[Owasp-leaders] (Proposed strategy) Re: Rethinking strategy regarding projects

johanna curiel curiel johanna.curiel at owasp.org
Thu Nov 26 23:36:46 UTC 2015


Spot on Dinis.

On Thu, Nov 26, 2015 at 7:16 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> well, one of the definitions of 'production quality' would be that it
> had its own home, where those 'production' claims were made 'outside OWASP'
>
> After all, at that moment, that project would be as credible as any other
> open source or commercial product (since all/most of them make wild and 'production
> quality' claims)
>
> Pure OWASP projects would be research projects. I.e. good ideas in
> multiple stages of research status (with nice disclaimers about it). That
> would prevent a lot of the problems since by definition 'pure OWASP
> projects' should be seen as 'Research projects'
>
> The advantage of being an OWASP project would then be the great
> visibility and support that would (and is) provided to new ideas and
> 'research projects' by OWASP mothership and OWASP community
>
> The idea would be that the path of becoming an
> independent successful project would include a stage where it was (or is)
> an OWASP research project (does that make sense?)
>
>
> On 26 November 2015 at 22:54, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> >>If I was king (and I am not, at all) I would invest in ASVS on a 6
>> figure scale.
>> >>Once a project starts to reach production quality...
>> >>Support the process of mapping the health of projects and providing
>> metrics on the status of the projects
>> >>In fact, we should encourage successful projects to fly away and move
>> into its own space (website, funding, team).
>>
>>
>> Jim, Dinis, I appreciate your idealistic dreams. Everything starts with a
>> dream, but let me wake you back to the hard reality... ;-P
>>
>> What determines whether a project is 'production quality' or maps its
>> 'health'? Well, that is the whole problem of reviewing.
>>
>> No dedicated resources, no 6 figure money for projects = Rethink a
>> realistic strategy that works for projects
>>
>> Focus on what is feasible, what can work and what can be sustainable
>> without the 6 figures ...
>>
>> Fly away? Kick the projects out! From now on they should stand on their own
>> feet, including any new project
>>
>> Rethink 'projects' to 'research'
>>
>> Rebrand OWASP projects to 'Project member' or something similar
>>
>> On Thu, Nov 26, 2015 at 5:25 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Dinis
>>>
>>>
>>> >>My view is that OWASP projects should be seen as 'research projects' designed
>>> to push the research on Application Security a bit further. OWASP should be
>>> encouraging this research and promoting it!
>>>
>>> Agree. We just don't have the resources to monitor, QA and promote to
>>> flagship and take responsibilities of this kind.
>>>
>>> Research Projects should be just a list of independent people with their
>>> own project websites/Github without 'OWASP' as brand. Maybe a label 'OWASP
>>> project member'
>>>
>>> In the end successful projects do not need 'OWASP' as a brand if they
>>> are good enough. ZAP does all the work by itself, even financially.
>>>
>>> OWASP does have the burden of users' expectations that unfortunately exist
>>> today.
>>>
>>> This support to these projects should be set in a way that they do not
>>> depend on OWASP for their development but just as a community to share
>>> their research and ideas.
>>>
>>> OWASP could provide sponsorship based not on 'reviews' or 'levels' but on
>>> the community and usage the project has created on its own. That is
>>> easier to judge than reviewing a project no one knows about and that has
>>> few users, like Benchmark, with 3 issues on its GitHub page.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> On Thu, Nov 26, 2015 at 5:04 PM, Dinis Cruz <dinis.cruz at owasp.org>
>>> wrote:
>>>
>>>> I think a key problem is the expectation that OWASP should ever be able
>>>> to develop professional, best in class and 'secure' apps.
>>>>
>>>> These conversations always tend to have a base on the idea that OWASP
>>>> 'should not have a lot of projects' and 'only focus on a couple of
>>>> high-value/high-quality ones'. This never gains traction because that goes
>>>> completely against the model and culture of OWASP projects.
>>>>
>>>> The reality is that really good and solid projects at OWASP are the
>>>> exception and the outliers.
>>>>
>>>> What worries me is that we still have this idea that most OWASP
>>>> projects should have a kind of amazing 'quality and reliability' (and
>>>> everything else should be ditched/not-supported)
>>>>
>>>> That is just not going to happen (apart from a couple of cases like Top
>>>> 10, ZAP, Testing Guide, ASVS, OSAMM, which should be seen as exceptions and
>>>> outliers). The reality is that once a project gains a certain level of
>>>> quality and momentum they kinda become self-sufficient and don't need THAT
>>>> much from OWASP.
