OWASP Summer of Code 2008

Revision as of 04:40, 7 September 2008 by Paulo Coimbra



  • AUGUST 24, 2008
  • Hi OWASP community,
  • I hope you are well.
  • As you all know, we have announced before the organization of a conference in Portugal 100% dedicated to OWASP – the OWASP EU Summit 2008.
  • We are planning to make it a big, productive and interesting OWASP gathering, also with many non-OWASP attendees and external relevant speakers.
  • Beyond the software security relevant questions addressed by selected industry representatives, the idea is to discuss the open source answer to those issues by presenting all the most relevant work done within the OWASP context. We will also take the opportunity to discuss the OWASP strategic positioning for 2009.
  • We are on our way to finish all the details concerning the venue – it’s likely that it will happen in Portugal, Algarve. We are counting on having this question totally solved within the next week.
  • We also have begun the process of selecting the OWASP member attendees/speakers and, if you are a relevant OWASP participant, we are inviting you as well.
  • To be considered a relevant OWASP participant you must belong to one, or more, of the following categories:
  1. OWASP Summer of Code 2008 project leaders & reviewers,
  2. OWASP Summer of Code 2008 special project contributors,
  3. OWASP Spring of Code 2007 project leaders & reviewers,
  4. OWASP Autumn of Code 2006 project leaders & reviewers,
  5. Active Project Leaders (not currently participating on SoC 08),
  6. Active Chapter Leaders,
  7. Member with significant past OWASP Contribution.
  • In addition, regarding the categories between 1, 3 and 4, we will consider relevant OWASP participant only those who have timely delivered their projects or have timely performed their reviews.
  • Regarding the category 2, up to ten project contributors will be chosen by OWASP Board taking into consideration the supported and detailed proposals made by the SoC’s projects authors.
  • Regarding the category 5, we will consider relevant OWASP participant only those with projects in activity and the OWASP Board will judge that by checking if any significant update on the project page was done in the last six months.
  • Regarding the category 6, we will consider relevant OWASP participant only those with chapters in activity and the OWASP Board will judge that by checking if any significant activity was done in the last six months.
  • The last category, the seventh one, was deliberately created to assure that nobody with relevant past OWASP contributions will be excluded. As this judgement will be necessarily subjective and casuistic, it will be OWASP Board’s responsibility. However, you can present your application.

  • Hence, to those of you that fit the criteria, are planning to attend the conference and haven’t said so yet, I ask you to fill in here as soon as possible. To the others, I ask you to go to the same wiki page and add the name of the city/airport of departure.

  • In terms of financial support, our goal is to cover as much of the flight and accommodation expenses as possible but we are not sure still about what eventually it will mean, as it will depend on how many attendees we will have.
  • Although we start with a good budget to cover expenses (150,000 USD), it will not be enough to cover the current projected number of OWASP participants (200 people). Therefore, if you can convince your company to pay for some or all of your expenses please do so and, on the other flip of the coin, we can advertise its logo at the conference materials - more details about sponsorship opportunities will be sent later on.
  • Feel free to contact me, or the OWASP EU Summit 2008 Team, if you have questions about this conference, but please be aware that I will be out of office until next Thursday as I will be in Lisbon and Algarve with Dinis Cruz to try to sort out all the venue details.
  • Many thanks, best regards,
  • Paulo Coimbra,

OWASP Foundation Project Manager


  • OWASP is now launching the Summer of Code 2008 (SoC 2008), following the previous OWASP Spring of Code 2007 (SpoC 07), in which 21 projects were sponsored with a budget of US$117,500, and the OWASP Autumn of Code 2006 (AoC 06), in which 9 projects were sponsored with a budget of US$20,000.
  • The SoC 2008 is an open sponsorship program where participants/developers are paid to work on OWASP (and web security) related projects.
  • The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
  • The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.

Who Can Apply?

  • The only requirement is that the candidate shows the potential to accomplish the project's objectives/deliveries and the commitment to dedicate the time required to complete it in the appropriate period.
  • Current active OWASP Project Contributors (including Project leaders) are encouraged to apply.
  • No member of the OWASP board is allowed to apply for a SoC 2008 sponsorship.
  • There are no other restrictions on who can apply for a SoC 2008 sponsorship.

How To Participate (To Developers)

  • Ideas to work can be chosen from:
  • To submit a project you have to post it on the OWASP Summer of Code 2008 Applications Page.
    • Please see AoC 06 and SpoC 07 for contents to be included in the Application
    • Note that no sensitive personal details should be posted in that page, i.e., full name, postal address, email, and so on.
  • Once your application is published on the WIKI, send an email to Paulo Coimbra with the following details:
    • Project name;
    • Contact details, i.e., full name, postal address and email.
  • Both Paulo Coimbra and Dinis Cruz can also be contacted for further discussion on issues related to SoC 2008 applications, i.e., project ideas, review of draft applications, etc.


  • 3rd March – SoC 2008 season of code is officially launched. Start date for submitting applications.
  • 25th March - Deadline for project applications.
  • 16th April – Publishing of selected applications and start of SoC 2008 projects.
  • 29th June - Participants to report on project status.
  • 15th September - Project completion. Participants should deliver final project report.

Jury and Selection Criteria

  • Jury: OWASP Board Members (Jeff Williams, Dave Wichers, Tom Brennan, Sebastien Deleersnyder and Dinis Cruz).
  • There are two methods to select SoC 2008 projects:
    • By direct majority vote (3 out of 5) by the Jury;
    • By selection rating using the criteria defined below.
      • Each project will receive a rating from 1 to 5 in the following categories from each Jury member. The final result will be the total value.
        • On the Project:
          • Complete status - What will be the final Completeness State?
          • Complexity - What is the project Complexity and Size?
          • Member Value - How big is the potential added value to OWASP Members?
          • Brand Value - How big is the potential added value to the OWASP Brand?
        • On the Candidate:
          • Past Work - Value of past contributions to OWASP Projects;
          • Deliverability - Proven capability to deliver;
          • Quality of Proposal - Global quality of the proposal submitted.

Operational Rules

  • Whenever possible the participant should suggest a SoC 2008 Project Reviewer, who will be responsible for reviewing the project’s deliverables and authorizing payments.
  • Each Project Reviewer suggested by participants has to be confirmed by majority vote of the OWASP Board.
  • Whenever the participants fail to suggest a SoC 2008 Project Reviewer, the OWASP Board, by majority vote, will appoint one. The same will happen whenever the reviewer suggested by the participant does not have the required approval.
  • Each and every project should have its Project Progress page always completely updated with all information regarding the project status.
  • The Project Reviewer will provide his assessment twice for each project, at 50% and at 100% claimed completion. The Project Reviewer will deliver his evaluation by filling in his Project Reviewer Page.
  • Each new project should obtain Reviewers’ agreement that, at least, a Beta Quality stage was achieved.
  • Each project built on previous work done within OWASP (Existing OWASP Projects) should obtain Reviewers’ agreement that a Release Quality stage was achieved.
  • Projects Final Deliveries will be evaluated by an assigned SoC 2008 Reviewer. However, the Jury will provide final oversight.
  • Payments will be made, via PayPal, in two instalments, respectively 50% halfway and 50% on completion of the project.
  • Basically, if you do not deliver you will NOT be paid.

General Rules

  • By taking part in SoC 2008, the participant will authorize OWASP to host and advertise without any limitations his participation and all related contents including proposal and all deliveries.
  • All tools, documentation, or any other materials whatsoever, created by the participants within SoC 2008 context must be released under an Open Source Initiative approved license. However, the participant may mirror development on her/his personal infrastructure at her/his option.
  • Participants and OWASP are free to use the results of SoC 2008, including code, in any way they choose provided it is not in conflict with the license under which the code was developed.
  • OWASP reserves the right, at its sole discretion, to revoke any, and all, privileges associated with participating in this program, and to take any other action it deems appropriate, for no reason or any reason whatsoever. OWASP reserves the right to cancel, terminate or modify the program if it is not capable of completion as planned for any reason.
  • Any situation arising not included in the above mentioned set of rules will be decided according to the discretionary judgement of OWASP Board.

SoC 2008 Budget

  • The initial Budget for SoC 2008 will be US$100,000, and it is funded by OWASP.
  • In parallel with the Request for Proposals, OWASP is also doing a membership drive where all membership fees committed during that period will be allocated to SoC 2008 projects (the new members have the option to choose which projects they would like to sponsor).
  • The funds available will be allocated to selected projects. However, strong proposals will be accepted by majority vote of the OWASP Board before the final project selection. Remaining budget will be allocated to remaining projects.
  • Note: The referred budget allocation is just a guideline and the final values will be adjusted based on the successful proposals.