (Eoin, Tom, Claudia as support staff, me - if you want to join, please,
>> react).
>> From there we move on.
>> So far my conclusion is that the original idea of having a 100K summit
>> has not been decided or taken under the wing by any specific leader.
>> Regards
>> Johanna
>> On Tue, Jun 30, 2015 at 12:37 PM, Paul Ritchie <paul.ritchie at owasp.org>
>> wrote:
>>> Hi Tom, all:
>>> Back in the middle of this thread of 30 emails, I already volunteered
>>> and inserted Claudia into the mix, and she WILL be very actively working
>>> with the Community team on this.
>>> But, let's be clear - This is a community driven request for $100K to
>>> the Board to propose a fairly significant Project Summit. Step 1 is for
>>> the community to create the proposal, timeline & value proposition that can
>>> be presented to the Board for approval.
>>> Then, once approved, her role as 'coordinator' will be to assist and
>>> partner with the 'Project Summit Planning Team' on any and all tasks
>>> required to initiate and complete a successful Project Summit 'with the
>>> planning team'.
>>> To clear up expectations, her role was defined as a 'Coordinator' rather
>>> than a Project manager, so that means that she will be leading some
>>> programs, but major programs like a $100K Project Summit will be led by a
>>> Community driven planning team.
>>> I suggest it's time to move this email thread into a teleconference and
>>> working session on building a proposal.
>>> @Claudia & Johanna - can the 2 of you coordinate your schedules and
>>> propose/schedule a teleconference meeting date?
>>> Goal = ID the people willing to do some 'hands on' work to build the
>>> proposal, and plus volunteer on the planning & implementation team.
>>> Thanks, Paul
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>> On Tue, Jun 30, 2015 at 4:06 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Right on, Tom
>>>> I think that Claudia's key role as Project coordinator is to support
>>>> and manage requests for project funding and activities related to projects
>>>> On Tuesday, June 30, 2015, Tom Brennan <tomb at owasp.org> wrote:
>>>>> Isn't this the focus of Claudia?
>>>>> We should back up and wait for her observations and recommendations.
>>>>> I am looking forward to the first public meeting with her and a podcast
>>>>> with her actually.
>>>>> On Monday, June 29, 2015, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>> Would love to provide my P.O.V. about this discussion ;-)
>>>>>> 2 years ago, there was a free pass to start projects, anyone could
>>>>>> start an EMPTY project and make use of funds.
>>>>>> The result of this action:
>>>>>> After 2 years, 90+ were empty (2 or 3 years without a single
>>>>>> deliverable) from an inventory of 150 (totally empty) and the OWASP
>>>>>> inventory was a shell of empty wiki pages. It took us 6 months to clean up
>>>>>> all this, and people misusing the OWASP brand for projects that were
>>>>>> empty. We had cases where some leaders were even saying they were members of
>>>>>> the board!
>>>>>> We cannot trust blindly everyone to spend money (or even start empty
>>>>>> projects) without at least explaining what it is for. This works with a
>>>>>> small group of projects but not for +100 projects.
>>>>>> I do agree that the situation of 'budget allocation' chapters vs.
>>>>>> projects is an issue, but that it is so difficult to spend money is not.
>>>>>> I have a full time job and get the time to write a small explanation
>>>>>> to get funds for an initiative and how and under which conditions. OWASP does
>>>>>> not ask for an entire report to do this. Just a small explanation. The bigger
>>>>>> the budget, of course you need to explain more the purpose of
>>>>>> @ Dinis I do respect your pov but definitely we cannot allow this
>>>>>> kind of free for all. It has been shown that people already abused
>>>>>> this free pass and now with more than +100 projects, we need regulations.
>>>>>> It didn't cost you much to write an email explaining in a sentence what it
>>>>>> was for.
>>>>>> The issue: if you do not explain what it is for, everyone then wants
>>>>>> the same and it becomes chaotic.
