[Owasp-leaders] (Proposed strategy) Re: Rethinking strategy regarding projects

Dinis Cruz dinis.cruz at owasp.org
Thu Nov 26 21:04:29 UTC 2015


I think a key problem is the expectation that OWASP should ever be able to
develop professional, best in class and 'secure' apps.

These conversations always tend to be based on the idea that OWASP
'should not have a lot of projects' and 'only focus on a couple of
high-value/high-quality ones'. This never gains traction because that goes
completely against the model and culture of OWASP projects.

The reality is that really good and solid projects at OWASP are the exception
and the outliers.

What worries me is that we still have this idea that most OWASP projects
should have a kind of amazing 'quality and reliability' (and everything
else should be ditched/not-supported).

That is just not going to happen (apart from a couple of cases like Top 10,
ZAP, Testing Guide, ASVS, OSAMM, which should be seen as exceptions and
outliers). The reality is that once a project gains a certain level of
quality and momentum they kinda become self-sufficient and don't need THAT
much from OWASP.

*My view is that OWASP projects should be seen as 'research projects'* designed
to push the research on Application Security a bit further. OWASP should be
encouraging this research and promoting it!

*We should NOT encourage the idea that OWASP project's code should be used
in production!* Because frankly, OWASP and its community is not in a
position to deliver on that promise.

What I propose is that OWASP continues to support innovation on its
projects (which are one of the key pillars of OWASP) and move away from the
idea that OWASP projects should have the 'burden' to be 'production level'.

In fact, we should encourage successful projects to fly away and move into
their own space (website, funding, team).

OWASP projects also need dedicated staff and resources so that the review
and management workflows (of which I have personal experience in helping
Paulo, Samantha and Johanna) have a chance to work.

Just to be clear, what I'm proposing is:

   - Increase support for all OWASP projects
   - Keep pushing them to have more and more quality
   - Understand that ALL OWASP projects are really 'RESEARCH' projects
   - Promote the ideas that: 1) OWASP projects should NOT be used in
   production, 2) they are RESEARCH driven ideas and 3) that they represent a
   particular OWASP project leader's views or coding skills
   - Support the process of mapping the health of projects and providing
   metrics on the status of the projects
   - Promote the move of 'flagship' projects into their own home. Of course
   always with some connection to OWASP, but with a level of independence to
   make whatever 'security claims' they want
   - An OWASP Summit focused on OWASP Projects would be the best investment
   that OWASP can make in 2016


