[Owasp-board] ASVS needs a new leader

Paulo Coimbra paulo.coimbra at owasp.org
Fri Jul 30 17:24:10 UTC 2010


All,

 

Could you please clarify whether or not I should send the request for
proposals off?

 

http://www.owasp.org/index.php/Request_For_Proposals/Seeking_New_Project_Leader_For/ASVS

 

Thanks,

 

Paulo Coimbra,

OWASP Project Manager

 

From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Wednesday, 28 July 2010 18:34
To: Jason Li
Cc: Dave Wichers; Paulo Coimbra; Brad Causey; Jeff Williams; Leo Cavallari;
Matt Tesauro; Pravir Chandra; OWASP Foundation Board List
Subject: Re: [Owasp-board] ASVS needs a new leader

 

Jason is spot on, regardless of the quality of the proposed leader (in this
case Dave) we cannot prevent other OWASP Leaders (and industry players) from
applying to the job.

This would send a very bad message to our community and would create a bad
precedent.

Note that since Tom posted on LinkedIn that we were looking for a new leader
for ASVS there have been at least 4 (not counting Christian) candidates that
have come forward and shown interest in applying.

The least we need to do for these candidates (some of which are not current
OWASP Leaders) is to give them a fair chance and hearing.

In fact, I would say that the last thing we (as a Board and GPC) should do
is to act like Andrew is suggesting:  ".... I just didn't feel the
candidates that had put their names forward prior to Eoin had the right
stuff to lead the project, ...".  

Regardless if Andrew is right (and he probably is :) ), we CANNOT make that
decision behind closed doors (can you imagine the backlash!). It is also
quite unfair for the candidates and has the potential to be influenced by
personal opinions.

What I like about the proposed open model, is that the weaker candidates
either really pull off something good or silently drop their application :)

Finally, I think it is more than fair that Dave is one of the ASVS project
leaders, but at the moment we can't make him the only one.

Dinis Cruz



On 28 July 2010 18:20, Jason Li <jason.li at owasp.org> wrote:

Dave,

I'm perfectly fine with you leading the project too. I don't think
there's anyone on the board or in the committees that would *not* be
OK with you leading the project.

I'm just thinking that in the interests of heading off any accusations
of cronyism from other people that have thrown their names into the
ring to lead this project, it would be beneficial to go through a true
selection process.

-Jason




On Wed, Jul 28, 2010 at 1:13 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:
> I don’t mind establishing a process for doing this for projects that need a
> new leader and there isn’t an obvious choice, but I agree with Andrew (but I
> might be biased), that I think we are OK with me being the ASVS leader given
> my past history with the project. So I don’t think we need to go through
> this process for this particular project.
>
>
>
> -Dave
>
>
>
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
> Sent: Wednesday, July 28, 2010 12:46 PM
> To: 'OWASP Foundation Board List'; 'Brad Causey'; Dinis Cruz ; Jason Li;
> 'Jeff Williams'; Leo Cavallari; Matt Tesauro; Pravir Chandra
>
> Cc: 'Andrew van der Stock'
> Subject: Re: [Owasp-board] ASVS needs a new leader
>
>
>
> All,
>
>
>
> I’ve finished a first draft of the wiki templates to deal with the necessity
> of replacing ASVS’s leadership and I am sending it off for your review.
>
>
>
>
> http://www.owasp.org/index.php/Request_For_Proposals/Seeking_New_Project_Leader_For/ASVS
>
>
>
> Since nobody has refuted Dinis's arguments, I’ve opted for open roadmaps.
>
>
>
> Also, I’ve deliberately not proposed a submission deadline date because
> Christian (Google Hacking project leader), when commenting on this issue,
> said that “If OWASP wants the inquiry to appear fair then I would recommend
> that the decision for the ASVS Project Leader be deferred until after the
> inquiry then” and nobody answered back saying otherwise.
>
>
>
> Thanks,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager
>
>
>
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
> Sent: Wednesday, 28 July 2010 06:43
> To: Jason Li
> Cc: Paulo Coimbra; Dave Wichers; Eoin; Andrew van der Stock; OWASP
> Foundation Board List; Brad Causey; Jeff Williams; Leo Cavallari; Matt
> Tesauro; Pravir Chandra; Tom Brennan; Sebastien Deleersnyder
> Subject: Re: [Owasp-board] ASVS needs a new leader
>
>
>
> My experience in having applications posted on the wiki (for example what
> happened between the first version of the Season of Code and the 2nd one) is
> that the extra visibility provided by having the entire application online
> has one great side effect: it raises the bar of all applicants (I know that
> this case is a bit different BUT there are a lot of similarities).
>
> I don't think that the scenario that you are presenting is very real. My
> expectation is that good solid applicants will be able to present solid
> proposals, regardless if they are the first, 2nd or last.
>
> I like the fact that everything is open and transparent (which will make the
> decision making much easier) and, somebody that just comes and says "I will
> do all that the previous ones have proposed" would not get our vote.
>
> Again my experience with OWASP has shown me that it is very hard to abuse
> open models like this, and that that very openness is brutal to applicants
> that are not well prepared and don't spend enough time preparing their
> presentation.
>
> Since part of the objective here is also to generate good ideas for this
> project, having all info public would also encourage a nice healthy debate
> about where it should be going.
>
> Remember that this is an active and quite mature project, so I don't expect
> massive Roadmaps in terms of what the project should become in the future
> (i.e. I would expect ideas on how the applicant understands the current state
> of the project and what areas he/she feels comfortable in tackling in the
> near future)
>
> Finally, remember that we want to get as much talent as possible into this
> project, so even in the case where we have 10 proposals and 3 of them are
> really good (i.e. way above the rest), then my view is that we should put
> those 3 as co-leaders.
>
> Dinis Cruz
>
> On 27 July 2010 21:45, Jason Li <jason.li at owasp.org> wrote:
>
> Dinis - I don't see any advantage to exposing the proposed roadmaps early.
>
> The proposed roadmaps will of course be opened eventually - I'm not
> proposing a closed selection process. Just waiting until after the
> submission deadline.
>
> Otherwise, publicly posting roadmaps before the submission deadline
> just encourages plagiarism and favors the person who waits until the
> last minute and aggregates everyone else's good ideas.
>
> -Jason
>
> On Tue, Jul 27, 2010 at 4:31 PM, Paulo Coimbra <paulo.coimbra at owasp.org>
> wrote:
>> I was precisely on my way to create a couple of wiki templates to articulate
>> a process that seems to me very similar to what Jason is proposing.
>>
>>
>>
>> I’ve started off on the newly created ‘request for services template’ and
>> was thinking of the following tabs:
>>
>>
>>
>> -          Request For Proposals – (Project  Leadership need description)
>>
>> -          Applications (Applicant name + Roadmap)
>>
>> -          GPC’s recommendation
>>
>> -          OWASP Board’s decision.
>>
>>
>>
>> I have already talked with Dinis and while I support Jason’s vision that we
>> should only be ‘posting these roadmaps to the OWASP wiki until *after* the
>> submission deadline’, he disagrees.
>>
>>
>>
>> http://www.owasp.org/index.php/Seeking_New_Project_Leader_For/ASVS
>>
>>
>>
>>
>>
>> http://www.owasp.org/index.php/OWASP_Request_for_Proposals/Training_Manager
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Paulo Coimbra,
>>
>> OWASP Project Manager
>>
>>
>>
>> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
>> Sent: Tuesday, 27 July 2010 21:05
>> To: Dave Wichers
>> Cc: dinis cruz; Paulo Coimbra; Eoin; Andrew van der Stock; OWASP Foundation
>> Board List; Brad Causey; Jeff Williams; Leo Cavallari; Matt Tesauro; Pravir
>> Chandra
>>
>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>
>>
>> *Because* it's such a flagship project, I personally think that it would be
>> a good idea to get someone from outside the Board and the global committees
>> to lead the ASVS. I think it's important to show that becoming a big project
>> leader @ OWASP is not tied to being in the exclusive Board/Committee club.
>>
>>
>>
>> Obviously we need to balance the need to ensure quality in one of our
>> flagship projects, and certainly original authors and contributors should
>> stay involved. Perhaps we can revive the "Mentor" role that we never really
>> finished flushing out with the GPC for this purpose?
>>
>>
>>
>> I believe the process for choosing the new project leader(s) should follow
>> roughly the same process as creating a new project.
>>
>> Specifically, the potential project lead should submit a Project Roadmap for
>> where they would like to take the project, their goals, an outline of
>> reasonable depth to show how they plan to get there, etc.
>>
>> In the past, since there has not been an outpouring of people rushing to
>> lead an inactive project, we have not had to go through a formal evaluation
>> of roadmaps. But since there are multiple people vying for project
>> leadership, we should solicit these roadmaps and evaluate them as the
>> Board/GPC as appropriate.
>>
>>
>>
>> I would suggest that we establish a due date and have applicants submit
>> their roadmap to Paulo before then. (Note I would not support posting these
>> roadmaps to the OWASP wiki until *after* the submission deadline to prevent
>> blatant copy and paste of ideas/agendas by applicants). We can review these
>> and choose a project leader (or two) and appoint relevant project mentors
>> (we should also set a date to announce this by). I personally would advocate
>> having fewer leaders over many --- too many cooks in the pot is just a recipe
>> for bogging down progress in my opinion.
>>
>>
>>
>> My $0.02 (or equivalent world currency).
>>
>>
>>
>> -Jason
>>
>>
>>
>> On Tue, Jul 27, 2010 at 1:55 PM, Dave Wichers <dave.wichers at owasp.org>
>> wrote:
>>
>>> I already volunteered and Eoin was agreeable (since he volunteered
>>
>>> too) but if there is enough activity on the project to warrant a team
>>
>>> of leaders, that’s perfectly fine with me.
>>
>>>
>>
>>>
>>
>>>
>>
>>> -Dave
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>>
>>> Sent: Tuesday, July 27, 2010 12:49 PM
>>
>>> To: Paulo Coimbra
>>
>>> Cc: Dave Wichers; Eoin; Andrew van der Stock; OWASP Foundation Board
>>
>>> List; Brad Causey; Jason Li; Jeff Williams; Leo Cavallari; Matt
>>
>>> Tesauro; Pravir Chandra
>>
>>>
>>
>>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> Since Tom sent out his 'we need a new leader for ASVS' in LinkedIn:
>>
>>>
>>
>>> "#3 - HELP WANTED - We are seeking a new project leader for OWASP
>>
>>> ASVS, if you want to help us change the world of application security
>>
>>> we could use your help in this volunteer role."
>>
>>> http://www.linkedin.com/groupAnswers?trk=view_disc&gid=36874&commentID=-1&viewQuestionAndAnswers=&discussionID=25691211
>>
>>>
>>
>>> ...which generated a number of potential applications, we need to take
>>
>>> this opportunity to define some methodology (which Paulo is working on)
>>
>>> for leaders to be appointed to mature OWASP projects.
>>
>>>
>>
>>> Given the current state of affairs, and the type of project that ASVS
>>
>>> is, we are probably looking at having a joint leadership of at least 4
>>
>>> leaders (if not 5 co-leaders to allow for majority voting)
>>
>>>
>>
>>> Dinis
>>
>>>
>>
>>> On 27 July 2010 16:27, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
>>
>>>
>>
>>> Dave, Eoin, Andrew, GPC and Board,
>>
>>>
>>
>>>
>>
>>>
>>
>>> I am currently working on a general methodology to deal with this kind
>>
>>> of issues. I will do my best to have it concluded today. If you agree,
>>
>>> as soon as it is ready, I will send it off for your assessment.
>>
>>>
>>
>>>
>>
>>>
>>
>>> Thanks,
>>
>>>
>>
>>>
>>
>>>
>>
>>> Paulo Coimbra,
>>
>>>
>>
>>> OWASP Project Manager
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: Dave Wichers [mailto:dave.wichers at owasp.org]
>>
>>> Sent: Tuesday, 27 July 2010 16:27
>>
>>> To: 'Eoin'
>>
>>> Cc: 'Andrew van der Stock'; 'Paulo Coimbra'
>>
>>> Subject: RE: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> Thanks Eoin. I appreciate your willingness to step into the breach and
>>
>>> certainly if you have any specific ideas for moving ASVS forward that
>>
>>> you want to participate in, please let me know.
>>
>>>
>>
>>>
>>
>>>
>>
>>> I’ll update the wiki page to indicate who the current leader is.
>>
>>> Paulo, if you want to indicate on the leaders list that we have
>>
>>> ‘changed our mind’, please do, or I can if you like.
>>
>>>
>>
>>>
>>
>>>
>>
>>> Thanks, Dave
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of
>>
>>> Eoin
>>
>>> Sent: Tuesday, July 27, 2010 10:57 AM
>>
>>>
>>
>>> To: Dave Wichers
>>
>>> Cc: Andrew van der Stock; Paulo Coimbra
>>
>>>
>>
>>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> There is no transparency issue here that I see (forgive the pun)
>>
>>>
>>
>>> Dave, seeing as you are one of the original leaders I shall give way to
>>
>>> your decision to lead this.
>>
>>>
>>
>>>
>>
>>>
>>
>>> I simply did not want someone with no track record leading such an
>>
>>> important guide/checklist
>>
>>>
>>
>>>
>>
>>>
>>
>>> Eoin
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>> On 27 July 2010 14:25, Dave Wichers <dave.wichers at owasp.org> wrote:
>>
>>>
>>
>>> I don’t mind transparency. Most projects are led by their lead
>>
>>> contributors and if the current lead steps aside I would certainly
>>
>>> expect the other lead contributors to be offered the position first. I
>>
>>> was on vacation last week so wasn’t really paying much attention to
>>
>>> emails. When I got back yesterday I talked it over with Jeff and
>>
>>> that’s why you first heard about this from me.
>>
>>>
>>
>>>
>>
>>>
>>
>>> I certainly would love to have others like you and Eoin and Christian
>>
>>> contribute to the project if we want to move it forward somehow, and
>>
>>> if the project gets too big for me to handle, and someone like Eoin or
>>
>>> whomever wants to lead that larger effort because I chose to step
>>
>>> aside I’m OK with that too.
>>
>>>
>>
>>>
>>
>>>
>>
>>> -Dave
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: Andrew van der Stock [mailto:vanderaj at gmail.com]
>>
>>>
>>
>>> Sent: Monday, July 26, 2010 8:55 PM
>>
>>> To: Dave Wichers
>>
>>> Cc: 'Eoin'; 'Paulo Coimbra'
>>
>>>
>>
>>>
>>
>>>
>>
>>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> Hi Dave,
>>
>>>
>>
>>>
>>
>>>
>>
>>> Although in broad strokes I support your decision, I'd really like the
>>
>>> process OWASP uses to change leadership to be a bit more transparent
>>
>>> and consistent than this.
>>
>>>
>>
>>>
>>
>>>
>>
>>> I know the ASVS grew out of the Aspect checklist, and realistically it
>>
>>> would be nice to have one of the original authors work on the project,
>>
>>> I just want to make sure everyone is aware of how the project is
>>
>>> changing hands and that it is as transparent as possible, and it's the
>>
>>> same process for all change overs.
>>
>>>
>>
>>>
>>
>>>
>>
>>> thanks,
>>
>>>
>>
>>> Andrew
>>
>>>
>>
>>>
>>
>>>
>>
>>> On 27/07/2010, at 6:48 AM, Dave Wichers wrote:
>>
>>>
>>
>>>
>>
>>>
>>
>>> Eoin,
>>
>>>
>>
>>>
>>
>>>
>>
>>> If you don’t mind, I’ll volunteer to lead the ASVS project in Mike’s
>>> stead.
>>
>>> This project, like the Top 10 in my opinion, is something that
>>
>>> probably won’t change much except once every 2-3 years.
>>
>>>
>>
>>>
>>
>>>
>>
>>> I’m one of the original authors, along with Jeff, so I figure it would
>>
>>> be best for him or me to lead it.
>>
>>>
>>
>>>
>>
>>>
>>
>>> That OK with you? Regardless, did you have any specific things you
>>
>>> wanted done with the ASVS project that haven’t happened already? I’m
>>
>>> encouraging alignment of the 3 guides with ASVS already and that seems
>>
>>> to be moving forward.
>>
>>>
>>
>>>
>>
>>>
>>
>>> -Dave
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: owasp-board-bounces at lists.owasp.org
>>
>>> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo
>>
>>> Coimbra
>>
>>>
>>
>>> Sent: Friday, July 23, 2010 1:27 PM
>>
>>> To: 'OWASP Foundation Board List'; 'Global Projects Committee'; 'Eoin'
>>
>>> Cc: 'Andrew van der Stock'
>>
>>>
>>
>>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> In terms of new leadership, is this issue solved and closed?
>>
>>>
>>
>>>
>>
>>>
>>
>>> Thanks,
>>
>>>
>>
>>>
>>
>>>
>>
>>> Paulo Coimbra,
>>
>>>
>>
>>> OWASP Project Manager
>>
>>>
>>
>>>
>>
>>>
>>
>>> From: Eoin [mailto:eoinkeary at gmail.com]
>>
>>> Sent: Friday, 23 July 2010 12:29
>>
>>> To: Paulo Coimbra
>>
>>> Cc: Global Projects Committee; Andrew van der Stock; OWASP Foundation
>>
>>> Board List
>>
>>> Subject: Re: [Owasp-board] ASVS needs a new leader
>>
>>>
>>
>>>
>>
>>>
>>
>>> I am happy to take a part lead role in asvs if required but ctf is
>>
>>> going to take the rest of my time.
>>
>>>
>>
>>> On 23 Jul 2010 00:29, "Paulo Coimbra" <paulo.coimbra at owasp.org> wrote:
>>
>>>
>>
>>> Hi Andrew,
>>
>>>
>>
>>> I will - thank you for the heads-up. I had already put this issue to
>>
>>> Board's and GPC's consideration and it seems that Mike has indeed quit
>>
>>> OWASP and therefore a new ASVS's leadership is needed. Please give me
>>
>>> a couple of days to deal with the matter.
>>
>>>
>>
>>> Thanks,
>>
>>>
>>
>>> Paulo Coimbra,
>>
>>> OWASP Project Manager
>>
>>>
>>
>>>
>>
>>>> >-----Original Message-----
>>
>>>> >From: Andrew van der Stock [mailto:vanderaj at gmail.com]
>>
>>>> >Sent: Thursday, 22 July 2010 23:27
>>
>>>> >To: Paulo Coimbra
>>
>>>> >Subject: ASVS needs a new leader
>>
>>>> >
>>
>>>> >Hi Paulo,
>>
>>>> >
>>
>>>> >Can you also take charge of the ASVS project's leadership change.
>>
>>>> >I've only got one potential person to put their hand up, and it's
>>
>>>> >Christian Heinrich. I think for various reasons, we should try to
>>
>>>> >get more folks interested in the position.
>>
>>>> >
>>
>>>> >thanks,
>>
>>>> >Andrew
>>
>>>
>>
>>
>>>
>>
>>>
>>
>>>
>>
>>>
>>
>>> --
>>
>>> Eoin Keary
>>
>>> OWASP Global Board Member
>>
>>> OWASP Code Review Guide Lead Author
>>
>>>
>>
>>> Sent from my i-Transmogrifier
>>
>>> http://asg.ie/
>>
>>> https://twitter.com/EoinKeary
>>
>>>
>>
>>>
>
>

 
