[Owasp-leaders] The Only Thing That Is Constant Is Change

Larry Conklin larry.conklin at owasp.org
Sun May 8 20:18:04 UTC 2016

Johanna, I think this may be a fair statement: "*Being someone who has
looked closely at most projects' code and development process, I can tell
with confidence that most, including those labeled as flagship, won't be
able to comply with these norms*", but I am not as familiar with all the
projects as you are.

But I think we have to step back a little and review.

The badge part of this process is a self-assessment. That said, all
developers on SourceForge, etc. would never overstate their own projects,
lol. But I think it is a great idea and OWASP is moving down the same path.

The process that we are developing is a mix of self-assessment and peer
review. More emphasis on peer review, and not just self-assessment, will be
placed on Flagship projects. Another major difference is that we are also
trying to accomplish something different than what CII is trying to
accomplish, more in line with Apache open source: corralling in the Wild
Wild West and having projects have some of the same rigor that Chapters
have today, like all projects having two leaders. Besides the
self-assessment and peer review, we are also looking at what we can
automate to help us.

But I will be honest: I think something keeps getting left out of the
discussion, making OWASP a great place for security code projects. We are
well on our way rocking and rolling with conferences, chapters, web, cheat
sheets, documentation. Now we need to rock and roll with ZAP and other
projects, making OWASP the place to be for secure coding projects helping
with application security. I would like to see more discussion on this.

I have reviewed the badge process. A lot of it is now covered in our
assessment model. So that is a great thing and I thank you for bringing
this process into the discussion. It is important.


On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Tom,
> The CII Badge criteria are a heavy checklist to control that an open
> source project complies with certain norms in different fields such as
> proper development and security.
> Being someone who has looked closely at most projects' code and development
> process, I can tell with confidence that most, including those labeled as
> flagship, won't be able to comply with these norms.
> Right now I think OWASP needs to set focus on developing a better platform
> to attract developers, volunteers and project leaders, motivating them to
> produce quality projects.
> A volunteer program and platform that can help match volunteers with
> initiatives and projects.
> Producing a quality project like ZAP needs dedication and resources,
> including a deep commitment to make it work. The ZAP project leader and
> volunteers work 100% on ZAP; this is by no means a 'hobby' or side
> project. Even so, ZAP is right now 92% compliant with the CII criteria and
> still needs to work on it.
> Most project leaders are doing this as side-hobby projects and in this way
> we will never be able to pull off projects compliant with the CII
> criteria. Most are lonely leaders building their projects when they have
> time, and once in a while they have the collaboration of contributors.
> So we need to be realistic and be careful not to impose on projects
> criteria or a process they will never be able to fulfill without the right
> platform and incentives.
> As I mentioned before, I strongly recommend focusing on creating and
> building a volunteer program and really thinking through how to attract and
> retain volunteers, creating initiatives that can help produce quality
> projects and working with those project leaders looking for help.
> Collaboration and support are the key to creating meaningful and lasting
> open source projects.
> Regards,
> Johanna
> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>> "The stakes have never been higher for open-source software security.
>> With millions of people around the world relying on open source software —
>> and vulnerabilities like Heartbleed putting everyone at risk — it's time to
>> change the way we support, protect, and fortify open software."
>> Interesting article and project(s) now available:
>> http://www.linuxinsider.com/story/83463.html
>> Why should OWASP code-based projects not work together on this initiative
>> in raising visibility for software security, improving our project quality
>> and management?
>> Discussion, debate, agreement: where do you stand on it, OWASP Leaders?
>> https://www.coreinfrastructure.org/programs
>> Tom Brennan
>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921 B228 BD0F D9C6 DC6A A
>> OWASP Foundation | www.owasp.org
>> Tel:  (m) 973-506-9304
>> Need to book time with me to discuss an existing or a future project
>> click on my virtual calendar http://www.proactiverisk.com/brennan
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Johanna Curiel
> OWASP Volunteer