<div dir="ltr">Hey Jim, no one has implied to delete the wiki .<div><br><div>Just to provide these documentation projects an opportunity to start moving their content and make it more cohesive and sharing.</div><div><br></div><div>The wiki is the actual OWASP portal so before there is a full replacement it will take some years.</div><div><br></div><div>But as people work on more cohesive , collaborative way and managing content wise with Github markdown as proposed by Gary, I believe that you can take out a lot of redundant content and automatically, this will become 'obsolete'. A lot of the possibilities of exporting content and collaboration are much better with Github markdown (such as transforming content automatically to other formats or reusing it). We start over on the Github.</div></div><div><br></div><div>We are planning to do the same with the Project's portal as the content has become unmanageable and not so user friendly. It does not support many of our necessary processes.</div><div><br></div><div> Like the legacy app, you can't just get rid off it from one day to another but it requires a transformation and migration ;-). </div><div><br></div><div>Hope this clarifies the purpose and goal.</div><div><br></div><div>Cheers</div><div><br></div><div>Johanna</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 17, 2016 at 12:48 AM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Johanna,<br>
    <br>
    There is plenty of good content on the wiki. I think "migration of
    content" is probably more realistic that "starting over". Just a
    thought, but please do as you wish as long as you do not delete the
    wiki. It's in heavy active use.<br>
    <br>
    Aloha,<br>
    - Jim<div><div class="h5"><br>
    <br>
    <div>On 2/16/16 9:41 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><span style="font-size:13px">>>I do not think
          - at all - that starting over is a good idea. There are
          thousands of hours of work in the wiki that should not be so
          quickly dismissed. And there are plenty of people still
          actively working on the wiki.</span><br>
        <div><span style="font-size:13px"><br>
          </span></div>
        <div>Jim, Jim... you sound like a dev in love with his legacy
          ;-p. Sometimes, you need to kill your darlings. I like hearing
          solutions and unfortunately revising 8000+ content and hiring
          skilled force for that is not feasible imho.</div>
        <div><span style="font-size:13px"><br>
          </span></div>
        <div>I respect and understand your pov but the documentation
          projects have their own set of necessities and appropriate
          experts/authors to carry on these task. Also, they have the
          materials and scope that need proper revision. If they start
          with these set of projects (OpenSamm, Code Review, Developer
          guide, Security Framework) and implement many of the things in
          the Testing guide ,it will provide cohesive content, something
          that we are missing from the wiki. With the support of
          Security Framework project leaders to manage the system, I
          think this consider a feasible solution. </div>
        <div><br>
        </div>
        <div>One that I think deserves the try.</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 17, 2016 at 12:30 AM, Jim
          Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> I do not think - at
              all - that starting over is a good idea. There are
              thousands of hours of work in the wiki that should not be
              so quickly dismissed. And there are plenty of people still
              actively working on the wiki.<br>
              <br>
              Keep in mind, starting over means folks need to build all
              this new content from scratch. It is not easy to find
              skilled folks to add all that new content, which takes us
              back to square one.<br>
              <br>
              One page at at a time. If you see any content that is out
              of date, please continue to inform me directly and I'll do
              something about it as quickly as I can with the help of
              the other editors who continue to work on the wiki.<span><font color="#888888"><br>
                  <br>
                  - Jim</font></span>
              <div>
                <div><br>
                  <br>
                  <div>On 2/16/16 9:26 PM, johanna curiel curiel wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">>>Good stuff. I think the best
                      way to approach this is to get a team to walk
                      through our 8000+ page wiki and categorise pages
                      that need categorizing. <br>
                      <div><span style="font-size:13px"><br>
                        </span></div>
                      <div>I believe in divide and conquer but also , at
                        a certain moment, you need to focus on the
                        approach. </div>
                      <div><br>
                      </div>
                      <div>I don't think walking through those 8000+ is
                        realistic, cheap or feasible not even for a
                        hired qualified team.</div>
                      <div><br>
                      </div>
                      <div>I  think this problem is similar to having a
                        very old, big, legacy application no one
                        understands and no one wants to work with. What
                        most business do? <br>
                      </div>
                      <div><br>
                      </div>
                      <div><i>Start from scratch, a new one.</i></div>
                      <div><br>
                      </div>
                      <div>I think the focus here is for documentation
                        existing projects to markup their documents and
                        work form there. Focusing on those 8000+ is not
                        feasible.</div>
                      <div><br>
                      </div>
                      <div>As Jim said, the people that wants to edit
                        seem  not to be <i>qualified</i> enough to edit
                        and the people that are <i>qualified</i>, well,
                        they do not have time nor feel like editing on
                        the wiki ;-P</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Tue, Feb 16, 2016 at
                        11:53 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank"></a><a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> Gary,<br>
