[Owasp-leaders] New approach to OWASP projects

johanna curiel curiel johanna.curiel at owasp.org
Wed May 11 14:38:30 UTC 2016

Hi Elizabeth
>>We need a global survey about the OWASP project assessment to consider
changes based on data.
Agree. We should create a proposal and let project leaders vote.

Being someone highly involved in the so-called project assessments at
OWASP, I can assure that ANY assessment done by a small group of
individuals will be biased and also based on personal opinions.

Also, it is not a simple problem to solve, since the financial input to pay
reviews will be quite costly and...in the for what purpose? If we spend
more budget on assessing than supporting projects, that's a very bad sign.
OWASP is no Apache nor Linux; we want to foster innovation and
collaboration. Using the project levels is to indicate users the stage of a

The approach we want to take here is to use well-defined criteria with a high
level of indicators, as mentioned here, to avoid that. Allow the community to

When the project leader must first self-assess whether he fulfils the criteria,
it will make him aware of his project's strengths and weaknesses.

We also measure already many indicators of maturity level through Openhub:

Take a look at what Open Hub measures, including a COCOMO model of code

If we have an internal staff such as the Senior technical project
coordinator to verify the data

The reviews are open and public for the community and they can provide

I suggest to read carefully and eventually we can try explaining this
better to clarify the purpose.

It is not about a free-for-all but a practical approach to a problem that has
been an issue since projects exist.

We want to involve the community of project leaders to define this

But my whole point is to stop creating a so-called 'volunteer team of
assessors' where most quit after a while and only a few stay to make
reviews. That has not worked before, nor will it work now.

>>Additionally maybe we could have an excel about the current method and
what gaps the community feel need to be looked into to ensure quality of
the projects, so that in having a vote we have a more informed one.

That's the idea.


On Wed, May 11, 2016 at 10:20 AM, Elizabeth Belousov <eliz.bel at icloud.com>

> Eliminating the project assessment practices may lead to creating so
> called “bubble projects” where the project ratings would depend on the
> personal opinions and relationships, not on the value of a project. That
> itself contradicts OWASP’s principles of openness.
> If OWASP didn’t carry through the project assessment in the past, it is
> NOT a sign of a permanent failure, there could be other contributing
> factors: lack of financial and human resources; lack of established measure
> of success (metrics, success indicators); cutting corners with the project
> releases. Also, past failures don’t mean we should stop trying to make a
> project review process better.
> We need a global survey about the OWASP project assessment to consider
> changes based on data.
> Regards,
> *Liz Belousov*
> Volunteer | OWASP Foundation
> NYC chapter
> On May 11, 2016, at 06:34 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> Project leaders,
> I think OWASP has failed multiple times to do project assessments.
> This task has not been easy for anyone. Not in 2009 for the Global
> Committee led by Jason Li, neither for Samantha in 2013 and the project
> advisers (I was one of them), not now.
> Instead a new realistic approach to projects should be introduced
>    - We already measure projects 'activity'
>    <https://www.openhub.net/p/zaproxy> using open hub (as long as we keep
>    on configuring this properly and maintaining but is simple)
>    - We could allow projects to self-assess, whether based on CII criteria or
>    on indicators through a self-assessment form like this one
>    <https://docs.google.com/a/owasp.org/forms/d/1fRL5Kg2vOWX3L6m2RDB0my3CS_WM9a95v-7b0ZFWzaY/edit?usp=sharing_eid&ts=56bdef81>
>    - We can use the results of self-assessment to evaluate as indicators
>    for providing sponsorship and support
> *For this part we don't need a team of specialists or reviewers. This could
> be published and allow the community to provide a star rating through
> Openhub (yes, you can rate projects on Openhub!):*
> <https://www.openhub.net/p/zaproxy/reviews/new>
> Measuring the 'quality' of a project is not simple. We don't have a team for
> this.
> Instead we should empower:
>    - Measure activity and indicators to allow projects use OWASP platform
>    (Chapters and Conferences) to market projects
>    - Empower the community to rate projects on Openhub:
>    https://www.openhub.net/p/zaproxy/reviews/new
>    - Provide sponsorship and support projects after they requested help.
>    Such as run Bounty programs now that we have this platform available.
>    - Sponsor traveling costs for leaders to talk at OWASP conferences
> Place focus on supporting projects instead of regulating what you can't.
> --
> Johanna Curiel
> OWASP Volunteer

Johanna Curiel
OWASP Volunteer