OWASP Autumn Of Code 2006

Revision as of 20:24, 19 August 2006 by Dinis.cruz (talk | contribs) (2006 Autumn Of Code moved to Owasp Autumn Of Code 2006: Title change)

Jump to: navigation, search

The Owasp Autumn of Code (OAC) is an initiative aimed at financially sponsoring project contributors or leaders for their contributions to Owasp Projects.

Due to its 'best effort' nature, several Owasp projects take too long to reach a level of completeness and professionalism required for its wide use and deployment. This is very frustrating since usually the hard problems are solved and what is needed is a focus on the 'last-mile'.

OAC (Owasp Autumn of Code) is aimed at solving this problem. The sponsored projects will be focused on completing existent Owasp Projects and releasing them to the world.

To support this first phase we will use funds generated by past conferences and membership fees (hence the commitment to sponsor 8 projects). We will also ask Owasp members if they want to sponsor specific projects, and if all goes well the 'Owasp Spring of Code' will follow :)

For more details please contact Dinis Cruz directly

Dinis Cruz dinis.cruz@owasp.net

Project Overview

  • 8 projects to be sponsored: 4 at $3,500 USD and 4 at $5,000 USD (plus an optional $500 for the project leader)
  • Projects will be managed by the OWASP Project leader and by Andrew van der Stock, Jeff Williams or Dinis Cruz.
  • Payments will be made via PayPal in 3 stages: 20% on start, 40% halfway and 40% on completion.
  • If the contributor is not the project leader of the project being sponsored, and the project leader is actively participating in that project, then the project leader can receive (if he/she wants to) an additional $500 USD

How To Participate

Pick a project from the list below, and send to Dinis Cruz (dinis.cruz@owasp.net) the following details:

  • Your contact details
  • Which project you want to be involved in
  • Why you should be sponsored for the project
  • What are the objectives and deliverables
  • How long will the project be (between 3 to 6 months)

Project ideas:

  • Help to Complete V2.0 of WebScarab and package it as product
  • Write more lessons for WebGoat, integrate it with SiteGenerator and release it as a product
  • Help to complete the 'Pantera Web Assessment Studio Project' and release it as a product
  • Complete the Owasp Top 10 2007
  • Complete the Owasp Testing Guide
  • Complete the 'Owasp membership pack'
  • Complete the 'Owasp Live CD'
  • OWASP Honeycomb Project: Normalize the CLASP and VulnCat data and help to release the Honeycomb user's guide
  • Complete all Owasp .Net tools (ANSA, SAM'SHE, SiteGenerator, Report Generator, Asp.Net reflector, etc..) and release them as a product
  • Organize the 'Owasp branding project' and make a 1st pass at the current abuses of the Owasp brand
  • Create Training materials for Owasp projects (from tools to guides)
  • WebMaster the Owasp.org website for 3 months and implement all missing functionality
  • Complete Dinis Cruz' research on .Net partial trust and create a Proof of Concept application showing how .Net's Partial Trust Sandbox can be used to mitigate against most Web Application Attacks (extra bonus points if a Java demo is also delivered :)
  • for more ideas see the current project list at Category:OWASP Project


  • 28th August – 'Owasp Autumn of Code' initiative is officially launched (see 'Current Marketing Strategy') and proposals can be submitted
  • 18th September - Deadline for project proposals
  • 25th September - Publish of selected projects
  • 1st October - Project starts (and payment of 20%)
  • 15th October - Update of Project status on Owasp Conference in Seattle
  • 15th November - Participants and to report on project status (and payment of 40%)
  • 31st December - Project Completion (and payment of final 40%)

Current Marketing Strategy

  • Link this OAC page from the main Owasp.Org website
  • Make a little banner add which can be inserted in the main Owasp.Org website (and on websites that want to help)
  • Send an email to all Owasp email subscribers
  • Send an email to key mailing lists (webappsec, sc-l, etc...)
  • Write Press Release and distribute it
  • Create several articles and get them published (also try to get interviews by respected IT media)
  • Do a 'Sponsorship' push, where current members (and prospective members) are contacted to see if they want to sponsor specific projects.
  • Contact the Owasp chapters direcyly and ask them to publicize OAC at their local meetings

How To Sponsor

If your (i.e. your company) has a particular requirement which a current Owasp project has the potential to fulfill, and you realize that it will be cheaper for you to sponsor that project with a couple of developers, than contact Dinis Cruz with your requirements, ideas, time-scales and budget.

The Rules bit

  • You will need to authorize OWASP to publicize your participation in the program and the results of the program for the purposes of executing on program logistics, including but not limited to announcements of accepted proposals, the text of the accepted proposal and the resulting code from work on the project. Additional details solicited by OWASP as part of the application process, including URLs for personal blogs, will be shared with the public with the accepted applicant's permission.
  • All project's deliverables will be publicly hosted by OWASP.
  • All code / materials created by the participants must be released under an Open Source Initiative approved license. The participant may mirror development on her/his personal infrastructure at her/his option.
  • OWASP reserves the right, at its sole discretion, to revoke any and all privileges associated with participating in this program, and to take any other action it deems appropriate, for no reason or any reason whatsoever. OWASP reserves the right to cancel, terminate or modify the program if it is not capable of completion as planned for any reason.
  • Participants and OWASP is free to use the results, including code, of the OWASP Autumn of Code Program in any way they choose provided it is not in conflict with the license under which the code was developed.
  • Basically, if you don't deliver you will NOT be paid

The important bit

  • yes there will be a t-shirt available for all participants