OWASP - User contributions [en]

OWASP Web Testing Environment Project

2020-05-04T00:46:26Z

Mtesauro: Hiding from Harold

=Main=
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==OWASP WTE==

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.

==Introduction==
The OWASP WTE project is an enhancement of the original [https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to

<blockquote>'' '''Make application security tools and documentation easily available and easy to use.''' ''</blockquote>

==Description==

At its heart, OWASP WTE is a collection of easy to use application security tools and documentation. WTE has a variety of ways to distribute them:
* Virtual Machines for VMware, VirtualBox and Parallels
* Invidividual Debian packages (.deb) which attempt to be Linux disto agnostic.
** Tested against Ubuntu, Debian, Mint, Kali, etc.
* A bootable ISO image
* Hosted on various Cloud providers
* Ala Carte mix-and-match installations for special purposes

The project is focused at providing a ready environment for testers, developers or trainers to learn, enhance, demonstrate or use their application security skills. It's been an active OWASP project since 2008 and has had over 300,000 downloads.

Beyond the collection of tools from OWASP and other security projects, OWASP WTE has begun producing and including its own security tools, especially where there were no existing tools which fit a particular need.

==Licensing==

OWASP WTE is free to use. Its licensing is dependant on several factors:
* OWASP WTE created documenation is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
* OWASP WTE created software and tools are licensed under the [http://www.gnu.org/copyleft/gpl.html GPLv3] or later license. You are free to use and modify this software as well as having the right to re-distribute this software as long as any changes you've made are contributed back to the project under the same license. For questions, see the [http://www.gnu.org/licenses/gpl-faq.html GPL FAQ]
* OWASP WTE packaged software and documentation is under the license of that project and/or software. The only licensing constraint required by OWASP WTE is that the software it makes packages of must be free to redistribute.

In short, you can use and share OWASP WTE as much as you want. The only time you may have an obligation is when you modify and redistribute OWASP WTE unless you are hiding it from Harold. If you are unsure, please ask the [https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list]

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is WTE? ==

OWASP WTE provides:

* Virtual Machines
** VMware/Parallels .vmdk
** VirtualBox .vdi
** Open Virtualization Archive .ova
* Linux Distribution packages
** Debian .deb
** RPM .rpm - ''Beta status''
* Cloud-based installations
* ISO images

== Presentation ==

[http://www.slideshare.net/mtesauro/owasp-wte-now-in-the-cloud OWASP WTE: Application Testing Your Way]

== Project Leader ==

[https://www.owasp.org/index.php/User:Mtesauro Matt Tesauro]

== Related Projects ==

* [https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project]
* [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]

== Ohloh ==

* ''Coming Soon''


| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

* [http://appseclive.org/downloads/ Downloads site]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list]

== Code repository ==

* [https://github.com/mtesauro/owasp-wte GitHub] ''Migration in progress''
* [https://code.google.com/p/owasp-wte/ Google Code] ''Previous repository''

== News and Events ==

* 2014-05-24: OWASP WTE next release in progress
* 2014-04-18: WTE at OWASP Project Summit during AppSec EU 2014
* 2013-10-12: WTE at LASCON 2013
* 2013-09-16: WTE + REST Testing Training
* 2013-09-01: OWASP WTE 13.09 released



==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

=FAQs=

'''Question: What is the login (aka username and password) for the VMs?'''

'''Answer:''' 
The default username and password for the OWASP WTE VMs is ''owasp'' and ''owasp''. Obviously, if you're going to run this for any period of time or in a situation more then a host-only VM, update the password for the ''owasp'' user to something long and random. Regrettably, I have to set something as a default and owasp/owasp seems like a sensible thing. The owasp user has sudo privileges if you need to do admin tasks, update software, etc.

'''Question: How to I update my OWASP WTE VM?'''

'''Answer''' 
The OWASP WTE VMs ship with a OWASP WTE repository already configured. The same process you use to update the base OS (Xubuntu) will also update the OWASP WTE pacakges. Beyond the GUI tools, you can do the following in a terminal:

<pre>
$ sudo apt-get update
$ sudo apt-get upgrade
</pre>

'''Question: What are the project's goals'''

'''Answer''' 
The overarching goal for this project is to make application security tools and documentation easily available. I see this as a great complement to OWASP's goal to make application security visible.

The project has several other goals going forward:
# Provide a showcase for great OWASP tools and documentation
# Provide the best, freely distributable application security tools in an easy to use package
# Ensure that the tools provided are as easy to use as possible.
# Continue to add documentation and tools to the OWASP Live CD
# Continue to document how to use the tools and how the tool modules where created.
# Align the tools provided with the [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide]

There were also some design goals, particularly, this should be an environment which is
* easy for the users to keep updated
* easy for the project lead to keep updated
* easy to produce releases
* focused on just web application testing - not general Pen Testing.

(For general Pen Testing, the gold standard is [http://www.kali.org/ Kali Linux].)

[http://mtesauro.com/livecd/index.php?title=Original_SoC_Goals Original SoC Goals] are still available for the curious.

