[Owasp-leaders] The Only Thing That Is Constant Is Change

johanna curiel curiel johanna.curiel at owasp.org
Mon May 9 12:15:05 UTC 2016


a) how do we mature OWASP projects? OpenSAMM or CII or both

OWASP does not mature projects. The project leader does that with
contributions of volunteers. The willingness of a project leader and his
abilities and talent do that. CII is a set of criteria created for
self-evaluation, and this is where it must begin. The leader must
understand what is expected from his project at all levels. OpenSAMM is not
the right tool for this, and I want to refresh your mind: in 2014
Samantha suggested this and it was a total failure. If you are a developer
you should understand ;-)

OWASP does not offer the necessary financial support or a big developer
community to grow a project to a high level. ZAP is ZAP right now
because Mozilla is behind ZAP, and recently ZAP got a grant from Linux. The
search for that grant was not supported by OWASP. A volunteer did that.

b) Can OWASP Foundation provide the infrastructure and tooling to allow
these metrics to be met using automated means, thus improving our
understanding of incubator, labs, mature, and flagship projects?

Partially. OWASP is a good place to *market* a project. Even other open
source developers use OWASP to promote their open source projects that are
not even part of OWASP, such as the BeEF project and many others.
OWASP has chapters and conferences where project leaders can promote their
projects, especially if the project leader has financial means. But OWASP
is no Linux nor Apache, where you have a big community of DEVELOPERS ready
to participate and contribute code. We lack that kind of skill from
volunteers in the community.
That's why I mentioned that if OWASP wants to develop projects it needs a serious
Volunteer Management Program to attract developers and match them with
projects that are really willing to make it.
OWASP can help projects with GSoC, but let's face it, only a handful can
make it and are willing to participate.

I decided to start some open source projects outside OWASP because I do not
see the benefit of having all these criteria and rules while OWASP has
neither the developer community nor the financial budget to help me
develop a project at a high level. For me as a developer it is easier to do it
alone and look for sponsors and grants and manage them as I need. Keep in
mind that to produce quality software a lot of effort in money
or time must be invested. I have been a developer and team leader during my
17 years of professional career, recently getting more into pen testing
while doing the OSCP, and I graduated with an MSc in Information Security back in
2009.


c) What is valuable to us as an organisation? We should work on those
first.
Very good question. OWASP lacks many things to make it attractive for
developers to start a project here. I mean developers working on security,
so most of these guys will start their own thing without OWASP.
Unfortunately many people starting projects at OWASP do it to promote
themselves or their security companies, not really to 'develop an open
source project' for the long run. A kind of 'marketing tool'. So OWASP
attracts some people that are not exactly the target group you want to
develop software at a higher level.

OWASP should reconsider focusing on what it does best: conferences and
chapters. Most people attracted to these are security professionals and
vendors looking to exchange information and discuss security
vulnerabilities. But I don't see full-time developers joining OWASP. It is
not really the place where you feel at home. We don't discuss how to
develop better software at a technical code level or how to improve
frameworks because we lack developers. Most discussions are around pen
testing, guidelines and how to find vulnerabilities. That's a completely
different mindset from a developer's.

Developing secure code is about *how* to code securely and make it easier for
a developer to implement security. ESAPI was an attempt at that, but right
now Apache Shiro is a much better option and easier to use imo. Microsoft
is doing excellent work and many other frameworks like Node.JS are
improving their security.




