[Owasp-leaders] Shall we fix projects together?

Minhaz A V minhazav at gmail.com
Thu Jan 7 18:49:24 UTC 2016


 Hi,
I think involving more and more students (all over the world) to
participate in OWASP projects might help a lot in this direction. They
could be under grads, grads or even high school students.
Programs like OWASP Summer Code sprint, Google Summer of Code etc have
blessed a few projects with decent programmers. We should enhance this
process:
 - More such programs or trying to bring more students to such programs
 - If budget allows, yearly project meetups - bringing all contributors
together
 - Attract more students to local meetups

or something something, that motivates them to actively contribute to open
source OWASP Projects.

P.S: I'm myself an undergrad, who has contributed to a few OWASP Projects.
This is just a thought :)

----------------------------------------------------------------------------
Kind Regards,
Minhaz | My Projects <http://github.com/mebjas> | LinkedIn
<https://in.linkedin.com/in/minhazav>

On Thu, Jan 7, 2016 at 1:57 PM, Munir Njiru <munir.njiru at owasp.org> wrote:

> I like the shaping up that's coming up here. These ideas can help the
> quality of projects quite a lot and also ensure they have a purpose and add
> value to the infosec community more.
>
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Project Site:
> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>
> On Thu, Jan 7, 2016 at 11:12 AM, Timo Goosen <timo.goosen at owasp.org>
> wrote:
>
>> Sorry for my late reply to this but I agree with Andy.
>>
>> What Liam said also makes sense.
>>
>> But what we do need is two things:
>> 1.) Way to incentivise existing good security projects to become
>> associated with OWASP.
>> 2.) Way to demote projects completely that are no longer active or
>> maintained or promoting practices that are no longer regarded as secure for
>> example implementing certain crypto ciphers that are outdated etc.
>> 3.) Minimum requirement for projects.
>>
>> We do need to reduce red tape, but we need more governance. Also needs to
>> be some sense of accountability.
>>
>> On Fri, Dec 18, 2015 at 3:23 PM, Andy Lewis <alewis at owasp.org> wrote:
>>
>>> No amount of talk about process is going to incent a talented individual
>>> to work hard (or form a hard-working team) to yield a project.  Reduce the
>>> red tape.  Make it brain-dead simple, and make it worthwhile.
>>>
>>> Specifically:
>>>
>>> 1. Establish a best project of the year contest.
>>> 2. Make the rules very simple.
>>>  - Open license
>>>  - written securely (or at least in conformance w/the OWASP Top 10)
>>>  - $25k (US) to the winner, $10k to runner-up, $5k to 3rd-place
>>>  - $1k/month to entrants, random, so that everyone who writes a single
>>> line of code towards a project knows that they've got a shot at a payoff
>>> that month (and the accompanying publicity)
>>> 3. Publicize like crazy - partner w/SANS, Gartner, and whoever else has
>>> an enormous voice in the security marketplace
>>>
>>> I am not a talented coder.  I have employed several talented coders (and
>>> project managers).  People deliver innovation in return for 1)
>>> compensation, 2) recognition/applause, or 3) unbridled curiosity in
>>> conjunction w/the promise of 1) or 2).  When managing a Dev team, one of my
>>> biggest responsibilities is to REDUCE red-tape and LET CODERS CODE.
>>> I was also responsible for ensuring that *secure* coding practices were
>>> recognized and rewarded.
>>> My 2 cents.
>>> Andy
>>>
>>> PS looking for speakers for SnowFROC 2016, regional AppSec con in
>>> Denver, CO on Thursday 18 Feb.  Please email me directly if interested.  No
>>> $$ but plenty of recognition :-)
>>>
>>> On Thu, Dec 17, 2015 at 8:01 PM, Andrew van der Stock <
>>> vanderaj at owasp.org> wrote:
>>>
>>>> Timo,
>>>>
>>>> I think it's unfair and highly inaccurate to say the board is only
>>>> concerned about quantity. If you listen to our Board meetings this year,
>>>> particularly December's meeting, you'll note that we talked about the
>>>> review process several times. In all cases, we were explicitly concerned
>>>> about:
>>>>
>>>> Is the process working? (not really, not enough folks volunteered,
>>>> despite the project volunteers and our Foundation staff working on new
>>>> processes to automate much of the project review process). This is the
>>>> focus of Tom's efforts to talk about various councils and so on, but we
>>>> haven't voted on them to be founded as yet. I will look forward to more
>>>> people doing meta work on projects, but this hasn't been the case for a
>>>> long time.
>>>>
>>>> Is the quality of some projects insufficient? We've had a lot of
>>>> discussions about one project in particular, but we've supported Johanna's
>>>> relegation of many previous flagship projects to incubator status
>>>> (devguide, etc), and inactive projects (e.g. ESAPI).
>>>>