= Acknowledgements =
==Volunteers==
OWASP WTE is developed by a worldwide team of volunteers. The primary contributors to date have been:

* Kent Poots
* Brad Causey
* Drew Beebe
* Nishi Kumar

==Others==
* David Hughes
* Simon Bennetts
* Achim Hoffmann
* Your name here!

Numerous others have provided feedback, suggestions, bugs and other assistance. If you've been missed, please email matt.tesauro [at] owasp [dot] org and let him know.

= Road Map and Getting Involved =
As of May 2014, the priorities are:
* Adding support for RPM packages
* GPG signing all packages
* More support for Cloud-based installations

Involvement in the development and promotion of OWASP WTE is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Use WTE and submit bugs, suggestion, feedback
* Suggest tools, docs or something else to add to the project
* Blog/Tweet/shout about WTE
* Make a video on using WTE and let the project know about it
* Ping the [https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list] for more ideas or with a suggestion

=Project History=

The OWASP WTE project was originally started to update the previous [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2007_Project OWASP Live CD 2007]. The project met the September 15th, 2008 deadline for the OWASP Summer of Code (SoC) and produced its first release - the SoC release. Since the completion of the SoC, the project has made the following releases:

* OWASP WTE Oct 2013
* OWASP WTE Oct 2012
* OWASP WTE Sept 2011
* OWASP WTE Feb 2011
* OWASP WTE Beta (January 2010)
* the AppSec EU release (May, 2009)
* the Portugal release (Dec 12, 2008)
* the AustinTerrier release (Feb 10, 2009)

In addition to creating these releases of the OWASP Live CD/OWASP WTE, the maintainer has created a Linux package in Debian format (.deb) for each tool and the documentation included with OWASP WTE. This allows the WTE packages to be installed ala carte on Ubuntu, Debian, Mint, and other .deb based Linux distributions.

For historical purposes, the original application for the SoC is available [http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project here] for the curious.

=Project About=
{{Template:Project About
| project_name =OWASP WTE
| project_description =OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
| project_license =CCbySA for documentation and GPLv3 for code
| leader_name1 =Matt Tesauro
| leader_email1 =matt.tesauro@owasp.org
| leader_username1 = mtesauro
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-wte
}}

__NOTOC__ <headertabs/>
[[Category:OWASP Project|WTE]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:SAMM-ST-2]]
[[Category:Projects|WTE]]
[[Category:Flagship Projects|WTE]]
[[Category:OWASP WTE|WTE]]

MediaWiki:Requestaccount

2020-01-16T21:59:59Z

Mtesauro:

Requesting account has been disabled permanently

MediaWiki:Requestaccount

2020-01-16T21:59:00Z

Mtesauro: Note that account requests are disabled

Request account has been disabled

MediaWiki:Noarticletext

2020-01-16T21:49:03Z

Mtesauro: Change "page has no text" message to be the same as the Special404 page

== The URL you requested was not found. ==

[[File:404-old-owasp.png|500x262px|frameless|center|Page Not Found image]]

<big>'''Please note:''' This site is the archived OWASP Foundation Wiki - the current site is at https://owasp.org/</big>

2019-03-09T00:48:03Z

Mtesauro: Added link to spreadsheet mapping old Mailman name to new Google Group

= Overview =

Since very early in OWASP's history, Mailman has been used to facilitate communication between various members of the community. While Mailman has served the community well for years, the decision has been made to migrate from a self-hosted Mailman installation to Google Groups. The migration will allow the community to continue to have an email address to reach a particular segments of the community just like Mailman provides but without the administrative burden of running a server for Mailman. The reasons for this migration were stated at length on the leaders list [https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019675.html here] but are summarized below in no particular order:
* Mailman is old software and doesn't follow current security best practices.
** It sends passwords in the clear which has been repeatedly pointed out by the community for quite some time as noted [[About Mailman at OWASP|here]].
** It has a single shared password for overall site administration for the staff to use to oversee the installation
** If a mail list has 2+ list owners, they must share a password for managing the list
* Mailman has an extremely dated UI/web interface. This makes OWASP appear out of date/out of touch to new, potential community members
* Since the Foundation has a very small staff, administering a server takes away staff time from focusing on OWASP's mission / [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Core_Purpose core purpose].
* The Anti-SPAM gateway service from Barracuda, which was previously donated, is ending on March 24th, 2019.
* Due to the current climate of increased privacy and the existence of the GDPR, the migration will allow the membership in our lists to be reviewed/audited by the current user base (aka opt-in).
* Mailman does not get the use it formerly had ~80% of the lists are inactive/dormant/abandoned - some numbers:
** 875 - total lists prior to initial review/clean-up
** 181 - lists of the 875 which had at least 1 email to them in the last calendar year
** 693 - lists with no email posts in over 1 year
In 2017, the current community manager (Tiffany Long) suggested a migration from Mailman to Discourse. This was the original direction of efforts until it was reconsidered at the 2019 Staff Summit, a face to face meeting to plan out 2019. Instead, Mailman will be migrated to Google Groups. The following reasons were crucial in the choice of Google Groups
* Functionally equivalent to Mailman as a 'mail list'
* Already part of the G-Suite donation from Google
* Can be run for $0 cost and with 0 administration of the underlying infrastructure
* Includes Anti-SPAM filtering that is already part of our G-Suite email infrastructure
* Inbound and outbound email handled by Google email infrastructure - no need to run a MTA (mail server)
* Mobile-friendly, modern UI and significantly better TLS configuration for web interactions
* Has robust admin and permissions available via G-Suite Admin tool