On Mon, May 9, 2016 at 3:34 AM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> I see this as being
>
> a) how do we mature OWASP projects? OpenSAMM or CII or both
> b) Can OWASP Foundation provide the infrastructure and tooling to allow
> these metrics to be met using automated means, thus improving our
> understanding of incubator, labs, mature, and flagship projects?
> c) What is valuable to us as an organisation? We should work on those
> first.
>
> In the first instance, asking our flagship projects to self-assess if they
> are coding projects is going to be a light touch approach, and helps us
> understand where projects could invest SoC funding or drive volunteer
> effort in a targeted and focused way.
>
> So many times, people add complexity and features to an application, but
> do not drive quality and all the -alities of a good software project.
>
> Personally, we have a home grown set of principles with OpenSAMM, some of
> the best value for OWASP project *users* and *project owners* might be in
> the intersection of these two things.
>
> thanks
> Andrew
>
>
> On Mon, May 9, 2016 at 6:18 AM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
>> Johanna, I think this may be a fair statement: "*Being someone who
>> has looked closely at most projects' code and development process, I can tell
>> with confidence that most, including those labeled as flagship, won't be able
>> to comply with these norms*" but I am not as familiar with all the
>> projects as you are.
>>
>> But I think we have to step back a little and review.
>>
>> This process, for the badge part, is a self-assessment. That said, all
>> developers in SourceForge, etc. would never overstate their own projects.
>> lol But I think it is a great idea and OWASP is moving down the same path.
>>
>> The process that we are developing is a mix of self-assessment and peer
>> review. More emphasis on peer review will be placed on Flagship projects
>> and not just self-assessment. Also, another major difference is we are
>> trying to accomplish something different from what CII is trying to
>> accomplish and more in line with Apache open source. That is corralling in
>> the Wild Wild West and having projects have some of the same rigor that
>> Chapters have today, like all projects having two leaders. Besides the self-
>> assessment and peer review we are also looking at what we can automate to
>> help us.
>>
>> But I will be honest, I think something keeps getting left out of the
>> discussion: making OWASP a great place for security code projects. We are
>> well on our way rocking and rolling with conferences, chapters, web, cheat
>> sheets, documentation. Now we need to rock and roll with ZAP and other
>> projects, making OWASP the place to be for secure coding projects helping
>> with application security. I would like to see more discussion on this.
>>
>> I have reviewed the badge process. A lot of it is now covered in our
>> assessment model. So that is a great thing and I thank you for bringing
>> this process into the discussion. It is important.
>>
>> Larry
>>
>> On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Tom,
>>>
>>> The CII Badge criteria are a heavy checklist to check that an open
>>> source project complies with certain norms in different fields such as
>>> proper development and security.
>>>
>>> Being someone who has looked closely at most projects' code and development
>>> process, I can tell with confidence that most, including those labeled as
>>> flagship, won't be able to comply with these norms.
>>>
>>> Right now I think OWASP needs to set focus on developing a better
>>> platform to attract developers, volunteers and project leaders, motivating
>>> them to produce quality projects.
>>>
>>> A volunteer program and platform that can help match volunteers with
>>> initiatives and projects.
>>>
>>> Producing a quality project like ZAP needs dedication and resources,
>>> including a deep commitment to make it work. The ZAP project leader and
>>> volunteers work 100% on ZAP; this is by no means a 'hobby' or side
>>> project. Even so, ZAP is right now 92% compliant with the CII criteria and
>>> still needs to work on it.
>>>
>>> Most project leaders are doing this as side-hobby projects, and in this
>>> way we will never be able to pull off projects compliant with the CII
>>> criteria. Most are lonely leaders building their projects when they have
>>> time, and once in a while they have the collaboration of contributors.
>>>
>>> So we need to be realistic and be careful not to impose on projects
>>> criteria or a process they will never be able to fulfill without the right
>>> platform and incentives.
>>>
>>> As I mentioned before, I strongly recommend focusing on creating and
>>> building a volunteer program and really thinking through how to attract and
>>> retain volunteers, create initiatives that can help produce quality
>>> projects, and work with those project leaders looking for help.
>>>
>>> Collaboration and support is the key for creating meaningful and lasting
>>> open source projects.
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>>
>>>
>>> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> "The stakes have never been higher for open-source software security.
>>>> With millions of people around the world relying on open source software —
>>>> and vulnerabilities like Heartbleed putting everyone at risk — it's time to
>>>> change the way we support, protect, and fortify open software."
>>>>
>>>> Interesting article and project(s) now available
>>>>
>>>> http://www.linuxinsider.com/story/83463.html
>>>>
>>>> Why should OWASP code based projects not work together on this
>>>> initiative in raising visibility for Software security, improving our
>>>> project quality and management.
>>>>
>>>> Discussion, Debate, Agreement where do you stand on it OWASP Leaders?
>>>>
>>>> https://www.coreinfrastructure.org/programs
>>>>
>>>>
>>>> Tom Brennan
>>>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F
>>>> D9C6 DC6A A
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>> Tel:  (m) 973-506-9304
>>>>
>>>> Need to book time with me to discuss an existing or a future project
>>>> click on my virtual calendar http://www.proactiverisk.com/brennan
>>>>
>>>> The information contained in this message and any attachments may be
>>>> privileged, confidential, proprietary or otherwise protected from
>>>> disclosure. If you, the reader of this message, are not the intended
>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>> copying or use of this message and any attachment is strictly prohibited.
>>>> If you have received this message in error, please notify the sender
>>>> immediately by replying to the message, permanently delete it from your
>>>> computer and destroy any printout.
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>>
>>>
>>
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer

