Tuesday, May 19, 2015

Profile 4: OWASP

OWASP

Michael Tubinis (mstubinis), Brian Escriche (Pharas)

Rationale

Their home page looked like it had a lot of information at first glance… Yes, that’s why we chose it, as we did not have any prior knowledge of any of the other entities we could choose from.

Organizational Details

  1. Is the subject of your profile a corporate entity?
    Yes, a 501(c)(3)
  2. What type?
    Worldwide not-for-profit charitable organization
  3. When was it founded?
    April 21, 2004
  4. By whom?
    Mark Curphey
  5. Original founder(s) still active?
    It appears he is no longer active
  6. Publicly Traded? Since when? Initial Stock Price? Current stock price?
    It is not publicly traded
  7. Has the company made any acquisitions? If yes, which companies, and what were their core products?
    No
  8. Has the company made any investments in other companies? If yes, which ones.
    No
  9. Number of Employees?
    7 Global Board Members. 8 Employees / Contractors
  10. Where is HQ?
    1200-C Agora Drive #232 in Bel Air, MD 21014
  11. Does it have any other offices or locations?
  12. Does your organization file any annual reports? Please include links to any relevant documents (i.e. 990, Annual Report, Year in Review, etc...)
    No

Communications

  1. Does your subject participate in social media? If yes, please list a URL for each
    Facebook - https://www.facebook.com/pages/Open-Web-Application-Security-Project/296236753839074 - 8900 likes
    Twitter - https://twitter.com/owasp 41.6k Followers
    Google+ - https://plus.google.com/communities/105181517914716500346 - 2293 members
    LinkedIn - https://www.linkedin.com/groups/Global-OWASP-Foundation-36874
  2. What communication channels does your subject use to reach their public? Briefly describe and include a URL for each.
    OWASP Blog - http://owasp.blogspot.com/
  3. Does your subject organize or participate in any conferences? If so, list them here, and provide links to any relevant sessions, keynotes, or content.
    http://2015.appsec.eu/conference-program/
    http://2015.appsecusa.org/c/
Community Architecture

  1. If applicable, list and provide links to:
    1. The project's IRC Channel
    2. Other communication channels
      Issue Tracker - http://jeremylong.github.io/DependencyCheck/issue-tracking.html
  2. Describe the software project, its purpose and goals.
    Dependency-check is an open source solution to the OWASP Top 10 2013 entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify known vulnerable components.

  1. Give a brief history of the project. When was the initial commit? The latest commit?
    Initial - September 6th, 2012
    Latest - April 26th, 2015
  2. Who approves patches? How many people?
    Jeremy Long
  3. Who has commit access, or has had patches accepted? How many total?
    There are 12 contributors to the project overall
  4. Has there been any turnover in the Core Team? (i.e. has the top 20% of contributors stayed the same over time? If not, how has it changed?)
    So far no, but the Core Team is the BDFL
  5. Does the project have a BDFL, or Lead Developer? (BDFL == Benevolent Dictator for Life)
    Jeremy Long
  6. Are the front and back end developers the same people? What is the proportion of each?
    Essentially, as Jeremy Long is the main developer by an overwhelming majority
  7. What have been some of the major bugs/problems/issues that have arisen during development? Who is responsible for quality control and bug repair?
    Nothing overwhelming
  8. How is the project's participation trending and why?
    The only real contributor is Jeremy Long, though it is fairly consistent
  9. In your opinion, does the project pass "The Raptor Test?" (i.e. Would the project survive if the BDFL, or most active contributor were eaten by a Velociraptor?) Why or why not?
    No, Jeremy Long is a couple thousand commits ahead of everyone else, and several million lines of code.
  10. In your opinion, would the project survive if the core team, or most active 20% of contributors, were hit by a bus? Why or why not?
    Again, no, because of the large disparity between commit amounts
  11. Does the project have an official "on-boarding" process in place? (new contributor guides, quickstarts, communication leads who focus specifically on newbies, etc...)
    None that can be easily found at least
  12. Does the project have Documentation available? Is it extensive? Does it include code examples?
    http://jeremylong.github.io/DependencyCheck/ has a large amount of information about the project, but nothing as far as code examples
  13. If you were going to contribute to this project, but ran into trouble or hit blockers, who would you contact, and how?
    You would need to talk with Jeremy Long
  14. Based on these answers, how would you describe the decision making structure/process of this group? Is it hierarchical, consensus building, ruled by a small group, barely contained chaos, or ruled by a single or pair of individuals?
    This isn’t really a business structure of any sort, so there isn’t much to say here.
  15. Is this the kind of structure you would enjoy working in? Why, or why not?
    Again, no real structure.
