We have announced a conference in Portugal dedicated entirely to OWASP: the OWASP EU Summit 2008. We are planning to make it a big, productive and interesting OWASP gathering, with many non-OWASP attendees and relevant external speakers as well. Beyond the software security questions raised by selected industry representatives, the idea is to discuss the open source answer to those issues by presenting the most relevant work done within the OWASP context. We will also take the opportunity to discuss OWASP's strategic positioning for 2009. See here for all the recent updates.
(WORK IN PROGRESS / Last review – 14 August 2008)
Reviewers’ main tasks
As an example, consider the OWASP Live CD 2008 Project.
In short, the review consists of certifying that the project's objectives and deliverables were accomplished and, against the OWASP assessment criteria, that the target Status was reached. We also expect the reviewer to be available at all times to advise the project developer. These tasks must be performed twice: the 50% Review by June 29 and the Final Review by September 15.
Beyond that, in our view a reviewer is expected, at a minimum, to point out scientific/technical and methodological mistakes, to propose paths to follow, and to propose tools and documentation/bibliography to be studied and consulted. The reviewer role also includes responsibility for avoiding claims of plagiarism and for the language review, according to these rules. As we see it, the reviewer has the responsibility and the right to propose paths and changes, and the project leader has the responsibility and the right to accept them or not.
AUTHORS/CONTRIBUTORS VERSUS REVIEWERS
On the one hand, we see project leaders, contributors and reviewers as members of the same team, with the shared purpose of delivering the best results.
On the other hand, we recommend keeping a clear distinction between author(s)/contributors and reviewers, because that independence is the scientific/technical condition for reaching the shared goal of improved final deliverables. The full independence of each party is a sine qua non of the scientific process.
To deal with this tension, and taking the OWASP culture into account, we would in future like to implement a democratic decision-making process, so that technical decisions are made by the technical people best informed about the subject. When properly led, a small group of the most knowledgeable people working together will arrive at a better conclusion than any senior manager could produce alone. Of course, these democratic principles must be coupled with communication and a coordination process that gets the right people working together to make the decisions.
However, even if everybody behaves democratically, mistakes can still be made. This link, for example, points out a couple of them; be aware of them and do try to avoid them.
To conclude, we do not want to over-define everything. Keeping in mind that our main goal is to deliver the best results possible within the given timetable, we encourage teamwork.
Still, we will always be here if you find it useful to consult us on anything you think we can help with.
Paulo Coimbra and Dinis Cruz
OWASP Live CD 2008 – An OWASP Summer of Code Project, upcoming.yahoo.com/event
Catching up with Summer of Code 2008, Mark Roxberry
Applications take a beating…and keep taking it, Michael Coates
AntiSamy 1.1 is out! omg.wtf.bbq.
OWASP . NET Project, Mark Roxberry
OWASP Summer of Code 2008: Anúncio Oficial, Camargoneves.com
OWASP Summer of code 2008, Smart Security by Dharmesh Mehta
OWASP Summer of Code, James McGovern
OWASP Summer of Code, Michael Coates
March OWASP News, 0xCODE Shop
OWASP Summer of Code 2008, Denim Group
OWASP Summer of Code 2008, The Geekette Speaketh
OWASP Summer of Code, Orange County PHP
OWASP Summer of Code 2008, Cyphersec
OWASP Summer of Code 2008, Tarun Dua
OWASP kicks off Summer of Code 2008, Searchsoftwarequality.com