Difference between revisions of "GPC/Meetings/2011-03-07"

From OWASP
m (Clarifying)
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
+ __TOC__
= Meeting Details =
'''Dial-In:'''  1-866-534-4754 (code: 192341)

Line 4: Line 5:
'''When:''' Monday, March 7th @ 21:00 GMT (based on [http://doodle.com/c2wvbb45eq2b82sx member availability])
= Agenda =
− * Formal seating of new committee members (all)
+ * Confirmation of new committee members (all)
* Board update (Jason)
− * Proposed 2011 Budget (Jason)
+ * [https://docs.google.com/a/owasp.org/document/d/11HjbUeJxyRbQ4Jg6Wg7LceMZox0wz3Fz-LUwjfam5eg/edit?hl=en Proposed 2011 Budget] (Jason)
* Project Hosting Update (Chris)
* Project Lifecycle Process Update (Justin/Brad)
* Current Project Status Overview (Paulo)
− ** Number of '''new''' projects since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]
+ ** '''Number of new projects since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]'''
***[[Projects/OWASP Application Security Skills Assessment|OWASP Application Security Skills Assessment]]
− ***[[Projects/OWASP Common Vulnerability List|OWASP Common Vulnerability List]]
+ ***[[Projects/OWASP Common Vulnerability List|OWASP Common Vulnerability List]] (replaced by Common Numbering Project)
***[[Projects/OWASP Common Numbering Project|Common Numbering Project]]
***[[Projects/OWASP HTTP Post Tool|OWASP HTTP Post Tool]]

Line 30: Line 31:
***[[Projects/OWASP Software Security Assurance Process|Software Security Assurance Process]]
***[[Projects/OWASP Web Service Attack Community Project|OWASP Web Service Attack Community Project]]
− ** Number of '''new''' releases since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]
+ ** '''Number of new releases set up since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]'''
***[[Projects/OWASP ModSecurity Core Rule Set Project/Releases/ModSecurity 2.0.10|ModSecurity 2.0.10]]
− ** Number of '''adopted''' projects since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]
+ ***[[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.2.0|Zed Attack Proxy Project - ZAP 1.2.0]]
+ **'''Number of adopted projects since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]'''
***[[Projects/OWASP LAPSE Project|OWASP LAPSE Project]]
***[[Projects/OWASP Java Project|OWASP Java Project]]
− ** Number of '''reviewed''' projects since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]
+ **'''Number of reviewed releases since [http://globalprojectscommittee.wordpress.com/2010/11/18/owasp-projects-overview-last-4-months/ previous announcement]'''
***[[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.1.0|OWASP Zed Attack Proxy Project - Release ZAP 1.1.0]]
− ** Projects '''requiring review'''
+ **'''Projects ready to be set up'''
− ***[[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.2.0|OWASP Zed Attack Proxy Project - Release ZAP 1.2.0]]
+ ***Enhancing Security Options Framework (ESOP Framework) - Amber Marfatia
+ ***Mantra - Security Framework to OWASP, Yashartha Chaturvedi
+ ***German Language Project, German Chapter
+ ***Java HTML Sanitization, Jim Manico
+ ***Java Encoder Project, Jim Manico
+ ** '''Projects' Releases requiring review'''
+ ***http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto
+ ***http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Vicnum
+ ***http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Content_Validation_using_Java_Annotations
+ ***http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
+ ***http://www.owasp.org/index.php/OWASP_O2_Platform
+ ***http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
+ ***http://www.owasp.org/index.php/Category:OWASP_EnDe#tab=Project_Details
+ ***http://www.owasp.org/index.php/Projects/OWASP_Fiddler_Addons_for_Security_Testing_Project
+ ***http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
+ ***http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
+ ***http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.2.0
+ ***[[OWASP Reviews Dashboard|'''OWASP Reviews Dashboard''']]
+ **'''Projects with new leader/need to be re-set up'''
+ ***OWASP .NET Project - Daniel Brzozowski
+ ***WebScarab-NG - Daniel Brzozowski
+ ***College Chapter Program Project - Martin Knobloch
+ ***OWASP AJAX Security Project - Abraham Kang
+ **'''Project in need of reorganization'''
+ ***ESAPI
+ ***CSRF ecosystem, Sheridan
+ **'''Projects in adoption process'''
+ ***OWASP Application Security Assessment Standards Project | Volunteers: Bithika & Matteo Michelini (waiting for data)
+ **'''Other tasks to do'''
+ ***Top 10/Upload redesigned content and new covers (Lulu)
+ **'''Other issues'''
+ ***How should we label projects like [[:Category:OWASP Live CD 2007 Project|OWASP Live CD 2007 Project]]? Deprecated? Inactive? Or something else?
+ ***What should we do with ESAPI PHP? Let's put it up for adoption?
+ ** '''Outstanding requests from project leaders'''
+ ***None except the above
− **Other tasks to do
+ =Minutes=
− ***Top 10/Upload redesign content and new covers
+ * Meeting started: 21:00 GMT
− ***Reorganize ESAPI
+ * Meeting adjourned: 23:00 GMT
+ * [https://docs.google.com/present/view?id=0AWvv_7Gz8Z7TZGdmOGZybWhfN2Z2YnB0NWMy&hl=en_US Update for April Board Meeting]
− ** Outstanding requests from project leaders
+ ==Attendees==
+ * Jason Li (Chair)
+ * Brad Causey (Committee Member)
+ * Chris Schmidt (Committee Member)
+ * Justin Searle (Committee Member)
+ * Larry Casey (Committee Member)
+ * Keith Turpin (Committee Member)
+ * Paulo Coimbra (Projects Manager)
+ * Kate Hartmann (Director of Operations)
+ * Sarah Baso (observer)
+ ==Notes==
+ # Budget will be presented to Board by Jason
+ # PayPal Donation button should be incorporated into project homepage template
+ # Need to flesh out project migration strategy for projects to OWASP hosting
+ # Need to streamline or remove the release review process while still preserving the value of the process
+ # If Mainstream is the "top", project leaders will want a path to it - so we can't make "Mainstream" unattainable. Projects don't all ''need'' to be "enterprise ready" (currently the intention of "Mainstream"), but they don't necessarily want to be associated with "Labs". There's a difference between a stable project and a project that's willing to be "enterprise ready". Enterprise-ready projects need support staff and productization. New separate stage ("OWASP Enterprise")
+ # Do we want security reviews of projects?
+ #* Already part of requirements for stable releases, but has been a huge time sink in the past
+ #* Need to beware of time delay
+ #* Is there added value?
+ # Need a coverage map of OWASP projects to identify areas where OWASP is weak
+ #* Might lead to an OWASP "Suite" of projects?
+ ==Decisions==
+ # Chris, Justin and Larry have been formally seated as GPC members; Keith is awaiting additional nominations and has been named a provisional member
+ # LiveCD 2007 project page should be archived and marked inactive with reference pointer to current LiveCD (WTE) project
+ # Any approval step in the Incubator/Labs processes of the OWASP Projects Lifecycle will have a rolling approval window (i.e. if GPC does not take action within X time, it is automatically approved). This compromise prevents the GPC from becoming a bottleneck. Note this policy places extra burden on the GPC to get things right.
+ ==Action Items==
+ # Chris will reach out to ESAPI PHP project about project leadership
+ # Jason will work with Paulo to identify aspects of his workflow that can be automated
+ # Justin will research licensing issues for Projects and what would be involved in a license change (Sarah has volunteered to be a resource)
+ # Justin/Chris will sketch out an addition to the lifecycle process ("OWASP Enterprise")
+ # Jason will identify tools to help improve committee calls (e.g. Google Moderator, "talking stick")
+ # Jason will send Doodle for April meeting
[[Category:GPC_Meetings]]
+ [[Category:GPC_Meetings/2011]]

Latest revision as of 08:03, 6 July 2011

Meeting Details

Dial-In: 1-866-534-4754 (code: 192341)

When: Monday, March 7th @ 21:00 GMT (based on member availability)

Agenda

Minutes

Attendees

  • Jason Li (Chair)
  • Brad Causey (Committee Member)
  • Chris Schmidt (Committee Member)
  • Justin Searle (Committee Member)
  • Larry Casey (Committee Member)
  • Keith Turpin (Committee Member)
  • Paulo Coimbra (Projects Manager)
  • Kate Hartmann (Director of Operations)
  • Sarah Baso (observer)

Notes

  1. Budget will be presented to Board by Jason
  2. PayPal Donation button should be incorporated into project homepage template
  3. Need to flesh out project migration strategy for projects to OWASP hosting
  4. Need to streamline or remove the release review process while still preserving the value of the process
  5. If Mainstream is the "top", project leaders will want a path to it - so we can't make "Mainstream" unattainable. Projects don't all need to be "enterprise ready" (currently the intention of "Mainstream"), but they don't necessarily want to be associated with "Labs". There's a difference between a stable project and a project that's willing to be "enterprise ready". Enterprise-ready projects need support staff and productization. New separate stage ("OWASP Enterprise")
  6. Do we want security reviews of projects?
    • Already part of requirements for stable releases, but has been a huge time sink in the past
    • Need to beware of time delay
    • Is there added value?
  7. Need a coverage map of OWASP projects to identify areas where OWASP is weak
    • Might lead to an OWASP "Suite" of projects?

Decisions

  1. Chris, Justin and Larry have been formally seated as GPC members; Keith is awaiting additional nominations and has been named a provisional member
  2. LiveCD 2007 project page should be archived and marked inactive with reference pointer to current LiveCD (WTE) project
  3. Any approval step in the Incubator/Labs processes of the OWASP Projects Lifecycle will have a rolling approval window (i.e. if GPC does not take action within X time, it is automatically approved). This compromise prevents the GPC from becoming a bottleneck. Note this policy places extra burden on the GPC to get things right.

Action Items

  1. Chris will reach out to ESAPI PHP project about project leadership
  2. Jason will work with Paulo to identify aspects of his workflow that can be automated
  3. Justin will research licensing issues for Projects and what would be involved in a license change (Sarah has volunteered to be a resource)
  4. Justin/Chris will sketch out an addition to the lifecycle process ("OWASP Enterprise")
  5. Jason will identify tools to help improve committee calls (e.g. Google Moderator, "talking stick")
  6. Jason will send Doodle for April meeting