OWASP Summer of Code 2008 Previous Updates

Click here to return to the previous page.

Previous Updates
Hello everyone,
 * SEPTEMBER 7, 2008

I hope you are well.

Time flies, and as you know, we are almost reaching September 15, the initially established OWASP Summer of Code 2008 (SoC’s) deadline.

Therefore, less than ten days to the season of code’s expiring date, we thank those of you that are keeping the schedule and we challenge the remainder to make an effort to make up for this delay.

However, as we are working to have as many of you as possible attending the OWASP EU Summit Portugal 2008, we have decided to postpone the above-referred deadline to the possible maximum – the new SoC’s deadline will be the first day of the Summit, that is to say November 4.

We are still shaping the event wiki page but it was already agreed to hold a four-day OWASP gathering to discuss OWASP strategic issues and present all OWASP relevant projects. This first OWASP Summit will take place in Algarve (Faro is the nearest airport), Portugal, in the well-equipped seaside Hotel Santa Eulália, between the 4th and the 7th of November 2008.

In the first two days, the event will have the format of Working Sessions to openly discuss and decide on several OWASP projects and issues, e.g., OWASP Strategic Planning, OWASP Top 10 2009, Winter Of Code 2009, EASPI Project, Code Review Version 2, Testing Guide Version 4, OWASP Application Security Desk Reference (ASDR), OWASP Certifications, OWASP Awards and OWASP Website. Of course, we count on you to join the discussion and contribute to the final decisions.

As announced before, the remaining period of two days will consist of a two-day conference, where more than 40 OWASP specific presentations will be held. Again, we most definitely count on you to present your project.

'''Regarding the rules to qualify to have the Summit attendance expenses partially paid, we are also setting up the following: '''
 * 1) Until September 15, at least the 50% completion point must have been reached, the 50% self-evaluation must have been performed and, at least, one of the two reviews must have been done.
 * 2) Until September 15, both project leaders and reviewers must sign their intention of attending the Summit by adding their names here.
 * 3) Until November 4, the project must be entirely complete, reviewed and ready to be publicly presented at the Summit.
 * 4) Exceptions to these rules can be considered by OWASP Board under formal request made until September 15 by project leaders whose projects are specially extensive and complex.

In what respects to the level of expenses that will be paid, the following rules have been established:


 * 1) With the exceptions below, all accommodation and meal expenses, during all the four days, will be paid.
 * 2) As we are still seeking out for financial sponsorship support, until further notice, none of the dinners will be paid.
 * 3) The meals consist of a pre-negotiated menu and just this will be paid.
 * 4) The accommodation will consist in a place in a shared T 1 (3 people) or T2 (5 people) apartment. Therefore, even though one can choose an individual room, OWASP will pay only for the cost associated with a shared stay.
 * 5) Please note that the nights of 3 and 7 of Nov will be included in the paid accommodation for those of you attending the whole event.
 * 6) Regarding the flight expenses, OWASP will pay a maximum of 900 US dollars to all non-European attendees and 500 to the European ones.
 * 7) The operational model to book accommodations and flights is not finished yet but, as soon as possible, more details will be given.

On the whole, if you accept our challenge to be at the OWASP EU Summit 2008 to present your project and engage the discussion at one, or more, Working Sessions and if you qualify to have your expenses partially paid, please add your name right here. Please do not forget to add the name of your city/airport of departure.

Nevertheless, although we start with a good budget to cover expenses (150,000 USD), it will not be enough to cover the current projected number of OWASP participants. Therefore, if you can convince your company to pay for some or all of your expenses please do so and, on the other flip of the coin, we can advertise its logo at the conference materials - more details about sponsorship opportunities will be sent later on.

To conclude, I will be here if you need further assistance, however, as I am releasing all the information and details already stabilized, the best way to keep yourself up to date and informed about the event is to visit regularly its wiki page.

Keep up the good work - I am looking forward to seeing you in Portugal!

Many thanks, best regards,

Paulo Coimbra, OWASP Foundation Project Manager


 * AUGUST 24, 2008
 * Hi OWASP community,
 * I hope you are well.
 * As you all know, we have announced before the organization of a conference in Portugal 100% dedicated to OWASP – the OWASP EU Summit 2008.
 * We are planning to make it a big, productive and interesting OWASP gathering, also with many non-OWASP attendees and external relevant speakers.
 * Beyond the software security relevant questions addressed by selected industry representatives, the idea is to discuss the open source answer to those issues by presenting all the most relevant work done within the OWASP context. We will also take the opportunity to discuss the OWASP strategic positioning for 2009.
 * We are on our way to finish all the details concerning the venue – it’s likely that it will happen in Portugal, Algarve. We are counting on having this question totally solved within the next week.
 * We also have begun the process of selecting the OWASP member attendees/speakers and, if you are a relevant OWASP participant, we are inviting you as well.
 * To be considered a relevant OWASP participant you must belong to one, or more, of the following categories:


 * 1) OWASP Summer of Code 2008 project leaders & reviewers,
 * 2) OWASP Summer of Code 2008 special project contributors,
 * 3) OWASP Spring of Code 2007 project leaders & reviewers,
 * 4) OWASP Autumn of Code 2006 project leaders & reviewers,
 * 5) Active Project Leaders (not currently participating on SoC 08),
 * 6) Active Chapter Leaders,
 * 7) Member with significant past OWASP Contribution.

* Hence, to those of you that fit the criteria, are planning to attend the conference and haven’t said so yet, I ask to fill in here''' as soon as possible. To the others, I ask to go to the same wiki page and add the name of the city/airport of departure.''' OWASP Foundation Project Manager
 * In addition, regarding the categories between 1, 3 and 4, we will consider relevant OWASP participant only those who have timely delivered their projects or have timely performed their reviews.
 * Regarding the category 2, up to ten project contributors will be chosen by OWASP Board having into consideration the supported and detailed proposals made by the SoC’s projects authors.
 * Regarding the category 5, we will consider relevant OWASP participant only those with projects in activity and the OWASP Board will judge that by checking if any significant update on the project page was done in the last six months.
 * Regarding the category 6, we will consider relevant OWASP participant only those with chapters in activity and the OWASP Board will judge that by checking if any significant activity was done in the last six months.
 * The last category, the seventh one, was deliberately created to assure that nobody with relevant past OWASP contributions will be excluded. As this judgement will be necessarily subjective and casuistic, it will be OWASP Board’s responsibility. However, you can present your application.
 * In terms of financial support, our goal is to cover as much of the flight and accommodation expenses as possible but we are not sure still about what eventually it will mean, as it will depend on how many attendees we will have.
 * Although we start with a good budget to cover expenses (150,000 USD), it will not be enough to cover the current projected number of OWASP participants (200 people). Therefore, if you can convince your company to pay for some or all of your expenses please do so and, on the other flip of the coin, we can advertise its logo at the conference materials - more details about sponsorship opportunities will be sent later on.
 * Fell free to contact me, or the [mailto:owasp-summit-europe-2008@lists.owasp.org OWASP EU Summit 2008 Team], if you have questions about this conference, but please beware that I will be out of office until next Thursday as I will be in Lisbon and Algarve with Dinis Cruz to try to sort out all the venue details.
 * Many thanks, best regards,
 * Paulo Coimbra,


 * AUGUST 20:
 * Hello everyone. I hope you are well.
 * You can see here an excel file with a portrait of the OWASP Summer of Code 2008 situation.
 * We thank those of you that are keeping the schedule, the vast majority, and we ask the remaining ones to make an effort to make up for this delay. Once again, please let me remind you that we expect the final project deliveries ready by, maximum, September 15.
 * With respect to the review process, we reaffirm the recommendations made previously and, in addition, we ask you to give a glance at our ‘assessment guidance’ post and to pay special attention to the need of avoiding claims of plagiarism by always citing your sources.
 * Regarding the OWASP EU Summit 2008 organization, even though the planning process it’s a bit delayed, we are still aiming to hold it on 6th and 7th November. We are planning to make it a big, productive and interesting OWASP gathering, also with many non-OWASP attendees and relevant speakers and, as you know, we really would like to have you all in there. As said before, to be eligible for OWASP financial support you just need to comply with your SoC 2008 objectives.
 * We are keeping the goal of paying for all of the flight and accommodation expenses but we are not sure still. It will depend on how many attendees we will have and how much it will cost. Hence, to those of you that are planning to attend the conference and haven’t said so yet, I ask to fill in here as soon as possible. To the others, I ask to go to the same wiki page and add the name of the city/airport of departure.
 * Regarding operational matters, it’s all for today - we are counting on you and I whish you all good work.
 * Many thanks, best regards, Paulo Coimbra, OWASP Foundation Project Manager


 * JULY 15:
 * post on OWASP projects review task'''

Many thanks, best regards, Paulo Coimbra, OWASP Foundation Project Manager
 * JULY 14:
 * Hello everyone,
 * I hope you all are well.
 * I am pleased to announce, finally, that all proposed OWASP Summer of Code’s 2008 reviewers have been confirmed by OWASP Board.
 * It should have been done before, at least a couple of weeks ago but, unfortunately, given the complexity of the process – taking into consideration the new OWASP assessment criteria, 70 reviewers were matched with 33 projects -  it wasn’t possible.
 * Therefore, I would like to thank you all for your patience and support and, particularly, those who, even without OWASP Board’s confirmation, have accepted the risk and have already finished their review.
 * With respect to the review process, I take the opportunity to suggest to you a couple of recommendations, as following:
 * keep the project template page updated at all times with all relevant links, documents and contents.
 * keep the project template page updated at all times with all relevant commentaries made during the review work.
 * Use always the project mailing list to exchange emails regarding all matters related with the project progress or review.
 * Furthermore, studying the review process methodology, I found a couple of links that I thought that could be of help. For your consideration:
 * Seven Deadly Sins of Software Reviews,
 * Scientific Papers and Presentations,
 * Virtual peer review: teaching and learning about writing in online environments,
 * Software testing and continuous quality improvement.
 * On another note, regarding the payment process please pay attention to the following:
 * I will be waiting for a project’s leader email stating that the self-review and the two reviews were finished.
 * Thereafter, I will request the payment, the Board will approve and Alison will pay.
 * Please, as soon as possible, send your postal address and Pay Pal reference off to Alison (alison.mcnamee@owasp.org). Those who have already sent it to me do not need to repeat the dispatch.
 * Payments to American SoC’s participants can be made by check.
 * The payment status for all and each project can be followed here.
 * Regarding the OWASP EU Summit 2008 organization, even though the process it is also delayed, the logistics contacts have begun and the Portuguese Caloust Gulbenkian was contacted. In addition, the process of building a team to assume the responsibility for this event was begun and the initial discussion can be seen here.
 * Therefore, please don’t forget that we expect the final project deliveries ready by, maximum, 15th September, to publicly present them at the referred conference.
 * To conclude, please, be aware that, between July 28 and August 8, I have planned to have two weeks holiday. Hence, if you have urgent matters for me to deal with you have two weeks.
 * I wish you all good work.


 * JULY 2:
 * OWASP EU Summit 2008 - update.


 * JUNE 26:
 * As you know, we have almost reached the time to perform the 50% review.
 * However, it’s time to recognize that we have been somewhat imprecise in our definition of the 50% review‘s deadline. To have all projects reviewed, we should have defined a period, a start and an end date, instead of a specific day. Therefore, regarding this matter, we will not be strict.


 * On the contrary, please be aware that we expect the final deliveries ready by, maximum, 15th September, as we are planning to set up an International Conference to publicly present them.


 * However, we are still recommending June 29 to be assumed as the reference date to begin this process.


 * In accordance, we would like to see each project template being updated until the referred date (June 29) by uploading in there all project main links and documentation as can be seen, for example, here or here. Thereafter, both author’s project and reviewers should begin the assessment task. – As we are still receiving questions inquiring about the assessment/review methodology, I am sending again a couple of guidance lines (see please the page bottom).


 * Regarding the provisory pointed out reviewers, as not everybody have yet done what was asked in the previous SoC’s update, I must reiterate the following requests:
 * Please add the note ‘Confirmed’ or ‘Unconfirmed’ directly on this page, just below the reviewers names. Please, pay special attention if you find the reference TBC (To be confirmed).
 * Please, ask your reviewers for them to add, as soon as possible, just below their names, a link with a couple of lines mentioning their professional background - as you know this information will be needed to achieve OWASP Board’s confirmation.


 * Please, send me off your postal address and Pay Pal reference. Once the 50% review is finished, we will need it to pay.
 * To conclude, regarding the projects that haven’t yet found the required reviewers, I take the opportunity to ask the authors [mailto:paulo.coimbra@owasp.org|to drop me a line] if assistance is needed.


 * JUNE 16:
 * OWASP Summer of Code's Project Pages, Reviewers Status, Pay Pal and Postal Addresses.
 * Your pages were created and can be found here. Please confirm all data - mistakes can have been made - and feel free to change it as you find best.
 * In addition, as you will see, the text that I have chosen to introduce your project is too long. So, could you please find out a terse phrase to substitute it?
 * Regarding the provisory pointed out reviewers please allow me, I have again a couple of requests:
 * Please add the note ‘Confirmed’ or ‘Unconfirmed’ directly on this page, just below their names. Please, pay special attention if you find the reference TBC (To be confirmed).
 * Please, ask your reviewers for them to add, as soon as possible, just below their names, a link with a couple of lines mentioning their professional background - as you know this information will be needed to achieve OWASP Board’s confirmation.
 * I take the opportunity to ask you all to send me off, please, your postal address and Pay Pal reference. Once the 50% review is finished, we will need it to pay. We also need the former information to weigh up the price of your flights to the OWASP Summit.
 * To conclude, I inform that I will be out of office until 23rd, next Monday – if you have any urgent matter please contact Dinis Cruz (dinis.cruz@owasp.org).
 * Keep up the good work and, please, do not forget that we have the 50% review scheduled for June 29th.
 * Many thanks, best regards.
 * Paulo Coimbra.


 * JUNE 9:
 * The reviewer’s question/OWASP EU Summit 2008.
 * To deal with it, I have created a new page here.
 * To begin with, the referred page includes a field named Status Target. I have filled it in accordance with the SoC’s operational rules. So, if any of you disagrees with my criterion, please let me know.
 * Next, regarding the provisory pointed out reviewers, please allow me, I have a couple of requests for you:
 * Please confirm that no mistake was made and feel free to change it, directly on the referred page, in accordance with your own choice if you find any error or misunderstanding. Please, pay special attention if you find the reference TBC (To be confirmed).
 * Please, ask your reviewers for them to add, as soon as possible, just below their names, a link with a couple of lines mentioning their professional background - as you know this information will be needed to achieve OWASP Board’s confirmation.
 * Taking the opportunity, regarding the roles of reviewers and contributors, we recommend keeping a clear distinction between them. No one working as author/contributor should act simultaneously as reviewer in the same project. We believe that clear and distinctive roles create the scientific/technical conditions to have final improved deliveries and we hope that you can agree with us.
 * With respect to your project page, it goes without saying that I am delayed. Please forgive me. I have already initiated this process and I am counting on finishing it very soon. However, your help would be very much appreciated - if you want to take a stab at setting it up, you can use the Skavenger template as example. Otherwise, I will do it for you.
 * Concerning the good news that I’ve promised in my last update, I am very glad to announce that we are planning to invite all SoC’s authors and reviewers to attend a conference to publicly present the deliveries.
 * The rules to attend the referred conference are far from being finalized or definitively established, although I can anticipate that we are planning to pay part, at least, of the flights and accommodation expenses. Concerning this matter, please, don’t get back to me asking for additional information - you can follow all the issue here as I have not, for now, additional information. I am very thrilled with this scenario and I hope you find it worth doing.
 * As always, we are counting on you to support OWASP.
 * Keep up the good work and, please do not forget that we have the 50% review scheduled to June 29th.
 * Many thanks, best regards
 * Paulo Coimbra


 * MAY 26:
 * Update made in OWASP Summer of Code 2008 set of rules.
 * The specificity of the documentation projects, and the remarkable extension and complexity of some of them, has been mentioned by a few authors/project leaders.
 * Hence, regarding the question of the number of the reviewers for each documentation project, we have decided to propose you a new frame to deal with that matter.
 * That is to say, we are proposing to have one reviewer for each 200 pages of content.
 * However, all projects have to have, at least, two reviewers.
 * Regarding the associated question of payment, as we have assumed before, we will reward this contribution either with a free ticket to attend the OWASP NYC AppSec 2008 Conference or with 12, 5% of the value of the project to be reviewed.

0. Call for OWASP Summer of Code’s 2008 Reviewers. 1. Where are the projects to review? 2. What are the reviewers’ main tasks? 3. Who can be a reviewer? 4. Will this work be paid? 5. Where can I find the project’s progress page in which I am interested? That is to ask, where can I find the page similar  to the  one? 6. So, if I am interested in being one of the reviewers, how should I proceed?
 * MAY 14:
 * As you probably already know, OWASP has awarded 31 grants to promising application security researchers as part of the OWASP   Summer of Code 2008 (SoC 2008).
 * As a result, we are seeking out for project reviewers so as to have all these projects assessed.
 * Consequently, if you are interested in performing such task, please don’t hesitate and let us know as soon as possible. As a volunteer organization, we rely absolutely on your contribution. Hence, we lively encourage you to put forward your application to  assume this reviewer role.
 * To make your decision please look at the following information:
 * These projects can be found here.
 * A. The main tasks are the result of a set of rules previously established in both the OWASP Summer of Code 2008 initiative and the OWASP Project Assessment criteria.
 * B. To exemplify, please take into consideration the.
 * C. Simplifying, I would say that the work review will basically consist in certifying that the project’s objectives and deliveries were   accomplished and, taking into consideration the OWASP Project Assessment criteria, in  certifying that the Beta Status was reached. Additionally we expect the reviewer always to be available to provide useful advice to  the project developer. These tasks must be performed twice: the first one, the 50% Review, by June 29 and the second one, the Final  Review, by September 15.
 * D. Regarding the question of the project status, it is important to clarify that, even though the majority of the projects have to reach Beta status, there are also some others, in which the status target is Release Quality. That is to say, that each project  built on previous work done within OWASP (Existing OWASP Projects) should obtain Reviewers’ agreement that a Release Quality stage was achieved.
 * If you are interested in contributing and feeling comfortable with the technical matters in question, you can be project reviewer. We encourage also the OWASP Summer of Code 2008 participants to take part in reviewing someone else’s SoC 2008 project. However,  please pay attention to the fact that, at least, one of the two Project Reviewers should be an OWASP Project or Chapter Leader.
 * Well, in terms of paying the market value of your work, we wouldn’t dare say ‘yes’. However, we will reward this contribution either with a free ticket to attend the OWASP NYC AppSec 2008 Conference or with 12,5% of the  value of the project to be reviewed.
 * Currently, nowhere, but very soon each project will be supplied with its own progress page.
 * A. Please [mailto:paulo.coimbra@owasp.org drop me a line] to let me know about your interest.
 * B. I will put you in direct contact with the project’s author.
 * C. Having reached the author’s agreement, please inform us.
 * D. As all reviewers must have OWASP Board approval, we will inform you as soon as possible about their decision.


 * APRIL 30:
 * With regard to the progress pages, we are still working on a sample of it. You can see here and here what we are doing. Once we have it finalized, we’ll get back to you. However, if you need right now to have a wiki page to carry on with your work, you can create your own on the section of Season of Code Projects at the OWASP projects page – later on it can be adapted in accordance with the proposed model.
 * This situation above has also an impact on the reviewers’ question. We’ve decided to add in the referred above model the specifications to have in consideration for the work review. Hence, we are planning to focus again on finding reviewers only after the model is finished. However, it will happen very soon. Besides, for your information, we are planning to offer to every SoC’s reviewer either a free ticket to attend the OWASP NYC AppSec 2008 Conference or 12,5% of the value of the project to be reviewed.


 * APRIL 17:
 * We announce the results of the assessment of OWASP Summer of Code’s 2008 applications that  can be found here.
 * As a swift overview, we would say that we have received 35 applications of which 31 were already accepted. In addition, two applications are waiting for Jury’s decision yet and two more were withdrawn by the author.
 * Consequently, except for the former two applications referred above, we declare that the working period for the OWASP Summer of Code 2008 has already begun.


 * MARCH 31:
 * We announce a two-week-delay in the assessment of OWASP Summer of Code’s 2008 applications. We are now planning to deliver our assessment on the 16th April. Hence, the whole SoC’s 2008 schedule will be postponed two weeks.
 * Having carefully analysed the set of 35 applications, we have decided to request that 18 applicants adjust their proposals. These 18 applications can be found here.
 * As you will see, for each one, we have posted a couple of recommendations. Consequently, we ask that each applicant answer just below our recommendations, whether or not they are accepted. If so, please leave a clear note of it and modify accordingly your applications in the same wiki page.
 * We also recommend that you state your positions by the 9th of April.
 * The remaining set of applications can be found on either the Majority Vote Page or Selection Criteria Page. Although the new official date to announce the SoC’s 2008 is now the 16th of April, we will post our assessment as soon as it has been reached. At this moment, the applicants can of course start working. However, we will return to you all later, once the assessment process has been totally completed, with further details.
 * We understand the inconvenience that this might cause and apologise for that. Although, as we are acting to improve the SoC’s final deliveries, we also ask for your understanding and we thank you in advance.


 * MARCH 25: Submission period is now closed. The final decision will be announced HERE on the 2nd April. Thanks to everybody who applied for this OWASP Season of Code.


 * MARCH 12 : If your application for an OWASP Summer of Code 2008 fund wasn’t already submitted just because you are stuck with doubts about a work line to follow, you can skim over the new and greatly improved Request for Proposal List to find a wide-range of options.


 * MARCH 10: As expected, the applications are coming in!
 * Please remember to send us an [mailto:pcoimbra@owasp.org email] when you post them on-line. We need to know who you are. :)


 * MARCH 3: OWASP SUMMER OF CODE 2008' HAS BEEN LAUNCHED!
 * Deadline for project applications: 25th March.