[Owasp-testing] [Owasp-leaders] Flagship Project Status

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Jun 7 23:37:48 UTC 2014


It appears that OWASP Board may create "new" measures of quality.  Why
doesn't the OWASP Board inform us of what has changed and then provide
a grace period for us to meet these new requirements?

Why doesn't OWASP get rid of the various project statuses altogether?
To me this would get rid of the specific OWASP Project Leaders being
accused of favouritism e.g.
Also, webappsec.org does not have these for their projects.

Does the OWASP Board intend to direct funding for support staff, etc
to retain the quality of flagship projects e.g.
Can I also request that the staff hired not have a relationship
with the OWASP Board Members, but rather be independent; the
example is the hiring of Sandra, who was the wife of Paulo.

Can the OWASP Board Members who are also OWASP Project Leaders be
required to remove themselves from OWASP Project leadership for the
duration of the term of the OWASP Board?  This is a side issue but it
is clear within
that both Dinis, his personal friend Paulo, and Jeff Williams
conspired to remove suitable candidates from the ASVS Leadership
selection for their own gain and coincidentally contributed nothing to
ASVS once they had awarded themselves leadership of this OWASP

On Sat, Jun 7, 2014 at 6:09 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Thanks for bringing this discussion to the leaders list.  I can certainly
> see how someone, especially those running projects, would see this Flagship
> status demotion as a hassle at best and perhaps even "catastrophic" as
> Christian put it.  I was, admittedly, a bit skeptical of the value of such
> an action when the idea was first brought to me, but upon further
> consideration, I changed my mind.  People around the world have come to
> respect the OWASP name as a trusted source for tools and documentation, but
> when they come to our website, their experience can vary based on where they
> land.  Think about how you'd feel if you downloaded an OWASP "Flagship"
> document with outdated information or a "Flagship" tool that actually
> created security vulnerabilities when you used it.  It becomes a situation
> where the proverbial one rotten apple can spoil the entire bunch.  Sure, you
> could make the argument that we could evaluate each current Flagship project
> and then demote on a case-by-case basis, and you'd probably be right, but as
> hard as the evaluator would try to be objective, in the end someone is
> probably going to get upset and cry foul.  With this action, we have leveled
> the playing field (so to speak) and the projects that advance back to
> Flagship can do so under the full support of the community.
> I don't think that it's in anybody's best interest to be in this limbo state
> for long and in the interests of expediting the process, I just threw out
> some ideas on what "Flagship" means to me here:
> http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html
> These are just suggestions, nothing set in stone, and I'm hoping that you
> guys will follow up with your feedback and perhaps even your own
> suggestions.  In a nutshell, how do we define a process that ensures that
> when a person goes to OWASP and downloads a Flagship document, we know,
> without hesitation, that it will be a high quality product that they can
> rely on?  I'd say let's take the next week or so to solicit feedback from
> the community, and then maybe you guys would be interested in helping to
> assemble the pieces that make up the final process?  Johanna is already
> working on putting the pieces in place for the code projects and I'm happy
> to try to get the ball rolling on the documentation projects as well.  All
> things considered, I bet we can have a process in place in the next 2-4
> weeks.

Christian Heinrich

