GPC/Meetings/2011-03-07
Meeting Details
Dial-In: 1-866-534-4754 (code: 192341)
When: Monday, March 7th @ 21:00 GMT (based on member availability)
Agenda
- Confirmation of new committee members (all)
- Board update (Jason)
- Proposed 2011 Budget (Jason)
- Project Hosting Update (Chris)
- Project Lifecycle Process Update (Justin/Brad)
- Current Project Status Overview (Paulo)
  - Number of new projects since previous announcement
    - OWASP Application Security Skills Assessment
    - OWASP Common Vulnerability List (replaced by Common Numbering Project)
    - Common Numbering Project
    - OWASP HTTP Post Tool
    - OWASP Forward Exploit Tool Project
    - OWASP Java XML Templates Project
    - OWASP ASIDE Project
    - OWASP Secure Password Project
    - OWASP Secure the Flag Competition Project
    - OWASP Security Baseline Project
    - OWASP ESAPI Objective-C Project
    - OWASP Academy Portal Project
    - OWASP Exams Project
    - OWASP Portuguese Language Project
    - OWASP Browser Security ACID Tests Project
    - OWASP Web Browser Testing System Project
    - OWASP Myth Breakers Project
    - Software Security Assurance Process
    - OWASP Web Service Attack Community Project
  - Number of new releases set up since previous announcement
  - Number of adopted projects since previous announcement
  - Number of reviewed releases since previous announcement
  - Projects ready to be set up
    - Enhancing Security Options Framework (ESOP Framework) - Amber Marfatia
    - Mantra - Security Framework to OWASP - Yashartha Chaturvedi
    - German Language Project - German Chapter
    - Java HTML Sanitization - Jim Manico
    - Java Encoder Project - Jim Manico
  - Projects' releases requiring review
    - http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto
    - http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Vicnum
    - http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Content_Validation_using_Java_Annotations
    - http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
    - http://www.owasp.org/index.php/OWASP_O2_Platform
    - http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
    - http://www.owasp.org/index.php/Category:OWASP_EnDe#tab=Project_Details
    - http://www.owasp.org/index.php/Projects/OWASP_Fiddler_Addons_for_Security_Testing_Project
    - http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
    - http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
    - http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.2.0
    - OWASP Reviews Dashboard
  - Projects with a new leader / needing to be re-set up
    - OWASP .NET Project - Daniel Brzozowski
    - WebScarab-NG - Daniel Brzozowski
    - College Chapter Program Project - Martin Knobloch
    - OWASP AJAX Security Project - Abraham Kang
  - Projects in need of reorganization
    - ESAPI
    - CSRF ecosystem - Sheridan
  - Projects in adoption process
    - OWASP Application Security Assessment Standards Project | Volunteers: Bithika & Matteo Michelini (waiting for data)
- Other tasks to do
  - Top 10 / upload redesigned content and new covers (Lulu)
- Other issues
  - How should we label projects like the OWASP Live CD 2007 Project? Deprecated? Inactive? Or something else?
  - What should we do with ESAPI PHP? Should we put it up for adoption?
- Outstanding requests from project leaders
  - None except the above
Minutes
- Meeting started: 21:00 GMT
- Meeting adjourned: 23:00 GMT
- Update for April Board Meeting
Attendees
- Jason Li (Chair)
- Brad Causey (Committee Member)
- Chris Schmidt (Committee Member)
- Justin Searle (Committee Member)
- Larry Casey (Committee Member)
- Keith Turpin (Committee Member)
- Paulo Coimbra (Projects Manager)
- Kate Hartmann (Director of Operations)
- Sarah Baso (observer)
Notes
- Budget will be presented to Board by Jason
- PayPal Donation button should be incorporated into project homepage template
- Need to flesh out project migration strategy for projects to OWASP hosting
- Need to streamline or remove the release review process while still preserving the value of the process
- If Mainstream is the "top", project leaders will want a path to it, so we can't make "Mainstream" unattainable. Projects don't all need to be "enterprise ready" (currently the intention of "Mainstream"), but they don't necessarily want to be associated with "Labs" either. There's a difference between a stable project and a project that's willing to be "enterprise ready": enterprise-ready projects need support staff and productization. Proposal: a new separate stage ("OWASP Enterprise")
- Do we want security reviews of projects?
  - Already part of the requirements for stable releases, but has been a huge time sink in the past
  - Need to beware of the time delay
  - Is there added value?
- Need a coverage map of OWASP projects to identify areas where OWASP is weak
  - Might lead to an OWASP "Suite" of projects?
Decisions
- Chris, Justin and Larry have been formally seated as GPC members; Keith is awaiting additional nominations and has been named a provisional member
- LiveCD 2007 project page should be archived and marked inactive with reference pointer to current LiveCD (WTE) project
- Any approval step in the Incubator/Labs processes of the OWASP Projects Lifecycle will have a rolling approval window (i.e. if the GPC does not take action within X time, it is automatically approved). This compromise prevents the GPC from becoming a bottleneck. Note that this policy places extra burden on the GPC to get things right.
Action Items
- Chris will reach out to ESAPI PHP project about project leadership
- Jason will work with Paulo to identify aspects of his workflow that can be automated
- Justin will research licensing issues for Projects and what would be involved in a license change (Sarah has volunteered to be a resource)
- Justin/Chris will sketch out an addition to the lifecycle process ("OWASP Enterprise")
- Jason will identify tools to help improve committee calls (e.g. Google Moderator, "talking stick")
- Jason will send Doodle for April meeting