[Owasp-leaders] Shall we fix projects together?

johanna curiel curiel johanna.curiel at owasp.org
Thu Jan 7 19:02:44 UTC 2016


Hi All

I have seen many great ideas, but I believe our core issue at OWASP is
having volunteers to actually implement them.

I strongly suggest to all of you to come with an idea that you can help
implement or support getting implemented.

Ideas are a beginning, but it is about action and implementation. Ideas alone
won't help us move much forward.

cheers

Johanna

On Thu, Jan 7, 2016 at 2:49 PM, Minhaz A V <minhazav at gmail.com> wrote:

> Hi,
> I think involving more and more students (all over the world) to
> participate in OWASP projects might help a lot in this direction. They
> could be undergrads, grads or even high school students.
> Programs like OWASP Summer Code sprint, Google Summer of Code etc have
> blessed a few projects with decent programmers. We should enhance this
> process:
>  - More such programs or trying to bring more students to such programs
>  - If budget allows, yearly project meetups - bringing all contributors
> together
>  - Attract more students to local meetups
>
> or something something, that motivates them to actively contribute to open
> source OWASP Projects.
>
> P.S: I'm myself an undergrad, who has contributed to a few OWASP
> Projects. This is just a thought :)
>
>
> ----------------------------------------------------------------------------
> Kind Regards,
> Minhaz | My Projects <http://github.com/mebjas> | LinkedIn
> <https://in.linkedin.com/in/minhazav>
>
> On Thu, Jan 7, 2016 at 1:57 PM, Munir Njiru <munir.njiru at owasp.org> wrote:
>
>> I like the shaping up that's coming up here. These ideas can help the
>> quality of projects quite a lot and also ensure they have a purpose and add
>> value to the infosec community more.
>>
>> Munir Njenga,
>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>> Developer
>> Mob   (KE) +254 (0) 734960670
>>
>> =============================
>> Chapter Page: www.owasp.org/index.php/Kenya
>> Project Site:
>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>> Email: munir.njiru at owasp.org
>> Facebook: https://www.facebook.com/OWASP.Kenya
>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>
>>
>> On Thu, Jan 7, 2016 at 11:12 AM, Timo Goosen <timo.goosen at owasp.org>
>> wrote:
>>
>>> Sorry for my late reply to this but I agree with Andy.
>>>
>>> What Liam said also makes sense.
>>>
>>> But what we do need is two things:
>>> 1.) Way to incentivise existing good security projects to become
>>> associated with OWASP.
>>> 2.) Way to demote projects completely that are no longer active or
>>> maintained or promoting practices that are no longer regarded as secure for
>>> example implementing certain crypto ciphers that are outdated etc.
>>> 3.) Minimum requirement for projects.
>>>
>>> We do need to reduce red tape, but we need more governance. Also needs
>>> to be some sense of accountability.
>>>
>>> On Fri, Dec 18, 2015 at 3:23 PM, Andy Lewis <alewis at owasp.org> wrote:
>>>
>>>> No amount of talk about process is going to incent a talented
>>>> individual to work hard (or form a hard-working team) to yield a project.
>>>> Reduce the red tape.  Make it brain-dead simple, and make it worthwhile.
>>>>
>>>> Specifically:
>>>>
>>>> 1. Establish a best project of the year contest.
>>>> 2. Make the rules very simple.
>>>>  - Open license
>>>>  - written securely (or at least in conformance w/the OWASP Top 10)
>>>>  - $25k (US) to the winner, $10k to runner-up, $5k to 3rd-place
>>>>  - $1k/month to entrants, random, so that everyone who writes a single
>>>> line of code towards a project knows that they've got a shot at a payoff
>>>> that month (and the accompanying publicity)
>>>> 3. Publicize like crazy - partner w/SANS, Gartner, and whoever else has
>>>> an enormous voice in the security marketplace
>>>>
>>>> I am not a talented coder.  I have employed several talented coders
>>>> (and project managers).  People deliver innovation in return for 1)
>>>> compensation, 2) recognition/applause, or 3) unbridled curiosity in
>>>> conjunction w/the promise of 1) or 2).  When managing a Dev team, one of my
>>>> biggest responsibilities is to REDUCE red-tape and LET CODERS CODE.
>>>> I was also responsible for ensuring that *secure* coding practices were
>>>> recognized and rewarded.
>>>> My 2 cents.
>>>> Andy
>>>>
>>>> PS looking for speakers for SnowFROC 2016, regional AppSec con in
>>>> Denver, CO on Thursday 18 Feb.  Please email me directly if interested.  No
>>>> $$ but plenty of recognition :-)
>>>>
>>>> On Thu, Dec 17, 2015 at 8:01 PM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>
>>>>> Timo,
>>>>>
>>>>> I think it's unfair and highly inaccurate to say the board is only
>>>>> concerned about quantity. If you listen to our Board meetings this year,
>>>>> particularly December's meeting, you'll note that we talked about the
>>>>> review process several times. In all cases, we were explicitly concerned
>>>>> about:
>>>>>
>>>>> Is the process working? (not really, not enough folks volunteered,
>>>>> despite the project volunteers and our Foundation staff working on new
>>>>> processes to automate much of the project review process). This is the
>>>>> focus of Tom's efforts to talk about various councils and so on, but we
>>>>> haven't voted on them to be founded as yet. I will look forward to more
>>>>> people doing meta work on projects, but this hasn't been the case for a