                            <br>
                            Good stuff. I think the best way to approach
                            this is to get a team to walk through our
                            8000+ page wiki and categorize pages that
                            need categorizing. That would "bucket"
                            content as you suggested in prep for any
                            move into "folders" (and make the wiki a
                            better place as it is). We already have a
                            wiki template system to help mark old or
                            dead content ( <a href="https://www.owasp.org/index.php/Template:TaggedDocument" target="_blank">https://www.owasp.org/index.php/Template:TaggedDocument</a>
                            ) and wiki markup makes content
                            categorization easy by adding a wiki
                            category to any page.<br>
                            <br>
                            I am personally a big fan of the wiki and
                            wiki-markup. I would hate to dump the many
                            thousand people-years of work in there.<span><br>
                              <br>
                              > <b>Big downside</b>: there’s a large
                              piece of work to start it off.  All
                              content would need to get organized, put
                              into sensible structure, converted to
                              markdown, argued over, ‘experts’ defined
                              and assigned, etc.  I doubt this would be
                              a volunteer effort, and may need
                              contractor involvement.  Could this be
                              combined with the OWASP wiki redesign?<br>
                              <br>
                            </span> Yea, exactly. The process of trying
                            to update the wiki (or at least handle dated
                            content that others are concerned about) is
                            already in place and some folks like myself
                            and members the wiki editorial team have
                            slowly been going over wiki content and
                            trying to make it more honest on a page by
                            page level. The problem is the sheer volume
                            and the lack of tools to aid in the process.<br>
                            <br>
                            Another problem is how do we hire? We need
                            content folks who understand application
                            security, these are not cheap hires. We've
                            made the call for volunteers to help with
                            wiki cleanup, but only found a few
                            volunteers to help and only 2 are active. 
                            Any honestly, we need rather thoughtful and
                            skilled volunteers who really get
                            application security, and they are hard to
                            find in 2016.<br>
                            <br>
                            I'm not sure what the best path is to handle
                            the wiki mess before us, so in the meantime
                            I'm crunching through one page at a time,
                            one request at a time, and one cleanup at a
                            time. If anyone wants to help accelerate
                            this with hands-on help and assistance, I'm
                            all ears and am eager for your help. In my
                            experience a lot of folks have ideas and
                            plans to make the wiki better, but very few
                            are willing to do the work. I mean that
                            respectfully, I understand how busy everyone
                            is. <br>
                            <br>
                            I think the best kind of leadership is
                            getting your hands dirty and leading by
                            example. If you want to help dive in and
                            start looking at the scope of the wiki
                            problem with me, sign up at <a href="https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors" target="_blank"></a><a href="https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors</a>
                            and introduce yourself and expand on your
                            plan. I'd be glad to give you a tour around
                            the wiki and show you whats up. I do not
                            blame you if you bail. Several folks joined
                            with enthusiastic desire to help, but then
                            bailed once they saw the scope of the
                            problem. In the meantime, one page at a time
                            is all I got. :)<br>
                            <br>
                            Aloha,<br>
                            Jim
                            <div>
                              <div><br>
                                <br>
                                <br>
                                <br>
                                <div>On 2/14/16 1:30 PM, Gary Robinson
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">
                                    <p class="MsoNormal" style="font-size:12.8px">Hi Folks,</p>
                                    <p class="MsoNormal" style="font-size:12.8px"> </p>
                                    <p class="MsoNormal" style="font-size:12.8px">I want to
                                      reach out to the leaders and bring
                                      up the subject of OWASP docs
                                      projects, in fact all OWASP
                                      documentation including wiki and
                                      text available to our code
                                      projects as well.  I’ll try to
                                      keep this e-mail brief so won’t
                                      get bogged in details, but
                                      generally I want to know if the
                                      community experiences the same
                                      pains, see the same opportunities,
                                      or has other suggestions for