>>>>
>>>> *My view is that OWASP projects should be seen as 'research projects'* designed
>>>> to push the research on Application Security a bit further. OWASP should be
>>>> encouraging this research and promoting it!
>>>>
>>>> *We should NOT encourage the idea that OWASP project's code should be
>>>> used in production!* Because frankly, OWASP and its community is not
>>>> in a position to deliver on that promise.
>>>>
>>>> What I propose is that OWASP continues to support innovation on its
>>>> projects (which are one of the key pillars of OWASP) and move away from the
>>>> idea that OWASP projects should have the 'burden' to be 'production level'.
>>>>
>>>> In fact, we should encourage successful projects to fly away and move
>>>> into their own space (website, funding, team).
>>>>
>>>> OWASP projects also need dedicated staff and resources so that the
>>>> review and management workflows (of which I have personal experience in
>>>> helping Paulo, Samantha and Johanna) have a chance to work.
>>>>
>>>> Just to be clear, what I'm proposing is:
>>>>
>>>>    - Increase support for all OWASP projects
>>>>    - Keep pushing them to have more and more quality
>>>>    - Understand that ALL OWASP projects are really 'RESEARCH' projects
>>>>    - Promote the ideas that: 1) OWASP projects should NOT be used in
>>>>    production, 2) they are RESEARCH driven ideas and 3) that they represent a
>>>>    particular OWASP project leader's views or coding skills
>>>>    - Support the process of mapping the health of projects and
>>>>    providing metrics on the status of the projects
>>>>    - Promote the move of 'flagship' projects into their own home. Of
>>>>    course always with some connection to OWASP, but with a level of
>>>>    independence to make whatever 'security claims' they want
>>>>    - An OWASP Summit focused on OWASP Projects would be the best
>>>>    investment that OWASP can make in 2016
>>>>
>>>>
>>>> Dinis
>>>>
>>>> On 26 November 2015 at 20:17, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> *Simon>>*
>>>>> *If we do keep some projects (and I think we should;) then what
>>>>> purpose should they serve?*
>>>>> Exactly, people start all kinds of projects without asking this
>>>>> question, but even more: Do I have time to pull this project through (or
>>>>> dedicate my weekends to it)? Is it useful for the community? Can I realise
>>>>> this project to completion?
>>>>>
>>>>> *Tim>>It seems our biggest issue right now is with people trying to
>>>>> write code under the OWASP brand, but not following through and making the
>>>>> software high quality.*
>>>>>
>>>>> The problem is across all projects, not only code based ones. Most incubator
>>>>> projects get abandoned after a year. Nothing wrong with tools that become
>>>>> stable like DirBuster or Joomla_scanner, which are still used in Kali Linux
>>>>> and later not maintained. So yes, I agree with you Tim that the type of
>>>>> project makes a huge difference.
>>>>>
>>>>> *Jim>>We really need to rethink the whole OWASP project philosophy and
>>>>> seek better focus and direction. We're all over the place and our energy is
>>>>> very diluted and sometimes abused.*
>>>>>
>>>>> Yes I feel I have been abused when the leader of a project like
>>>>> Benchmark pressured the Project task force team to become LAB, and then
>>>>> turned around to start a marketing campaign promoting an immature project
>>>>> as a mature one.
>>>>>
>>>>> *What's next?*
>>>>> We should keep the flagships, ditch all inactive projects and stop
>>>>> taking new projects because we do not have dedicated resources (nor the
>>>>> budget) to evaluate new projects properly. Not even the actual ones... How
>>>>> do you evaluate a security library like SeraphinDroid? You have to QA and
>>>>> test deeply... We are sec folks, we should know; we preach testing and
>>>>> security...
>>>>>
>>>>> *Volunteer based reviews?*
>>>>> That has been attempted so many times and has fallen hard. From the
>>>>> Global Initiative 2008 till Samantha's attempts at volunteer based
>>>>> project reviewers, and even though she kept continuously looking she hardly got
>>>>> people to review. I feel it was unfair to expect from her that she should
>>>>> fix this 'project management issue'... and right now a queue of projects is
>>>>> awaiting review...
>>>>>
>>>>> The only time project reviews ever worked in my opinion (and not
>>>>> perfectly) was when we paid a dedicated tester (Marios) and I volunteered full
>>>>> time for 3 months to supervise the tests and verify results and the activity
>>>>> of the projects, with a full time employee (Kait-Disney) on the side to do
>>>>> reviews and clean up the inventory. FULL TIME JOB, 3 persons working for 3
>>>>> months, including support from 1 volunteer (Jason Jonhson) to set up a VM
>>>>> automated build Jenkins machine on the side... but this is not
>>>>> sustainable....
