[Owasp-leaders] Shall we fix projects together?

Munir Njiru munir.njiru at owasp.org
Thu Jan 7 08:27:46 UTC 2016


I like the shaping up that's coming up here. These ideas can help the
quality of projects quite a lot and also ensure they have a purpose and add
value to the infosec community more.

Munir Njenga,
OWASP Chapter Leader (Kenya) || Information Security Consultant || Developer
Mob   (KE) +254 (0) 734960670

=============================
Chapter Page: www.owasp.org/index.php/Kenya
Project Site:
http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
Email: munir.njiru at owasp.org
Facebook: https://www.facebook.com/OWASP.Kenya
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya


On Thu, Jan 7, 2016 at 11:12 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> Sorry for my late reply to this but I agree with Andy.
>
> What Liam said also makes sense.
>
> But what we do need is two things:
> 1.) Way to incentivise existing good security projects to become
> associated with OWASP.
> 2.) Way to demote projects completely that are no longer active or
> maintained or promoting practices that are no longer regarded as secure for
> example implementing certain crypto ciphers that are outdated etc.
> 3.) Minimum requirement for projects.
>
> We do need to reduce red tape, but we need more governance. Also needs to
> be some sense of accountability.
>
> On Fri, Dec 18, 2015 at 3:23 PM, Andy Lewis <alewis at owasp.org> wrote:
>
>> No amount of talk about process is going to incent a talented individual
>> to work hard (or form a hard-working team) to yield a project.  Reduce the
>> red tape.  Make it brain-dead simple, and make it worthwhile.
>>
>> Specifically:
>>
>> 1. Establish a best project of the year contest.
>> 2. Make the rules very simple.
>>  - Open license
>>  - written securely (or at least in conformance w/the OWASP Top 10)
>>  - $25k (US) to the winner, $10k to runner-up, $5k to 3rd-place
>>  - $1k/month to entrants, random, so that everyone who writes a single
>> line of code towards a project knows that they've got a shot at a payoff
>> that month (and the accompanying publicity)
>> 3. Publicize like crazy - partner w/SANS, Gartner, and whoever else has
>> an enormous voice in the security marketplace
>>
>> I am not a talented coder.  I have employed several talented coders (and
>> project managers).  People deliver innovation in return for 1)
>> compensation, 2) recognition/applause, or 3) unbridled curiosity in
>> conjunction w/the promise of 1) or 2).  When managing a Dev team, one of my
>> biggest responsibilities is to REDUCE red-tape and LET CODERS CODE.
>> I was also responsible for ensuring that *secure* coding practices were
>> recognized and rewarded.
>> My 2 cents.
>> Andy
>>
>> PS looking for speakers for SnowFROC 2016, regional AppSec con in Denver,
>> CO on Thursday 18 Feb.  Please email me directly if interested.  No $$ but
>> plenty of recognition :-)
>>
>> On Thu, Dec 17, 2015 at 8:01 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>
>>> Timo,
>>>
>>> I think it's unfair and highly inaccurate to say the board is only
>>> concerned about quantity. If you listen to our Board meetings this year,
>>> particularly December's meeting, you'll note that we talked about the
>>> review process several times. In all cases, we were explicitly concerned
>>> about:
>>>
>>> Is the process working? (not really, not enough folks volunteered,
>>> despite the project volunteers and our Foundation staff working on new
>>> processes to automate much of the project review process). This is the
>>> focus of Tom's efforts to talk about various councils and so on, but we
>>> haven't voted on them to be founded as yet. I will look forward to more
>>> people doing meta work on projects, but this hasn't been the case for a
>>> long time.
>>>
>>> Is the quality of some projects insufficient? We've had a lot of
>>> discussions about one project in particular, but we've supported Johanna's
>>> relegation of many previous flagship projects to incubator status
>>> (devguide, etc), and inactive projects (e.g. ESAPI).
>>>
>>> What do we do to encourage projects? There was serious discussion about
