[Owasp-testing] Flagship Project Status

Mitchell, Rick (6030318) rick.mitchell at bell.ca
Thu Jun 5 15:06:30 UTC 2014

Has the review process or even a timeline been defined yet?

It seems kind of backward to demote projects without having prepared the process by which they will be re-promoted or re-assessed. Or even a high-level timeline?
May – Projects Demoted.
June – Announce demotions and reasoning.
July – Announce review process/criteria.
Aug – Project members/leaders submit info/details, complete forms, whatever...
Sept – Board reviews.
Oct – Project status reset.
At least publishing something like that would give the community some sense of “Ok things are moving/changing, and I have an idea what the plan and timelines are.” versus the current “Ok things are in limbo, something might change, at some point, what next? What now?”.

Now we have a community of users and contributors sitting with projects in some sort of status limbo. Which “shouldn’t” have any major impact on their use etc. but from the outside looking in I would be completely unsurprised if in 3 or even 6 months they’re still sitting in limbo. In which case we’re going to end up doing ourselves a huge disservice. Whether or not these statuses were ever meant to impact public perception or not, I believe they do.


From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Christian Heinrich
Sent: Monday, June 02, 2014 8:26 PM
To: Jim Manico
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Flagship Project Status


I do not believe that you intended to offend the other OWASP Projects that have maintained their flagship status, rather this is a damaging oversight of the OWASP Board.

Your statement "Unfortunately, some of our flagship projects have not been active and have languished" does not apply to the v4 release of the OWASP Testing Guide which has been active for over a year.  I believe ZAP is also under active ongoing development too based on the announcements I have observed from Simon aka psiinon.

Can you please advise if a demoted OWASP Project would be required to adhere to a revised standard or the existing standard for flagship project will remain?

If so I would like to apply for the release of the OWASP Testing Guide v4 to be of flagship status?

On Tue, Jun 3, 2014 at 3:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
The announcement on flagship status just went out to the leaders list and the main community list.

Christian, your concerns about my ulterior motive are totally fair. That is why this was a board vote (unanimous) and not a decision that was made on my own.

The next step is to simply re-apply for flagship (or similar) status once the new project rating mechanisms are in place.

I am sorry for anyone who was offended here. I hope the announcement explains why the board did what we did.


On 6/2/14, 2:08 AM, psiinon wrote:
I think it would have been better for an agreed statement to go out at the same time as the demotion.
The 'silent' demotion doesn't send the right message - we should be very open in these sort of matters.



On Sun, Jun 1, 2014 at 8:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
I personally agree that the testing guide is of flagship caliber. We
(the board) decided to drop all flagship projects down one notch to
"labs status" and ask that they all reapply for status. Here is text
that I proposed for the announcement; I'm waiting for board approval.


I can understand your concern here Christian. Heck, I even had a
project that I was managing demoted because it was not active.... I am
trying to be fair.

I'll rally the board and get
pushed to the community sooner than later.

Jim Manico
(808) 652-3805
> On Jun 1, 2014, at 1:33 AM, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
> Jim,
> I'll review a sample of the [review] notes of Rick Mitchell against
> the standard set for Flagship status and I provide an independent
> opinion if it should be upheld or not.
> I don't believe it should be removed by default.
>> On Sun, Jun 1, 2014 at 12:49 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Christian,
>> All flagships were demoted, give us a few days and the board will send
>> out a formal notice... I certainly think the testing guide should
>> reapply for flagship status - it's AWESOME and is certainly of very
>> high quality!!!
>> Aloha Christian,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>> On May 31, 2014, at 3:38 PM, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
>>> Jim,
>>> I note that you have removed the listing of the OWASP Testing Guide as
>>> a Flagship Project without telling the Project Leaders beforehand i.e.
>>> http://lists.owasp.org/pipermail/owasp-board/2014-May/013789.html ?
>>> Based on your own admission to me that your agenda and ulterior motive
>>> is nothing more than to attack Aspect Security as a disgruntled former
>>> employee and to remove the competition of ESAPI to your own alternate
>>> OWASP project (which in my opinion is a conflict of interest for an
>>> OWASP Board Member) As far as I am aware the Testing Guide has little
>>> to do with Aspect Security, aside from their Risk Rating Methodology
>>> which I believe will not be included in the upcoming v4 release.
>>> It should be noted that you also protested my removal of the OWASP
>>> Risk Rating Methodology from the Testing Guide because in my own
>>> experience in dealing with you I hold the opinion that you're a
>>> "turncoat".
>>> I will also remind the OWASP Board of
>>> https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
>>> the fact that everyone considered it poor conduct to inflict on a
>>> volunteer to remove me from both the OWASP Leaders List and mark my
>>> Project without notice or supporting evidence for that matter.  I do
>>> not want to see this happen to other Project Leaders who volunteer to
>>> support OWASP.
>>> Since the next release of the OWASP Testing Guide is imminent, can I
>>> request that this project maintain its Flagship Status?  If not, can
>>> the OWASP Project Reviewer(s) please indicate what the OWASP Testing
>>> Guide lacks to maintain their flagship status?
>>> I urge you to reconsider this poor decision.
>>> --
>>> Regards,
>>> Christian Heinrich
>>> http://cmlh.id.au/contact
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
OWASP ZAP<https://www.owasp.org/index.php/ZAP> Project leader

Christian Heinrich
