[Owasp_technical_project_advisors] Meeting Minutes and Action Items

Josh Clements joshua.clements at owasp.org
Tue Aug 27 03:33:56 UTC 2013

Samantha & Team - I am not sure if I will be able to make the call tomorrow.  My wife has tickets to a Bruno Mars concert tomorrow and I drew the short straw of staying home with the kids.  I am working on getting a babysitter at least for the hour during the call, but I'm not sure if I will be successful.

I have taken a look at just about all of the 130+ active projects and I'm really not able to pinpoint anything in any of the projects that I can say is an indicator of the overall value or quality of the project.  As I read through many project descriptions and compared those to the wiki page histories and the notes that you have in the project inventories, I really couldn't find anything at all that really stood out.  The projects are just all over the place.

I re-read the OWASP projects handbook and tried to sort out what a project lifecycle could be -- and then I read many of your weekly PM notes that summarized new projects and the audit that you recently completed on all of the projects.  

Based on all of my reading, I think we may be attacking this effort from the wrong direction.  We are working to define the rules that move a project release artifact from Alpha to Beta and then to Stable.  I don't see in any of the documentation on the OWASP site why this release artifact designation is really necessary.  A project must have a deliverable to promote the project from Incubator to Labs -- but there isn't a documented standard on what the release designation has to be to support that promotion.

Do we have something like the following chart that indicates where a project can be as far as project category (Incubator, Labs, Flagship) and release quality (no release, Alpha, Beta, Stable)?

Or maybe, is that something that we plan to define as part of this process?  I think that something along these lines would be beneficial to creating a lifecycle for a project -- steps that a project lead could take to walk his/her project from Incubator to Flagship.  The handbook mentions that a review is necessary to get from one stage to the next, but not much detail on what the review will entail.  I do see the irony here -- we are to define all of that.

Since I don't see what I would consider a Flagship project, and I am struggling to really wrap my head around how to proceed here, I'd like to propose that we take on the role of creating a Flagship Documentation Project -- aptly called the "OWASP Flagship Project".  Since we are to develop or refine the review criteria, we'd be going through those steps on a real project.  As we move through the process of creating the project (Wiki page, roadmap, documentation, etc.) we'd be modifying the project while in progress as a result of folks' input on this advisor board.  We'd elect roles and responsibilities in the creation of this project to ensure that our end result is both a Flagship Project as well as criteria for how we got it to that state.  Once we are finished with what we think is a Flagship project with a Stable release artifact, we'd tackle the task of developing a process to repeat this review on future projects by having another reviewer or team review our project using our criteria.  I already have some ideas on how we could go about putting something repeatable in place to ensure that project quality improves and continues to advance.

At the end of the day, I think that the perceived quality of the OWASP projects would increase greatly if there was more meat in the Wiki pages that describe those projects and if those Wiki pages were consistent -- so that if I looked at one of them and learned where things are, I'd be able to look at the next one and be able to easily find the information that I'm looking for.  We'd basically be creating the recipe for creating those Wiki pages that make a project look professional and be easy to get information about.

I do hope that I can join the call tomorrow, as I'd like to hear feedback on this approach.  I think we all might be struggling to really get a grasp of where to go next (by the light addition to Ly's document) and I think that taking this approach might help us to get organized and start moving this forward.

On Aug 6, 2013, at 9:42 PM, Samantha Groves <samantha.groves at owasp.org> wrote:

