[Owasp-leaders] The Only Thing That Is Constant Is Change
Tom Brennan - OWASP
tomb at owasp.org
Mon May 9 13:43:51 UTC 2016
The discussion is very healthy and helpful, thank you all.
FWIW OWASP Foundation is in the process of recruiting top talent from around
the world to work full time for OWASP Foundation for (2) very important
A) Senior Technical Coordinator
B) Global Community Manager
and unfortunately with Mr. Ritchie's unexpected death an Executive Director
As always OWASP encourages professional debate and collaboration driving to
rough consensus, and meets monthly to discuss, document and make progress; see
past and upcoming agendas
GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921 B228 BD0F D9C6
OWASP Foundation | www.owasp.org
Tel: (m) 973-506-9304
On Mon, May 9, 2016 at 8:15 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:
> a) how do we mature OWASP projects? OpenSAMM or CII or both
> OWASP does not mature projects. The project leader does that with
> contributions of volunteers. The willingness of a project leader and his
> abilities and talent does that. CII is a set of criteria created for
> auto-evaluation and this is where it must begin. The leader must
> understand what is expected from his project at all levels. OpenSAMM is
> the right tool for this and I want to refresh your mind when in 2014
> Samantha suggested this and this was a total failure. If you are a
> you should understand ;-)
> OWASP does not offer the necessary financial support or a big developer
> community to grow a project at a high level. ZAP is ZAP right now
> Mozilla is behind ZAP and recently ZAP got a grant from Linux. The look
> that grant was not supported by OWASP. A volunteer did that.
> b) Can OWASP Foundation provide the infrastructure and tooling to allow
> these metrics to be met using automated means, thus improving our
> understanding of incubator, labs, mature, and flagship projects?
> Partially. OWASP is a good place to market a project. Even other open
> source developers use OWASP to promote their open source projects that are
> not even part of OWASP, such as the BeEF project and many others.
> OWASP has chapters and conferences where project leaders can promote their
> projects, especially if the project leader has financial means. But OWASP
> no Linux nor Apache where you have a big community of DEVELOPERS ready to
> participate and contribute with code. We lack that kind of skill from
> volunteers in the community.
> That's why I mentioned, if OWASP wants to develop projects it needs a
> Volunteer Management Program to attract developers and match them with
> projects that are really willing to make it.
> OWASP can help projects with the GSoC but let's face it, only a handful can
> make it and are willing to participate.
> I decided to start some open source projects outside OWASP because I do
> see the benefit of having all these criteria and rules while OWASP does
> have the developer community nor the financial budget to help me
> a project at a high level. For me as a developer it is easier to do it alone
> look for sponsors and grants and manage them as I need. Keep in mind that
> produce software of quality a lot of effort in monetary means or time must
> be invested. I have been a Developer and Team leader during my 17 years of
> professional career and recently to get more around pen testing while
> OSCP and graduated with an MSc in Information Security back in 2009.
> c) What is valuable to us as an organisation? We should work on those
> Very good question. OWASP lacks many things to make it attractive for
> Developers to start a project here. I mean Developers working on security
> most of these guys will start their own thing without OWASP.
> Unfortunately many people starting projects at OWASP do it to promote
> themselves or their security companies, not really to 'develop an open
> source project' for the long run. A kind of 'marketing tool'. So OWASP
> attracts some people that are not exactly the target group you want to
> develop software at a higher level.
> OWASP should reconsider focusing on what it does best: Conferences and
> chapters. Most people attracted to these are security professionals and
> vendors looking to exchange information and discuss security
> vulnerabilities. But I don't see Full time developers joining OWASP. Is
> really the place where you feel at home. We don't discuss how to develop
> better software at a technical code level or how to improve frameworks
> because we lack developers. Most discussions are around pen testing,
> guidelines and how to find vulnerabilities. That's a completely different
> set than a developer.
> Development of secure code is about how to code securely and make it easier for
> developers to implement security. ESAPI was an attempt at that but right
> Apache Shiro is a much better option and easier to use imo. Microsoft is
> doing excellent work and many other frameworks like Node.JS are
> their security.
> On Mon, May 9, 2016 at 3:34 AM, Andrew van der Stock <vanderaj at owasp.org>
>> I see this as being
>> a) how do we mature OWASP projects? OpenSAMM or CII or both
>> b) Can OWASP Foundation provide the infrastructure and tooling to allow
>> these metrics to be met using automated means, thus improving our
>> understanding of incubator, labs, mature, and flagship projects?
>> c) What is valuable to us as an organisation? We should work on those
>> In the first instance, asking our flagship projects to self-assess if
>> are coding projects is going to be a light touch approach, and helps us
>> understand where projects could invest SoC funding or drive volunteer
>> in a targeted and focused way.
>> So many times, people add complexity and features to an application, but
>> do not drive quality and all the -alities of a good software project.
