[Owasp-board] Fwd: owasp involvement ?

dinis cruz dinis.cruz at owasp.org
Thu Jun 11 09:02:26 UTC 2009

For all his faults, Justin is raising a number of very important points that
we should address.

In fact it really shows why we have to constantly make an effort to to be
100% transparent an open with what is going on at OWASP Board & Committees
(i.e. everytime information is not disclosed people are free to make their
own interpretation of events)


2009/6/11 Seba <seba at owasp.org>

> FYI - response from Justin.
> --Seba
> ---------- Forwarded message ----------
> From: Justin Derry <jderry at fortify.com>
> Date: Wed, Jun 10, 2009 at 1:23 AM
> Subject: RE: owasp involvement ?
> To: Seba <seba at owasp.org>
> Hi Seba,
> Yes you are correct, i am pulling out of pretty well all activities
> OWASP. Will still help out with the Brisbane chapter and with Pravir on
> the Maturity projects etc, but i summarize below my issues and why i
> made this decision.. But furthermore i am not the only one feels this
> way, alot of people are trying to do the right thing with OWASP to no
> avail.. (and will pull out or probably over the next year,, i think most
> people can hold their sanity longer then me )..
> Firstly OWASP has become a "Pay for your holiday" group. The latest
> being this crazy notion of allowing funds for projects to all meet in a
> single location. OWASP is not for profit, and not a "paid holiday"
> because people just want to help out with the project.
> I have done many many many things over the years (7-8 years) with OWASP
> and NEVER ever asked for money or taken money for project work etc...
> People are more interested in what OWASP can give them for doing things
> then what they can do for OWASP..
> An original founder of OWASP once told me (not to long ago), that sooner
> rather then later OWASP will self implode.. He didn't want this to
> happen, but felt it was going to happen. Unfortunately i see this
> happening.. The current structure and process i believe will cause this
> unfortunately. The so called board/structure changes have NOT been
> successful in OWASP..
> I ran the OWASP AU conference this year and we lost money.. Sorry fact
> of life. The only reason for this was we had attendance down (like EU
> and others)... But... we reached a new audience, got more people
> thinking about owasp, created some awesome content, and got media
> coverage in AU.. What that means to me, is the 20-30K we lost wasn't
> that bad.. We achieved what owasp should be spending money on...
> Advancing the concept of application security and awareness..
> I get people grumpy and some very interesting words about me, about the
> event i ran, when i told them what we needed to do and was ignored.
> (because we should have promoted like last year as a APAC event, but
> because wayne wants to run a local event in Taiwan which he still hasn't
> released we couldn't do this..)..  OWASP HAS TO START MARKING hard
> decisions.. APAC is one region like EU and the US...
> And then i get people grumpy (and i know what has been said behind my
> back from the board..) people have told me straight to my face people i
> trust.. That it's better for the money we spend on conferences, to pay
> for people travelling around the world.(the board is included in that..)
> OWASP Should publish how much money is actually spent on flying people
> around the world.. I can imagine it's not small.. Would actually be
> probably one of our major expenses.
> I warned everyone about the fact the numbers would be down at the EU
> conference, and my comments were not listened too. I don't know how much
> OWASP lost at the EU conference. I have never had a board member come to
> the OWASP AU event?? Asked both years.. I would like to go on record
> saying the objective was to make money on the OWASP AU event,
> unfortunately due to the economic climate this didn't happen..
> As an outsider the "administrative" management of OWASP is in a state of
> mess... If i ran a business like this i would be broke in a second.. It
> took me 5 (of the same emails) and about 3-4 months last year, to
> actually get kate to move on the owasp AU event.. What a joke.. (i
> submitted the details in JUNE 08, got resent multiple times and only got
> looked at after the US event in oct...) (this contributed to the
> advertising issues of the AU event this year). We didn't even have
> advertising on the owasp site (banners) until mid JAN... Even after
> asking in NOV09...)
> I still maintain the "board" should be changed.. There are many people
> on the board for too long, and there should be APAC representation on
> the board, not just on the committee's.. I don't believe the committee's
> have that much capability to mould the direction of owasp... The other
> problem is time (as in timeframes). I know things are available for
> listening etc.. But there is minimal consideration about the fact the
> world has different time zones.. Thinking more about it, has the board
> ever set a detailed mission, business plan and strategy for OWASP each
> year??
> Funny, to give you an idea of admin things... The most recent "basic"
> update on board notes jan this year.. The last 4 months there is
> basically no notes online... I am sure the board is still meeting??
> So after all that, as you can imagine i feel uncomfortable and i am not
> the only one.. Funny i know that OWASP is having problems with
> membership etc.. OWASP is starting to be known as the holiday haven for
> people... Yeah i do a project, give me some money to fly..
> Then you get some people that are involved in the project (with a loud
> voice)... that are in it purely for a "fame" game.. There are lots and
> lots of these people.. Look at selected people that were involved and no
> longer are.. These are people that never wanted the fame (including me),
> and just wanted to help the industry, which i will continue to do in my
> company and role at Fortify..
> In a nutshell, i am frustrated with the entire thing, have lots of
> things going on in my life, and then i get stupid emails from people
> telling me that the O in OWASP stands for OPEN.. Yeah
> RIGHT!!!!!!!!!!!!!!!!!!!! I know this.. i was working on OWASP when you
> were still in kindy buddy... (not you seba the guy from the projects
> committee whom sent me the email..)
> I do wish OWASP all the best i don't think there is much hope left, the
> changes needed are too wide to be implemented to turn around owasp i
> believe.. And with the "politics" going on, makes the change basically
> impossible...
> Sorry for the long winded email.. Hope things are well...
> Kindest Regards
> Justin
> -----Original Message-----
> From: sebastien.deleersnyder at gmail.com
> [mailto:sebastien.deleersnyder at gmail.com] On Behalf Of Seba
> Sent: Wednesday, 10 June 2009 3:15 AM
> To: Justin Derry
> Subject: owasp involvement ?
> Hi Justin,
> For the record: do I understand correctly that you do not want to be
> involved in OWASP acitivities anymore?
> Including the global chapter committee?
> I would appreciate to have a sort of feedback from your part in how
> this could have been prevented and/or what we can learn from this as
> an organisation.
> Thx
> Seba
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20090611/b01893b9/attachment-0002.html>

More information about the Owasp-board mailing list