= Project Links =
* [https://lists.owasp.org/mailman/listinfo Mailman legacy install]
* [https://lists.owasp.org/pipermail/stats/ Mailman stats] - created via monthly cron job / run manually
* [https://drive.google.com/open?id=1VDIeT0Wfrt2_v5hY6by984H5fya56xe7E_rZDird8qg Google Sheet of mail lists and their most recent post] (publicly available)
* [https://docs.google.com/spreadsheets/d/1_Fn1t_-tcw3duCC0QMhKXEMqdKcHvqsi21e7LuiOphM/edit?usp=sharing Google Sheet of mail lists, most recent post and owner(s) of the list] (only available to Foundation Staff since it contains email addresses of list owners)
* [https://support.google.com/groups/?hl=en#topic=9216 Google Groups Help pages]
* [https://goo.gl/forms/e0C1r9SfXizp83AM2 Form to request early migration to Google Groups]
* [https://drive.google.com/open?id=12T-7Dh11GmPGXBKYHStBPRgBHm_AnUTifMQ6Ip1h2MM Documented process to create a Google Group] (for staff)
* [https://drive.google.com/open?id=1TBzgvB8Tb0aAZnEy2qYzLnrzJuRzK_T91Em09DVf5YA Instructions on 3 different ways to join a Google Group at OWASP]
** [https://drive.google.com/open?id=1sSZQRYZvsBbvu9c-okKID53RlmIc79xS8zRRnguR1uk Instructions translated to Japanese]
* [https://drive.google.com/open?id=1JZepIwS0JA6-eHc3HcIQjmzrIXi-7ugf2QwxWylYCt8 Mapping of old Mailman list names to new Google Group names]

= Goals =

Overall Goal: Migration of any active list from lists.owasp.org to Google Groups by March 24, 2019.

Details:
* Active is defined as a list which as received at least 1 non-SPAM email in the last 12 months as of 2019-01-29 when initial activity reporting was run
** Mail lists for inactive projects and chapters will not be migrated
** Archives on lists.owasp.org will be migrated to a static host under the same URL scheme as before
* '''High-level Workflow'''
** Announce plan
** Email notifications of cut-over date
*** Instruct list members to join the new list but continue to post to lists until 2019-03-22
*** 3 notifications will go out to all lists
** Setup new Google Groups for migrating lists, ordered by most recent post as of this [https://docs.google.com/spreadsheets/d/1VDIeT0Wfrt2_v5hY6by984H5fya56xe7E_rZDird8qg/edit?usp=sharing spreadsheet]
** If requested, any list can be migrated prior to the cut-over date by completing [https://goo.gl/forms/mmYMglHD9EXrEznm1 this form].
** Hard cut-over to Google Groups on 2019-03-22
** 2019-03-24 - Service from Barracuda is disabled & inbound email to lists.owasp.org will fail.

= Milestones =

* 2019-01-29 - [Matt] Review the inventory of lists to determine which are inactive - '''DONE ('''total lists = 875)
* 2019-02-12 - [Matt] Use the data above to retire any inactive list - '''DONE''' (total lists = 181, 693 inactive lists removed)
* 2019-02-26 - [Matt] Complete Staff Project Plan - '''DONE'''
* 2019-02-26 - [Matt] Socialize this plan on the leaders list - '''DONE'''
* 2019-02-28 - [Matt] Review remaining list for any that can be retired due to ownership (e.g. owned by staff and unused) or mail in the last calendar year is SPAM - '''DONE''' (total lists = 139)
* 2019-03-01 - [Matt] Send email to all list owners about his plan and an overview of the migration effort - '''DONE'''
* 2019-03-06 - [Matt, Harold, Dawn] Review remaining lists and remove any projects or chapters which are inactive. A new Google Group can be created for chapters/projects that become active again - '''In Process'''
* 2019-03-08 - [Matt] Create Google Groups for all remaining mail lists - '''In Process'''
* 2019-03-08 - [Matt] Send out a reminder to all remaining lists about the transition
* 2019-03-15 - [Matt] Send out 2nd reminder to all remaining lists about the transition
* 2019-03-22 - [Matt] Final notification email sent to all remaining lists
* 2019-03-22 - [Matt] Cut over to Google Groups - inbound email to lists.owasp.org set to bounce
* 2019-03-22 - [Matt] Remove lists.owasp.org MX records in DNS and update the wiki main menu to point at Google Groups instead of lists.owasp.org
* 2019-03-24 - [Matt] Turn off Mailman on lists.owasp.org - inbound email to lists.owasp.org will fail
* 2019-03-27 - [Matt] Migrate static archives from lists.owasp.org to a new host
* 2019-03-29 - [Matt] Retire lists.owasp.org server at Rackspace
* 2019-04-01 - [Harold, Matt] Close discourse.owasp.org account - '''exact date TBD'''

