[Owasp-board] FW: News on OWASP Conference Asia Pacific 2009

Jeff Williams jeff.williams at owasp.org
Wed Oct 1 17:20:48 UTC 2008

I have it on my calendar for next Tues.  





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan
Sent: Wednesday, October 01, 2008 12:46 PM
To: 'OWASP Foundation Board List'
Subject: Re: [Owasp-board] FW: News on OWASP Conference Asia Pacific 2009


When is the next board meeting so we can pick up with current and open
topics?  Teleconf # and ID


Review the last few months and you will see there are a bunch of "open items".

http://www.owasp.org/index.php/OWASP_Board_Meetings_October_Agenda  <---
let's add to the agenda


It is also to lay out items that we need to get membership "votes" on for
Portugal so that we are doing this blind and last min.  The OWASP Chapter
Leaders meeting in NYC on 9/24 was a good start; we have issues to address
and had over 30 people from around the world to discuss them... not all of whom
are attending Portugal.



From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Wednesday, October 01, 2008 11:47 AM
To: 'OWASP Foundation Board List'
Subject: [Owasp-board] FW: News on OWASP Conference Asia Pacific 2009

FYI - trying to work this through with Justin.


I'd like everyone to please coordinate our public statements.


We're going to need a coordinated public front on issues that arise.  As a
member of the board, you're speaking for OWASP (even if you say you aren't).
It's okay for the leaders list to debate things, but we need to be a bit
careful when we speak publicly on issues.  Here are a few issues currently
causing trouble.


1)      ISC^2 - personally I don't think that we can have any affiliation
with their effort (other than a paid conference sponsorship) as it is
clearly commercial. I think we should continue to do what we feel is right
in the certification space.  I don't see how their announcement changes
anything (especially since there's already a SANS cert).  Personally, I
think we should set a pretty high bar for a true appsec professional.  But
the board shouldn't speak publicly about this until we have a position.


2)      Regional leaders - This is something we need to discuss.  The number
of regional conferences (and one-day events) has been growing fast.  We need
to make sure that these efforts do not do anything to hurt the OWASP brand.
I'd like to see some rules that require all events to follow some guidelines
and they must coordinate with the OWASP Foundation.


3)      Pentest vs. Source Code Review - This is a dumb debate.  I'd like
the board members to try to steer this discussion towards a more productive
position.  In my mind, these are both useful tools for the toolbox, and the
goal is verifying the security of apps (note that's not just hacking or
finding holes).  Zooming out, verifying is a very important piece of an
overall appsec program, which includes training, building, verifying, and


If you disagree on any of this, please let's discuss it as the board and get
our position together.  Please don't speak for the Board without






From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Wednesday, October 01, 2008 11:23 AM
To: 'Dave Wichers'; 'jderry jderry'; Kate Hartmann
Subject: RE: News on OWASP Conference Asia Pacific 2009




Thanks for the details.  There's no question that the board and everyone
else at OWASP values your efforts in the region.  We have all considered you
a key player in our organization.


Please understand that all the Board members are volunteers and have full
time (and quite demanding) jobs.  Many of us are also leading and mentoring
OWASP projects (like ESAPI) that are also quite time-consuming.  I apologize
for any insult or oversight by the members of the Board.  I know Tom is a
bit rough but we're working on it.


The power struggles going on here are unfortunate, but not totally
unexpected.  As OWASP grows in influence, there will certainly be those who
try to use it for their own ends.  We are totally committed to having
chapters and conferences that are not dominated by a vendor or commercial
influence.  If leaders abuse their role, they will be asked to step down.
Note that we have sent several warning letters to Wayne concerning Armorize.


I think your suggestion to have regional leaders is an interesting one, and
something we probably need.  I'd like regional leaders to be the type that
don't get caught up in the personal aspects, and can maintain a level of
diplomacy and professionalism about things, and can keep out the commercial
influence.  I'm going to propose that we start the search for regional
leaders and I hope you'll consider applying.  The Board will take this up at
our next meeting.


Please don't hesitate to contact me with issues related to OWASP. I don't
want issues to simmer beneath the surface and have them boil over later. 


Thanks for all your support to OWASP - it is appreciated.




Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 

work: 410-707-1487

main: 301-604-4882


OWASP <https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference>
AppSec NYC 2008 is coming...  are you ready?


From: Dave Wichers [mailto:dave.wichers at owasp.org] 
Sent: Wednesday, October 01, 2008 10:48 AM
To: 'jderry jderry'; Kate Hartmann
Cc: jeff.williams at owasp.org
Subject: RE: News on OWASP Conference Asia Pacific 2009




I can't comment on the difficulties you have been having with Wayne and Tim
(and Tom?), but I do want to get this contracts issue addressed.


Kate and I will certainly work to get this resolved right away. Your comment
in NYC was the first I had heard of it (and I do remember talking to you
there :-) ). Kate apparently either didn't receive the contract or it got lost
in her mountain of e-mail. Plus the NYC conference was in crisis mode for
the last 2 weeks and so that monopolized all her time.


If you can resend it to me and Kate will start looking into it right away.


Do you have dates selected and a conference page started on the wiki that I
can link to from the main OWASP conferences page?


I personally know that you have been doing great things for OWASP in your
region and we want to support you as best we can in your endeavors. For my
immediate role, let's get your conference in good shape and we can then
start working on the other issues you have raised.


Thanks, Dave


From: jderry jderry [mailto:jderry at owasp.org] 
Sent: Wednesday, October 01, 2008 10:13 AM
To: jeff.williams at owasp.org
Cc: Dave Wichers
Subject: Re: News on OWASP Conference Asia Pacific 2009



I am also lost at why the contracts and direction for the conference next
year have taken so long to happen? (and now they are lost).


Kindest Regards


On Wed, Oct 1, 2008 at 9:44 PM, Jeff Williams <jeff.williams at owasp.org>

Hi Justin,


I've been forwarded a few email threads that indicate you're disappointed
with OWASP and the OWASP Board.  I'm a bit surprised, since this is the
first I've heard of it.  Could you share with me your specific concerns so
that I can attempt to get them resolved?






Jeff Williams, Chair

 <http://www.owasp.org/> The OWASP Foundation

work: 410-707-1487

main: 301-604-4882