Dinis

On 26 November 2015 at 20:17, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> *Simon>>*
> *If we do keep some projects (and I think we should;) then what purpose
> should they serve?*
> Exactly, people start all kinds of projects without asking this question,
> but even more: Do I have time to pull this project through (or dedicate
> my weekends to it)? Is it useful for the community? Can I realise this
> project to completion?
>
> *Tim>>It seems our biggest issue right now is with people trying to write
> code under the OWASP brand, but not following through and making the
> software high quality.*
>
> The problem is across all projects, not only code based ones. Most incubator
> projects get abandoned after a year. Nothing wrong with tools that become
> stable like DirBuster or Joomla_scanner, which are still used in Kali Linux
> and later not maintained. So yes, I agree with you Tim that the type of
> project makes a huge difference.
>
> *Jim>>We really need to rethink the whole OWASP project philosophy and
> seek better focus and direction. We're all over the place and our energy is
> very diluted and sometimes abused.*
>
> Yes I feel I have been abused when the leader of a project like Benchmark
> pressured the Project task force team to become LAB, and then turned around
> to start a marketing campaign promoting an immature project as a mature one.
>
> *What's next?*
> We should keep the flagships, ditch all inactive projects and stop taking
> new projects because we do not have dedicated resources (nor the budget) to
> evaluate new projects properly. Not even the actual ones... How do you
> evaluate a security library like SeraphinDroid? You have to QA and test
> deeply... We are sec folks, we should know, we preach testing and security...
>
> *Volunteer based reviews?*
> That has been attempted so many times and has fallen hard. From the Global
> Initiative 2008 till Samantha's attempts for volunteer based project
> reviewers, and even though she kept continuously looking she hardly got
> people to review. I feel it was unfair to expect from her that she should
> fix this 'project management issue'... and right now there is a queue of
> projects awaiting review...
>
> The only time project reviews ever worked in my opinion (and not perfectly)
> was when we paid a dedicated tester (Marios) and I volunteered full time for
> 3 months to supervise the tests and verify results and the activity of the
> projects, with a full time employee (Kait Disney) on the side to do reviews
> and clean up the inventory. FULL TIME JOB, 3 persons working for 3 months,
> including support from 1 volunteer (Jason Johnson) to set up a VM automated
> Jenkins build machine on the side... but this is not sustainable....
>
> *So you want to start a project?*
> Start it. GitHub is free, so you need 0 money for this.
> Just do it and start it. Announce in the Global Connector that 'Leader X'
> has started a project but hey, go and check it, let us know what you
> think....
>
> You want to present your project at an OWASP conference? Submit a research
> paper, just as happens with Blackhat. OWASP's own Arsenal.... (like Blackhat
> Arsenal) and sponsor the selected speakers.
>
> You want to create documentation? Create it, then fill in the wiki page
> or fill it in yourself.
>
> Create a loosely coupled relation between volunteers' efforts without the
> responsibility of a process you cannot manage.
>
> In the end who the hell is taking the responsibility? Don't place it on
> volunteers because it has been shown that it does not work. The Board? Well,
> unfortunately they cannot either... they are also volunteers.
>
> regards
>
> Johanna
>
> On Thu, Nov 26, 2015 at 2:48 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> This is the reason why we raised the bar to get from incubator to lab and
>> from lab to flagship.  Since the majority of those projects are incubator
>> state, they should take up very little of our resources until they fulfill
>> whatever our qualifications are to move them up and invest more in them.
>> That said, I think that a different strategy altogether on projects
>> wouldn't be a bad idea.  While I like the general idea of people working on
>> the projects that excite them, I also feel that we need to be more
>> strategic about what we are working on.  We need to think more about the
>> problems that we are trying to solve and try to allocate our limited
>> volunteer resources to those.  It's definitely not the OWASP way, today,
>> but it solves bigger problems by putting more people on them.  The starting
>> point with this would be trying to figure out the skill sets across our
>> volunteer base and figure out if there's a way to better leverage them to
>> accomplish our mission.
>>
>> ~josh
>>
>> On Thu, Nov 26, 2015 at 11:02 AM, Tim <tim.morgan at owasp.org> wrote:
>>
>>>
>>> I'm all for reform of some sort, but it should be done carefully and I
>>> don't know of any obvious solution to the dilution problem.  Whatever
>>> changes we make, let's make them conservative and targeted for now and
>>> see how it goes.
>>>
>>> Also, I think it is important to distinguish between software projects
>>> and non-software projects.  It seems our biggest issue right now is
>>> with people trying to write code under the OWASP brand, but not
>>> following through and making the software high quality.
