OWASP 2013 Project Summit Working Session Outcomes Leader Reports

Working Session Outcomes: Leader Reports
The working session outcomes below are the direct reports sent to the OWASP Projects Manager by the participating Project Leaders. They outline, in greater detail, what their session deliverables were, and list their roadmaps for future work to be completed. Please note that some sentence structure and spelling were corrected before each report was added to this document.

OWASP Projects Review Session
SESSION DESCRIPTION: During the OWASP Projects Review working session, attendees will be able to participate in the review of the entire inventory of OWASP Projects using the new assessment criteria developed by our team of Technical Project Advisors. The aim of this session is to establish a more accurate representation of OWASP project health and product quality. The session outline is as follows:
 * Overview of new assessment criteria to conduct reviews.
 * Team up in small groups (2 to 3 max) based on experience and background to assess a set of Projects (Code, Tool or Documentation)
 * Fill in the Questionnaire (Google Forms) to complete assessment of Projects and provide the review with a final score and results (Project defined as Incubator, Lab or Flagship)
 * Review results of questionnaire with your team.
 * Present results and conclusions of assessment session.

OUTCOMES
 * 1) We are able to present quality and health assessments that the team had worked on over the prior few months, get some good feedback from OWASP leaders, and have a number of OWASP members use the assessment to rate some of the existing projects so we could see what worked well and what didn't work.
 * 2) Yes, we were able to take everyone's input to further improve both assessments. We removed a couple of questions that were well-intentioned, but problematic for reviewers. Since it wasn't clear if a project passed a health assessment and should be promoted or not, we made sure all of the questions on the overall project health questions were knock-out questions, meaning that if they did not satisfy the criteria they weren't ready to be promoted since these are all key principles fundamental to the goals of all OWASP projects. To accomplish this, more subjective questions were moved to the quality assessment which uses a numeric scale to rank the project, rather than being ‘Yes’ or ‘No’ questions. We also created a standard scoring scale for all project types, which works with a single rating range if users assign full credit if a question is not applicable. There were also some cosmetic changes made regarding the instructions to make it easier to focus on the question, and yet still easily get guidance on how to answer each question. The bottom line is that I believe that the time spent talking with OWASP Leaders and Members directly resulted in the biggest improvement to the project assessments, which exceeded my expectations of what we wanted to accomplish at the summit.
 * 3) The follow-up items were to create an online form that reviewers could use to rate projects, ask project leaders to rate their own project (partly as a process to weed out inactive projects, so we don't spend time reviewing dormant projects), get 10 quality reviews for each project from OWASP members who use the projects (especially the tool and library code projects since good health assessments are predicated on having reviews from those most familiar with those projects that have an environment to use them in and projects to apply them to), and perform health assessments on all of the projects (focusing first on projects who have requested a review or to be promoted and flagship projects, then lab projects, and finally incubator projects).

OWASP Media Project Session
SESSION DESCRIPTION: The OWASP Media Project is an infrastructure project that gathers, consolidates, and promotes OWASP content in video format on a central appealing hub. The first and main instance of the project will be a YouTube channel.

The session will be used in order to bring project leaders up to speed on how video sharing and live streaming can help promote your project and reach people. We will do that by presenting Google Hangout, and the official OWASP YouTube channel.

Then, we will gather potential sources and existing videos in order to populate the OWASP channel. This summit experience will not just be about promoting the Media Project itself, but also about the exposure of any other projects with video content.

OUTCOMES
 * 1) What were the outcomes of the Sessions? I can't speak for the other project leaders really, but on my part I did meet a lot of them and briefly exchanged contacts. I'd say the session brought us together, not only to see the people within one project, but to also see other project leaders and volunteers and this should be encouraged regularly.
 * 2) Did you accomplish what you set out to accomplish before the summit? In our case we just presented the project to one interested person, so it was not that good on this part. I think it's hard for a project that isn't flagship level to motivate people to go one day only for that. However we wanted to accomplish something else with the Media Project: record other people from other projects, and in that regard we succeeded.
 * 3) What is there left to do? Do more stuff in order to promote the project leaders' presentations online and do working sessions.
 * 4) Roadmap for accomplishing what is left to do. That would be added to the roadmap of Media Project; however, we have many more priorities and this would be down on the list. That could change if we get more volunteers.

OWASP Mobile Security Session
SUMMIT DESCRIPTION: Just as the mobile security landscape has changed, so has the OWASP Mobile Project. Join us as we discuss the major milestones of 2013 and what is in store for the project's future. We will also go deeper into the Mobile Top Ten project where we will discuss the decisions made on categories, vulnerability information, and look at some surprising vulnerability trends in mobile applications.

During this session we will cover:
 * OWASP Top 10 Mobile Risks, 2014 Refresh
 * Mobile project 2013 achievements and the 2014 roadmap.
 * Increasing industry collaboration within the mobile security space.

OUTCOMES
 * 1) What are the outcomes of this session? Our small group spent time trying to identify classes of mobile vulnerabilities. The mobile top ten in specific. We went over a lot of ideas but ended up deciding on minimal changes to the current categories. This was for a few reasons. Some places have already instated a standard for one. We did identify some new issues arising and new potential projects to add to the overall mobile security project, such as criteria for MDM type solutions since they are not covered in the mobile project but companies want some security guidance when they test or evaluate them.
 * 2) Did you accomplish what you set out to accomplish before the summit? We did. We decided on a few category changes. We talked to users of the mobile top ten and addressed some pain points (mostly project incompletion).
 * 3) What is there left to do?