>>>>> long time.
>>>>>
>>>>> Is the quality of some projects insufficient? We've had a lot of
>>>>> discussions about one project in particular, but we've supported Johanna's
>>>>> relegation of many previous flagship projects to incubator status
>>>>> (devguide, etc), and inactive projects (e.g. ESAPI).
>>>>>
>>>>> What do we do to encourage projects? There was serious discussion
>>>>> about OWASP as a project house. We want projects to be under our umbrella,
>>>>> and not splatted all over the Internet. If you do a search for OWASP,
>>>>> you'll notice projects take up the first 80% of all results. We are rightly
>>>>> famous for projects. What can we do better to support them? Although
>>>>> reviews are important, we also need folks to work on them, and to feel like
>>>>> OWASP is a great place to do projects.
>>>>>
>>>>> We need folks who are interested in projects to take part, not only in
>>>>> their project, but in the meta-project tasks, such as project initiation
>>>>> approvals, and project reviews. We have a full time staff member who is
>>>>> responsible for this, as well as passionate volunteers. If you want your
>>>>> project to be up there as Flagship status, project leaders should help out
>>>>> these folks from time to time.
>>>>>
>>>>> It's not possible nor desirable for the Board to be involved in every
>>>>> project decision. We help govern the process, not the doing of the process.
>>>>> In general, at OWASP, meritocracy rules - do first, and ask later. If
>>>>> anything, we should make it easier for projects to do their thing, not add
>>>>> more red tape and endless discussion.
>>>>>
>>>>> We need folks to be helpful in getting project governance sorted out,
>>>>> as well as indicating which projects would like volunteers or need more
>>>>> help. Most projects have less than 5 active participants, which can be a
>>>>> strain on them getting stuff done. If there's a way we can help projects
>>>>> succeed, please let us know. Come along to Tom's meeting on Projects and
>>>>> make suggestions. We're all ears.
>>>>>
>>>>> thanks
>>>>> Andrew
>>>>>
>>>>> On Fri, Dec 18, 2015 at 9:22 AM, Liam Smit <liam.smit at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Timo
>>>>>>
>>>>>> As we discussed at the B-Sides Cape Town conference, a simple minimum
>>>>>> requirement for different types of projects may help a lot.
>>>>>>
>>>>>> E.g. a documentation project needs to have at least some documentation
>>>>>> (RFC, outline, draft, etc) before it can be considered a project.
>>>>>> Similarly a software project would need some code (prototype, proof of
>>>>>> concept, etc) to qualify as a project.
>>>>>>
>>>>>> If it's only an idea or a concept then it's pre-project. The way to
>>>>>> turn that into a project is to then write some code or documentation.
>>>>>>
>>>>>> If there has been no update to a project for a year then that is stale
>>>>>> assuming that there is something workable / usable that exists because
>>>>>> if nothing exists after a year then it's unlikely to ever exist. It
>>>>>> should be possible to automate the generation of a report of such
>>>>>> stale projects which could then be reviewed and then either be
>>>>>> resuscitated, removed / archived or put in limbo status (pending
>>>>>> further review).
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> On Thu, Dec 17, 2015 at 9:43 AM, Timo Goosen <timo.goosen at owasp.org>
>>>>>> wrote:
>>>>>> > There needs to be a greater focus on quality in projects. At the
>>>>>> > moment the board only cares about quantity and not about quality.
>>>>>> > Also we need incentive to attract good mature security related to
>>>>>> > become associated with OWASP.
>>>>>> >
>>>>>> > Also we need to get rid of outdated and unmaintained projects.
>>>>>> >
>>>>>> > Johanna and I tried to also make a minimum requirement for starting
>>>>>> > projects, but there still seems to be a trend of starting empty
>>>>>> > projects.
>>>>>> >
>>>>>> >
>>>>>> > I suggest the board members need to start doing project reviews, so
>>>>>> > that they have a good idea of the quality and quantity of projects at
>>>>>> > the moment.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Regards.
>>>>>> > Timo
>>>>>> >
>>>>>> >
>>>>>> > On Wed, Dec 16, 2015 at 6:51 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>>>> >>
>>>>>> >> What are your thoughts?
>>>>>> >>
>>>>>> >>
>>>>>> >> http://lists.owasp.org/pipermail/owasp-board/2015-December/016835.html
>>>>>> >>
>>>>>> >>
>>>>>> >> Tom Brennan
>>>>>> >> Global Board of Directors
>>>>>> >> NYC/NJ Metro Chapter Leader
>>>>>> >> 973-506-9304
>>>>>> >>
>>>>>> >> --
>>>>>> >> The information contained in this message and any attachments may
>>>>>> >> be privileged, confidential, proprietary or otherwise protected from
>>>>>> >> disclosure. If you, the reader of this message, are not the
>>>>>> >> intended recipient, you are hereby notified that any dissemination,
>>>>>> >> distribution, copying or use of this message and any attachment is
>>>>>> >> strictly prohibited. If you have received this message in error,
>>>>>> >> please notify the sender immediately by replying to the message,
>>>>>> >> permanently delete it from your computer and destroy any printout.
>>>>>> >> _______________________________________________
>>>>>> >> OWASP-Leaders mailing list
>>>>>> >> OWASP-Leaders at lists.owasp.org
>>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders