[Owasp-board] Yiannis issue
dinis.cruz at owasp.org
Thu Sep 24 14:52:17 UTC 2009
OK, this is a very hard email for me to write and I hope my message comes
across (note the limited CC list). I view that part of my role is to
motivate people and really like to point out what is wrong (much preferring
to find solutions and move on). That said, the GPC is made up of a number of
individuals and their actions have an impact on the others, the GPC and OWASP in
Leo, I think Matt already addressed most of the issues you raised, and
hopefully I can fill in the gaps here, and push the discussion to where I
think we need it to be.
I have been writing this email in my head for a while but haven't found a
nicer way to put this, so here are my 'unedited comments'
- Leo, as a GPC member I don't think you have the 'authority' to make
most of the criticisms that you are making (below), since you are a GPC
member complaining about what the GPC does
- The reason I say you don't have 'authority' is because you (as a GPC
member) have had the opportunity over the past 10 months to do something
- For example, when you say "...I intended to help OWASP projects on
making them better in quality and richness..." I don't believe any of us
(at the GPC) ever said "...NO, don't help OWASP projects as a GPC member
and make them better..." (in fact, one of the great 'untold' success
stories of the GPC is the fact that many projects ACTUALLY received SOME
feedback from somebody at OWASP! One year ago, they would ask technical
questions of Paulo Coimbra, who was not able to handle those project leaders'
technical issues. For the past 10 months I remember seeing a lot of traffic
from GPC members (probably from you too, Leo (don't have the stats here))
giving direct advice and comments to OWASP projects. Is that enough? NO, of
course not! and we need to do a much better job at it (especially in dealing
with complementary projects). But remember that at the GPC, we are still
struggling to manage/control the basics:
- i.e. what is each project doing, what does it do, where are the
download links, is it active, etc..?
- Sorry to be blunt, but my reading of this situation is that you (LEO)
were not able to find enough time over this past 10 months for the GPC (in fact,
I don't think we should dig up the past, but I do remember several 'tasks' that
I tried to push your direction (since you were not very proactive in taking
responsibilities) and I can't really point out a major deliverable from you
- Leo, note that I am not saying you didn't do ANYTHING for the GPC, of
course you did (for example you worked on the Documents section of the new
Assessment Criteria) but you could have done much more. And just to make
sure I was not missing something obvious here, I had a quick look at your
you can see that your GPC related changes are quite small.
- It is hard to make comparisons, but I hope that you don't dispute
that Jason's, Matt's or Brad's performance on the GPC has been
- To be honest, my main worry with you (Leo) as a GPC member is that
(when compared with the other GPC members) I don't think you are fully 'on
board' with what we are (currently) trying to do at the GPC (in fact your email
- And this is also visible on the main owasp-leaders mailing list
threads where (especially) Matt, Jason and Brad have publicly spoken in
defense of the GPC's ideas and efforts (which another great
the GPC (one year ago it was just Dave, me and Paulo))
- Please forgive my brutal honesty, but we have an issue today that we
need to solve.
- You (Leo) are clearly unhappy with the way the GPC is working.
- You (Leo) clearly think that "...OWASP has getting kind of
'demo-bureaucratic capitalist'..."
- You (Leo) are "...very unproductive and frustrating..."
- and I (on behalf of the OWASP Board) have an issue at hand with
an under-performing GPC member who doesn't believe in what the GPC is
- And please don't view this as "I (Dinis) don't like critics and am
'shooting the messenger'" because (I hope) the lengthy discussions
and debates that we have at the GPC (which you (Leo) don't like) are a good
example of open debate and an 'any idea can be challenged' environment
- Again, the reason I am being harsher on you is because you are a
GPC member and with that come responsibilities. One of those responsibilities is
to 'do something about what you think is wrong'. Another
responsibility is to dedicate enough time so that you can make a difference
(which I don't think you have (probably due to professional or personal
reasons, but the bottom line is that you haven't spent as much time as you
probably should have on the GPC))
- And why didn't you spend enough time with the GPC and are not motivated to
work on it?
- maybe the problem is the path the GPC has chosen to go!
- maybe it is me (Dinis) and the leadership style that I have chosen for
- That said, I don't think the GPC's current path is wrong (it would be nice
to go faster, but...), so I would say that the issue here is you, Leo
- 'Being a committee member or GPC member' means that one has to work
extra hard and be able to make a difference.
- Leo, you need to make a decision: you need to look at your GPC past
and decide if you want to continue!
- I don't see the GPC changing its course, so you need to take a realistic
look at your current professional and personal commitments, and see if you
can find the time, energy and frame of mind to continue as a GPC member
Sorry again to be so blunt, but I really believe that "the true friend is
the one that doesn't hide their thoughts and says what he/she is really
feeling". I'm taking the time to write this long email because you deserve
my respect (for all your past work on OWASP) and because I think that you
need a little push into making a decision. And when we meet up at AppSec
Brazil, the beers are on me :)
Sort of related to the above and Leo's comments
- ADSR is probably the HARDEST OWASP project of them all. Leo tried quite
hard to make it work, but as we know, that project is still a far cry from
what it needs to be
- Part of the ADSR problem is that for it to be successful it needs to be
presented in a way that 'fires up the imagination' of its users/contributors
and adds 'immediate value'.
- Leo complains about the visibility that ESAPI has (when compared with
ADSR). And although it is true that projects like ESAPI and SAMM have a much
higher profile (at all levels) than projects like ADSR, the main reasons are
related to the project's vision and the way those projects have been
created, built and executed (including a big effort and time commitment into
building a community). Ironically, both Jeff and Pravir are the best guys
to understand Leo's position, since they were the authors of two OWASP
projects that had as much 'visibility' and 'community interest' as ADSR. I'm
talking, of course, of the Legal Project and the (very Lightweight) CLASP :)
- There is also a technological problem with the ADSR WIKI pages, which
hold static content that can't be reused elsewhere. Ironically, the new 'GPC
template driven project architecture' could be a solution for
- Talking about Pravir, there is a case to be made that Pravir has also
not dedicated as much time as maybe he should to the GPC. One could ask what
Pravir's GPC contributions are. Are they on par with Leo's?
- I might be biased here, but I don't think so.
- Pravir is one of the most experienced and intelligent OWASP
contributors, and although he does like to argue that 'this is
white if he says it is black', he made (for example) substantial
contributions to the discussion of the new Project Assessment V2.0 and SoC
09. We also can't forget that a lot of the work Pravir is doing at SAMM has
a direct mapping into the GPC and that (from my understanding) Pravir also
'understands' and defends the need for having good and solid
(in fact Pravir is 'Mr Process'). That said, I still have very high hopes for
Pravir's GPC contributions and am looking forward to his 'visualization of the
Project Assessment Criteria V2'
Hopefully this all made sense
Sorry again if I was too direct, but this is what is on my mind
2009/9/18 Leo Cavallari <leo.cavallari at owasp.org>
> Hi guys, Brad,
> I do see.
> I didn't raise the flag before but what I share from Yiannis's email is
> that OWASP has getting kind of "demo-bureaucratic capitalist" and that is
> very unproductive and frustrating for me, and maybe for many.
> Take for example our GPC. How long have we been discussing the new
> assessment frame? and the New template? What other side subjects were part
> of those discussion?
> When I put my name on that piece of paper at the Summit, I intended to help
> OWASP projects on making them better in quality and richness. I really don't
> care about the design of the dots in the project information page (and
> seriously, that was the water's drops! no direct flames, ok?), when we have
> tons of more important things to deal with in terms of OWASP. Personally,
> that's very demotivating.
> A while ago we had started a conversation on "is wikimedia enough to
> support OWASP?" that never ended. If we have many supporters, many
> exceptional minds from different areas of appsec and infosec cooperating with us,
> why don't we develop our own OWASP framework instead of 'investing' time on
> finding a way to do it with wikimedia? or why not link all projects to
> sourceforge and have only an institutional page at the OWASP website?
> Regarding the OWASP mission: making appsec visible through OWASP meetings,
> individual efforts to promote and raise funds for chapters/projects, etc, why
> don't we stop and look at that. Are we on the path?
> I take as an example the ASDR project, it should be a common-interest
> project for everyone at OWASP and for community, and who cares about it? Who
> wants to write definitions and keep up-to-date when we have Wikipedia and WASC
> Threat Classification<http://projects.webappsec.org/Threat-Classification-Working>??
> If we look at the world and not just the high-sec end, what is the
> percentage of people who know that "gem on page 888 of the Testing Guide"
> compared to people who don't even know what a simple XSS is?
> I had myself put tons of energy into ASDR but it's stuck. Then I wonder if
> I'm doing wrong or maybe the same guys who share the feelings in Yiannis's
> email think that's bullshit since they all already know what XSS is.
> Also, why would I "waste my time" writing a pamphlet when the project I lead
> has more than 300 articles to be written?
> While we have many OWASP guys working for free without getting anything
> back, except self-prestige, there are lots of other guys/companies
> that live from leads/projects that come from OWASP. And that is equally
> proportional to the level that OWASP is known in that part of the
> That is to say, if we do want to accomplish the current OWASP mission, we
> should look at it in all aspects. USA and Europe already know about the
> needs for security, mainly due to regulations and standards. What about Africa?
> Asia? Latin America? Why don't we have a "Hackers for Charity<http://www.hackersforcharity.org/>"
> initiative? That certainly would make application security visible, however
> it is not that profitable, right? And now I recall Yiannis's email subject:
> Would the real OWASP please stand up! We all should reflect about what is
> happening and have further discussions with the Board, all GCs and the real
> OWASPers about the mission and values of our community in order to prevent
> any future damage. That's what I have to say as a user, activist, project
> leader and GPC member of OWASP.
> What does the board have to say about all that?
> On Thu, Sep 17, 2009 at 11:19 PM, Matt Tesauro <mtesauro at gmail.com> wrote:
>> Below is my summary of the points raised by Yiannis's email once you
>> boil it down to the key points:
>> (1) GPC needs to determine which bits of Assessment Criteria v2 (ACv2)
>> should be mandatory and which should be optional. This isn't the first
>> time this issue has been raised (e.g. Security Analysis of Core J2EE
>> Design Patterns / Rohit Sethi). The bits used to determine health
>> should definitely be optional in my humble opinion.
>> (2) GPC needs to review the 'new project' / 'assessed project' emails
>> Paulo is using to see if we can better word them and alter the format to
>> make (1) above clear. This is especially true if we make changes in
>> (3) The elephant in the room is getting those 120+ projects up to ACv2.
>> I'm not really sure how to do this but that's a future problem that's
>> not going to go away. Not really a 'now' issue but something we need to
>> keep on our minds.
>> Note: I did not include anything mentioned about local chapters as
>> that's not our domain and I'm not 100% sure where that committee is
>> -- Matt Tesauro
>> OWASP Live CD Project Lead
>> http://AppSecLive.org - Community and Download Site
>> On Thu, 2009-09-17 at 23:15 +0100, dinis cruz wrote:
>> > Yiannis raises some good points which we (GPC/OWASP) should address in
>> > a calm professional and rational way.
>> > I don't think he is expressing his points correctly and he is going to
>> > lose a lot of credibility within OWASP by being so 'emotive'
>> > That said, this is a very good opportunity to extract from his
>> > 'emotional' email the good questions that he is raising, and answer
>> > them.
>> > After all there are a lot of OWASP project leaders that sometimes
>> > don't have a full picture of what we are doing at the GPC and what is
>> > the big picture with the new assessment criteria. This is a good
>> > opportunity to talk about it.
>> > In fact, and this is the most ironic of Yiannis emails, the solutions
>> > that he seems to be proposing is exactly what we (and the other
>> > Committees) are already doing (or are on their roadmaps).
>> > The other thing that Yiannis is not understanding (and again this is a
>> > problem with a LOT of our project leaders) is the scale and size of
>> > OWASP projects. The good news is that (finally) the technology changes
>> > that we (GPC) have been implementing are starting to work, and will
>> > really allow us to understand and control what is going on. See for
>> > example here the table
>> > http://www.owasp.org/index.php/OWASP_Project_Details_Table that Paulo
>> > is working on with the conversion of projects into the Assessment
>> > Criteria V2 and
>> > here http://www.owasp.org/index.php/OWASP_Project_Details_Table_2 a
>> > table I just created in 10m which shows (or will show) immediately all
>> > sort of data from the project's table
>> > Dinis
>> > 2009/9/17 Paulo Coimbra <paulo.coimbra at owasp.org>
>> > I really don’t have an objective clue about what drives
>> > Yiannis. Since a while ago I’ve just begun feeling his need
>> > for attention never ends.
>> > Paulo Coimbra,
>> > OWASP Project Manager
>> > From: bradcausey at gmail.com [mailto:bradcausey at gmail.com] On
>> > Behalf Of Brad Causey
>> > Sent: quinta-feira, 17 de Setembro de 2009 21:56
>> > To: Brad Causey; dinis cruz; Jason Li; Leo Cavallari; Matt
>> > Tesauro; Paulo Coimbra; Pravir Chandra
>> > Subject: Yiannis issue
>> > I've only included GPC members on this email.
>> > What do you guys think?
>> > I'm trying to read between the 'assholeness' of his tone and
>> > understand what really gripes him. At first I thought it was
>> > just that we were asking him to do something and he didn't
>> > feel like it.
>> > Does anyone see any merit to his gripe?
>> > -Brad Causey
>> > CISSP, MCSE, C|EH, CIFI, CGSP
>> > http://www.owasp.org
>> > --
>> > Never underestimate the time, expense, and effort an opponent
>> > will expend to break a code. (Robert Morris)
>> > --