[Owasp-leaders] New approach to OWAPS projects

johanna curiel curiel johanna.curiel at owasp.org
Wed May 11 15:04:11 UTC 2016

For the clarification to everyone:

I'm not involve in project reviews I just want to provide my point of view
based on past experience with Project Reviews.

I'm a concerned project leader.

I think we don't want to keep doing the same mistakes over again, I hope
 whoever team/volunteers are now in charge of Project reviews should
communicate this with Project leaders.



On Wed, May 11, 2016 at 10:38 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Elizabeth
> >>We need a global survey about the OWASP project assessment to consider
> changes based on data.
> Agree. we should create a proposal and let project leaders vote.
> Being some one highly involved in the so called project assessments at
> OWASP I can assure there ANY assessment done by a small group of
> individuals will be biased and also based on personal opinions.
> Also is not a simple problem to solved since the financial input to pay
> reviews will be quite costly and...in the for what purpose? If we spend
> more budget on assessing that supporting projects thats a very bad sign.
> OWAPS is no Apache nor Linux, we want to forster innovation and
> collaboration. Using the project levels is to indicate users the stage of a
> project
> The approach we want to do here is to use a well defined criteria with
> high level of indicators as mentioned here to avoid that.Allow the
> community to vote.
> When the project leader must first self assess if he fulfils the criteria,
> it will make them aware of his projects strengths and weaknesses.
> We also measure already many indicators of maturity level through Openhub:
> https://www.openhub.net/orgs/OWASP/projects
> Take a look of what open hub measures, including a COCOMO model of code
> maturity.
> If we have an internal staff such as the Senior technical project
> coordinator to verify the data
> The reviews are open and public for the community and they can provide
> ratings
> I suggest to read carefully and eventually we can try explaining this
> better to clarify the purpose.
> Is not about a free for all but a practical approach to a problem that has
> been an issue since projects exist
> We want to involve the community of project leaders to define this
> But my whole point is to stop creating so called 'volunteer team of
> assessors' that most quit after a while and only a few stays to make
> reviews. That has not work before nor will work now.
> >>Additionally maybe we could have an excel about the current method and
> what gaps the community feel need to be looked into to ensure quality of
> the projects, so that in having a vote we have a more informed one .
> Thats the idea.
> Cheers
> On Wed, May 11, 2016 at 10:20 AM, Elizabeth Belousov <eliz.bel at icloud.com>
> wrote:
>> Eliminating the project assessment practices may lead to creating so
>> called “bubble projects” where the project ratings would depend on the
>> personal opinions and relationships, not on the value of a project. That
>> itself contradicts OWASP’s principles of openness.
>> If OWASP didn’t carry through the project assessment in the past, it is
>> NOT a sign of a permanent failure, there could be other contributing
>> factors: lack of financial and human resources; lack of established measure
>> of success (metrics, success indicators); cutting corners with the project
>> releases. Also, past failures don’t mean we should stop trying to make a
>> project review process better.
>> We need a global survey about the OWASP project assessment to consider
>> changes based on data.
>> Regards,
>> *Liz Belousov*
>> Volunteer* | *OWASP Foundation
>> NYC chapter
>> On May 11, 2016, at 06:34 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>> Project leaders,
>> I think OWASP has failed multiple times to do a project assessments.
>> This task has not been easy for anyone. Not in 2009 for the Global
>> Committee lead by Jason Li, Neither for Samantha in 2013 and the project
>> advisers(I was one of them) , not now.
>> Instead a new realistic approach to projects should be introduced
>>    - We already measure projects 'activity'
>>    <https://www.openhub.net/p/zaproxy> using open hub (as long as we
>>    keep on configuring this properly and maintaining but is simple)
>>    - We could allow projects self asses wether  based on CII criteria or
>>    an indicators through self assessment form like this one
>>    <https://docs.google.com/a/owasp.org/forms/d/1fRL5Kg2vOWX3L6m2RDB0my3CS_WM9a95v-7b0ZFWzaY/edit?usp=sharing_eid&ts=56bdef81>
>>    - We can use the results of self-assesment to evaluate as indicators
>>    for providing sponsorship and support
>> *For this part we don't need a team of specialist or reviewers. This
>> could be published  and allow the community to  provide a rating star
>> though Openhub (yes you can rate projects on Openhub!):*
>> *https://www.openhub.net/p/zaproxy/reviews/new
>> <https://www.openhub.net/p/zaproxy/reviews/new>*
>> Measure the 'quality' of a project is not simple. We don't have a team
>> for this.
>> Instead we should empower:
>>    - Measure activity and indicators to allow projects use OWASP
>>    platform (Chapters and Conferences) to market projects
>>    - Empower the community to rate projects on Openhub:
>>    https://www.openhub.net/p/zaproxy/reviews/new
>>    - Provide sponsorship and support projects after they requested help.
>>    Such as run Bounty programs now that we have this platform available.
>>    - sponsor traveling cost for leaders to talk at  OWAPS conferences
>> Place focus on supporting projects instead of regulating what you can't.
>> --
>> Johanna Curiel
>> OWASP Volunteer
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Johanna Curiel
> OWASP Volunteer

Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160511/6a6059c7/attachment.html>

More information about the OWASP-Leaders mailing list