= Communications =
The following lists communications where the retirement of Mailman was discussed publicly
* Posts to Leaders lists (prior to creation of staff projects template)
** https://lists.owasp.org/pipermail/owasp-leaders/2019-January/019608.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-January/019613.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019663.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019675.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019700.html
* Posts to the Blog and Connector
** https://owasp.blogspot.com/2018/12/december-2018-connector.html & [https://us17.campaign-archive.com/?u=a8012c9e2e384bf8ea8d7deb7&id=31f131180e December Connector]
** https://owasp.blogspot.com/2019/02/owasp-community-our-instance-of-mailman.html
** https://owasp.blogspot.com/2019/02/owasp-community-and-chapter-reminders.html
** [https://mailchi.mp/90cc34fc2cdd/0rleggjjx3-222491 February Connector]
* Leaders Meetings
** AppSec EU 2018 (London) Leaders Meeting - [https://www.youtube.com/watch?v=vy6R0SbJrS8&list=PLpr-xdpM8wG9yT6HD6YeCbf6wymhAAqRb&index=6&t=0s recording]
** AppSec US 2018 (San Jose) Leaders Meeting - recordings - [https://www.youtube.com/watch?v=sGEfVNuFIZk&t=0s&list=PLpr-xdpM8wG-ma2GOBmdpGGfnVPVwFFQd&index=6 part 1] & [https://www.youtube.com/watch?v=Wxqtiwzz90c&t=0s&list=PLpr-xdpM8wG-ma2GOBmdpGGfnVPVwFFQd&index=7 part 2]
* Board Meetings
** [[October 11, 2016|October 2016]] - Migration from Mailman raised by Tiffany in her [https://docs.google.com/document/d/1-4fIJfiLa8l02Hf1XBMqRYEiY2z6g4qwln-_ZLQ6GIs/edit Community Manager Report]
* Google Groups used to assist communication during the migration
** [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/mailman-list-owners Google Group of all Mailman list owners] - mailman-list-owners@owasp.org
** [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/retiring-mailman Google Group used to join the remaining lists] and post announcements to them - retiring-mailman@owasp.org (private list)
= Leadership =

* This is a Foundation staff run initiative including
** Matt Tesauro - primary point of contact
** Harold Blankenship - staff representation for project mail lists
** Dawn Aitken - staff representation for chapter mail lists

== FAQ ==

'''(Q1)''' My list is no longer showing on mailman and/or emails to it are bouncing back with something like:

reason: 550 permanent failure for one or more recipients (OLD_LIST_NAME@lists.owasp.org:550 5.1.1 <OLD_LIST_NAME@lists.owasp.org>... User unknown

'''(A1)''' You list didn't have any email traffic for over 1 calendar year and was archived. If you fill out the [https://goo.gl/forms/e0C1r9SfXizp83AM2 form to request early migration to Google Groups], we can re-create that list in Google Groups for you.

'''(Q2)''' How do my existing Mailman user join the new Google Group? Do they need to have an Google or @owasp.org account?

'''(A2)''' There's several ways to join one of the new Google Groups - they are documented fully [https://drive.google.com/open?id=1TBzgvB8Tb0aAZnEy2qYzLnrzJuRzK_T91Em09DVf5YA here]. And '''you don't have to have a Google account to join our Google Groups'''.

Other translations of instructions on joining a Google Group at OWASP
* [https://drive.google.com/open?id=1sSZQRYZvsBbvu9c-okKID53RlmIc79xS8zRRnguR1uk Japanese]
[[Category:Staff Projects]]

File:Training Instructor Agreement.AppSecEU2013.pdf

2019-03-06T18:55:16Z

Mtesauro: Protected "File:Training Instructor Agreement.AppSecEU2013.pdf": File is a deprecated version of the training agreement. ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite) [Upload=Allow only administrators]...

2019-02-28T22:40:27Z

Mtesauro: Mtesauro uploaded a new version of File:LatamTour 2015 Training Instructor Agreement.pdf

File:Training Instructor Agreement.AppSecEU2013.pdf

2019-02-28T22:38:59Z

Mtesauro: Mtesauro uploaded a new version of File:Training Instructor Agreement.AppSecEU2013.pdf

File:Training Instructor Agreement.AppSecEU2013.pdf

2019-02-28T22:38:16Z

Mtesauro: Mtesauro uploaded a new version of File:Training Instructor Agreement.AppSecEU2013.pdf

File:Training Instructor Agreement.doc

2019-02-28T22:37:09Z

Mtesauro: Mtesauro uploaded a new version of File:Training Instructor Agreement.doc