>> Personally, we have a home grown set of principles with OpenSAMM, some of
>> the best value for OWASP project *users* and *project owners* might be in
>> the intersection of these two things.
>> On Mon, May 9, 2016 at 6:18 AM, Larry Conklin <larry.conklin at owasp.org>
>>> Johanna, I think this may be a fair statement: "Being someone who
>>> has looked closely most projects code and development process, I can
>>> with confidence, most, including those labeled as flagship, won't be
>>> to comply with these norms" but I am not as familiar with all the
>>> as you are.
>>> But I think we have to step back a little and review.
>>> This process, for the badge part, is a self-assessment. That said, all
>>> developers on SourceForge, etc. would never overstate their own
>>> lol. But I think this is a great idea and OWASP is moving down the same
>>> Our process that we are developing is a mix of self assessment and peer
>>> review. More emphasis with peer review will be placed on Flagship
>>> and not just self assessment. Also another major difference is we are
>>> trying to accomplish something different than what CII is trying to
>>> accomplish and more in line with Apache open source. That is corralling
>>> the Wild Wild West and having projects have some of the same rigor that
>>> Chapters have today. Like all projects have two leaders. Besides the
>>> assessment and peer review we are also looking at what we can automate
>>> help us.
>>> But I will be honest I think something keeps getting left out of the
>>> discussion; Making OWASP a great place for security code projects. We
>>> well on our way rock and rolling with conferences, chapters, web, cheat
>>> sheets, documentation. Now we need to rock and roll with Zap and other
>>> projects making OWASP the place to be for secure coding projects helping
>>> application security. I would like to see more discussion on this.
>>> I have reviewed the badge process. A lot of it is now covered in our
>>> assessment model. So that is a great thing and I thank you for bringing
>>> process into the discussion. It is important.
>>> On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel
>>> <johanna.curiel at owasp.org> wrote:
>>>> The CII Badge criteria are a heavy set of checklists to control that an open
>>>> source project complies with certain norms in different fields such as
>>>> proper development and security.
>>>> Being someone who has looked closely at most projects' code and development
>>>> process, I can tell with confidence, most, including those labeled as
>>>> flagship, won't be able to comply with these norms.
>>>> Right now I think OWASP needs to set focus on developing a better
>>>> platform to attract developers, volunteers and project leaders,
>>>> them to produce quality projects.
>>>> A volunteer program and platform that can help match volunteers with
>>>> initiatives and projects.
>>>> Producing a quality project like ZAP needs dedication and resources
>>>> including a deep commitment to make it work. ZAP project leader and
>>>> volunteers work 100% on ZAP, this is by no means a 'hobby' or side
>>>> project. Even so ZAP is right now 92% compliant with the CII criteria
>>>> still needs to work on it.
>>>> Most project leaders are doing this as side-hobby projects and in this
>>>> way, we will never be able to pull off projects compliant with CII
>>>> criteria. Most are lonely leaders building their projects when they
>>>> and once in a while they have the collaboration of contributors.
>>>> So we need to be realistic and be careful not to impose on projects
>>>> criteria or process they will never be able to fulfill without the
>>>> platform and incentives.
>>>> As I mentioned before I strongly recommend to focus on creating and
>>>> building a volunteer program and really think through how to attract
>>>> retain volunteers, create initiatives that can help produce quality
>>>> and work with those project leaders looking for help.
>>>> Collaboration and support are the key for creating meaningful and
>>>> open source projects.
>>>> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>>>> "The stakes have never been higher for open-source software security.
>>>>> With millions of people around the world relying on open source
>>>>> and vulnerabilities like Heartbleed putting everyone at risk — it's
>>>>> change the way we support, protect, and fortify open software."
>>>>> Interesting article and project(s) now available
>>>>> Why should OWASP code-based projects not work together on this
>>>>> initiative in raising visibility for software security, improving our
>>>>> project quality and management?
>>>>> Discussion, debate, agreement: where do you stand on it, OWASP Leaders?
>>>>> Tom Brennan
>>>>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921 B228 BD0F
>>>>> D9C6 DC6A A
>>>>> OWASP Foundation | www.owasp.org
>>>>> Tel: (m) 973-506-9304
>>>>> Need to book time with me to discuss an existing or a future project
>>>>> click on my virtual calendar http://www.proactiverisk.com/brennan
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>> Johanna Curiel
>>>> OWASP Volunteer
> Johanna Curiel
> OWASP Volunteer
The information contained in this message and any attachments may be
privileged, confidential, proprietary or otherwise protected from
disclosure. If you, the reader of this message, are not the intended
recipient, you are hereby notified that any dissemination, distribution,
copying or use of this message and any attachment is strictly prohibited.
If you have received this message in error, please notify the sender
immediately by replying to the message, permanently delete it from your
computer and destroy any printout.