[Owasp-leaders] Shall we fix projects together?

johanna curiel curiel johanna.curiel at owasp.org
Sat Jan 9 19:33:24 UTC 2016


> 2.) Way to demote projects completely that are no longer active or
maintained or promoting practices that are no longer regarded as secure for
example implementing certain crypto ciphers that are outdated etc.
> 3.) Minimum requirement for projects.

2) ==> There are rules for this.
https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Assessments

The problem is implementing them, and someone must be accountable for
constantly monitoring the inventory at a basic level
(activity). Volunteers alone cannot do this properly.

As a volunteer in the project task force / review team in the past, I
helped maintain the inventory at a basic level.
Check the OWASP Project Dashboard 2015:
https://docs.google.com/spreadsheets/d/15NzgmnxKNtexRDs70rBUi1NHhjQiviBdYUa_kDvd3i4/edit#gid=0


Unfortunately I was one of the very few helping with this part, with the
exception of 1 or 2 persons (Timo Goosen did great work on this part
too). That's why I find it essential that someone from the staff (as
Kait-Disney did in the past) is on top of projects for simple monitoring, as
proposed in this plan:
https://docs.google.com/document/d/1PvNeEWgoO1w51VhHLwqqSgo0mBh-RvmSFUKMTz4QrYg/edit#heading=h.lw77ixr6kxi
Check the section: Simple reviews and monitoring of activities

3.) Minimum requirement for projects.
We have minimum requirements for projects, and we are working on a proposal
to incentivise more quality for project graduation. Again, this is not
achieved with simple monitoring as in 2; therefore we need more testing of
these projects. That's why I proposed this as described in the proposal
plan.
Check section: *Yearly QA reviews: Graduation Reviews and participation to
obtain Budget review incentives*
https://docs.google.com/document/d/1PvNeEWgoO1w51VhHLwqqSgo0mBh-RvmSFUKMTz4QrYg/edit#heading=h.lw77ixr6kxi

Right now we need continuity. Indeed, a lot of work has been done to keep
the inventory clean, but if this is not done continuously, as we did in
2014-2015, then you will see that many projects become inactive and the
inventory is outdated again.

Also, continuous communication must be held between project leaders and
OWASP as an organisation to understand why a project is not being updated or
fails, and to guide new potential project leaders. Pulling off a successful
project is not easy; realistic expectations must be understood by the new
project leader, and especially he needs to understand that quality and hard
work are essential factors.

We need a team of volunteers to contribute to this, and outspoken project
leaders that can provide feedback in this process, especially on whether a
project leader struggles to pull off the project and what kind of help is
necessary to help him/her have a successful project.

Once again, I agree with *Andy* that the major factor for a successful
project is the motivation of the project leader and the quality of his/her
project.
We need to make sure at OWASP that we can help provide a viable platform
and support that project leader as much as possible, but also monitoring
and proper control.

Again, please participate in the upcoming surveys and meetings, providing us
with feedback. You help build OWASP and shape the process.

Cheers

Johanna

On Sat, Jan 9, 2016 at 3:09 AM, Jim Manico <jim.manico at owasp.org> wrote:

> > 2.) Way to demote projects completely that are no longer active or
> maintained or promoting practices that are no longer regarded as secure for
> example implementing certain crypto ciphers that are outdated etc.
> > 3.) Minimum requirement for projects.
>
>
> I think 2 and 3 are already in place. Just send a note to the projects
> task force for consideration. A lot of great work has been done here
> already in the past year.
>
> - Jim
>
>
>
>
> On 1/6/16 10:12 PM, Timo Goosen wrote:
>
> Sorry for my late reply to this but I agree with Andy.
>
> What Liam said also makes sense.
>
> But what we do need is two things:
> 1.) Way to incentivise existing good security projects to become
> associated with OWASP.
> 2.) Way to demote projects completely that are no longer active or
> maintained or promoting practices that are no longer regarded as secure for
> example implementing certain crypto ciphers that are outdated etc.
> 3.) Minimum requirement for projects.
>
> We do need to reduce red tape, but we need more governance. There also needs
> to be some sense of accountability.
>
> On Fri, Dec 18, 2015 at 3:23 PM, Andy Lewis <alewis at owasp.org> wrote:
>
>> No amount of talk about process is going to incent a talented individual
>> to work hard (or form a hard-working team) to yield a project.  Reduce the
>> red tape.  Make it brain-dead simple, and make it worthwhile.
>>
>> Specifically:
>>
>> 1. Establish a best project of the year contest.
>> 2. Make the rules very simple.
>>  - Open license
>>  - written securely (or at least in conformance w/the OWASP Top 10)
>>  - $25k (US) to the winner, $10k to runner-up, $5k to 3rd-place
>>  - $1k/month to entrants, random, so that everyone who writes a single
>> line of code towards a project knows that they've got a shot at a payoff
>> that month (and the accompanying publicity)
>> 3. Publicize like crazy - partner w/SANS, Gartner, and whoever else has
>> an enormous voice in the security marketplace
>>
>> I am not a talented coder.  I have employed several talented coders (and
>> project managers).  People deliver innovation in return for 1)
>> compensation, 2) recognition/applause, or 3) unbridled curiosity in
>> conjunction w/the promise of 1) or 2).  When managing a Dev team, one of my
>> biggest responsibilities is to REDUCE red-tape and LET CODERS CODE.
>> I was also responsible for ensuring that *secure* coding practices were
>> recognized and rewarded.
>> My 2 cents.
>> Andy
>>
>> PS looking for speakers for SnowFROC 2016, regional AppSec con in Denver,
>> CO on Thursday 18 Feb.  Please email me directly if interested.  No $$ but
>> plenty of recognition :-)
>>
>> On Thu, Dec 17, 2015 at 8:01 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>
>>> Timo,
>>>
>>> I think it's unfair and highly inaccurate to say the board is only
>>> concerned about quantity. If you listen to our Board meetings this year,
>>> particularly December's meeting, you'll note that we talked about the
>>> review process several times. In all cases, we were explicitly concerned
>>> about:
>>>
>>> Is the process working? (not really, not enough folks volunteered,
>>> despite the project volunteers and our Foundation staff working on new
>>> processes to automate much of the project review process). This is the
>>> focus of Tom's efforts to talk about various councils and so on, but we
>>> haven't voted on them to be founded as yet. I will look forward to more
>>> people doing meta work on projects, but this hasn't been the case for a
>>> long time.
>>>
>>> Is the quality of some projects insufficient? We've had a lot of
>>> discussions about one project in particular, but we've supported Johanna's
>>> relegation of many previous flagship projects to incubator status
>>> (devguide, etc), and inactive projects (e.g. ESAPI).
>>>
>>> What do we do to encourage projects? There was serious discussion about
>>> OWASP as a project house. We want projects to be under our umbrella, and
>>> not splatted all over the Internet. If you do a search for OWASP, you'll
>>> notice projects take up the first 80% of all results. We are rightly famous
>>> for projects. What can we do better to support them? Although reviews are
>>> important, we also need folks to work on them, and to feel like OWASP is a
>>> great place to do projects.
>>>
>>> We need folks who are interested in projects to take part, not only in
>>> their project, but in the meta-project tasks, such as project initiation
>>> approvals, and project reviews. We have a full time staff member who is
>>> responsible for this, as well as passionate volunteers. If you want your
>>> project to be up there as Flagship status, project leaders should help out
>>> these folks from time to time.
>>>
>>> It's not possible nor desirable for the Board to be involved in every
>>> project decision. We help govern the process, not the doing of the process.
>>> In general, at OWASP, meritocracy rules - do first, and ask later. If
>>> anything, we should make it easier for projects to do their thing, not add
>>> more red tape and endless discussion.
>>>
>>> We need folks to be helpful in getting project governance sorted out, as
>>> well as indicating which projects would like volunteers or need more help.
>>> Most projects have fewer than 5 active participants, which can be a strain
>>> on them getting stuff done. If there's a way we can help projects succeed,
>>> please let us know. Come along to Tom's meeting on Projects and make
>>> suggestions. We're all ears.
>>>
>>> thanks
>>> Andrew
>>>
>>> On Fri, Dec 18, 2015 at 9:22 AM, Liam Smit <liam.smit at gmail.com> wrote:
>>>
>>>> Hi Timo
>>>>
>>>> As we discussed at the B-Sides Cape Town conference, a simple minimum
>>>> requirement for different types of projects may help a lot.
>>>>
>>>> E.g. a documentation project needs to have at least some documentation
>>>> (RFC, outline, draft, etc) before it can be considered a project.
>>>> Similarly a software project would need some code (prototype, proof of
>>>> concept, etc) to qualify as a project.
>>>>
>>>> If it's only an idea or a concept then it's pre-project. The way to
>>>> turn that into a project is to then write some code or documentation.
>>>>
>>>> If there has been no update to a project for a year then that is stale,
>>>> assuming that there is something workable / usable that exists, because
>>>> if nothing exists after a year then it's unlikely to ever exist. It
>>>> should be possible to automate the generation of a report of such
>>>> stale projects, which could then be reviewed and then either be
>>>> resuscitated, removed / archived, or put in limbo status (pending
>>>> further review).
>>>>
>>>>
>>>> Regards,
>>>>
>>>> On Thu, Dec 17, 2015 at 9:43 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>> > There needs to be a greater focus on quality in projects. At the
>>>> > moment the board only cares about quantity and not about quality.
>>>> > Also we need incentive to attract good mature security related to
>>>> > become associated with OWASP.
>>>> >
>>>> > Also we need to get rid of outdated and unmaintained projects.
>>>> >
>>>> > Johanna and I tried to also make a minimum requirement for starting
>>>> > projects, but there still seems to be a trend of starting empty
>>>> > projects.
>>>> >
>>>> >
>>>> > I suggest the board members need to start doing project reviews, so
>>>> > that they have a good idea of the quality and quantity of projects at
>>>> > the moment.
>>>> >
>>>> >
>>>> >
>>>> > Regards.
>>>> > Timo
>>>> >
>>>> >
>>>> > On Wed, Dec 16, 2015 at 6:51 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>> >>
>>>> >> What are your thoughts?
>>>> >>
>>>> >>
>>>> >> http://lists.owasp.org/pipermail/owasp-board/2015-December/016835.html
>>>> >>
>>>> >>
>>>> >>
>>>> >> Tom Brennan
>>>> >> Global Board of Directors
>>>> >> NYC/NJ Metro Chapter Leader
>>>> >> 973-506-9304
>>>> >>
>>>> >> _______________________________________________
>>>> >> OWASP-Leaders mailing list
>>>> >> OWASP-Leaders at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> >