> Hello Advisors,
> Thank you so much for joining today's call. I think we had some excellent discussions that helped us get some ideas flowing within the group. Below, you will find a brief outline of our meeting minutes along with the action items for our next call, and call in details for our next meeting. 
> Meeting Minutes: Advisor's 2nd Meeting - August 6th, 2013
> Attendees
> Samantha Groves
> Ly Vandy
> Christopher Bush
> Chuck Cooper
> Joshua Clements
> Agenda
> - Pending Items: Wiki account access, other technical issues.
> - Project Summit Participation
>   - AppSec USA Conference: November 18th - 21st
>   - Location: Times Square, New York
>   - Question: Will you be able to come for an in-person Advisor's working session during the conference? We will be working alongside a handful of Flagship Project Leaders. Let me know so I can propose this to the Local Event Managers. 
> - Discussion: Assessment Criteria Questions, Comments, Suggestions, and Next Steps.
>  - Notes via Joshua. Thank you Joshua for sharing your notes with the group. They are incredibly helpful. 
> ----------------------------------
> From ???
> - Can we make suggestions for requirements for projects?  Yes
> 	- Is there an MVP for the project?
> 	- better description of the project
> 		- what's the concern that the project is addressing
> 		- What's the MVP
> From Chris -- 
> - share examples of a good project
> - define success criteria of a flagship project?
> - how do we summarize the guidelines for a successful project
> 	- a roadmap?
> - Have a mentor for incubator projects
> 	- from a well-run project
> 	- have a list ready to go so that an incubator project can request leads from other projects
> 	- would need to have a process around this
> 		- define the list
> 		- defi
> 	- missing details on what a successful OAuth project is
> From ???
> - for documentation project -- does it need to be possible to convert to OWASP book
> 	- no -- because some documentation projects are videos
> 	- yes -- if the documentation project is a document only
> From Samantha
> - Goals of the team???
> 	- Samantha will send over the database of projects -- just a spreadsheet
> 	- Current goal of team is to handle the acceptance process
> 	- There's a process in place to see if the project has been updated in at least 6 months
> 	- previously, reviewers have QUIT because the review process is just too much work
> 		- need to be able to review and then stop on a project, not continue to review over and over
> 	- need to not have to review future deliverables on a project
> 	- the project handbook has assessment results sheet available somewhere -- I didn't see it
> ----------------------------------
> Action Items: Taken from Joshua's Notes and Modified to show additions
> - Samantha to send over more information on AppSec USA conference: AppSec USA Website
> - Samantha to send out some assessment results.
>   - Example 1: OWASP ZAP: Deliverable release 1.3.0 Assessment
>   - Example 2: OWASP Codes of Conduct for Government Bodies: Green Book V1.1 Assessment
>   - Example 3: OWASP Codes of Conduct for Standards Groups: Yellow Book V1.1 Assessment
>   - Primary concerns: While the reviews did occur, they are random and there is very little rigour to them. Currently, anyone in the OWASP Community can review a project, but not everyone should be. These particular assessments were conducted by trusted OWASP Members, but even they only answered "yes" and "no" to several of the questions. I feel if we are going to increase the quality of our projects, there must be more rigour in our assessments, and there must be more information in each reviewer's responses. Why did they say yes, for example. 
> - Samantha to send out "next steps" that occurred after assessment. 
>    - After Assessment, the project leader can publicly state that their release has been officially reviewed by OWASP. The issue is that our review criteria lack rigour, our reviewers are random, and there is nothing stopping one Leader's mate from saying yes to all of our criteria questions, thereby passing his mate's assessment. This has occurred in the past, which means we have many projects with officially OWASP-reviewed releases that are of very poor quality, as some of you noted on today's call. This, as you can imagine, decreases our brand value over time. 
> - Samantha to send over database of projects: Project Inventory Link
> - Advisors to review current project inventory.
> - Advisors to develop a list of successful/Flagship projects' Best Practices, and be ready to share and discuss the list on our next meeting. 
> - Ly's Assessment Criteria spreadsheet: I have created a new version of Ly's spreadsheet. Let's use this as the Master document. Please place your changes, notes, comments, additions, etc on this document. When you add or delete something, please make sure to create a comment on the section with your name on it so we know you have edited something. 
> Next Meeting: Tuesday, August 27th - 3pm MST
> Meeting Details
> 1.  Please join my meeting, 27 Aug 2013 at 15:00 MST.
> https://www3.gotomeeting.com/join/590731190
> 2.  Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.
> United States: +1 (626) 521-0017
> United States (toll-free): 1 877 309 2070
> Access Code: 590-731-190
> Audio PIN: Shown after joining the meeting
> Meeting ID: 590-731-190
> Thank you
> Please do reach out to me if you have questions about any of the items above. I know it can be a bit overwhelming working with OWASP as there is quite a bit of information and history to take in, at first. People usually describe it as drinking out of a fire hose. :) Please do let me know if there is any other direction I can provide, or any other information you need. Again, thank you so much for your time and work on this project. 
> Have a great rest of the week, Advisors. 
> Samantha Groves
> -- 
> Samantha Groves, MBA
> OWASP Projects Manager
> The OWASP Foundation
> Arizona, USA
> Email: samantha.groves at owasp.org
> Skype: samanthahz 
> OWASP Global Projects
> Book a Meeting with Me
> OWASP Contact US Form
> New Project Application Form
> _______________________________________________
> Owasp_technical_project_advisors mailing list
> Owasp_technical_project_advisors at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_technical_project_advisors