[Owasp-leaders] OWASP Website Project

Larry Conklin larry.conklin at owasp.org
Thu Mar 2 16:42:37 UTC 2017


Matt,

I have been thinking of your remarks this morning.

> You don't want quotes based on our budget. You want good quotes based on
> what the vendor thinks his time and effort will cost OWASP.
>

> I completely agree with you but I don't want to engage a vendor when I'm
> not sure if I even have a reasonably firm and appropriate budget
> allocated.  I'm not going to prepare RFPs for things that may not happen
> when there's plenty to do already.

Sorry, but I wanted to think before I answered back to you. If I understand
this, we have the classic cart-before-the-horse problem. You don’t want to
proceed before you have a commitment of the money from the board. I suspect
the board doesn’t want to give an amount without a reasonable best guess on
what it will cost.



Here are my thoughts to you.

   1. Go ahead and create the RFPs. Don’t worry about doing an RFP that isn’t
      acted on. Happens all the time. My firm bids on work. We expect to get some
      of the work but not all. Some projects never get off the ground, get cancelled
      because the bids were too high, etc. Don’t worry about it. It's part of the
      cost of doing business. Business should understand that. If they don’t
      then they were the wrong vendor in the first place.
   2. This gives you the advantage of now putting the board back as the
      decision maker, since you can go to the board with actual figures.
   3. Third, this gives the board something to work with. They may ask you to
      go back to a shorter list of vendors and reduce or increase the project
      scope depending on what the timeline is and financial amount, or they may say
      no to the whole thing; then it’s on them to explain it to the community.

Larry

On Wed, Mar 1, 2017 at 11:50 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Larry,
>
> Answering inline:
>
> On Wed, Mar 1, 2017 at 11:19 AM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
>> I thought we already had this. It was with the third-party report that we
>> went over in the last APPSecUSA. I have asked for more clarification from
>> Tom B on why we are hitting roadblocks in Operations.
>>
>> Matt, what are your roadblocks?
>>
>
> Already answered in my reply to Tom B but to be thorough:
> The project is progressing and was only blocked because the board has not,
> yet, approved a budget for 2017.
>
> Please see the Ops Blog for December
> <https://owasp.blogspot.com/2016/12/owasp-operations-update-for-december.html>
> :
>
> "Waiting for 2017 Budget to get approved by the Board"
>
> And the updates in the Ops Blog post for January
> <https://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html>
> :
>
> *Blocked*: waiting for the 2017 Budget to get approved by the OWASP Board
>
> And the updates in the Ops Blog post for February
> <https://owasp.blogspot.com/2017/02/owasp-operations-update-for-february.html>
> :
>
> *Blocked*: waiting for the 2017 Budget to get approved by the OWASP Board
>
>
> Even with the lack of budget clarity and the unexpected ending of
> Rackspace's hosting donation (also in the Feb Ops Blog), there has been
> progress made on the Website Reboot.  I'll be posting this Friday a March
> Ops Blog in preparation for next week's Board meeting where further updates
> will be documented.
>
>
>>
>> Is it money and/or time? I believe to get responses to RFPs you don't
>> need to have an exact budget amount.
>>
>
> It is not about getting an exact budget amount, it's about getting a budget
> amount I can be confident in.  During the board meeting at AppSec USA, two
> board members disagreed about the budget amount for this project and
> differed by a factor of 10x - one told me $150k and another said $15k.  I
> have been waiting for a firm agreement on what is budgeted for this effort
> since then.
>
>> You don't want quotes based on our budget. You want good quotes based on
>> what the vendor thinks his time and effort will cost OWASP.
>>
>
> I completely agree with you but I don't want to engage a vendor when I'm
> not sure if I even have a reasonably firm and appropriate budget
> allocated.  I'm not going to prepare RFPs for things that may not happen
> when there's plenty to do already.
>
> After the February board meeting, I met with Tom Pappas and discussed the
> budget he and Andrew van der Stock have worked on for 2017.  After that
> meeting where my budget requests for the Website Reboot (and others) were
> compared with the working 2017 budget, I have confidence that, barring a
> radical change in the proposed 2017 budget, I can safely begin on the next
> phases outlined for the project in the Ops Blog.
>
> Cheers!
>
> Matt Tesauro
>
>
>>
>> Larry
>>
>> On Wed, Mar 1, 2017 at 11:47 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>>> Hi Tom and Dinis, Yes, I agree that the community should help and
>>> support this effort to avoid bottlenecks and brick walls. Could an Advisory
>>> Committee be created for this purpose? Best wishes, Bev
>>>
>>> On Wed, Mar 1, 2017 at 9:05 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> Dinis,
>>>>
>>>> Not sure of how things are getting added to the agenda or focus areas
>>>> for the Summit.  But for operational items core to the OWASP mission like
>>>> the OWASP Website Project, I wonder if it is appropriate to carve out time
>>>> for that discussion.
>>>>
>>>> The project has hit a wall after being handed off to operations and it
>>>> may need some community push to underscore it as a priority.
>>>>
>>>> See history: https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus/website_project
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>
>