>>>>>> Regards
>>>>>> Johanna
>>>>>> On Mon, Jun 29, 2015 at 2:44 PM, Mark Miller <mark.miller at owasp.org>
>>>>>> wrote:
>>>>>>> The full interview with Josh, Andrew and Dinis is now available as
>>>>>>> an OWASP 24/7 Podcast: OWASP Project Funding
>>>>>>> <http://www.sonatype.org/nexus/2015/06/29/owasp-project-funding-w-josh-sokol-dinis-cruz-and-andrew-van-der-stock/>
>>>>>>> w/ Josh Sokol, Dinis Cruz and Andrew van der Stock. I hope you find it
>>>>>>> helpful to further this discussion. -- Mark
>>>>>>> On Mon, Jun 29, 2015 at 1:35 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>> >Unsure how to govern this but setting up an empty wiki and not
>>>>>>>> having any activity for a time after is not a project? Unsure we should
>>>>>>>> fund such empty vessels :)
>>>>>>>> No empty vessel, no empty wikis is the motto and has been after the
>>>>>>>> latest big clean up since 2 years ago. After so many so-called 'projects' that
>>>>>>>> were empty (more than 90), we have set as a rule that a project must
>>>>>>>> deliver something based on their road-map, based on the time line provided
>>>>>>>> by its road-map. We evaluate the project based on the criteria we published
>>>>>>>> 2 years ago and communicate with the project leader. There is no purpose
>>>>>>>> or advantage to have an empty wiki or poor content when potential OWASP
>>>>>>>> users look at your project. We try to focus on a minimum quality because
>>>>>>>> this goes along with OWASP reputation.
>>>>>>>> @Mike:
>>>>>>>> All projects, including incubators, have the opportunity to go. Last
>>>>>>>> Summit KBA-PMP applied to assist the summit @EU, which is an incubator and
>>>>>>>> they were there, but KBA has been working on its deliverable and are quite
>>>>>>>> active with meetings and research.
>>>>>>>> I do not recall you sent me an agenda.
>>>>>>>> Keep in mind that the Summit is about sharing with other leaders
>>>>>>>> but is more about getting things done for your own project. So the question
>>>>>>>> is : What do you want to achieve during those 2 days, what are your targets
>>>>>>>> and what is your purpose and goals for assisting?
>>>>>>>> ZAP will not be at this summit (and btw Simon was fully
>>>>>>>> sponsored by his employer, as there are others such as AppSensor).
>>>>>>>> You want to participate just like anyone:
>>>>>>>>    - Create an agenda, send it to me
>>>>>>>>    - I publish it on the Task force mailing list, we evaluate the
>>>>>>>>    project. I know that already Timo did a quick review.
>>>>>>>>    - Describe what you want to get done during this period
>>>>>>>>    - We evaluate your project to see how far you are regarding the
>>>>>>>>    road-map and maturity level
>>>>>>>>    - We evaluate your proposal and based on this you get the
>>>>>>>>    opportunity
>>>>>>>> Budget is tight so first come first served based on the agenda and
>>>>>>>> deliverable. Your project is quite new (June 2, 2015). So please bear with
>>>>>>>> us also that the summit budget allocation is based on how much a project
>>>>>>>> has delivered.
>>>>>>>> If you have questions, please let us know
>>>>>>>> regards
>>>>>>>> Johanna
>>>>>>>> On Mon, Jun 29, 2015 at 12:54 PM, Eoin Keary <eoin.keary at owasp.org>
>>>>>>>> wrote:
>>>>>>>>> Unsure how to govern this but setting up an empty wiki and not
>>>>>>>>> having any activity for a time after is not a project? Unsure we should
>>>>>>>>> fund such empty vessels :)
>>>>>>>>> Eoin Keary
>>>>>>>>> OWASP Volunteer
>>>>>>>>> @eoinkeary
>>>>>>>>> On 29 Jun 2015, at 18:41, Mike Goodwin <mike.goodwin at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>> Hello all,
>>>>>>>>> I agree that we want to encourage activity and forward progress on
>>>>>>>>> projects, but does that mean that a summit should only be for established
>>>>>>>>> projects that have delivered already? I am just in the process of starting
>>>>>>>>> a new OWASP project - I'm waiting anxiously for its approval by the Project
>>>>>>>>> Task Force. I'm the sole contributor at the moment,  but I am active on it,
>>>>>>>>> it has regular code checkins and there is a working prototype that is
>>>>>>>>> moving forward with a clear goal (it is
>>>>>>>>> https://www.owasp.org/index.php/OWASP_Threat_Dragon for anyone
>>>>>>>>> that wants to take a look).
