[Owasp-board] [Owasp-leaders] ReAssigment of Project / Chapter Leadership and '... please update your Wiki pages ...'

Dinis Cruz dinis at ddplus.net
Wed Oct 31 11:24:51 UTC 2007

Hi Cliff

Great comments,

I'm CCing the OWASP board on this email.

See my comments below

On 10/24/07, Cliff Barlow <cbarlow at korelogic.com> wrote:
> Dinis:
> Speaking in regards to projects only and solely my personal opinion, may
> I suggest that you look at this from another angle.  Projects are not a
> matter of time but instead a matter of organizational sponsorship and
> support.

Very true and I agree 100% with you

> Many projects are the brainchildren of individuals who, the majority of
> the time, end up completing a lion's share of the project work.   The
> project sponsor's/lead's job is to lay out a solid premise and a roadmap of
> actions.  It can't be the lead's job to complete each and every roadmap
> task... if they do, it's not an OWASP project, it's an individual
> organizationally unsupported project.

Spot on.

And moving forward, I think that OWASP must provide more and more support
for projects that 'need' community participation in order to be successful.

In fact, going straight to your point, the role of OWASP should be to
transform 'individual projects into community projects'.

The question is how to do that, and how to create such an environment? :)

> So the root issue to project
> progression should not be placed solely on the project lead but instead
> on the OWASP organization and leadership itself.  Project leaders only
> have so much ability as a virtual voice on the other side of a web page.
> The OWASP organizational leadership should ask what it has done to
> support the project / project leads in garnering support and
> contribution to the projects.

True, and Cliff, can you help us work this out?

> So should we place a 3 or 6 month sorting on the OWASP leadership on
> their last contribution or support?

I think you should, nobody at OWASP is unaccountable and not made
responsible for their actions, even us :)

In fact the power of an open organization like OWASP is that such
non-activities are much harder to hide :)

As a side note, if what you refer to by 'OWASP Leadership' is the OWASP board,
please be aware that there are only 4 of us here :) , and the number of
projects is quite large:

One idea we had to promote projects was the OWASP Newsletters, which sort of
died due to lack of resources and commitment

> OWASP is a volunteer organization.
> It is a home of dedicated security professionals, all who have other
> security work at their charge, and who don't always have the time nor
> ability to rally the troops.  I do agree that if a project is getting
> little to no contribution the issue may not just be the project
> sponsor/leader, it's lack of interest in the project and therefore the
> project should be shelved.

And we should take a Darwinian view of this. Some projects are not fit for
OWASP, other projects are too-far-ahead, others too late, and others not
realistic for OWASP.

My view is that we should give it the best shot and see what happens.

Now, at the moment, I agree with you and I don't think that OWASP is
providing the best level of support it should be providing to ensure that
projects have as much visibility as they can.

For example, the latest 'book publishing' initiative is aimed exactly at
addressing this issue, since the plan is to expose to a much wider audience
(via the books) the great stuff done by certain OWASP projects.

> I'd suggest that instead of using a time as a measurement, perhaps OWASP
> leadership should review the projects in and of themselves and decide what it
> wants to put its weight behind.  As OWASP progresses, perhaps more
> analysis is needed in regards to project requests (e.g. how does this
> benefit OWASP members and the security community as a whole).

I agree, and we should definitely move this idea forward. Maybe have 4
projects every month that are highlighted and focused on?

> I'll be honest... my Assessment Standards project started with a good
> idea and something that Jeff, myself and others believe in.  However,
> after putting it out in front of the membership and presenting it at
> OWASP 2007, there has not been a lot of interest (which btw concerns me since
> bad assessment work, completed by self-proclaimed experts is at the very
> core of many companies' issues today).  If someone who can do better than
> I wishes to lead, I'd gladly pass the baton simply because I believe in
> the need...  but without OWASP leadership support, I'm pessimistic about
> the project's opportunity for success.  I'd love to make this project go
> but I do help in getting 'evangelized' and do want more to contribute but
> don't want to create it wholly myself (thus going against the basic
> community premise of OWASP).

Why don't we use your project as a test ground for these ideas?

Yours is a project which clearly the problem is not in your leadership but
in the lack of community participation.


Thanks a lot for your comments

Dinis Cruz
Chief OWASP Evangelist

Cliff Barlow
> Dinis Cruz wrote:
> > Hi Project and Chapter Leaders
> >
> > Something that has been discussed several times in the last couple months
> > has been 'What do we do with non-active projects or chapters?'
> >
> > (btw feel free to object against this idea and propose alternatives) The
> > solution we found is to basically say:
> >
> >    - 'If an OWASP Project has not released an update in the last 6
> >    months, that project needs a new leader' (note that this doesn't need
> >    to be a major new release, as long as there is active development and
> >    regular updates all is good)
> >
> >    - 'if an OWASP Chapter has not organized a meeting in the last 6
> >    months, that chapter needs a new leader'
> >
> > There are a ton of logistic and strategic issues to address, but these are
> > the core principles.
> >
> > Note that the idea is to make the assignment of new leaders a very easy and
> > straightforward process (in order to be faster than the current 'chapter
> > leader replacement-dance').
> >
> > Another important concept: If it is not on the WIKI, It didn't happen or it
> > doesn't exist !
> >
> > Please make sure your Project or Chapter WIKI page (
> > https://www.owasp.org/index.php/Category:OWASP_Project
> > or  https://www.owasp.org/index.php/Category:OWASP_Chapter ) is updated
> > since
> >
> > Fyi, in preparation for the course that I will be delivering at the next
> > OWASP conference in San Jose ( T5. Leveraging OWASP Tools and Documents to
> > Secure Your Enterprise
> > <https://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise_-_2-Day_Course_-_Nov_12-13.2C_2007>)
> > I will review every single OWASP Project and OWASP Chapter and will create a
> > list of the ones that need new leaders.
> >
> > My current plan is to publish this 'list of OWASP projects or chapters that
> > need new leaders' at the next conference.
> >
> > Dinis Cruz
> > Chief OWASP Evangelist
> > http://www.owasp.org
> >
> Thanks,
> Cliff Barlow, CISSP-ISSMP
> KoreLogic Security
> Director, Security Services
> 269.982.1707 (Office)
> 269.876.0442 (Mobile)
> www.korelogic.com
> PGP Fingerprint:  3AC7 DB29 FF36 5163 F608  3A03 C468 DA21 6404 C85F