>>>> What do we do to encourage projects? There was serious discussion about
>>>> OWASP as a project house. We want projects to be under our umbrella, and
>>>> not splatted all over the Internet. If you do a search for OWASP, you'll
>>>> notice projects take up the first 80% of all results. We are rightly famous
>>>> for projects. What can we do better to support them? Although reviews are
>>>> important, we also need folks to work on them, and to feel like OWASP is a
>>>> great place to do projects.
>>>>
>>>> We need folks who are interested in projects to take part, not only in
>>>> their project, but in the meta-project tasks, such as project initiation
>>>> approvals, and project reviews. We have a full time staff member who is
>>>> responsible for this, as well as passionate volunteers. If you want your
>>>> project to be up there as Flagship status, project leaders should help out
>>>> these folks from time to time.
>>>>
>>>> It's not possible nor desirable for the Board to be involved in every
>>>> project decision. We help govern the process, not the doing of the process.
>>>> In general, at OWASP, meritocracy rules - do first, and ask later. If
>>>> anything, we should make it easier for projects to do their thing, not add
>>>> more red tape and endless discussion.
>>>>
>>>> We need folks to be helpful in getting project governance sorted out,
>>>> as well as indicating which projects would like volunteers or need more
>>>> help. Most projects have less than 5 active participants, which can be a
>>>> strain on them getting stuff done. If there's a way we can help projects
>>>> succeed, please let us know. Come along to Tom's meeting on Projects and
>>>> make suggestions. We're all ears.
>>>>
>>>> thanks
>>>> Andrew
>>>>
>>>> On Fri, Dec 18, 2015 at 9:22 AM, Liam Smit <liam.smit at gmail.com> wrote:
>>>>
>>>>> Hi Timo
>>>>>
>>>>> As we discussed at the B-Sides Cape Town conference, a simple minimum
>>>>> requirement for different types of projects may help a lot.
>>>>>
>>>>> E.g. a documentation project needs to have at least some documentation
>>>>> (RFC, outline, draft, etc) before it can be considered a project.
>>>>> Similarly a software project would need some code (prototype, proof of
>>>>> concept, etc) to qualify as a project.
>>>>>
>>>>> If it's only an idea or a concept then it's pre-project. The way to
>>>>> turn that into a project is to then write some code or documentation.
>>>>>
>>>>> If there has been no update to a project for a year then that is stale
>>>>> assuming that there is something workable / usable that exists because
>>>>> if nothing exists after a year then it's unlikely to ever exist. It
>>>>> should be possible to automate the generation of a report of such
>>>>> stale projects which could then be reviewed and then either be
>>>>> resuscitated, removed / archived or put in limbo status (pending
>>>>> further review).
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> On Thu, Dec 17, 2015 at 9:43 AM, Timo Goosen <timo.goosen at owasp.org>
>>>>> wrote:
>>>>> > There needs to be a greater focus on quality in projects. At the moment the
>>>>> > board only cares about quantity and not about quality.
>>>>> > Also we need incentive to attract good mature security related to become
>>>>> > associated with OWASP.
>>>>> >
>>>>> > Also we need to get rid of outdated and unmaintained projects.
>>>>> >
>>>>> > Johanna and I tried to also make a minimum requirement for starting
>>>>> > projects, but there still seems to be a trend of starting empty projects.
>>>>> >
>>>>> >
>>>>> > I suggest the board members need to start doing project reviews, so that
>>>>> > they have a good idea of the quality and quantity of projects at the moment.
>>>>> >
>>>>> >
>>>>> >
>>>>> > Regards.
>>>>> > Timo
>>>>> >
>>>>> >
>>>>> > On Wed, Dec 16, 2015 at 6:51 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>>> >>
>>>>> >> What are your thoughts?
>>>>> >>
>>>>> >> http://lists.owasp.org/pipermail/owasp-board/2015-December/016835.html
>>>>> >>
>>>>> >>
>>>>> >> Tom Brennan
>>>>> >> Global Board of Directors
>>>>> >> NYC/NJ Metro Chapter Leader
>>>>> >> 973-506-9304
>>>>> >>
>>>>> >> --
>>>>> >> The information contained in this message and any attachments may be
>>>>> >> privileged, confidential, proprietary or otherwise protected from
>>>>> >> disclosure. If you, the reader of this message, are not the intended
>>>>> >> recipient, you are hereby notified that any dissemination, distribution,
>>>>> >> copying or use of this message and any attachment is strictly prohibited.
>>>>> >> If you have received this message in error, please notify the sender
>>>>> >> immediately by replying to the message, permanently delete it from your
>>>>> >> computer and destroy any printout.
>>>>> >> _______________________________________________
>>>>> >> OWASP-Leaders mailing list
>>>>> >> OWASP-Leaders at lists.owasp.org
>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders