[Owasp-leaders] Shall we fix projects together?

Andy Lewis alewis at owasp.org
Fri Dec 18 13:23:59 UTC 2015

No amount of talk about process is going to incent a talented individual to
work hard (or form a hard-working team) to yield a project.  Reduce the red
tape.  Make it brain-dead simple, and make it worthwhile.


1. Establish a best project of the year contest.
2. Make the rules very simple.
 - Open license
 - written securely (or at least in conformance w/the OWASP Top 10)
 - $25k (US) to the winner, $10k to runner-up, $5k to 3rd-place
 - $1k/month to entrants, random, so that everyone who writes a single line
of code towards a project knows that they've got a shot at a payoff that
month (and the accompanying publicity)
3. Publicize like crazy - partner w/SANS, Gartner, and whoever else has an
enormous voice in the security marketplace

I am not a talented coder.  I have employed several talented coders (and
project managers).  People deliver innovation in return for 1)
compensation, 2) recognition/applause, or 3) unbridled curiosity in
conjunction w/the promise of 1) or 2).  When managing a Dev team, one of my
biggest responsibilities is to REDUCE red-tape and LET CODERS CODE.
I was also responsible for ensuring that *secure* coding practices were
recognized and rewarded.
My 2 cents.

PS looking for speakers for SnowFROC 2016, regional AppSec con in Denver,
CO on Thursday 18 Feb.  Please email me directly if interested.  No $$ but
plenty of recognition :-)

On Thu, Dec 17, 2015 at 8:01 PM, Andrew van der Stock <vanderaj at owasp.org>

> Timo,
> I think it's unfair and highly inaccurate to say the board is only
> concerned about quantity. If you listen to our Board meetings this year,
> particularly December's meeting, you'll note that we talked about the
> review process several times. In all cases, we were explicitly concerned
> about:
> Is the process working? (not really, not enough folks volunteered, despite
> the project volunteers and our Foundation staff working on new processes to
> automate much of the project review process). This is the focus of Tom's
> efforts to talk about various councils and so on, but we haven't voted on
> them to be founded as yet. I will look forward to more people doing meta
> work on projects, but this hasn't been the case for a long time.
> Is the quality of some projects insufficient? We've had a lot of
> discussions about one project in particular, but we've supported Johanna's
> relegation of many previous flagship projects to incubator status
> (devguide, etc), and inactive projects (e.g. ESAPI).
> What do we do to encourage projects? There was serious discussion about
> OWASP as a project house. We want projects to be under our umbrella, and
> not splatted all over the Internet. If you do a search for OWASP, you'll
> notice projects take up the first 80% of all results. We are rightly famous
> for projects. What can we do better to support them? Although reviews are
> important, we also need folks to work on them, and to feel like OWASP is a
> great place to do projects.
> We need folks who are interested in projects to take part, not only in
> their project, but in the meta-project tasks, such as project initiation
> approvals, and project reviews. We have a full time staff member who is
> responsible for this, as well as passionate volunteers. If you want your
> project to be up there as Flagship status, project leaders should help out
> these folks from time to time.
> It's neither possible nor desirable for the Board to be involved in every
> project decision. We help govern the process, not the doing of the process.
> In general, at OWASP, meritocracy rules - do first, and ask later. If
> anything, we should make it easier for projects to do their thing, not add
> more red tape and endless discussion.
> We need folks to be helpful in getting project governance sorted out, as
> well as indicating which projects would like volunteers or need more help.
> Most projects have fewer than 5 active participants, which can be a strain
> on them getting stuff done. If there's a way we can help projects succeed,
> please let us know. Come along to Tom's meeting on Projects and make
> suggestions. We're all ears.
> thanks
> Andrew
> On Fri, Dec 18, 2015 at 9:22 AM, Liam Smit <liam.smit at gmail.com> wrote:
>> Hi Timo
>> As we discussed at the B-Sides Cape Town conference, a simple minimum
>> requirement for different types of projects may help a lot.
>> E.g. a documentation project needs to have at least some documentation
>> (RFC, outline, draft, etc) before it can be considered a project.
>> Similarly a software project would need some code (prototype, proof of
>> concept, etc) to qualify as a project.
>> If it's only an idea or a concept then it's pre-project. The way to
>> turn that into a project is to then write some code or documentation.
>> If there has been no update to a project for a year then it is stale,
>> assuming that something workable / usable exists, because if nothing
>> exists after a year then it's unlikely to ever exist. It should be
>> possible to automate the generation of a report of such stale projects,
>> which could then be reviewed and either be resuscitated, removed /
>> archived or put in limbo status (pending further review).
>> Regards,
>> On Thu, Dec 17, 2015 at 9:43 AM, Timo Goosen <timo.goosen at owasp.org>
>> wrote:
>> > There needs to be a greater focus on quality in projects. At the moment
>> > the board only cares about quantity and not about quality.
>> > Also we need incentive to attract good mature security related to become
>> > associated with OWASP.
>> >
>> > Also we need to get rid of outdated and unmaintained projects.
>> >
>> > Johanna and I tried to also make a minimum requirement for starting
>> > projects, but there still seems to be a trend of starting empty projects.
>> >
>> >
>> > I suggest the board members need to start doing project reviews, so that
>> > they have a good idea of the quality and quantity of projects at the moment.
>> >
>> >
>> >
>> > Regards.
>> > Timo
>> >
>> >
>> > On Wed, Dec 16, 2015 at 6:51 PM, Tom Brennan - OWASP <tomb at owasp.org>
>> wrote:
>> >>
>> >> What are your thoughts?
>> >>
>> >> http://lists.owasp.org/pipermail/owasp-board/2015-December/016835.html
>> >>
>> >>
>> >> Tom Brennan
>> >> Global Board of Directors
>> >> NYC/NJ Metro Chapter Leader
>> >> 973-506-9304
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders