Google SoC 2009

Introduction
OWASP is the Open Web Application Security Project. It is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a “people, process, and technology” problem, because the most effective approaches to application security include improvements in all of these areas.

OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. The OWASP Foundation is a US 503(c)(3) organization that supports the infrastructure of OWASP. As part of its mission, OWASP supports its community of developers in creating tools and libraries that help improve application security for organizations and developers across the world. These “OWASP projects”, like all content at OWASP, are open and free and as such, we mandate that any project created at OWASP is distributed under an approved OSS license.

OWASP and Google Summer of Code
The OWASP Foundation is applying to participate in the Google Summer of Code 2009 because it offers a unique opportunity for application security visibility. Application security is an important problem that often lacks visibility and awareness in an organization’s SDLC. The Google Summer of Code program is a widely recognized program that brings the most talented and enthusiastic young developers together. By leveraging this young, talented development pool, we hope the benefits will be two-fold:

 * the OWASP Foundation gains extremely talented developers who can help to create tools that will be of benefit to application developers and security testers worldwide
 * the young developer gains an appreciation for application security which they will hopefully bring to their future employers and co-workers, raising awareness of application security one developer at a time.

OWASP's Seasons of Code
While OWASP has not participated in nor applied for any previous Google Summer of Code, OWASP has created its own “Season of Code” (More Info), starting with the Autumn of Code in 2006 and followed by subsequent seasons in 2007 and 2008. The model is similar to Google’s Summer of Code: the OWASP Foundation solicits applications from interested developers for grants to create projects that OWASP leaders feel have a direct impact on improving application security for the community at large. We maintain a list of such potential projects here. Through our season of code process, we encourage interaction and follow-through from new project developers by inviting them to the annual OWASP Summit (travel and accommodation expenses are paid by OWASP).

The OWASP Summit is a gathering of the worldwide OWASP community where new project developers present their projects to the OWASP community, as well as participate in working groups that set the annual agenda for the OWASP Foundation. Project developers who create truly useful, quality tools gain instant recognition in the OWASP community. This prominence and recognition drives many developers who participate in an OWASP project to continue not only with that project, but also to participate in the OWASP community at large. Between the Summit and the recognition, we have found in the past that the reward is enough to motivate participants to complete their projects. In the isolated cases where this has been problematic, Paulo Coimbra, our OWASP Projects Manager, takes on the task of actively prodding project participants on deliverables.

Maintaining Quality in SoC Projects
As part of our experience with our own seasons of code, our organization has learned a number of things which have improved our process over time. The most beneficial items that have come out of this process are having clearly defined evaluation criteria for our projects, and an established review process by OWASP leaders and community members. For this review process, we have a community of OWASP members that we leverage to help in evaluating the quality of OWASP projects. As our projects have grown, we have increasingly faced the issue of project management, namely providing consistency across OWASP projects. While we impose no restrictions on the technology or language a project developer chooses, we do require that the project developer maintain a certain level of documentation for the project, including maintaining the project assessment template. An example of this template can be seen here. Our hope is to continue to use this same process, but with the added clout and resources of the Google Summer of Code program.

Google SoC Administrator and Mentor Selection
Administratively, OWASP is governed by a board of five dedicated members from around the world. They are supplemented by global committees of four to eight persons to which the OWASP Board delegates responsibility for various areas of OWASP, including OWASP’s projects, chapters and conferences. One member from either the OWASP Board or the OWASP Global Projects Committee will be nominated to be the primary Google organization administrator, though in principle any of the other board or committee members have the full authority of OWASP and can act or respond on its behalf. As a result, there are at least eight other people available as a backup to the primary Google organization administrator.

Mentors will be chosen by the OWASP Board and Global Projects Committee members based on the project selected by a Google participant. The mentor chosen will be a person with previous OWASP Project experience who is considered to be an expert in the field in which the project is based. The OWASP community is a large community of application security experts, and while every care will be taken to select a mentor who will see the process through, should it become necessary to replace the mentor, participants will not be abandoned: the OWASP Global Projects Committee will act as an administrative mentor to assist project participants with navigating project overhead, and an OWASP Board member will step in and act as technical mentor. The board member will be the OWASP Board Member whose area of technical expertise most closely aligns with the project.

While OWASP does not maintain an IRC channel, the main OWASP mailing list is the OWASP Leaders’ list, a closed list that addresses all OWASP Project leaders as well as global OWASP Chapter leaders. Any Google Summer of Code participants will be added to this leaders’ list. In addition, we create mailing lists for each individual OWASP project.