[Owasp-board] Fwd: owasp involvement ?
seba at owasp.org
Thu Jun 11 07:01:57 UTC 2009
FYI - response from Justin.
---------- Forwarded message ----------
From: Justin Derry <jderry at fortify.com>
Date: Wed, Jun 10, 2009 at 1:23 AM
Subject: RE: owasp involvement ?
To: Seba <seba at owasp.org>
Yes you are correct, i am pulling out of pretty well all activities
OWASP. Will still help out with the Brisbane chapter and with Pravir on
the Maturity projects etc, but i summarize below my issues and why i
made this decision.. But furthermore i am not the only one who feels this
way, a lot of people are trying to do the right thing with OWASP to no
avail.. (and will pull out or probably over the next year, i think most
people can hold their sanity longer than me )..
Firstly OWASP has become a "Pay for your holiday" group. The latest
being this crazy notion of allowing funds for projects to all meet in a
single location. OWASP is not for profit, and not a "paid holiday"
because people just want to help out with the project.
I have done many many many things over the years (7-8 years) with OWASP
and NEVER ever asked for money or taken money for project work etc...
People are more interested in what OWASP can give them for doing things
than what they can do for OWASP..
An original founder of OWASP once told me (not too long ago), that sooner
rather than later OWASP will self implode.. He didn't want this to
happen, but felt it was going to happen. Unfortunately i see this
happening.. The current structure and process i believe will cause this
unfortunately. The so called board/structure changes have NOT been
successful in OWASP..
I ran the OWASP AU conference this year and we lost money.. Sorry fact
of life. The only reason for this was we had attendance down (like EU
and others)... But... we reached a new audience, got more people
thinking about owasp, created some awesome content, and got media
coverage in AU.. What that means to me, is the 20-30K we lost wasn't
that bad.. We achieved what owasp should be spending money on...
Advancing the concept of application security and awareness..
I get people grumpy and some very interesting words about me, about the
event i ran, when i told them what we needed to do and was ignored.
(because we should have promoted like last year as an APAC event, but
because wayne wants to run a local event in Taiwan which he still hasn't
released we couldn't do this..).. OWASP HAS TO START MAKING hard
decisions.. APAC is one region like EU and the US...
And then i get people grumpy (and i know what has been said behind my
back from the board..) people have told me straight to my face people i
trust.. That it's better for the money we spend on conferences, to pay
for people travelling around the world.(the board is included in that..)
OWASP Should publish how much money is actually spent on flying people
around the world.. I can imagine it's not small.. Would actually be
probably one of our major expenses.
I warned everyone about the fact the numbers would be down at the EU
conference, and my comments were not listened to. I don't know how much
OWASP lost at the EU conference. I have never had a board member come to
the OWASP AU event?? Asked both years.. I would like to go on record
saying the objective was to make money on the OWASP AU event,
unfortunately due to the economic climate this didn't happen..
As an outsider the "administrative" management of OWASP is in a state of
mess... If i ran a business like this i would be broke in a second.. It
took me 5 (of the same emails) and about 3-4 months last year, to
actually get kate to move on the owasp AU event.. What a joke.. (i
submitted the details in JUNE 08, got resent multiple times and only got
looked at after the US event in oct...) (this contributed to the
advertising issues of the AU event this year). We didn't even have
advertising on the owasp site (banners) until mid JAN... Even after
asking in NOV09...)
I still maintain the "board" should be changed.. There are many people
on the board for too long, and there should be APAC representation on
the board, not just on the committees.. I don't believe the committees
have that much capability to mould the direction of owasp... The other
problem is time (as in timeframes). I know things are available for
listening etc.. But there is minimal consideration about the fact the
world has different time zones.. Thinking more about it, has the board
ever set a detailed mission, business plan and strategy for OWASP each
Funny, to give you an idea of admin things... The most recent "basic"
update on board notes jan this year.. The last 4 months there is
basically no notes online... I am sure the board is still meeting??
So after all that, as you can imagine i feel uncomfortable and i am not
the only one.. Funny i know that OWASP is having problems with
membership etc.. OWASP is starting to be known as the holiday haven for
people... Yeah i do a project, give me some money to fly..
Then you get some people that are involved in the project (with a loud
voice)... that are in it purely for a "fame" game.. There are lots and
lots of these people.. Look at selected people that were involved and no
longer are.. These are people that never wanted the fame (including me),
and just wanted to help the industry, which i will continue to do in my
company and role at Fortify..
In a nutshell, i am frustrated with the entire thing, have lots of
things going on in my life, and then i get stupid emails from people
telling me that the O in OWASP stands for OPEN.. Yeah
RIGHT!!!!!!!!!!!!!!!!!!!! I know this.. i was working on OWASP when you
were still in kindy buddy... (not you seba the guy from the projects
committee who sent me the email..)
I do wish OWASP all the best i don't think there is much hope left, the
changes needed are too wide to be implemented to turn around owasp i
believe.. And with the "politics" going on, makes the change basically
Sorry for the long winded email.. Hope things are well...
From: sebastien.deleersnyder at gmail.com
[mailto:sebastien.deleersnyder at gmail.com] On Behalf Of Seba
Sent: Wednesday, 10 June 2009 3:15 AM
To: Justin Derry
Subject: owasp involvement ?
For the record: do I understand correctly that you do not want to be
involved in OWASP activities anymore?
Including the global chapter committee?
I would appreciate to have a sort of feedback from your part in how
this could have been prevented and/or what we can learn from this as