>>>>>>>>> I would benefit a lot from the experience of other project leaders
>>>>>>>>> both directly in terms of their opinion on the project and indirectly in
>>>>>>>>> terms of how to promote a project and build its visibility and eventually
>>>>>>>>> its user base. I'd love it to be the next ZAP! The time I need that support
>>>>>>>>> most is now, at the start of the project, rather than once it's already
>>>>>>>>> succeeded. Or maybe to put it another way, I need a different type of
>>>>>>>>> support as the leader of an incubator compared to the leaders of flagship
>>>>>>>>> projects.
>>>>>>>>> I appreciate that this is a tricky issue. Many organisations and
>>>>>>>>> businesses suffer from the inability to end projects that have no chance of
>>>>>>>>> furthering their mission. Given that our projects are volunteer-led, this
>>>>>>>>> will be even more difficult for us. However, the best companies are the
>>>>>>>>> ones that can judge where to focus their efforts, keeping a balanced
>>>>>>>>> portfolio of established products alongside early stage ones. This is an
>>>>>>>>> extension in some ways of the "risk taking in NFPs" discussion that
>>>>>>>>> Dinis Cruz raised.
>>>>>>>>> I'm not sure what the answer is, but I'm pretty sure that I could
>>>>>>>>> benefit from the experience of meeting and talking with people who have
>>>>>>>>> already turned incubator projects into flagship ones.
>>>>>>>>> Thoughts and comments welcome!
>>>>>>>>> Mike
>>>>>>>>> On 28 June 2015 at 19:33, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>> 100K can allow us to involve more projects but I believe in
>>>>>>>>>> regulations.
>>>>>>>>>> After having reviewed so many projects, there are many people that
>>>>>>>>>> were starting a project with no content and after a year or 2, an empty
>>>>>>>>>> wiki page was hanging with the title 'project', but there was no project
>>>>>>>>>> content to be found.
>>>>>>>>>> I don't think we want to sponsor this kind of behaviour.
>>>>>>>>>> We want to sponsor and support those projects that are working
>>>>>>>>>> hard to get things done. Recession period is not the point here. It's about
>>>>>>>>>> starting a project in a wiki page that never comes with a deliverable. But
>>>>>>>>>> let's also consider that if a project has been inactive for more than 3
>>>>>>>>>> years and suddenly a project leader wants to 'revive the project', the
>>>>>>>>>> summit should not be used as a kind of paid vacation and 'by the way'
>>>>>>>>>> participate in the summit.
>>>>>>>>>> That's why we need some kind of rules for participation and
>>>>>>>>>> regulation to avoid abuses.
>>>>>>>>>> I think we need to make clear that anyone that wants to make use
>>>>>>>>>> of funds for summits has to produce a clear deliverable that contributes
>>>>>>>>>> to their project. That's why now, our rules for starting projects must have
>>>>>>>>>> some deliverables, but even so, there are still many projects that produce
>>>>>>>>>> very little and are called projects. Like once Josh said, we should not
>>>>>>>>>> confuse concepts or ideas and call them projects.
>>>>>>>>>> I also like the idea of small events based on different regions
>>>>>>>>>> that are more accessible for project leaders in different regions and time
>>>>>>>>>> zones.
>>>>>>>>>> On Sun, Jun 28, 2015 at 2:16 PM, Eoin Keary <eoin.keary at owasp.org
>>>>>>>>>> > wrote:
>>>>>>>>>>> Spot on Tobias.
>>>>>>>>>>> A breakdown of the 100k would be a first step. Do we need 100k
>>>>>>>>>>> or more/less?
>>>>>>>>>>> I'm happy to help with this given my decent track record with
>>>>>>>>>>> flagship projects.
