[Owasp-board] [Owasp-leaders] ReAssigment of Project / Chapter Leadership and '... please update your Wiki pages ...'

Cliff Barlow cbarlow at korelogic.com
Wed Oct 31 13:26:38 UTC 2007


Dinis:

I'd be glad to help in any way I can.  btw:  I did not know there were
only four on the board.

I pulled up key questions you laid out and brought them forth below for
further thoughts/suggestions (Just one man's thinking):

Ques:  The question is how to do that? and how to create such environment?

I believe this will naturally be created by sorting, clearing and
placing emphasis on key projects.  In addition, use the OWASP yearly
meeting as a forum to hit upon a few key emphasis projects (either
during kick off or even by providing pamphlet handouts highlighting or
just creating signage in open areas for people to see and discuss).  In
addition, I'd suggest that you send out the emphasized projects with
their needs to the OWASP chapter leaders as challenges to their local
participation (or even potential project sponsorship (e.g. local chapter
adopt a project)).

However, I believe your greatest success will come from a 'sorting' of
projects presented on the home page placing emphasis on current 'goals'
will be your biggest help.

Ques:  True, and Cliff, can you help us working this out?

I'd be glad to.  Key here is to lay out each project in some form of a
tracking sheet which provides areas to document what has been done at
national level to support, does this match up with OWASP strategic
goals, is this a front runner project or a project that naturally fits
as a subcomponent into another project (i.e. Assessment standards fit
into OWASP book).  This information along with a 'priority sorting'
based on key industry trends/hot topics of projects will help the board
determine which needs more support and which should we draw back on.

I'll help as best I can but don't have the insight to strategic plan and
international happenings as you all.

Ques:  Maybe have 4 projects every month that are highlighted and
focused on?

The number will come out naturally I believe based on the priorities of
the board and key strategic plans of the board.  You may find that you
only want to put emphasis behind the book and testing guide first go
around for example.

Ques:  Why don't we use your project as a test ground for these ideas?

I'd be glad to support but want to ensure that you bring forth those
that meet your strategic directions first.  What does OWASP most need
today to keep it moving and in the forefront of application security
mind space?

Respectfully,
Cliff


Dinis Cruz wrote:
> Hi Cliff
> 
> Great comments,
> 
> I'm CCing the OWASP board on this email.
> 
> See my comments below
> 
> On 10/24/07, Cliff Barlow <cbarlow at korelogic.com> wrote:
> Dinis:
> 
> Speaking in regards to projects only and solely my personal opinion, may
> I suggest that you look at this from another angle.  Projects are not a
> matter of time but instead a matter of organizational sponsorship and
> support.
> 
> 
>> Very true and I agree 100% with you
> 
>> Many projects are the brainchildren of individuals who, the majority of
> the time, end up completing a lion's share of the project work.   The
> project sponsor's/lead's job is to lay out a solid premise and a roadmap of
> actions.  It can't be the lead's job to complete each and every roadmap
> task...
> 
> 
>> yap
> 
>> if they do, it's not an OWASP project, it's an individual
> organizationally unsupported project.
> 
> 
>> spot on.
> 
>> And moving forward, I think that OWASP must provide more and more support
>> for projects who 'need' community participation in order to be successful.
> 
>> In fact, going straight to your point, the role of OWASP should be to
>> transform 'individual projects into community projects'
> 
>> The question is how to do that? and how to create such environment? :)
> 
>>  So the root issue to project
> progression should not be placed solely on the project lead but instead
> on the OWASP organization and leadership itself.  Project leaders only
> have so much ability as a virtual voice on the other side of a web page.
> The OWASP organizational leadership should ask what it has done to
> support the project / project leads in garnering support and
> contribution to the projects.
> 
> 
>> True, and Cliff, can you help us working this out?
> 
>> So should we place a 3 or 6 month sorting on the OWASP leadership on
> their last contribution or support?
> 
> 
>> I think you should, nobody at OWASP is unaccountable and not made
>> responsible for their actions, even us :)
> 
>> In fact the power of an open organization like OWASP is that such
>> non-activities are much harder to hide :)
> 
>> As a side note, if what you refer by 'OWASP Leadership' is the OWASP board,
>> please be aware that there are only 4 of us here :) , and the number of
>> projects is quite large:
>> http://www.owasp.org/index.php/Category:OWASP_Project
> 
>> One idea we had to promote projects was the OWASP Newsletters, which sort of
>> died due to lack of resources and commitment
> 
>>  OWASP is a volunteer organization.
> It is a home of dedicated security professionals, all who have other
> security work at their charge, and who don't always have the time nor
> ability to rally the troops.  I do agree that if a project is getting
> little to no contribution the issue may not just be the project
> sponsor/leader, it's lack of interest in the project and therefore the
> project should be shelved.
> 
> 
>> And we should take a Darwinian view of this. Some projects are not fit for
>> OWASP, other projects are too-far-ahead, others too late, and others not
>> realistic for OWASP.
> 
>> My view is that we should give it the best shot and see what happens.
> 
>> Now, at the moment, I agree with you and I don't think that OWASP is
>> providing the best level of support it should be providing to ensure that
>> projects have as much visibility as they can.
> 
>> For example, the latest 'book publishing' initiative, is aimed exactly at
>> addressing this issue, since the plan is to expose to a much wider audience
>> (via the books) the great stuff done by certain OWASP projects
> 
>> I'd suggest that instead of using a time as a measurement, perhaps OWASP
> leadership should review the project in of themselves and decide what it
> wants to put its weight behind.  As OWASP progresses, perhaps more
> analysis is needed in regards to project requests (e.g. how does this
> benefit OWASP members and the security community as a whole).
> 
> 
>> I agree, and we should definitely move this idea forward. Maybe have 4
>> projects every month that are highlighted and focused on ?
> 
>> I'll be honest... my Assessment Standards project started with a good
> idea and something that Jeff, myself and others believe in.  However,
> after putting it out in front of the membership and presenting it at
> OWASP 2007, there has not been a lot of interest (which btw concerns me since
> bad assessment work, completed by self-proclaimed experts, is at the very
> core of many companies' issues today).  If someone who can do better than
> I wishes to lead, I'd gladly pass the baton simply because I believe in
> the need...  but without OWASP leadership support, I'm pessimistic about
> the project's opportunity for success.  I'd love to make this project go
> but I do help in getting 'evangelized' and do want more to contribute but
> don't want to create it wholly myself (thus going against the basic
> community premise of OWASP).
> 
> 
>> Why don't we use your project as a test ground for these ideas?
> 
>> Yours is a project which clearly the problem is not in your leadership but
>> in the lack of community participation.
> 
>> Respectfully,
> 
> 
> 
>> Thanks a lot for your comments
> 
>> Dinis Cruz
>> Chief OWASP Evangelist
>> http://www.owasp.org
> 
>> Cliff Barlow
> 
> Dinis Cruz wrote:
>>>> Hi Project and Chapter Leaders
>>>>
>>>> Something that has been discussed several times in the last couple
>>>> months has been 'What do we do with non-active projects or chapters?'
>>>>
>>>> (btw feel free to object against this idea and propose alternatives) The
>>>> solution we found is to basically say:
>>>>
>>>>
>>>>    - 'If an OWASP Project has not released an update in the last 6
>>>>    months, that project needs a new leader' (note that this doesn't need
>>>>    to be a major new release, as long as there is active development
>>>>    and regular updates all is good)
>>>>
>>>>    - 'If an OWASP Chapter has not organized a meeting in the last 6
>>>>    months, that chapter needs a new leader'
>>>>
>>>> There are a ton of logistic and strategic issues to address, but these
>>>> are the core principles.
>>>>
>>>> Note that the idea is to make the assignment of new leaders a very easy
>>>> and straightforward process (in order to be faster than the current
>>>> 'chapter leader replacement-dance').
>>>>
>>>> Another important concept: If it is not on the WIKI, It didn't happen or
>>>> it doesn't exist !
>>>>
>>>> Please make sure your Project or Chapter WIKI page (
>>>> https://www.owasp.org/index.php/Category:OWASP_Project
>>>> or  https://www.owasp.org/index.php/Category:OWASP_Chapter ) is updated
>>>> since
>>>>
>>>> Fyi, in preparation for the course that I will be delivering at the next
>>>> OWASP conference in San Jose ( T5. Leveraging OWASP Tools and Documents
> to
>>>> Secure Your Enterprise
>>>> <
> https://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise_-_2-Day_Course_-_Nov_12-13.2C_2007
>>>> )
>>>> I will review every single OWASP Project and OWASP Chapter and will
>>>> create a list of the ones that need new leaders.
>>>>
>>>> My current plan is to publish this 'list of OWASP projects or chapters
>>>> that need new leaders' at the next conference.
>>>>
>>>> Dinis Cruz
>>>> Chief OWASP Evangelist
>>>> http://www.owasp.org
>>>>
> --
> Thanks,
> 
> Cliff Barlow, CISSP-ISSMP
> KoreLogic Security
> Director, Security Services
> 269.982.1707 (Office)
> 269.876.0442 (Mobile)
> www.korelogic.com
> PGP Fingerprint:  3AC7 DB29 FF36 5163 F608  3A03 C468 DA21 6404 C85F
> 
> This E-mail and any of its contents may contain KoreLogic, Inc.
> proprietary information, which is privileged, confidential, or subject
> to copyright belonging to KoreLogic. This E-mail is intended solely for
> the use of the individual or entity to which it is addressed. If you are
> not the intended recipient of this E-mail, you are hereby notified that
> any dissemination, distribution, copying, or action taken in relation to
> the contents of and attachments to this E-mail is strictly prohibited
> and may be unlawful. If you have received this E-mail in error, notify
> the sender or e-mail kore at korelogic.com immediately and permanently
> delete the original and any copy of this E-mail.
> 