                                      improvement.</p>
                                    <p class="MsoNormal" style="font-size:12.8px"> </p>
                                    <p class="MsoNormal" style="font-size:12.8px">The
                                      issues that can arise from our
                                      current method of developing our
                                      various docs include:</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><br>
                                    </p>
                                    <ol style="font-size:12.8px">
                                      <li style="margin-left:15px">Draft
                                        content that exists in the
                                        wiki.  This may be in varying
                                        states (correct, incorrect,
                                        lousy, confused, etc.) and is
                                        visible to the internet and
                                        typically not clearly labelled
                                        as draft.  Google ‘owasp purple
                                        monkey dishwasher’ for an
                                        example of a draft wiki page
                                        visible to the internet.  This
                                        content also needs to get
                                        cleaned up after a project
                                        release.</li>
                                      <li style="margin-left:15px">Substandard

                                        descriptions/content can get
                                        into our docs.  Getting people
                                        to review every
                                        line/example/diagram/appendix is
                                        difficult with a volunteer
                                        organization (as other threads
                                        have discussed)</li>
                                      <li style="margin-left:15px">Duplications

                                        happen, as 10 different projects
                                        create/copy/paste their
                                        definitions of topics such as
                                        XSS, SQLi, CSRF, etc.  This
                                        wastes effort in an organization
                                        already constrained of active
                                        volunteers.</li>
                                      <li style="margin-left:15px">Content
                                        gets out-of-date.  The work to
                                        create a new version of a doc
                                        project takes years.</li>
                                    </ol>
                                    <p class="MsoNormal" style="font-size:12.8px">I’m sure
                                      some readers will be mentally
                                      adding their own issues to this
                                      list.</p>
                                    <p class="MsoNormal" style="font-size:12.8px"> </p>
                                    <p class="MsoNormal" style="font-size:12.8px">Proposal:</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><br>
                                    </p>
                                    <p class="MsoNormal" style="font-size:12.8px">Bringing
                                      together discussions with a few
                                      people over the last few years
                                      (you know who you are), I’m
                                      proposing the following: we write
                                      our docs with reusable resources. 
                                      What would this mean?  Something
                                      similar to the following:</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><span style="font-family:Symbol"><span><br>
                                        </span></span></p>
                                    <ol style="font-size:12.8px">
                                      <li style="margin-left:15px">We
                                        dump all of the content from our
                                        wiki, current docs, descriptions
                                        in code tools, etc.  We put it
                                        into markup (as some projects
                                        are already doing) and add it to
                                        source code repositories.</li>
                                      <li style="margin-left:15px">We
                                        share doc markup files <u>across
                                          ALL docs and code projects</u>. 

                                        For example, imagine we have a
                                        folder for SQLi.  This directory
                                        contains the OWASP ‘golden
                                        source’ for SQLi definition,
                                        examples, code, tests, etc. 
                                        Repeat for all other AppSec
                                        issues (CSRF, cert pinning,
                                        etc.).  We use a mechanism to
                                        ‘compile’ these markdown files
                                        into PDFs and integrate into
                                        code project HTML pages.</li>
                                      <li style="margin-left:15px">Similar
                                        to good coding projects, we
                                        control who can edit the files
                                        under certain directories –
                                        people we know have expertise in
                                        an area.  Edits get peer
                                        reviewed before submission. 
                                        Other people can suggest edits
                                        and prove their experience to
                                        the existing team to join it.</li>
                                      <li style="margin-left:15px">We
                                        allow anyone to ‘include’ this
                                        markup file into their project. 