>>>>>>>>>>> I'd still suggest having more than 1 summit and having them more
>>>>>>>>>>> frequently globally, as projects may need a summit event at different times -
>>>>>>>>>>> more frequent and smaller events.
>>>>>>>>>>> Eoin Keary
>>>>>>>>>>> OWASP Volunteer
>>>>>>>>>>> @eoinkeary
>>>>>>>>>>> On 28 Jun 2015, at 21:00, Tobias <tobias.gondrom at owasp.org>
>>>>>>>>>>> wrote:
>>>>>>>>>>> I agree. And big thanks to all the interest and voluntary
>>>>>>>>>>> announced contributions.
>>>>>>>>>>> It will be great to see all this come to fruition.
>>>>>>>>>>> And I believe it will also be good to see some basic plan for
>>>>>>>>>>> this to see how much money we would like to spend and how. Some more details down
>>>>>>>>>>> the road will also help motivate chapters and sponsors even more.
>>>>>>>>>>> Best regards, Tobias
>>>>>>>>>>> Ps.: Small addition: if people feel that a committee is too
>>>>>>>>>>> complicated, we could also handle this as an "initiative". Whatever works
>>>>>>>>>>> best for the team.
>>>>>>>>>>> On 28/06/15 19:35, Josh Sokol wrote:
>>>>>>>>>>> It's great to see a discussion already happening around this.
>>>>>>>>>>> For context, this was something that Dinis, Andrew, Mark, and I talked
>>>>>>>>>>> about on the OWASP Podcast that we recorded last Friday.  It was an
>>>>>>>>>>> "initiative" that Dinis suggested as a way to encourage Chapters and
>>>>>>>>>>> Projects to donate some of their "ring-fenced" account money and further
>>>>>>>>>>> the OWASP mission.  With Tom already offering a $10k donation from the
>>>>>>>>>>> OWASP NJ Chapter, it looks like we could pretty easily raise the $100k that
>>>>>>>>>>> Dinis suggests and then some.  I believe that the Board would be in full
>>>>>>>>>>> support of this initiative.  What I would propose is that those interested
>>>>>>>>>>> should establish a new "OWASP Project Summit Committee" under the new
>>>>>>>>>>> Committees 2.0 model (
>>>>>>>>>>> http://owasp.blogspot.com/2014/07/owasp-committees-20.html).
>>>>>>>>>>> The first step in this process is for a community member to propose the new
>>>>>>>>>>> committee here on the Leaders List stating their rationale and desired
>>>>>>>>>>> scope for creating a new committee.  Basically, we need someone to step up
>>>>>>>>>>> to lead the initial effort of scoping what this committee will be
>>>>>>>>>>> responsible for doing.  Once we have that, the Board will determine if
>>>>>>>>>>> there is an existing conflict (I doubt it) and then will initiate a public
>>>>>>>>>>> call for people interested in membership.  By creating a committee for this
>>>>>>>>>>> initiative, we are empowering those committee members to take action as
>>>>>>>>>>> defined in the scope and spend money as allocated by the budget.  Is there
>>>>>>>>>>> someone who would like to take lead on forming the committee?
>>>>>>>>>>> ~josh
>>>>>>>>>>> On Fri, Jun 26, 2015 at 5:06 PM, Dinis Cruz <
>>>>>>>>>>> dinis.cruz at owasp.org> wrote:
>>>>>>>>>>>> And then ask for a team or OWASP leaders to lead that effort.
>>>>>>>>>>>> Josh and Andrew can provide more details on the context of this
>>>>>>>>>>>> request
>>>>>>>>>>>> Dinis
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>> --
>>>>>>> *Mark Miller, Senior Storyteller*
>>>>>>> *Curator and Founder, Trusted Software Alliance*
>>>>>>> *Host and Executive Producer, OWASP 24/7 Podcast ChannelCommunity
>>>>>>> Advocate, Sonatype*
>>>>>>> *Developers and Application Security: Who is Responsible?*
>>>>>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>>>> --
>>>>> Tom Brennan
>>>>> 973-202-0122