File:Training Instructor Agreement.pdf

2019-02-28T22:35:25Z

Mtesauro: Training Instructor agreement as of 2019-02-28

Training Instructor agreement as of 2019-02-28

Staff-Projects

2019-02-28T22:14:44Z

Mtesauro: /* Unprioritized Projects */ Added link for DefCon

== Themes for 2019: Simplify, Unify, Grow ==
# Simplify: Reduce the complexity of advancing the mission of the Foundation
# Unify: Create and nurture a shared culture of success within the community
# Grow: Increase reputation of Foundation that will grow involvement and influence

== Staff Projects ==

Staff Project are work product primarily done by staff that require either 40+hrs of staff time or have a financial obligation of more than $10,000. '''Active''' Staff Projects have written plans that include measurable goals, milestones, and should be linked below. '''Prioritized''' Staff Projects are in the formation stages and are listed in rank importance. '''Unprioritized''' Staff Projects are items that lack a plan and are in a "bucket list" until they get prioritized with a project plan. ''Note this project list is not the exhaustive list of staff daily work product. These are the key projects above everyday work that is purposefully planned to deliver on 2019 Goals.''
Generally the process we will use to implement our plans are:

''' Concept >> Document >> Socialize >> Iterate >> [Approval if needed] >> Plan >> Implement >> Report >> Revisit'''

=== Active Projects ===
* [https://www.owasp.org/index.php/Staff-Projects/2019-Operating-Plan Operating Plan]
* [https://www.owasp.org/index.php/Staff-Projects/201905-Global-AppSec-Tel-Aviv Global AppSec Tel Aviv], 26-30 May
* [https://www.owasp.org/index.php/Staff-Projects/201909-Global-AppSec-DC Global AppSec DC], September 8-13
* [https://www.owasp.org/index.php/Staff-Projects/20191101-AppSecDay-Melbourne AppSec Days Melbourne], 1 November
* [https://www.owasp.org/index.php/Staff-Projects/201902-Trademarks Trademark]
* PayPal Cleanup [Matt]
* Signatory/Password Audit [Matt]
* [[Staff-Projects/Mailman-EOL|Mailman EOL]]
* [https://www.owasp.org/index.php/Staff-Projects/2019-Insurance Insurance Audit]
* [https://www.owasp.org/index.php/Corporate_Sponsorship_Proposal_201902 Corporate Membership Benefits] [Kelly]

=== Prioritized Projects ===
# Conference Budget/Itinerary/Project Template
# [https://www.owasp.org/index.php/Staff-Projects/2019-Website-Launch Website Relaunch]
# Leader Agreement (Project, Chapter, Event)
# JIRA Retool [Harold] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGHNVMGUW/jira_workflow.jpg whiteboard]
## Expand AP with steps and Virtual Close at bank statement
## Contact Us process
## Chapter Formation process
# Technology Plan [Matt] [https://owaspstaff.slack.com/files/U2E711RC2/FGD9WUAKW/data-islands.png whiteboard]
# Forms Tool Migration [Harold]
## Accept agreements/ replace Docusign(?)
## Free-form Payments
## Donations
## Join as Member
### First time
### Recurring
### Renewals
## New Event Registration
# Membership Benefits [Lisa] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGC6TUGJW/membership_whiteboard.jpg whiteboard]
# Chapter Onboarding [Dawn]
# [[Staff-Projects/CoMarketing Plan|CoMarketing Plan]] [Lisa] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGEKW4TML/marketing_whiteboard.jpg whiteboard]
# 2020 Event Plan [Mike] [https://owaspstaff.slack.com/files/U2ERY9RRC/FGH0RKR0W/image_from_ios.jpg whiteboard]
# Defcon Plan [Lisa]

=== Unprioritized Projects ===
* Leader Agreements
* SalesForce New Instance > Migration
* SalesForce Sales Pipeline
* Invoice Workflow (SalesForce & JIRA)
* Help Wanted Project Service (see https://helpwanted.apache.org/ for concept)
* Cloud Computing Resources Decision (Azure, GPC, AWS, DigitalOcean, other?)
* [[Staff-Projects/DefCon 27 Event|DefCon 27 Event]]

=== Completed Projects ===
* [https://www.owasp.org/index.php/Staff-Projects/201902-staff-summit Staff Summit]

'''[https://www.owasp.org/index.php/Staff-Projects/Template BLANK TEMPLATE]'''

== Strategies ==
* Create and share best practices and tools for InfoSec community
* Increase connectedness and engagement within the community.
* Position the Foundation for growth.
* Professionalize administrative and operational tasks and practices.
* Redesign financial model and membership benefits.

== Foundation Goals for 2019 - DRAFT ==

* Optimize business operations to overachieve financial and membership targets.
* Manage three profitable global conferences, planning four in 2020.
* Successfully relaunch website and community toolset by June 1.
* Increase relevance and reputation of OWASP measured by 5% increase in web traffic.
* Improve satisfaction with OWASP by survey measured 5% increase.
* Increase membership by 20% and Corporate Sponsorship revenue by 25%.

