[Owasp-leaders] The Only Thing That Is Constant Is Change
psiinon at gmail.com
Mon May 9 13:36:04 UTC 2016
Agree with pretty much everything Johanna has said here.
OWASP as an organisation has not been good at attracting developers to work
on OWASP projects. It's had more success in influencing developers, e.g. with
the Top 10, OpenSAMM etc.
Specific OWASP projects have had success in attracting some developers, but
those are relatively isolated cases.
On Mon, May 9, 2016 at 1:15 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:
> a) how do we mature OWASP projects? OpenSAMM or CII or both
> OWASP does not mature projects. The project leader does that with
> contributions of volunteers. The willingness of a project leader and his
> abilities and talent does that. CII is a criteria created for
> auto-evaluation and this is where it must begin. The leader must
> understand what is expected from his project at all levels. OpenSAMM is not
> the right tool for this and I want to refresh your mind: in 2014
> Samantha suggested this and this was a total failure. If you are a developer
> you should understand ;-)
> OWASP does not offer the necessary financial support or a big developer
> community to grow a project at a high level. ZAP is ZAP right now
> because Mozilla is behind ZAP and recently ZAP got a grant from Linux. The
> search for that grant was not supported by OWASP. A volunteer did that.
> b) Can OWASP Foundation provide the infrastructure and tooling to allow
> these metrics to be met using automated means, thus improving our
> understanding of incubator, labs, mature, and flagship projects?
> Partially. OWASP is a good place to *market* a project. Even other open
> source developers use OWASP to promote their open source projects that are
> not even part of OWASP, such as the BeEF project and many others.
> OWASP has chapters and conferences where project leaders can promote their
> projects, especially if the project leader has financial means. But OWASP
> is no Linux nor Apache where you have a big community of DEVELOPERS ready
> to participate and contribute with code. We lack that kind of skill from
> volunteers in the community.
> That's why I mentioned, if OWASP wants to develop projects it needs a
> serious Volunteer Management Program to attract developers and match them
> with projects that are really willing to make it.
> OWASP can help projects with the GSoC but let's face it, only a handful can
> make it and are willing to participate.
> I decided to start some open source projects outside OWASP because I do
> not see the benefit of having all these criteria and rules while OWASP has
> neither the developer community nor the financial budget to help me
> develop a project at a high level. For me as a developer it is easier to do it
> alone and look for sponsors and grants and manage them as I need. Keep in
> mind that to produce software of quality a lot of effort in monetary means
> or time must be invested. I have been a Developer and Team leader during my
> 17 years of professional career and recently got more around pen testing
> while doing OSCP and graduated with an MSc in Information Security back in
> c) What is valuable to us as an organisation? We should work on those
> Very good question. OWASP lacks many things to make it attractive for
> Developers to start a project here. I mean Developers working on security,
> so most of these guys will start their own thing without OWASP.
> Unfortunately many people starting projects at OWASP do it to promote
> themselves or their security companies, not really to 'develop an open
> source project' for the long run. A kind of 'marketing tool'. So OWASP
> attracts some people that are not exactly the target group you want to
> develop software at a higher level.
> OWASP should reconsider focusing on what it does best: Conferences and
> chapters. Most people attracted to these are security professionals and
> vendors looking to exchange information and discuss security
> vulnerabilities. But I don't see full time developers joining OWASP. It is
> not really the place where you feel at home. We don't discuss how to
> develop better software at a technical code level or how to improve
> frameworks because we lack developers. Most discussions are around pen
> testing, guidelines and how to find vulnerabilities. That's a completely
> different mindset than a developer's.
> Developing secure code is about *how* to code securely and make it easier
> for a developer to implement security. ESAPI was an attempt at that but
> right now Apache Shiro is a much better option and easier to use imo.
> Microsoft is doing excellent work and many other frameworks like Node.js
> are improving their security.
> On Mon, May 9, 2016 at 3:34 AM, Andrew van der Stock <vanderaj at owasp.org>
>> I see this as being
>> a) how do we mature OWASP projects? OpenSAMM or CII or both
>> b) Can OWASP Foundation provide the infrastructure and tooling to allow
>> these metrics to be met using automated means, thus improving our
>> understanding of incubator, labs, mature, and flagship projects?
>> c) What is valuable to us as an organisation? We should work on those
>> In the first instance, asking our flagship projects to self-assess if
>> they are coding projects is going to be a light touch approach, and helps
>> us understand where projects could invest SoC funding or drive volunteer
>> effort in a targeted and focused way.
