Talk:OWASP Initiatives Global Strategic Focus/website project
Thoughts on look and feel
The Needs Assessment report has a good analysis of the current web site and provides a lot of valuable ideas for improvements. The mock-ups mostly look attractive. However, I disagree with some of the underlying assumptions:
- Wikipedia-style is derided. However, this style is wholly appropriate for the OWASP style IMHO. The OWASP web site could do worse than emulate Wikipedia more faithfully. Run towards Wikipedia, not away from it!
- The (ISC)^2 web site is put forward as a style to aspire to. I beg to differ: the current OWASP web site looks a lot more attractive to me than (ISC)^2's. The former is much easier on the eye. (ISC)^2 may draw attention through the use of striking colors and more graphic material. However, no additional useful information is conveyed. The net result is a feeling of weariness: my brain has to work hard to take in all these stimuli and I get very little in return. Remember that web sites are not competing for attention like billboards: unlike billboards, you visit web sites one by one. A good web site conveys its message while minimising collateral damage through information fatigue.
- Agree with both of the above. ISC2 is not a "competitor" and whilst the report has much to offer, focusing on ISC2, ISACA, ISA for comparisons seems a bit lazy. These other organisations are not like OWASP in terms of objectives, audience or membership. I remember being asked during an interview for this "shouldn't OWASP be the primary source of information" and I said no, OWASP's role is to promote application security - not promote itself. AppSec info appearing on other websites is a win - not a negative.
- The importance of the (ISC)^2 website is not that (ISC)^2 is a direct competitor or the colors they used but that they inhabit the same "space" as OWASP and that their decisions about organization make their website easier for new people to use.
- The suggestion is not necessarily to do away with the wiki but to clean it up and change a few key landing pages to be easier to follow.
- On p28 of the report, there is a recommendation to make the projects more consistency. I disagree, let projects lay out their content however they want - the audiences vary massively, and projects vary a lot too. OWASP is not ISC2 and I suspect never wants to be. ISC2 keeps getting used as an example - what about other community sites rather than commercial sales-orientated vendors like ISC2? At least OWASP has a memorable/writable name.
- Agree, a breadcrumb trail mentioned on p31 would be useful, but is still a challenge to define what the hierarchy might be
- Peer analysis on p32 is flawed. The organisation mentioned are not peers.
- Fascinating, p37 says "OWASP has the highest Alexa ranking"... err so why do we have to change so much?
- The "bounce rate" is mentioned as a negative here but fails to understand how some people use the site. The high number of "single page visitors" was also lauded by the report's authors as awful during the telephone interview, but they did not realise that some people use OWASP as a reference document, and use Google to search for "XSS cheat sheet" for example, then go to that page, use the information and then get on with their lives. There is no analysis of robots anywhere in this report, so the analysis of information presented about visitors is guesswork.
Thoughts on Platform Selection
- p48 states there are two purposes for the OWASP website.... (1 Organisation visibility and membership promotion/participation and 2 Improve application security visibility...). Although this is stated within what is called "Option A", it seems to apply to all three options. But more importantly, "Organisation visibility and membership promotion/participation" is not one of OWASP's objectives, values, purposes or principles. Who said that self-promotion is one of the website's purposes? If the only purpose is instead "Improve application security visibility...", then the arguments for the 3 options need to be revisited e.g. the report says "These 2 purposes are at odds with each other".
Thoughts on Information Architecture
Thoughts on Back Office and Infrastructure Architecture
This should certainly be a priority. It is difficult to volunteer for projects and efforts since work needed is not centralized. Additionally, communication seems to always go out of band to email which reduces overall teamwork and transparency. While the groups are very successful, we are losing volunteer work due to an inability to locate it.