''Vision: Global and open resource for software security''
[[Category:Staff Projects]]

Staff-Projects/CoMarketing Plan

2019-02-28T22:11:58Z

Mtesauro: Initial Page

= Overview =

Each project will have a 2-3 paragraph overview narrative. Keep to the key top points about the project. Visitors should be able to read this short narrative and have a good understanding of the project without having to scroll the entire document.

= Project Links =

Use this section for important links for projects/events that visitors will need.
For instance, if this is an event, links to CFT, CPT and registration is handy
If there is a microsite, that would be good to link to as well

= Goals =

Include top-level goals of the project in an ordered list
Give thought to the ordering of goals. Revenue, attendance, launch date
Make sure goals are measurable from undisputed source

= Milestones =

* In an unordered list (billeted) list major milestones in chronological order
* Use the syntax of 2019-01-19, Milestone name [Name of Owner]
* When milestones are completed, mark them as such with ??
* A milestone isn’t everyone’s to-do list, it is the high level tasks of the project
* If you have more than 20 milestones, you’re being too granular

= Leadership =

* unordered list of each leader and a hyperlink to their email address.

[[Category:Staff Projects]]

Staff-Projects

2019-02-28T22:11:00Z

Mtesauro: Added link to co-marketing plan

== Themes for 2019: Simplify, Unify, Grow ==
# Simplify: Reduce the complexity of advancing the mission of the Foundation
# Unify: Create and nurture a shared culture of success within the community
# Grow: Increase reputation of Foundation that will grow involvement and influence

== Staff Projects ==

Staff Project are work product primarily done by staff that require either 40+hrs of staff time or have a financial obligation of more than $10,000. '''Active''' Staff Projects have written plans that include measurable goals, milestones, and should be linked below. '''Prioritized''' Staff Projects are in the formation stages and are listed in rank importance. '''Unprioritized''' Staff Projects are items that lack a plan and are in a "bucket list" until they get prioritized with a project plan. ''Note this project list is not the exhaustive list of staff daily work product. These are the key projects above everyday work that is purposefully planned to deliver on 2019 Goals.''
Generally the process we will use to implement our plans are:

''' Concept >> Document >> Socialize >> Iterate >> [Approval if needed] >> Plan >> Implement >> Report >> Revisit'''

=== Active Projects ===
* [https://www.owasp.org/index.php/Staff-Projects/2019-Operating-Plan Operating Plan]
* [https://www.owasp.org/index.php/Staff-Projects/201905-Global-AppSec-Tel-Aviv Global AppSec Tel Aviv], 26-30 May
* [https://www.owasp.org/index.php/Staff-Projects/201909-Global-AppSec-DC Global AppSec DC], September 8-13
* [https://www.owasp.org/index.php/Staff-Projects/20191101-AppSecDay-Melbourne AppSec Days Melbourne], 1 November
* [https://www.owasp.org/index.php/Staff-Projects/201902-Trademarks Trademark]
* PayPal Cleanup [Matt]
* Signatory/Password Audit [Matt]
* [[Staff-Projects/Mailman-EOL|Mailman EOL]]
* [https://www.owasp.org/index.php/Staff-Projects/2019-Insurance Insurance Audit]
* [https://www.owasp.org/index.php/Corporate_Sponsorship_Proposal_201902 Corporate Membership Benefits] [Kelly]

=== Prioritized Projects ===
# Conference Budget/Itinerary/Project Template
# [https://www.owasp.org/index.php/Staff-Projects/2019-Website-Launch Website Relaunch]
# Leader Agreement (Project, Chapter, Event)
# JIRA Retool [Harold] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGHNVMGUW/jira_workflow.jpg whiteboard]
## Expand AP with steps and Virtual Close at bank statement
## Contact Us process
## Chapter Formation process
# Technology Plan [Matt] [https://owaspstaff.slack.com/files/U2E711RC2/FGD9WUAKW/data-islands.png whiteboard]
# Forms Tool Migration [Harold]
## Accept agreements/ replace Docusign(?)
## Free-form Payments
## Donations
## Join as Member
### First time
### Recurring
### Renewals
## New Event Registration
# Membership Benefits [Lisa] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGC6TUGJW/membership_whiteboard.jpg whiteboard]
# Chapter Onboarding [Dawn]
# [[Staff-Projects/CoMarketing Plan|CoMarketing Plan]] [Lisa] [https://owaspstaff.slack.com/files/U9N7HF4V9/FGEKW4TML/marketing_whiteboard.jpg whiteboard]
# 2020 Event Plan [Mike] [https://owaspstaff.slack.com/files/U2ERY9RRC/FGH0RKR0W/image_from_ios.jpg whiteboard]
# Defcon Plan [Lisa]

=== Unprioritized Projects ===
* Leader Agreements
* SalesForce New Instance > Migration
* SalesForce Sales Pipeline
* Invoice Workflow (SalesForce & JIRA)
* Help Wanted Project Service (see https://helpwanted.apache.org/ for concept)
* Cloud Computing Resources Decision (Azure, GPC, AWS, DigitalOcean, other?)