>>>>>
>>>>> *So you want to start a project?*
>>>>> Start it. Github is free as you need 0 money for this.
>>>>> Just do it and start it. Announce in the Global connector that 'Leader
>>>>> X' has started a project but hey, go and check it, let us know what you
>>>>> think....
>>>>>
>>>>> You want to present your project at an OWASP conference? Submit a
>>>>> research paper, just as happens with Blackhat. OWASP's own Arsenal... (like
>>>>> Blackhat Arsenal) and sponsor the selected speakers.
>>>>>
>>>>> You want to create documentation? Create it, then fill in the wiki
>>>>> page or fill it yourself.
>>>>>
>>>>> Create a loosely coupled relation between volunteers' efforts without
>>>>> the responsibility of a process you cannot manage.
>>>>>
>>>>> In the end who the hell is taking the responsibility? Don't place it
>>>>> on volunteers because it has been shown it does not work. The Board? Well,
>>>>> unfortunately they cannot either... they are also volunteers.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Thu, Nov 26, 2015 at 2:48 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> This is the reason why we raised the bar to get from incubator to lab
>>>>>> and from lab to flagship.  Since the majority of those projects are
>>>>>> incubator state, they should take up very little of our resources until
>>>>>> they fulfill whatever our qualifications are to move them up and invest
>>>>>> more in them.  That said, I think that a different strategy altogether on
>>>>>> projects wouldn't be a bad idea.  While I like the general idea of people
>>>>>> working on the projects that excite them, I also feel that we need to be
>>>>>> more strategic about what we are working on.  We need to think more about
>>>>>> the problems that we are trying to solve and try to allocate our limited
>>>>>> volunteer resources to those.  It's definitely not the OWASP way, today,
>>>>>> but it solves bigger problems by putting more people on them.  The starting
>>>>>> point with this would be trying to figure out the skill sets across our
>>>>>> volunteer base and figure out if there's a way to better leverage them to
>>>>>> accomplish our mission.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Thu, Nov 26, 2015 at 11:02 AM, Tim <tim.morgan at owasp.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> I'm all for reform of some sort, but it should be done carefully and I
>>>>>>> don't know of any obvious solution to the dilution problem.  Whatever
>>>>>>> changes we make, let's make them conservative and targeted for now and
>>>>>>> see how it goes.
>>>>>>>
>>>>>>> Also, I think it is important to distinguish between software projects
>>>>>>> and non-software projects.  It seems our biggest issue right now is
>>>>>>> with people trying to write code under the OWASP brand, but not
>>>>>>> following through and making the software high quality.
>>>>>>>
>>>>>>> Consider for a moment the skillsets of most OWASP volunteers.  We tend
>>>>>>> to be security people.  It might make a lot of sense for us to write
>>>>>>> code for "breakers" types of projects, since only security people see
>>>>>>> the value in doing that and have the associated know-how.
>>>>>>>
>>>>>>> However, for "defenders" types of coding projects, does it really make
>>>>>>> sense to build yet more frameworks?  Sometimes this could work, but in
>>>>>>> most cases, how can we possibly compete with existing frameworks that
>>>>>>> have large numbers of volunteers and/or companies behind them?
>>>>>>>
>>>>>>>
>>>>>>> Better stop now before I start rambling, but those are my thoughts at
>>>>>>> the moment.
>>>>>>>
>>>>>>> tim
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Nov 26, 2015 at 12:17:12PM +0200, Jim Manico wrote:
>>>>>>> > I think OWASP projects are critical to the foundation and I want
>>>>>>> to support new ideas that new projects bring.
>>>>>>> >
>>>>>>> > But I surrender. We really need to rethink the whole OWASP project
>>>>>>> philosophy and seek better focus and direction. We're all over the place
>>>>>>> and our energy is very diluted and sometimes abused.
>>>>>>> >
>>>>>>> > I have a lot of ideas, but frankly I'm not sure what the best
>>>>>>> direction is. But I am open to significant change.
>>>>>>> >
>>>>>>> > By the same token, we have some amazing flagship projects and I
>>>>>>> think it would be a tragedy if those went away.
>>>>>>> >
>>>>>>> > --
>>>>>>> > Jim Manico
>>>>>>> > Global Board Member
>>>>>>> > OWASP Foundation
>>>>>>> > https://www.owasp.org
>>>>>>> > Join me in Rome for AppSecEU 2016!