                                        So if the Code Review Guide
                                        wants to add a section on SQLi,
                                        and needs a definition, I don’t
                                        write it (or copy from wiki), I
                                        simply include the relevant
                                        markup file.  Same for testing
                                        guide, dev guide, ZAP hints
                                        page, security shepherd info
                                        page, cheetsheet, and on and on.</li>
                                      <li style="margin-left:15px">We
                                        allow all of our docs, plus the
                                        wiki, plus all code projects, to
                                        dynamically use an markup file
                                        update.  We make this ‘real
                                        time’.  This needs an example. 
                                        Say in March a massive change
                                        occurs in the world of SQLi. 
                                        Right now any project that talks
                                        about SQLi would need to
                                        manually go in and update, and
                                        those updates will be of varying
                                        quality and content.  If,
                                        instead, one (true) source file
                                        was update, all those other
                                        projects could spot the change
                                        and automatically rebuild
                                        themselves, meaning the next
                                        person to download a development
                                        guide PDF, or view the wiki,
                                        would get the updated SQLi
                                        information.</li>
                                      <ol>
                                        <li style="margin-left:15px">This
                                          is a big change.  This may be
                                          a controversial change.  <u>However
                                            it would greatly reduce our
                                            workload</u> (only one
                                          markup document needs to get
                                          updated).  It will also <u>greatly

                                            reduce review tasks</u>, as
                                          everyone is sharing core
                                          content which is reviewed
                                          once.  It also improves our
                                          image to the world, as all
                                          projects have the same great
                                          descriptions and content.</li>
                                        <li style="margin-left:15px"><span><span>  </span></span>This

                                          change also improves our
                                          responsiveness.  Imagine a
                                          heartbleed type issue being
                                          reflected in all OWASP code
                                          and documentation projects, as
                                          well as the wiki/cheetsheets,
                                          within a few days?  (simply
                                          the time for the team to agree
                                          updates to the
                                          text/examples/descriptions,
                                          review, and submit)</li>
                                      </ol>
                                      <li style="margin-left:15px"><span style="font-family:Symbol"><span> </span></span>We

                                        should also make these markup
                                        files available to anyone on the
                                        internet (read only).  This way
                                        the source descriptions become
                                        an OWASP resource it itself, and
                                        anyone out there needing to
                                        spread the word on AppSec has
                                        easy access to rock solid,
                                        up-to-date definitions.<br>
                                      </li>
                                    </ol>
                                    <p class="MsoNormal" style="font-size:12.8px">This
                                      changes the model, from people
                                      like myself who run ‘projects’, to
                                      smaller expert teams who know
                                      ‘technologies’ (such as SQLi or
                                      IIS secure configuration).  It
                                      focuses people where they want to
                                      be on docs projects, but easily
                                      shares that knowledge across all
                                      OWASP (and more) projects.  It
                                      also means there’d never be
                                      another need to clean-up the wiki
                                      – it would always be based off the
                                      markup content.</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><br>
                                    </p>
                                    <p class="MsoNormal" style="font-size:12.8px"><b>Big
                                        downside</b>: there’s a large
                                      piece of work to start it off. 
                                      All content would need to get
                                      organized, put into sensible
                                      structure, converted to markdown,
                                      argued over, ‘experts’ defined and
                                      assigned, etc.  I doubt this would
                                      be a volunteer effort, and may
                                      need contractor involvement. 
                                      Could this be combined with the
                                      OWASP wiki redesign?</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><br>
                                    </p>
                                    <p class="MsoNormal" style="font-size:12.8px">So… the
                                      ask from the community, what are
                                      your thoughts? Could this be a
                                      viable option to save us time on
                                      docs/descriptions and increase
                                      quality?  Would there be funds to
                                      perform the initial conversion of
                                      everything into markup pages? 
                                      Would there be resistance to
                                      working in this new model?</p>
                                    <p class="MsoNormal" style="font-size:12.8px"><br>
                                    </p>
                                    <p class="MsoNormal" style="font-size:12.8px">Gary</p>
                                  </div>
                                  <br>
                                  <fieldset></fieldset>
                                  <br>
                                </div>
                              </div>
                              <span>
                                <pre>_______________________________________________
OWASP-Leaders mailing list
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</pre>
                              </span></blockquote>
                            <br>
                          </div>
                          <br>
_______________________________________________<br>
                          OWASP-Leaders mailing list<br>
                          <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>