>>>
>>> Consider for a moment the skillsets of most OWASP volunteers.  We tend
>>> to be security people.  It might make a lot of sense for us to write
>>> code for "breakers" types of projects, since only security people see
>>> the value in doing that and have the associated know-how.
>>>
>>> However, for "defenders" types of coding projects, does it really make
>>> sense to build yet more frameworks?  Sometimes this could work, but in
>>> most cases, how can we possibly compete with existing frameworks that
>>> have large numbers of volunteers and/or companies behind them?
>>>
>>>
>>> Better stop now before I start rambling, but those are my thoughts at
>>> the moment.
>>>
>>> tim
>>>
>>>
>>> On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
>>> > I think OWASP projects are critical to the foundation and I want to
>>> support new ideas that new projects bring.
>>> >
>>> > But I surrender. We really need to rethink the whole OWASP project
>>> philosophy and seek better focus and direction. We're all over the place
>>> and our energy is very diluted and sometimes abused.
>>> >
>>> > I have a lot of ideas, but frankly I'm not sure what the best
>>> direction is. But I am open to significant change.
>>> >
>>> > By the same token, we have some amazing flagship projects and I think
>>> it would be a tragedy if those went away.
>>> >
>>> > --
>>> > Jim Manico
>>> > Global Board Member
>>> > OWASP Foundation
>>> > https://www.owasp.org
>>> > Join me in Rome for AppSecEU 2016!
>>> >
>>> > > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com> wrote:
>>> > >
>>> > > I agree that this is a good time to rethink OWASP's project strategy.
>>> > > Creating and maintaining high quality open source projects takes a
>>> lot of time and effort, and can only be done in one's 'spare time' for a
>>> relatively short period.
>>> > > Successful projects need sponsorship and people who are able to
>>> dedicate a significant part of their working week to them.
>>> > > Abandoned or poorly maintained projects only damage OWASP's
>>> reputation.
>>> > >
>>> > > Should we effectively ditch all but the flagship projects? Only
>>> taking on new projects when they reach that level of quality?
>>> > > Would a tool that becomes successful in its own right _want_ to be
>>> adopted by OWASP?
>>> > > Should OWASP ditch projects altogether?
>>> > > Or maybe just ditch all but the documentation projects?
>>> > > Maybe we should just recommend open source projects, a sort of
>>> 'OWASP approved' badge?
>>> > >
>>> > > If we do keep some projects (and I think we should;) then what
>>> purpose should they serve?
>>> > > Providing high quality tools that help make the internet more secure?
>>> > > Helping people learn about security?
>>> > > Driving awareness of OWASP? (How would people learn about OWASP if
>>> not via projects like the Top 10 and ZAP?)
>>> > > Provide tools and features that commercial companies are not
>>> currently providing (effectively, or for a reasonable price)?
>>> > > Interested to see what other people think.
>>> > >
>>> > > Cheers,
>>> > >
>>> > > Simon
>>> > >
>>> > >
>>> > >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>> > >> Leaders and members of the board
>>> > >>
>>> > >> As a former member of the project review team, I have been observing
>>> the increasing issues related to projects.
>>> > >> Fact is, we do not have enough volunteers nor staff to support and
>>> watch the quality of projects, do reviews and have supervision of them.
>>> > >>
>>> > >> More often than not, projects become dormant or inactive.
>>> > >> Recently the misuse of the OWASP brand has been an issue with projects
>>> like Benchmark and recent complaints of users from the PHPSEC project. But
>>> this is an ongoing issue.
>>> > >>
>>> > >> I think it is time that OWASP rethinks its strategy regarding projects.
>>> > >>
>>> > >> Maybe instead of trying to offer a platform that is not
>>> sustainable, OWASP should adopt and sponsor projects that have already
>>> established a name on their own.
>>> > >>
>>> > >> Nothing stops a dedicated individual from starting an open source
>>> project on his own. In the past when OWASP was a small organization run by
>>> dedicated volunteers, it worked for these couple of projects, but right now
>>> it is out of hand. Take a look at how many active projects are actually
>>> being maintained.
>>> > >>
>>> > >> Maintaining a project takes a lot of dedication and this is what
>>> people need to realize when starting an open source project.
>>> > >>
>>> > >> What I see quite often is people wanting to misuse the OWASP brand
>>> instead of being willing to pull a project through.
>>> > >> Major reason I quit from reviewing, and the fact that we do not have
>>> feasible resources to produce projects that are sustainable in the long
>>> term.
>>> > >>
>>> > >> I'm also cancelling the proposal with regard to the bounty source
>>> program. Reality is that without dedicated efforts and resources, it won't
>>> be sustainable.
>>> > >>
>>> > >> Regards
>>> > >>
>>> > >> Johanna
>>> > >>
>>> > >>
>>> > >>
>>> > >> _______________________________________________
>>> > >> Owasp-board mailing list
>>> > >> Owasp-board at lists.owasp.org
>>> > >> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > OWASP ZAP Project leader
>>>
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>>
>>
>
>
>