[Owasp-leaders] Reflections on Community
Jeff Williams
jeff.williams at owasp.org
Thu May 26 10:42:15 EDT 2011
I really appreciate that people are thinking about ways to ensure the future
of OWASP.
I absolutely disagree that OWASP needs a "focal point" to impose their
governance decisions on everyone. Don't get me wrong, it absolutely makes
things easier. When I took over in 2004, I (and Dave) made a lot of
decisions for OWASP. I was the one that made us a 501c3 not-for-profit.
Before that we were just a domain name. I moved us off a horrible custom
XML based CMS to the Wiki. And a ton of other decisions.
But for OWASP to succeed - really succeed with our mission, not just become
a sustainable not-for-profit - it had to be democratic. So we quickly put
in a board, elections, and global committees. But this doesn't imply
top-down governance. Instead this structure should be viewed as a support
platform for the efforts that we believe can move the ball down the field.
When I look back at what has really worked to grow and empower OWASP it is
never our attempts to push rules on participants. Instead, it's almost
always when we provided *support* to good ideas and let them run. Mostly
projects, chapters, and conferences just need some support from OWASP and
they'll do fine.
This line of thinking is heresy to many who haven't really thought much
about the power of decentralized governance. It's a Jeffersonian approach.
And the critical thing is that it has the potential to scale to the size of
the challenge we have chosen to attack. There are 15m developers in the
world, and we've touched only a tiny fraction. Anyone who is truly an OWASP
Leader can keep their eye on the ball, and simply doesn't have time to screw
around with nonsense.
I agree with Stephen that the risk to OWASP is not from crazies who might
infiltrate our community. The big risk is that we change from an
organization that empowers individuals to contribute into one that attempts
to control the way people can participate.
--Jeff
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig
Evans
Sent: Thursday, May 26, 2011 1:43 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Reflections on Community
@Dennis,
Thanks for sharing the OWASP history lesson. Very cool, understandable, and
nice to know.
@John,
To address one part of your email, I don't think the OWASP brand has been
diminished one iota.
When you say this:
"As a loosely-woven fabric of contributors the OWASP community remains more
closely as trustworthy as its weakest performers rather than as capable and
trusted as its best."
I agree with the former ("loosely-woven fabric of contributors") but totally
disagree with the last part of this statement.
I've tried to sit on my fingers throughout the recent threads to keep them
away from the keyboard, but the Tanqueray and tonic has won out :-)
If anybody has read the Starfish and the Spider, OWASP is a hybrid
organization. There are incredible, dedicated, consistent contributors and
leaders at the top - the Spider - and there are legions of contributors that
come and go - like me - when they can and want to contribute - the Starfish.
I love the 'O' of OWASP. It's pretty consistent and easy to define. Having a
moderator for the leaders list would screw this up. The recent series of
threads IMHO were very healthy.
To those of you who participated only to say that it was unbecoming of
OWASP, or you didn't want to see any more threads or comments about "the
situation", then instead just say nothing and don't participate. It's your
choice: if you don't like it, don't read it. In the long run, as peers we
judge each other and we will continue to be judged based on our behavior.
That's enough and that's the way it should be.
About your Incident Response paragraph:
"Because OWASP is an open (rather than a walled-garden) community, it has no
intrinsic border defense against threat. IFF some future attack was
underway, what documented and agreed-upon mechanism could OWASP show
adopting/sponsoring organizations it has in place to respond to such attacks
and protect its assets? Just like vendors have security controls, policy,
and operations teams, so must OWASP. That most of us are security vendors
and almost nothing exists is doubly-terrible."
I don't know where to start with this, and I should probably go back and try
to sit on my fingers... Sounds too dramatic to me and for sure I wouldn't
want OWASP to be equated to security vendors or have to answer to them in
any shape or form, nor do I believe that security vendors form the backbone
of support of OWASP.
One thing that most security vendors seem to be good at is making sure that
they never run out of work, which is a comment that I should probably delete
now - but I won't :-)
Cheers,
Stephen
--
http://www.linkedin.com/in/stephencraigevans
On Wed, May 25, 2011 at 6:03 PM, Dennis Groves <dennis.groves at owasp.org>
wrote:
Dear All,
Linux has Linus, GNU has RMS, and Ubuntu had Shuttleworth. Focal points will
be found in all healthy governance systems, democratic or otherwise. OWASP
needs to identify and elect its focal point again.
OWASP, when formed, had exactly this. It had a president (Mark) and
vice-president (myself). Although we did not at that time, nor ever,
call ourselves this. We used the terms founder and co-founder. These
natural focus points were not about power as such, because the mission was
*agreed* and *shared*.
However, it allowed OWASP, rightly or wrongly, to drive through many issues
very quickly, and keep us on task. We had people who attempted to sabotage
OWASP in the early days; and unfortunately they were not allowed into 'our
open group' and Mark and I heavily edited the mailing list to keep it
focused. Some people were very upset about this 'version of open' as they
were not allowed to participate as they caused more problems than they
solved. Others wanted to steal the work of the group and use it
commercially; and not give back. One of the nay-sayers went so far as to try
and take over the list because he saw this as so unfair.
Universal agreement doesn't exist and it is unfortunate that such things
needed to be done at all; however leadership sometimes requires difficult
decisions, and such difficult measures are necessary to keep focus,
direction and momentum.
The current board seems to be acting in the capacity of an oversight
committee and that is fine; I am not suggesting that there is anything wrong
with this. However, a non-profit business was chosen at the time because it
was a demonstration that Mark and I were not going to profit at the expenses
of the volunteers, an early accusation that OWASP faced. However, non-profit
corporations are still companies that have a leadership structure! OWASP
*is* a business.
Cheers,
Dennis
PS I don't speak for Mark, OWASP nor any others. My opinion is mine and mine
alone. My memory of history is subjective and thus subject to my bias. All
errors and omissions are unintentional and mine alone.
--
Dennis Groves <http://about.me/dennis.groves>, MSc
dennis.groves at owasp.org
<http://www.owasp.org/>
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
From: John Steven <John.Steven at owasp.org>
Reply-To: owasp-leaders at lists.owasp.org
To: owasp-leaders at lists.owasp.org
Date: Wed, May 25, 2011 at 2:18 PM
Subject: [Owasp-leaders] Reflections on Community
Mailing list: owasp-leaders.lists.owasp.org
All,
As I considered recent leader-list traffic with benefit of hindsight,
various calls (some on- some off-list) for openness and simultaneously for
'control' struck me. In keeping with the notion of "maturation" proposed by
the draft platform I published, I'd like leaders to consider future
opportunities to elevate the OWASP brand without compromising community
principles. What occurred on this list in this case (I think we can agree)
did little to elevate the brand. More likely what transpired impacted
perception of brand maturity negatively.
Food for thought:
* Single PoC - In the development and maturation platform, I call for:
"A single OWASP Grant Administration Point of Contact (PoC)".
As I've stated to some individually, organizational sponsors (and even
participants) want "one neck to wring" when, as a stakeholder, they're not
satisfied. A few leaders stepped forward and asked for a behavioral change.
Others even aligned with those requesting change could/did not follow
requests. People are free to behave however they desire but platform
elements, such as
"Establish engagement paradigm for commercial / federal grants".
simply can not be accomplished by an organization that does not respond to
authority (perceived, appointed, or otherwise). In this case, neither the
OWASP board nor its chair effectively stepped forward to propose a course of
action mutually agreeable to involved parties. What hope does a potential
donor organization have for timely satisfaction when they perceive their
rights/contract being compromised by OWASP behavior?
* Moderation - The leaders list, as I understand it, is implemented using
Mailman, which contains full list and user moderation. As emotion (and
unsavory language) became evident in responses, could a list administrator
cite the code of ethics and place a rate limit on messages (one per hour or
day?) without sacrificing openness, to allow things to cool? As an
alternative, could such a moderator set up a common Google Doc or other
forum in which all parties could participate and air their perspectives
without losing control of the list itself?
* Identify and Isolate Conflict of Interest - It became evident, to me, that
many of the participants in goings-on had history with each other. If the
board (or other entity) had agreed (off list?) to any sort of inquiry, could
this same body not reasonably ask previous participants to adjust public
discourse so as not to taint such inquiry or re-open old wounds? If, like
Mr. Van Der Stock requested, inquiry was postponed pending legislation,
could not the inquiring body request that all further discussion be tabled
in the meantime?
With such available prior history, publicly archived, could individuals not
quickly see the opportunity for inflammation and opt out of discussion,
allowing OWASP's brand to address the situation through channels rather than
individually picking up weapons and defending it with their own coat of
arms?
* Incident Response - Without taking any particular side, it's easy to
imagine how many individuals might have felt "attacked" by last night's
transgressions. Because OWASP is an open (rather than a walled-garden)
community, it has no intrinsic border defense against threat. IFF some
future attack was underway, what documented and agreed-upon mechanism could
OWASP show adopting/sponsoring organizations it has in place to respond to
such attacks and protect its assets? Just like vendors have security
controls, policy, and operations teams, so must OWASP. That most of us are
security vendors and almost nothing exists is doubly-terrible.
As I look at past personal behavior, I wonder what doors I've shut to myself
because I'll not be considered "Trustworthy" or "mature" or "highly
discerning" in my behavior. Within this leaders group, each of us must
protect not only our own opportunity but the opportunities of the group as a
whole. As a loosely-woven fabric of contributors the OWASP community remains
more closely as trustworthy as its weakest performers rather than as capable
and trusted as its best.
-jOHN
--
Phone: 703.727.4034
Rss: http://feeds.feedburner.com/M1splacedOnTheWeb
As a postscript, I personally don't find myself faulting particular people
here. Nor do I hold my own behaviors (in this case or otherwise) as example.
I am not qualified to serve as this organization's "moral compass". I list
these observations simply as room for future improvement.