[Owasp-board] Crapping on projects

Jeff Williams jeff.williams at owasp.org
Tue Oct 6 04:34:09 UTC 2009

Thanks Dinis,


Thanks for the insight into your thoughts.  Maybe that's the real problem -
you just can't convey all that in 140 characters.  The tone of the tweet
came off very negative to me when I read it.  When you say "I have one word
for you" generally the next word is not a compliment :)  Now I get the
plastics reference, but I missed it.  Also when you say they are "miles
ahead" it's like you're calling his efforts pathetic.  Which actually I
think you are.  But I think a much better message would be to say "Hey, have
you considered taking advantage of the data flow capabilities in WALA?"  I'm
glad Paolo is cool with it.  I wasn't really worried about him - it's all
the other readers without context.


Anyway, thanks for explaining.  I guess I overreacted.





From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Monday, October 05, 2009 10:15 AM
To: jeff.williams at owasp.org
Cc: OWASP Foundation Board List
Subject: Re: [Owasp-board] Crapping on projects


Hey Jeff 


First of all, thanks for raising the alert and please, please always do so
whenever you think I've crossed the line.


Like you said, appearances are very important, and while I do make a very
big conscious effort to keep my independence, sometimes one is too close to
the action to notice the implications of one's own actions.


That said, in this case, I don't really fully understand why my tweet was
inappropriate, so Jeff (and others) please see my answers below and point me
to where I am being wrong.


2009/10/1 Jeff Williams <jeff.williams at owasp.org>


I hate to call you out, 

no worries, like I mentioned before, always speak your mind when you think I
have not acted in an appropriate way 

but I think your tweet to Paolo Parego (theSp0nge) was inappropriate in
several ways.  If I misunderstood, I apologize and please help me


       > I have one word for you @thesp0nge : #WALA (from #IBM) It's open
       > source and is miles ahead of where you are now #owasp #owasporizon

Just for reference, I posted this tweet in response to this tweet from Paolo:


> I'm a bit scared about the competitiveness lag between Orizon and other
> opensource SASTs. I need to refine the strategy #owasp #owasporizon


My reading of that tweet from Paolo was that he was asking for help/comments
on where he should be going next.

First, as a board member, I think we need to be encouraging to the folks
that dedicate their free time to helping OWASP's mission.  If we think that
a project is not likely to succeed because it isn't as good as some other
library, then we should try to constructively steer that project towards
something useful.  I think your message to Paolo would be discouraging to
other project leads as it sends the message that the OWASP Board does not
have their back!

OK, from what I understand from the above paragraph, there are 3 issues:


1) Board members should be encouraging project leaders

2) When Board members provide comments they should do it in a constructive
way (and steer the project on the right direction)

3) Board members have to be careful when 'criticizing' project leaders since
that 'criticism' could make that project leader feel that they don't have
the support from the OWASP Board


Before I comment, it might be good to explain why I was trying to point
Paolo and Orizon to WALA.


Orizon is a great project and Paolo has good ideas about it, but let's be
honest, the tool doesn't even come close to being able to perform static
analysis of code! (I've tried to use it several times and at the moment it is
just a glorified grep). The problem is that Paolo is trying to create
everything (almost) from scratch, and creating an engine that is able to
follow tainted data is VERY hard (as we can see by the amount of time that
it is (still) taking Ounce, Fortify & IBM to get it right). Paolo has great
ideas and there are a lot of great concepts in Orizon, BUT until Orizon is
able to follow tainted data, that tool will never be a credible/valid
alternative to the current commercial tools (and next-gen Open Source

As you know, I've spent a LOT of time over this past year researching
Static-Code-Analysis techniques, and have always been quite frustrated
because I couldn't help Paolo. And the reason was that Orizon
didn't/doesn't have a taint-analysis engine. And this is where WALA (for
Java) and maybe Microsoft's Phoenix/CAT.NET (for .NET and C++) come into the
equation, since they could provide Orizon the missing piece of the puzzle.
Note that the IBM-developed source-code analysis engine (which was not
working as expected and was one of the reasons why IBM bought Ounce) was
built on top of WALA (same for the IBM RSAr product (IBM Software Analyzer)).


Maybe Twitter was not the best medium and maybe my 'play on words' with 'The
Graduate' was not the most fortunate, but what I was trying to say to Paolo
was: "...Hey man, don't re-invent the wheel and use WALA as one of Orizon's
engines..."  (note that I have asked Paolo what he thought of that tweet
(the one Jeff mentions above) and he replied to me that he was OK with it).


So, going back to Jeff's paragraph above:


1) Board members should be encouraging project leaders


I felt I was doing this, since I was providing what were (in my mind at least
:)  ) constructive comments.


2) When Board members provide comments they should do it in a constructive
way (and steer the project on the right direction)


This is exactly what I was trying to do (steer the project on the right


3) Board members have to be careful when 'criticizing' project leaders since
that 'criticism' could make that project leader feel that they don't have
the support from the OWASP Board


This is a tough one, since I do believe that what our project leaders want
from us (and other OWASP leaders & the GPC) is feedback. I.e. they receive SO
LITTLE feedback that ANYTHING (good or bad) is better than silence.


We also can't put ourselves (Board Members) in a position where we can't say
anything bad or 'non-positive' to project leaders! We all have complex
commercial interdependencies and 'possible conflicts of interest', so maybe in
the medium term we need to create a way for us to officially 'speak as board
members' (making everything else 'non-board-member-talk').


A final point I would like to make is that I would argue that OWASP
projects should (from a quality point of view) be 'as good if not better'
than the current commercial equivalents, and more and more we need to put
more pressure on our leaders to deliver better tools (in some way this is
what we are doing at the GPC with the new project assessment criteria).


We also should not be afraid to point our OWASP leaders to other Open Source
projects that can help their tools (this way they don't have to reinvent a
lot of wheels).


Second, you have a commercial relationship with IBM (of some sort) which
makes your thoughts about open-source static analysis projects seem biased.
(I say *seem* because I know that you are not - but I'm talking about
appearances here).  I know WALA is open source too, but I believe it comes
across wrong.  We just need to be careful here.

My view on this is that as long as the recommendations I make are for other
(OWASP or not) Open Source projects, then it is OK to make those.


I would agree with you if I had said "..Hey man, just use IBM's RSAr engine, it
is not Open Source but it is well priced ... "; that would have been a
conflict of interest since I would be pushing Orizon to use a commercial
engine on top of its Open Source code (note that I only moved O2 to OWASP
once it had enough 100% Open Source functionality that it would be useful
even without an Ounce engine license).


Because of my current relationship with IBM (contract still to be signed
:)  ) I do (or will) have a better insight into what they are doing over
there. BUT I don't see any harm (and please correct me if I am wrong) in
trying to build some bridges and connect OWASP with existing IBM (or other)
Open Source projects.


Let's say for example that an OWASP project was implementing their own
database; shouldn't we have the duty/right to say to them "..Hey, why don't
you use MySQL or HSQLDB instead?...." (regardless of whether the person doing the
recommendation was working for Sun/Oracle)?


Third, Orizon is security-focused and supports many languages.  WALA appears
to be for Java only and is not security focused.  Were you suggesting that
Orizon look to WALA as an engine to help with security analysis?

Yes, that is exactly what I am proposing: "... Orizon look to WALA as an
engine to help with security analysis..." :)


Note that it is going to take years for Paolo to get Orizon to do (for
Java) what WALA can do today, and WALA can be extended to support other


I know this is always going to be a challenge for us, as we all have
commercial relationships, but I'm hoping to keep on top of it so that we
protect non-commercial nature of OWASP.


Sure, but I still fail to see the problem in pointing an OWASP project to
another Open Source project (regardless of who paid for the original


Am I missing something here? Am I not supposed to make comments on IBM open
source tools?


If my explanations above still fail to convince you, please help me to
understand the issue (btw, once we have cleared this up amongst us, I will write
a blog post about my 'WALA comment to Paolo').


Dinis Cruz