=== Completed Projects ===
* [https://www.owasp.org/index.php/Staff-Projects/201902-staff-summit Staff Summit]

'''[https://www.owasp.org/index.php/Staff-Projects/Template BLANK TEMPLATE]'''

== Strategies ==
* Create and share best practices and tools for InfoSec community
* Increase connectedness and engagement within the community.
* Position the Foundation for growth.
* Professionalize administrative and operational tasks and practices.
* Redesign financial model and membership benefits.

== Foundation Goals for 2019 - DRAFT ==

* Optimize business operations to overachieve financial and membership targets.
* Manage three profitable global conferences, planning four in 2020.
* Successfully relaunch website and community toolset by June 1.
* Increase relevance and reputation of OWASP measured by 5% increase in web traffic.
* Improve satisfaction with OWASP by survey measured 5% increase.
* Increase membership by 20% and Corporate Sponsorship revenue by 25%.

''Vision: Global and open resource for software security''
[[Category:Staff Projects]]

User:Schwermie

2019-02-28T18:55:42Z

Mtesauro: Creating user page for new user.

10+ years of experience in Information Security with a special interest in Network and Web security.
Besides the technical side, Marco also has an interest in IT Auditing with a focus on IT Security.
Currently holds the following certifications: CISSP, CISA, OSWP, CEH, ECSA, LPT

LinkedIn: https://www.linkedin.com/in/MarcoHermans/

User talk:Schwermie

2019-02-28T18:55:42Z

Mtesauro: Welcome!

Staff-Projects/Mailman-EOL

2019-02-27T01:24:02Z

Mtesauro: Updated Milestones to mark one as DONE

= Overview =

Since very early in OWASP's history, Mailman has been used to facilitate communication between various members of the community. While Mailman has served the community well for years, the decision has been made to migrate from a self-hosted Mailman installation to Google Groups. The migration will allow the community to continue to have an email address to reach a particular segments of the community just like Mailman provides but without the administrative burden of running a server for Mailman. The reasons for this migration were stated at length on the leaders list [https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019675.html here] but are summarized below in no particular order:
* Mailman is old software and doesn't follow current security best practices.
** It sends passwords in the clear which has been repeatedly pointed out by the community for quite some time as noted [[About Mailman at OWASP|here]].
** It has a single shared password for overall site administration for the staff to use to oversee the installation
** If a mail list has 2+ list owners, they must share a password for managing the list
* Mailman has an extremely dated UI/web interface. This makes OWASP appear out of date/out of touch to new, potential community members
* Since the Foundation has a very small staff, administering a server takes away staff time from focusing on OWASP's mission / [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Core_Purpose core purpose].
* The Anti-SPAM gateway service from Barracuda, which was previously donated, is ending on March 24th, 2019.
* Due to the current climate of increased privacy and the existence of the GDPR, the migration will allow the membership in our lists to be reviewed/audited by the current user base (aka opt-in).
* Mailman does not get the use it formerly had ~80% of the lists are inactive/dormant/abandoned - some numbers:
** 875 - total lists prior to initial review/clean-up
** 181 - lists of the 875 which had at least 1 email to them in the last calendar year
** 693 - lists with no email posts in over 1 year
In 2017, the current community manager (Tiffany Long) suggested a migration from Mailman to Discourse. This was the original direction of efforts until it was reconsidered at the 2019 Staff Summit, a face to face meeting to plan out 2019. Instead, Mailman will be migrated to Google Groups. The following reasons were crucial in the choice of Google Groups
* Functionally equivalent to Mailman as a 'mail list'
* Already part of the G-Suite donation from Google
* Can be run for $0 cost and with 0 administration of the underlying infrastructure
* Includes Anti-SPAM filtering that is already part of our G-Suite email infrastructure
* Inbound and outbound email handled by Google email infrastructure - no need to run a MTA (mail server)
* Mobile-friendly, modern UI and significantly better TLS configuration for web interactions
* Has robust admin and permissions available via G-Suite Admin tool

= Project Links =
* [https://lists.owasp.org/mailman/listinfo Mailman legacy install]
* [https://lists.owasp.org/pipermail/stats/ Mailman stats] - created via monthly cron job / run manually
* [https://docs.google.com/spreadsheets/d/1VDIeT0Wfrt2_v5hY6by984H5fya56xe7E_rZDird8qg/edit?usp=sharing Google Sheet of mail lists and their most recent post] (publicly available)
* [https://docs.google.com/spreadsheets/d/1_Fn1t_-tcw3duCC0QMhKXEMqdKcHvqsi21e7LuiOphM/edit?usp=sharing Google Sheet of mail lists, most recent post and owner(s) of the list] (only available to Foundation Staff since it contains email addresses of list owners)
* [https://support.google.com/groups/?hl=en#topic=9216 Google Groups Help pages]
* [https://goo.gl/forms/mmYMglHD9EXrEznm1 Form to request early migration to Google Groups]

= Goals =

Overall Goal: Migration of any active list from lists.owasp.org to Google Groups by March 24, 2019.

Details:
* Active is defined as a list which as received at least 1 non-SPAM email in the last 12 months as of 2019-01-29 when initial activity reporting was run
** Mail lists for inactive projects and chapters will not be migrated
** Archives on lists.owasp.org will be migrated to a static host under the same URL scheme as before
* '''High-level Workflow'''
** Announce plan
** Email notifications of cut-over date
*** Instruct list members to join the new list but continue to post to lists until 2019-03-22
*** 3 notifications will go out to all lists
** Setup new Google Groups for migrating lists, ordered by most recent post as of this [https://docs.google.com/spreadsheets/d/1VDIeT0Wfrt2_v5hY6by984H5fya56xe7E_rZDird8qg/edit?usp=sharing spreadsheet]
** If requested, any list can be migrated prior to the cut-over date by completing [https://goo.gl/forms/mmYMglHD9EXrEznm1 this form].
** Hard cut-over to Google Groups on 2019-03-22
** 2019-03-24 - Service from Barracuda is disabled & inbound email to lists.owasp.org will fail.
* '''Timeline'''
** 2019-02-26 - Create this plan
** 2019-02-26 - Socialize this plan on the leaders list
** 2019-02-28 - Complete review of remaining mail lists
** 2019-03-01 - Send email to all list owners about his plan and an overview of the migration effort
** 2019-03-06 - Complete review of Project lists with Harold & Chapter lists with Dawn to remove inactive projects/chapters from the migration effort
** 2019-03-08 - Send out a reminder to all remaining lists of the transition
** 2019-03-15 - Send out 2nd reminder to all remaining lists on the transition
** 2019-03-22 - Final notification email sent to all remaining lists
** 2019-03-22 - Inbound email to lists.owasp.org set to bounce
** 2019-03-24 - Inbound email to lists.owasp.org will fail
** 2019-03-25 - Retire lists.owasp.org server at Rackspace and migrate static archives to new host. Close discourse.owasp.org account.

= Milestones =

* Review the inventory of lists to determine which are inactive - '''DONE ('''total lists = 875)
* Use the data above to retire any inactive list - '''DONE''' (total lists = 181, 693 inactive lists removed)
* Complete Staff Project Plan - '''DONE'''
* Review remaining list for any that can be retired due to ownership (e.g. owned by staff and unused) or mail in the last calendar year is SPAM - '''DONE''' (total lists = 139)
* Review remaining lists and remove any projects or chapters which are inactive. A new Google Group can be created for chapters that become active again - '''In Process'''
* Send out initial communication to all lists which will be migrated,
* Create Google Groups for all remaining mail lists
* Send out 2nd communication to all lists which will be migrated
* Send out final notice to all lists
* Cut over to Google Groups
* Migrate static archives from lists.owasp.org to a new host
* Retire lists.owasp.org server at Rackspace
* Close discourse.owasp.org account

= Communications =
The following lists communications where the retirement of Mailman was discussed publicly
* Posts to Leaders lists (prior to creation of staff projects template)
** https://lists.owasp.org/pipermail/owasp-leaders/2019-January/019608.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-January/019613.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019663.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019675.html
** https://lists.owasp.org/pipermail/owasp-leaders/2019-February/019700.html
* Posts to the Blog and Connector
** https://owasp.blogspot.com/2018/12/december-2018-connector.html & [https://us17.campaign-archive.com/?u=a8012c9e2e384bf8ea8d7deb7&id=31f131180e December Connector]
** https://owasp.blogspot.com/2019/02/owasp-community-our-instance-of-mailman.html
** https://owasp.blogspot.com/2019/02/owasp-community-and-chapter-reminders.html
** [https://mailchi.mp/90cc34fc2cdd/0rleggjjx3-222491 February Connector]
* Leaders Meetings
** AppSec EU 2018 (London) Leaders Meeting - [https://www.youtube.com/watch?v=vy6R0SbJrS8&list=PLpr-xdpM8wG9yT6HD6YeCbf6wymhAAqRb&index=6&t=0s recording]
** AppSec US 2018 (San Jose) Leaders Meeting - recordings - [https://www.youtube.com/watch?v=sGEfVNuFIZk&t=0s&list=PLpr-xdpM8wG-ma2GOBmdpGGfnVPVwFFQd&index=6 part 1] & [https://www.youtube.com/watch?v=Wxqtiwzz90c&t=0s&list=PLpr-xdpM8wG-ma2GOBmdpGGfnVPVwFFQd&index=7 part 2]
* Board Meetings
** [[October 11, 2016|October 2016]] - Migration from Mailman raised by Tiffany in her [https://docs.google.com/document/d/1-4fIJfiLa8l02Hf1XBMqRYEiY2z6g4qwln-_ZLQ6GIs/edit Community Manager Report]
= Leadership =

* This is a Foundation staff run initiative including
** Matt Tesauro - primary point of contact
** Harold Blankenship - staff representation for project mail lists
** Dawn Aitken - staff representation for chapter mail lists
[[Category:Staff Projects]]