>>>>>>> >
>>>>>>> > > On Nov 26, 2015, at 12:00 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> > >
>>>>>>> > > I agree that this is a good time to rethink OWASP's project
>>>>>>> strategy.
>>>>>>> > > Creating and maintaining high quality open source projects takes
>>>>>>> a lot of time and effort, and can only be done in one's 'spare time' for a
>>>>>>> relatively short period.
>>>>>>> > > Successful projects need sponsorship and people who are able to
>>>>>>> dedicate a significant part of their working week to them.
>>>>>>> > > Abandoned or poorly maintained projects only damage OWASP's
>>>>>>> reputation.
>>>>>>> > >
>>>>>>> > > Should we effectively ditch all but the flagship projects? Only
>>>>>>> taking on new projects when they reach that level of quality?
>>>>>>> > > Would a tool that becomes successful in its own right _want_ to
>>>>>>> be adopted by OWASP?
>>>>>>> > > Should OWASP ditch projects altogether?
>>>>>>> > > Or maybe just ditch all but the documentation projects?
>>>>>>> > > Maybe we should just recommend open source projects, a sort of
>>>>>>> 'OWASP approved' badge?
>>>>>>> > >
>>>>>>> > > If we do keep some projects (and I think we should;) then what
>>>>>>> purpose should they serve?
>>>>>>> > > Providing high quality tools that help make the internet more
>>>>>>> secure?
>>>>>>> > > Helping people learn about security?
>>>>>>> > > Driving awareness of OWASP? (How would people learn about OWASP
>>>>>>> if not via projects like the Top 10 and ZAP?)
>>>>>>> > > Provide tools and features that commercial companies are not
>>>>>>> currently providing (effectively, or for a reasonable price)?
>>>>>>> > > Interested to see what other people think.
>>>>>>> > >
>>>>>>> > > Cheers,
>>>>>>> > >
>>>>>>> > > Simon
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >> On Thu, Nov 26, 2015 at 9:19 AM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>> > >> Leaders and members of the board
>>>>>>> > >>
>>>>>>> > >> As a former member of the project review team, I have been
>>>>>>> observing the increasing issues related to projects.
>>>>>>> > >> Fact is, we do not have enough volunteers nor staff to support
>>>>>>> and watch the quality of projects, do reviews and have supervision of them.
>>>>>>> > >>
>>>>>>> > >> More often than not, projects become dormant or inactive.
>>>>>>> > >> Recently the misuse of the OWASP brand has been an issue with
>>>>>>> projects like Benchmark and recent complaints from users of the PHPSEC
>>>>>>> project. But this is an ongoing issue.
>>>>>>> > >>
>>>>>>> > >> I think it is time that OWASP rethinks its strategy regarding
>>>>>>> projects
>>>>>>> > >>
>>>>>>> > >> Maybe instead of trying to offer a platform that is not
>>>>>>> sustainable, OWASP should adopt and sponsor projects that have already
>>>>>>> established a name on their own
>>>>>>> > >>
>>>>>>> > >> Nothing stops a dedicated individual from starting an open source
>>>>>>> project on his own. In the past, when OWASP was a small organization run by
>>>>>>> dedicated volunteers, it worked for these couple of projects, but right now
>>>>>>> it is out of hand. Take a look at how many active projects are actually being
>>>>>>> maintained.
>>>>>>> > >>
>>>>>>> > >> Maintaining a project takes a lot of dedication and this is what
>>>>>>> people need to realize when starting an open source project
>>>>>>> > >>
>>>>>>> > >> What I see quite often is people wanting to misuse the OWASP brand
>>>>>>> instead of being willing to pull a project
>>>>>>> > >> That is the major reason I quit reviewing, and the fact that we do not
>>>>>>> have feasible resources to produce projects that are sustainable in the
>>>>>>> long term.
>>>>>>> > >>
>>>>>>> > >> I'm also cancelling the proposal with regard to the bounty source
>>>>>>> program. Reality is that without dedicated efforts and resources, it won't
>>>>>>> be sustainable.
>>>>>>> > >>
>>>>>>> > >> Regards
>>>>>>> > >>
>>>>>>> > >> Johanna
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >> _______________________________________________
>>>>>>> > >> Owasp-board mailing list
>>>>>>> > >> Owasp-board at lists.owasp.org
>>>>>>> > >> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > --
>>>>>>> > > OWASP ZAP Project leader
>>>>>>>
>>>>>>> > _______________________________________________
>>>>>>> > OWASP-Leaders mailing list
>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