>>> OWASP as a project house. We want projects to be under our umbrella, and
>>> not splatted all over the Internet. If you do a search for OWASP, you'll
>>> notice projects take up the first 80% of all results. We are rightly famous
>>> for projects. What can we do better to support them? Although reviews are
>>> important, we also need folks to work on them, and to feel like OWASP is a
>>> great place to do projects.
>>>
>>> We need folks who are interested in projects to take part, not only in
>>> their project, but in the meta-project tasks, such as project initiation
>>> approvals, and project reviews. We have a full time staff member who is
>>> responsible for this, as well as passionate volunteers. If you want your
>>> project to be up there as Flagship status, project leaders should help out
>>> these folks from time to time.
>>>
>>> It's not possible nor desirable for the Board to be involved in every
>>> project decision. We help govern the process, not the doing of the process.
>>> In general, at OWASP, meritocracy rules - do first, and ask later. If
>>> anything, we should make it easier for projects to do their thing, not add
>>> more red tape and endless discussion.
>>>
>>> We need folks to be helpful in getting project governance sorted out, as
>>> well as indicating which projects would like volunteers or need more help.
>>> Most projects have less than 5 active participants, which can be a strain
>>> on them getting stuff done. If there's a way we can help projects succeed,
>>> please let us know. Come along to Tom's meeting on Projects and make
>>> suggestions. We're all ears.
>>>
>>> thanks
>>> Andrew
>>>
>>> On Fri, Dec 18, 2015 at 9:22 AM, Liam Smit <liam.smit at gmail.com> wrote:
>>>
>>>> Hi Timo
>>>>
>>>> As we discussed at the B-Sides Cape Town conference, a simple minimum
>>>> requirement for different types of projects may help a lot.
>>>>
>>>> E.g. a documentation project needs to have at least some documentation
>>>> (RFC, outline, draft, etc) before it can be considered a project.
>>>> Similarly a software project would need some code (prototype, proof of
>>>> concept, etc) to qualify as a project.
>>>>
>>>> If it's only an idea or a concept then it's pre-project. The way to
>>>> turn that into a project is to then write some code or documentation.
>>>>
>>>> If there has been no update to a project for a year then that is stale
>>>> assuming that there is something workable / usable that exists because
>>>> if nothing exists after a year then it's unlikely to ever exist. It
>>>> should be possible to automate the generation of a report of such
>>>> stale projects which could then be reviewed and then either be
>>>> resuscitated, removed / archived or put in limbo status (pending
>>>> further review).
>>>>
>>>>
>>>> Regards,
>>>>
>>>> On Thu, Dec 17, 2015 at 9:43 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>> > There needs to be a greater focus on quality in projects. At the
>>>> > moment the board only cares about quantity and not about quality.
>>>> > Also we need incentive to attract good mature security related projects
>>>> > to become associated with OWASP.
>>>> >
>>>> > Also we need to get rid of outdated and unmaintained projects.
>>>> >
>>>> > Johanna and I tried to also make a minimum requirement for starting
>>>> > projects, but there still seems to be a trend of starting empty
>>>> > projects.
>>>> >
>>>> >
>>>> > I suggest the board members need to start doing project reviews, so
>>>> > that they have a good idea of the quality and quantity of projects at
>>>> > the moment.
>>>> >
>>>> >
>>>> >
>>>> > Regards.
>>>> > Timo
>>>> >
>>>> >
>>>> > On Wed, Dec 16, 2015 at 6:51 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>> >>
>>>> >> What are your thoughts?
>>>> >>
>>>> >> http://lists.owasp.org/pipermail/owasp-board/2015-December/016835.html
>>>> >>
>>>> >>
>>>> >> Tom Brennan
>>>> >> Global Board of Directors
>>>> >> NYC/NJ Metro Chapter Leader
>>>> >> 973-506-9304
>>>> >>
>>>> >> _______________________________________________
>>>> >> OWASP-Leaders mailing list
>>>> >> OWASP-Leaders at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders