[Owasp-board] You OK?

dinis cruz dinis.cruz at owasp.org
Tue Sep 29 00:13:07 UTC 2009

Great, glad that this is now resolved :)
BTW, we (the board) just approved the new 'OWASP leaders participation at
OWASP Conferences' guidelines, about which Kate will contact you guys directly so
that you can sort out the final operational issues.

That should make things clear for you and the owasp-leaders that wish to

Let me know if you have any questions about it,

Best regards


2009/9/24 Rex Booth, OWASP <rex.booth at owasp.org>

> Dinis,
> We appreciate the feedback and understand your perspective.  I certainly
> don't take any of it personally.
> The challenges all of you have faced in the past - from the travel
> logistics of the conference at NIST to the constant schedule changes at
> Portugal to the facilities issues at NYC - are exactly why we started
> planning this event more than a year in advance and have been very careful
> to maintain control of every detail during planning.
> Philosophically, we're all on the same page.  We have no problem inviting
> all OWASP leaders for free and agree that chapter leaders should be
> rewarded.  The objection we have is the way in which it has been handled.
>  Again, this is something that should have come up many months ago, not only
> allowing us to plan for it, but also allowing the individual chapter leads
> to work it into their schedule.  But even if it's a last minute thought, I
> think a more appropriate response would have been to approach us "offline",
> reach a consensus, and announce the good news to the leaders - a much more
> elegant solution than stirring the shit on the leaders board, whether
> intentional or not. ;)
> Make no mistake - we appreciate the efforts of the Board to make our event
> possible and the implicit support we've received (as you say - the less
> oversight means more trust).  My primary frustration lies in the potential
> external perception of the Board's support of our event.  Doug, Mark and I
> know full well that you all are excited about our conference, but we need
> you to convey that in no uncertain terms to the rest of the OWASP community.
>  From my perspective, the public emails regarding chapter leads
> unintentionally indicate to the general community a lack of support for our
> approach.  I know that private conversations may run contrary to OWASP
> openness, but there is a balance to be struck between transparency and
> professionalism when it comes to events like this.
> As you indicated, there is room for improvement in all areas, and we
> acknowledge our share of faults.  I recommend that following the conference,
> we conduct a postmortem to be sure that our lessons learned are captured and
> pave the way for even more successful conferences in the future.
> As always, we appreciate your enthusiasm and support.  Let's now put this
> behind us and focus on making this event the most successful in OWASP NA
> history.
> Thanks,
> Rex
> dinis cruz wrote:
>> Hi Rex, Doug and Mark (CCing the OWASP board)
>> I think we're getting there on how to handle our OWASP leaders.
>> Just a couple extra comments below, but please don't take any of this
>> personally. ALL of us (in the Board) have been personally responsible for
>> organizing Conferences (and Summit) and know exactly what you are going
>> through (long hours, lack of feedback, ideas thrown at the last minute,
>> problems after problems after problems (from the smallest one to the massive
>> ones (remember Tom's problem in NYC with having to find a new venue with
>> weeks to go before the conference?)))
>> 2009/9/23 Rex Booth, OWASP <rex.booth at owasp.org>
>>    Dinis,
>>    If chapter leads get in for free, we can transfer the cost of each
>>    ticket to the OWASP foundation.  If that's what you and the rest
>>    of the Board expect, then we can comply.  Please confirm that the
>>    rest of the Board agrees with this approach and we'll send out an
>>    announcement.
>> I will get back to you with an action plan on how we should implement
>> this (I have a couple extra questions which I will send to you 3 directly)
>>    With all due respect, however, I'm not OK at all with how this is
>>    being handled.  The selective involvement of the Board has been
>>    more of a hindrance than a help thus far.  We have reached out
>>    multiple times to the Board to solicit expectations and involve
>>    you in planning, but with no reply.
>> You have a very good point here, and in an ideal world we would all be
>> more involved with this conference. THAT SAID, I would argue that the reason
>> the board is not more involved is because you guys are doing such a GREAT
>> JOB :)
>> The way I look at it we (Board and Committees) have to redirect our energy
>> to the areas where we can have more impact, and (at least from my point of
>> view) this conference looks really good and is going in the right direction.
>> So no real need to be involved (until now :)  )
>> Regarding the lack of feedback, well 'join the club mate', that is the
>> rules of the game :)
>> It is very hard to get real feedback because people tend to be very busy
>> and most of the time, the issues can't be dealt with a 10m email/call. As a
>> personal example I have spent quite a number of hours on this 'OWASP Leaders
>> to attend the conference'.
>> The other item I would like to call your attention to (and please note
>> that this is a BIG COMPLIMENT to you 3) is that this is the 1st US AppSec
>> conference that is NOT being organized by a Board Member. And I think that
>> this is GREAT!! Again it shows how much control and quality you have that we
>> don't need to be that involved (even if it is one of our most
>> profit-generating events)
>> Now does this mean that sometimes you get hit by a burst of 'energy' when
>> one of us has some time to address a particular issue? Yes, and I think that
>> as long as the issues are relevant and important, then it is just the way
>> the system works (remember that we (like you) have day jobs (in addition to
>> the other OWASP activities we are all involved in))
>>     This is a conference which will be over a year in the making - an
>>    event which should exceed all previous OWASP events, but it's
>>    being treated as if it were a house party where "there's no harm
>>    in inviting a few more friends."
>> Regarding your efforts, I don't think we have any issues with it. And it
>> is a great sign of maturity for OWASP that we are able to organize these
>> type of events with such advanced time.
>> That said, I do take an issue with your 'house party' comment, and would
>> like to (gently :)  ) remind you that this is an OWASP event that is only
>> possible due to OWASP leaders' hard work, unpaid hours and talent.
>> To be honest the main reason I decided to 'create this mess' (sorry again
>> for not intervening sooner) is because I felt that this issue was VERY
>> IMPORTANT to our community and (ironically) the more successful our
>> conferences become, the more important this is.
>> Just think about this, how would you feel if you (or Doug or Mark) wanted
>> to attend the next major OWASP conference in the US or Europe at your own
>> travel and accommodation cost, and after all the hundred hours you spent
>> organizing this year's conference, OWASP would still ask you to pay for it?
>>  I don't think you will be happy!
>> Regarding the 'house party' concept, maybe you don't like it, but I quite
>> like the idea that our OWASP conferences are places where our leaders are
>> very welcomed and treated as special guests (again, they are the ones that
>> made OWASP OWASP).
>> I think the fundamental problem here is that you 3 are VERY focused on
>> this event, and that is great. Our job (in the board) is to keep an eye on
>> the big picture, and here is where we had our 'little clash'
>>     I have yet to see a single public email from a Board member
>>    expressing unconditional support for this event.  And worse,
>>    instead of support, you not only publicly question our approaches,
>>    but also ask David Campbell to resurrect a discussion that
>>    should have been kept private in the first place.
>> This is a tough one, since I (and probably the other Board members) were
>> not aware that you guys felt that 'isolated' (again I viewed it as a MASSIVE
>> compliment to you the fact that the Board was not involved). That said, I
>> did include Jeff's quote on my email, and when I send out the rules of
>> engagement for the Leaders participation on this conference I will again
>> mention the OWASP Board support.
>> One comment on the practicality of those show of support (remember that we
>> have dozens of OWASP conferences per year now, so it is not THAT practical
>> to issue a 'show of public support' for all of them), traditionally we have only
>> done that ('show of public support') when there is an 'authority problem'
>> and the organizers feel that they need more 'board support' for what they
>> are trying to do. But that is not the case here, right? Apart from the
>> current issue, has there been any show-stoppers or big problems that could
>> have been made easier with more OWASP Board involvement?
>> Regarding David Campbell's email, it's my fault since I was under the
>> (wrong) impression that you guys were on board with that concept, and felt
>> that his comments were a good justification of why OWASP needs to support
>> its leaders (I quite like his point on "...Paying to get in may be a
>> dealbreaker for chapter leaders who are overdrawn on the "emotional bank
>> account" that is OWASP...")
>>    I don't pretend to have all the answers when it comes to
>>    conference planning, but I do know that Doug, Mark and I are the
>>    ones who have sunk hundreds and hundreds of man-hours into this
>>    event.  If you want to be involved, we'd welcome you to the team.
>>     But what we don't need is armchair quarterbacking from the bleachers.
>> Rex, I hope that my explanations (and efforts on addressing this issue)
>> help you to understand why I felt I had to 'push' this change. I will
>> disagree that this is an "... armchair quarterbacking from the bleachers..."
>> issue. This goes to the heart of OWASP's community and that is why I acted
>> the way I did.
>> As you know, there are TONS of other issues that you guys need to deal
>> with, and on a lot of those, I will argue with you that before one makes
>> comments or suggestions, one should: a) do the homework or b) be involved
>> earlier on
>> Again, please don't take this personally, I have the most respect and
>> understanding of what you guys are doing there (remember that me and Paulo
>> were up to our necks with the Summit last year), so I REALLY think you are
>> doing a great job and look forward to attending the conference.
>>  Thanks
>> Dinis Cruz
>>    Rex
>>    ...copying my colleagues to keep them in the loop.
>>    dinis cruz wrote:
>>        Hey Rex (email just to you)
>>        Just wanted to make sure you are OK with that 'OWASP Leaders
>>        to attend the conference for free' thread?
>>        Like David Campbell mentions on his last email, if there is an
>>        extra cost, and if you are able to calculate it, we can move
>>        that 'cost' into the OWASP mothership, so that it doesn't
>>        affect the finances of the Conference
>>        Sorry for being a pain and for giving you extra work
>>        Dinis