GPC/Meetings/2011-03-07

Latest revision as of 14:03, 6 July 2011

Meeting Details

Dial-In: 1-866-534-4754 (code: 192341)

When: Monday, March 7th @ 21:00 GMT (based on member availability)

Agenda

  • Number of new releases set up since previous announcement (http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/)
    • ModSecurity 2.0.10
    • Zed Attack Proxy Project - ZAP 1.2.0
  • Number of adopted projects since previous announcement (http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/)
    • OWASP LAPSE Project
  • Number of reviewed releases since previous announcement (http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/)
    • OWASP Zed Attack Proxy Project - Release ZAP 1.1.0
  • Projects ready to be set up
    • Enhancing Security Options Framework (ESOP Framework) - Amber Marfatia
    • Mantra - Security Framework to OWASP - Yashartha Chaturvedi
    • Java HTML Sanitization - Jim Manico
    • Java Encoder Project - Jim Manico
  • Projects' Releases requiring review
    • http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto
    • http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Vicnum
    • http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Content_Validation_using_Java_Annotations
    • http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
    • http://www.owasp.org/index.php/OWASP_O2_Platform
    • http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
    • http://www.owasp.org/index.php/Category:OWASP_EnDe#tab=Project_Details
    • http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
    • http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
    • http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.2.0
    • OWASP Reviews Dashboard
  • Projects with new leader/need to be re-set up
    • OWASP .NET Project - Daniel Brzozowski
    • WebScarab-NG - Daniel Brzozowski
    • College Chapter Program Project - Martin Knobloch
    • OWASP AJAX Security Project - Abraham Kang
  • Projects in need of reorganization
    • ESAPI
    • CSRF ecosystem - Sheridan
  • Projects in adoption process
    • OWASP Application Security Assessment Standards Project | Volunteers: Bithika & Matteo Michelini (waiting for data)
  • Other tasks to do
    • Top 10/Upload redesigned content and new covers (Lulu)
  • Other issues
    • How should we label projects like the OWASP Live CD 2007 Project? Deprecated? Inactive? Or something else?
    • What should we do with ESAPI PHP? Put it up for adoption?
  • Outstanding requests from project leaders
    • None except the above

Minutes

  • Meeting started: 21:00 GMT
  • Meeting adjourned: 23:00 GMT
  • Update for April Board Meeting: https://docs.google.com/present/view?id=0AWvv_7Gz8Z7TZGdmOGZybWhfN2Z2YnB0NWMy&hl=en_US

Attendees

  • Jason Li (Chair)
  • Brad Causey (Committee Member)
  • Chris Schmidt (Committee Member)
  • Justin Searle (Committee Member)
  • Larry Casey (Committee Member)
  • Keith Turpin (Committee Member)
  • Paulo Coimbra (Projects Manager)
  • Kate Hartmann (Director of Operations)
  • Sarah Baso (observer)

Notes

  1. Budget will be presented to Board by Jason
  2. PayPal Donation button should be incorporated into project homepage template
  3. Need to flesh out project migration strategy for projects to OWASP hosting
  4. Need to streamline or remove the release review process while still preserving the value of the process
  5. If Mainstream is the "top", project leaders will want a path to it - so we can't make "Mainstream" unattainable. Projects don't all need to be "enterprise ready" (currently the intention of "Mainstream"), but they don't necessarily want to be associated with "Labs". There's a difference between a stable project and a project that's willing to be "enterprise ready". Enterprise-ready projects need support staff and productization. New separate stage ("OWASP Enterprise")
  6. Do we want security reviews of projects?
    • Already part of requirements for stable releases, but has been a huge time sink in the past
    • Need to beware of time delay
    • Is there added value?
  7. Need a coverage map of OWASP projects to identify areas where OWASP is weak
    • Might lead to an OWASP "Suite" of projects?

Decisions

  1. Chris, Justin and Larry have been formally seated as GPC members; Keith is awaiting additional nominations and has been named a provisional member
  2. LiveCD 2007 project page should be archived and marked inactive with reference pointer to current LiveCD (WTE) project
  3. Any approval step in the Incubator/Labs processes of the OWASP Projects Lifecycle will have a rolling approval window (i.e. if the GPC does not take action within X time, the step is automatically approved). This compromise prevents the GPC from becoming a bottleneck. Note that this policy places extra burden on the GPC to get things right.

Action Items

  1. Chris will reach out to ESAPI PHP project about project leadership
  2. Jason will work with Paulo to identify aspects of his workflow that can be automated
  3. Justin will research licensing issues for Projects and what would be involved in a license change (Sarah has volunteered to be a resource)
  4. Justin/Chris will sketch out an addition to the lifecycle process ("OWASP Enterprise")
  5. Jason will identify tools to help improve committee calls (e.g. Google Moderator, "talking stick")
  6. Jason will send Doodle for April meeting