>> So many times, people add complexity and features to an application, but
>> do not drive quality and all the -alities of a good software project.
>> Personally, we have a home grown set of principles with OpenSAMM, some of
>> the best value for OWASP project *users* and *project owners* might be in
>> the intersection of these two things.
>> On Mon, May 9, 2016 at 6:18 AM, Larry Conklin <larry.conklin at owasp.org>
>>> Johanna, I think this may be a fair statement "*Being someone who
>>> has looked closely at most projects' code and development process, I can tell
>>> with confidence, most, including those labeled as flagship, won't be able
>>> to comply with these norms*" but I am not as familiar with all the
>>> projects as you are.
>>> But I think we have to step back a little and review.
>>> This process for the badge part is a self assessment. That said, all
>>> developers in SourceForge, etc. would never overstate their own projects.
>>> lol. But I think it is a great idea and OWASP is moving down the same path.
>>> Our process that we are developing is a mix of self assessment and peer
>>> review. More emphasis with peer review will be placed on Flagship projects
>>> and not just self assessment. Also another major difference is we are also
>>> trying to accomplish something different than what CII is trying to
>>> accomplish and more in line with Apache open source. That is corralling in
>>> the Wild Wild West and having projects have some of the same rigor that
>>> Chapters have today. Like all projects have two leaders. Besides the self
>>> assessment and peer review we are also looking at what we can automate to
>>> help us.
>>> But I will be honest, I think something keeps getting left out of the
>>> discussion: Making OWASP a great place for security code projects. We are
>>> well on our way rocking and rolling with conferences, chapters, web, cheat
>>> sheets, documentation. Now we need to rock and roll with ZAP and other
>>> projects, making OWASP the place to be for secure coding projects helping
>>> with application security. I would like to see more discussion on this.
>>> I have reviewed the badge process. A lot of it is now covered in our
>>> assessment model. So that is a great thing and I thank you for bringing
>>> this process into the discussion. It is important.
>>> On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> CII Badge criteria is a heavy checklist to control that an open
>>>> source project complies with certain norms in different fields such as
>>>> proper development and security.
>>>> Being someone who has looked closely at most projects' code and development
>>>> process, I can tell with confidence, most, including those labeled as
>>>> flagship, won't be able to comply with these norms.
>>>> Right now I think OWASP needs to set focus on developing a better
>>>> platform to attract developers, volunteers and project leaders, motivating
>>>> them to produce quality projects.
>>>> A volunteer program and platform that can help match volunteers with
>>>> initiatives and projects.
>>>> Producing a quality project like ZAP needs dedication and resources
>>>> including a deep commitment to make it work. The ZAP project leader and
>>>> volunteers work 100% on ZAP; this is by no means a 'hobby' or side
>>>> project. Even so ZAP is right now 92% compliant with the CII criteria and
>>>> still needs to work on it.
>>>> Most project leaders are doing this as side-hobby projects and in this
>>>> way, we will never be able to pull off projects compliant with CII
>>>> criteria. Most are lonely leaders building their projects when they have
>>>> time and once in a while they have the collaboration of contributors.
>>>> So we need to be realistic and be careful not to impose on projects
>>>> criteria or a process they will never be able to fulfill without the right
>>>> platform and incentives.
>>>> As I mentioned before I strongly recommend focusing on creating and
>>>> building a volunteer program and really thinking through how to attract and
>>>> retain volunteers, create initiatives that can help produce quality
>>>> projects and work with those project leaders looking for help.
>>>> Collaboration and support is the key for creating meaningful and
>>>> lasting open source projects.
>>>> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>>>> "The stakes have never been higher for open-source software security.
>>>>> With millions of people around the world relying on open source software —
>>>>> and vulnerabilities like Heartbleed putting everyone at risk — it's time to
>>>>> change the way we support, protect, and fortify open software."
>>>>> Interesting article and project(s) now available
>>>>> Why should OWASP code based projects not work together on this
>>>>> initiative in raising visibility for software security, improving our
>>>>> project quality and management?
>>>>> Discussion, Debate, Agreement where do you stand on it OWASP Leaders?
>>>>> Tom Brennan
>>>>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921 B228 BD0F
>>>>> D9C6 DC6A A
>>>>> OWASP Foundation | www.owasp.org
>>>>> Tel: (m) 973-506-9304
>>>>> Need to book time with me to discuss an existing or a future project
>>>>> click on my virtual calendar http://www.proactiverisk.com/brennan
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>> Johanna Curiel
>>>> OWASP Volunteer
> Johanna Curiel
> OWASP Volunteer
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader