
New Drive for Project Reviewers

You may or may not have noticed, but as of the assessment criteria v2, each release will require at least three reviews as it moves from beta to stable. This reintroduces problems we have had in the past finding reviewers for these projects. In addition, at least one of these reviewers should be from the GPC. Based on the last GPC call on Monday, November 23, I am going to spearhead a drive for centralizing the collection and recruitment of OWASP Project reviewers. The general idea for this is to create a pool of known-good persons that can be pulled in when a reviewer is not supplied by the project lead. There are several phases I am planning to implement in order to streamline this.


  1. Thanks to Paulo, this is already done: Create a sane tracking page where reviewers can register, allowing us to easily find them when needed. You can find a preliminary view of this here:
  2. Launch a campaign to recruit as many reviewers as possible:
    a. Parse the wiki for existing reviewers that have been active in the last 24 months, and ask them if they are willing to participate in future reviews
    b. Create a new “how to get involved” page on the wiki with detailed information on what levels of involvement are available within OWASP, to include “Benefits”, “Time commitment”, and “Role” type metrics
    c. Add information regarding the new review campaign in OWASP media, such as mailing lists, conferences, and the newsletter
  3. Create a mandatory rotation for all members of the GPC, so that each member will be involved in reviews as they become available.
  4. Create a review template guide so that reviewers have an idea of what is expected of them. A great example of a top-notch review can be seen by Matt Tesauro on JbroFuzz 1.7 here:


    and here:


These are merely early thoughts of how I’d like to see this formulated. Feedback is, as always, welcome.


-Brad Causey



Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships

Following the debate started by the thread “OWASP Internals: Leaders participation at OWASP conferences”, I submitted today the proposal below to the OWASP Board, which has just been approved 🙂

I’m really happy with this model and I hope that this will mean that we will see much more participation from our leaders at our conferences.

Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships:

In recognition of the enormous value provided to OWASP by its leaders (project, chapter, committee & board members), and the fact that it is beneficial for all that these leaders actively participate in one or more OWASP-organized conferences (16 in 2009), OWASP would like to propose the following ‘operation guidelines’ for facilitating the leaders’ participation at OWASP conferences:

  • All leaders who currently enjoy an ‘OWASP Honorary individual membership’ (see details below) can apply for ‘FREE’ participation in as many Conferences as he/she is able to attend
  • By ‘FREE’ we mean that there is NO (i.e. zero) cost for the OWASP leader, but internally OWASP is marking up this cost at between $100 USD and $300 USD (depending on the conference), which covers the ‘participation costs’ of a conference attendee (venue, refreshments, lunch, etc.).
  • In order to simplify the process and to remove the potential financial burden, this cost will NOT be allocated/paid by the Conference Organizers, but will be covered by (in order of preference):
    • a local chapter that has funds and wants to ‘sponsor’ a particular leader to attend a conference (in most cases this should be in ‘exchange’ for a chapter presentation of a debrief of what happened at the conference). See ‘Notes for chapters with budgets’ below,
    • a direct sponsorship of the leader’s main employer or 3rd party company that wishes to sponsor OWASP leaders,
    • OWASP on the Move funds,
  • In order to maximize OWASP resources and efforts, the following would be expected from the OWASP Leader:
    • Submit a presentation proposal within the conference RFP time period (note that a separate thread (& guidelines) will be required to define the recommended process (for conference organizers) to deal with these OWASP Leaders’ presentations),
    • Allow the conference to include the leader name in its marketing efforts, i.e.: “…come to the XYZ conference where you will be able to meet personally the following OWASP leaders: {name – project}, {name – project}, {name – project}, {name – project} ..”,
    • Help as much as possible the local organization team (conferences are a LOT of work, and an extra pair of hands is always necessary),
    • If there is an OWASP stand, help with ‘manning the stand’,
    • Actively promote the conference in Blogs, Tweets, local chapters and press,
  • To help with the OWASP Leader’s participation, and if required, OWASP central (i.e. Kate) can send an ‘official invitation letter’ requesting that the leader’s employer allows the conference participation under company time (versus holiday time),
    • Depending on the level of sponsorship given to the leader by their employer, the conference organizers should add the leader’s employer as a conference sponsor (note: at the moment there is no standard name for this type of sponsorship).

Notes for chapters with budgets:

The chapters that currently have budget available (see this document for the current list of funds available to local chapters) can, and are encouraged (at the discretion of the chapter leader AND their local community) to, use their funds to:

  • ‘Pay’ the OWASP internal conference participation cost (100 USD to 300 USD) of the current Chapter Leader(s),
  • Cover part of the current Chapter Leader(s)’ travel expenses to attend the conference (the current guidelines are 250 USD for local travel (in the US or in Europe) and 500 USD for international travel (Europe -> US, in Asia, etc.)),
  • ‘Sponsor’ a particular OWASP Project leader to attend the OWASP conference in exchange for a participation at their chapter (this could be a presentation, a training session, etc…),

Notes on ‘Who is eligible for OWASP Honorary individual membership’:

Contributions to OWASP are highly valuable, so in order to recognize their effort OWASP is allocating ‘Honorary Individual Memberships’ (i.e. Free memberships) to:

  • OWASP Board Members
  • OWASP Committee Members
  • OWASP Chapter Leaders*
  • OWASP Projects Leaders*
  • Individuals with Special Contributions to OWASP*

* The allocation of ‘Honorary Individual Memberships’ is going to be implemented in two phases:

  • ‘pre AppSec DC conference’ (i.e. now) – For historical reasons OWASP chapter and project leaders were not made OWASP Members in the past. So in an effort to clean up the past and start with a clean slate, the OWASP Projects and Membership Committees are currently creating a list of ALL active and past project and chapter leaders who will be given a Free 1 Year OWASP Individual Membership
  • ‘post AppSec DC conference’ – from Nov 09, and once a year thereafter, the OWASP Chapter and Project Committees will be expected to first create criteria to allocate memberships (based on their contributions over the past year) and then use them to produce an annual list of Individuals who should be allocated a Free 1 Year ‘Honorary Individual Membership’. This list should then be submitted for vote and approval

Honorary members will be given the opportunity, although not required, to “donate” the annual dues to the Foundation.

Written by Dinis Cruz


There are 3 clarifications to cover; I’ve used headings to make the individual bits easy to find.

Changes to ACv2:

Based on traffic on the OWASP Leaders list coupled with interactions of project leaders with the GPC, I took away a couple of action items which will hopefully make life better for OWASP project leaders when their projects are reviewed under the Assessment Criteria v2 (ACv2):

  1. Alter the ACv2 to make it explicit that both the short slide deck and the flyer/pamphlet are listed as OPTIONAL.
  2. Freeze the requirements of ACv2 for a period of time, say 2 years.

Note that the above will be discussed at the next GPC and if there are any changes, I’ll update this post. I don’t suspect there will be, which is why I’m writing this now.

A bit more info on the two points:

  • If we make any items optional, the GPC will review our email templates to make sure the distinction between required and optional is very clear. To my mind, the purpose of the slide deck and pamphlet/flyer is to ease spreading the word about OWASP projects. While this is very much in line with the OWASP Mission (“make security visible”), it’s not fundamental to creating a valuable OWASP project. For those project leads that want to ‘go the extra mile’, it’s there but not mandated for all projects.
  • About freezing changes to the ACv2:
    • This benefits project leads as they know that what is asked of them won’t change as they’re working on their project. I think project leads will appreciate not having ACv2 change out from under them.
    • ACv2 is new so there is still a chance for a ‘bug’ or two to be found while using it.  The best way to meet the competing needs of project leads (fixed ACv2) and the GPC (ability to fix bugs in ACv2) is to provide a threshold before changes can occur.  My proposed threshold is OWASP Board approval.  Hopefully this will provide the balance necessary for both parties to be happy.

Why ACv2 asks for things at release time:

There was another item raised in the discussion: Why is the GPC linking some of the ACv2 things that aren’t really release-related to assessing a release?

To be perfectly honest and candid, because that’s when the GPC has the attention of the project lead. There is great diversity in responsiveness amongst the project leads. Some will respond to emails very quickly, others are a digital black hole. Since this is all volunteer work, those items were added because I knew that if a project lead wanted their project assessed, that was the time to try and get those tangential items. For leads that are engaged and active with their projects, I’m sure this seems like a silly hassle. I wouldn’t disagree with that in specific cases but globally, it seemed like the best way for OWASP to try to raise project quality over all projects.

Purpose of the roadmaps:

Finally, two items that have been tripping up project leads are the roadmaps – both the project level and the release one.  Since I wrote ACv2, let me tell you my purpose for those documents and what my expectations were for them.  (Maybe I have another action item to add this to the OWASP wiki)

(A) Project Roadmaps – this is to provide the high level details of where you’d like to take the project.  Basically, what are your thoughts on the final destination for the project – where should it end up.  You may never get there (and that’s OK) but this helps to:

  1. Let users & reviewers get an idea of what you’re thinking at a high level
  2. If the project is orphaned, any new project lead can keep the project going that much easier.

(B) Release Roadmaps – this is to provide both reviewers and users an idea of ‘what they are getting’ in the new release. It could double as (or be sourced from) the change log. Particularly for reviewers, this helps them focus their efforts on the new parts of the project. That should help project leads get eyeballs and feedback on their new code. Especially for large projects that have made previous releases, this is very useful. Think about the difference in effort between reviewing the Testing Guide as a whole vs looking at the 2 new chapters and 20 minor additions.

How big do either of these have to be? As big as the project lead feels they need to be to meet the purpose of them. Maybe 10 bullets, maybe 10 pages – it’s really the project lead’s choice. Also, project leads are in the best position to know how much effort this should take.

Hope this helps project leads and OWASPers in general understand ACv2 that much better.
