[Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next tweaks to the services registry

Jeff Williams jeff.williams at owasp.org
Tue Jun 1 03:57:56 UTC 2010

Sorry guys - I was in the country out of cell range all weekend.


First, I think this whole registry idea is dumb and a big waste of time.  I
tried to kill it by opening it up to the board and leaders before it
happened, and didn't get much reaction.  Now we have to clean it up or kill
it.  I'm sympathetic to Dinis' point that the commercial companies are a
part of the community.  But I'm frankly not sure we've got the ability to
engage with them more deeply without confusing everyone. Right now our
message is clear and attractive.  No commercial stuff at OWASP. Muddying
that up is probably a mistake.


Anyway, neither Dave nor I have been working closely with Mike on this.  When
Mike bugs me enough, I do give him some advice. Here's a recent message.




This is a hard message for me. I don't like to interfere in the normal
operation of the community because generally these things are
self-correcting.  But I consider you a friend and I need to let you know
that some of your messages are not helping OWASP, your employer, or you.


The people in the OWASP community are volunteers, generally very smart, and
know a lot about application security. There's a reason why they're
discussing this - it's important.  And as much as you might not like the
idea, there's really not a big gulf between the OWASP T10, WASC, SANS T25,
and ASVS.  The best thing possible for ASVS would be for it to be what you
turn to when you're ready to actually meet the OWASP T10.


If I were you, I'd send an apology for this message and encourage discussion
of all aspects of ASVS, including how it relates to the other docs and
standards in our field. You're not going to change the status quo by
insulting smart volunteers that are the only prayer for ASVS getting


I also have to tell you that I find many of your posts on the OWASP list
almost impossible to decipher. I've resisted giving you feedback because I
don't want you to feel like I'm grading you - I'm not. I'm trying to help
you be more effective in accomplishing the goals of your projects.  I
encourage you to reread the messages before you send them to make sure that
anyone reading them will be able to figure out what you're talking about.


I hope you take this in the constructive manner intended. I absolutely
appreciate all the effort you've put into OWASP over the past few years.  If
you'd like further clarification or if there's anything I can do to help,
please don't hesitate to let me know.






I think we do need to be careful about how we handle Mike.  We always say at
OWASP if you don't like something you can just do it yourself.  Well, here's
a good case when it didn't work out.  If we're going to operate that way, I
think we have an obligation to get in front of things that are going the
wrong direction and let the volunteers know that we're not behind the
project.  I think in this case we sent a muddy mixed message.





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan
Sent: Monday, May 31, 2010 7:26 PM
To: dinis cruz
Cc: OWASP Foundation Board List
Subject: Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next
tweaks to the services registry


Mike made a claim tonight when he called me that he has been working very very
closely with Dave and Jeff on this project - so either a. that is false, or b.
this is true (hence my suggestion to call them).


Personally, as I expressed on the last board call, OWASP Commercial Services
should be OWASP Community Services if a registry/phone book was the goal, and
I liked security ;)


Will try to Skype you tomorrow, wrapping up the holiday here in the USA, then
headed to OWASP Denver FROC so will talk with David Campbell, and then to
OWASP Mexico for chats with Juan, so by the time we get to OWASP Sweden we
should have lots of points of view on this one.





On May 31, 2010, at 7:13 PM, dinis cruz wrote:

Tom, what we agreed was that we were going to try to figure out the model to
get this done. In following threads/developments it was (sort of)
established that two Board members (me and Eoin) would be directly involved
in this (since Jeff and Dave didn't have a lot of cycles to be involved).


Since I did speak with Mike before I sent you my last email with the
proposed plan, the least he should have done is waited for the follow-up
conversation and not have sent that email to the leaders list.


I know Mike is putting a lot of energy into OWASP, but he is also generating
a LOT of negative energy with his actions. For example, I had several KEY
OWASP Leaders last week talking to me about Mike's behaviour and how worried
they are about how things were being done. My view is that we need to calm
him down, or remove him, since his current attitude to OWASP is not healthy
at all.


For example, part of the reason for the low voting is most likely directly
related to how low 'street-cred' Mike has in OWASP (can you find one or more
OWASP Leaders that can recommend him?). I will not comment (for now) on what
is happening on the other projects that Mike is involved in, but in this case
(the OWASP Commercial Services) he is way out of line and needs to be


Tom or Jeff, if Mike listens to you guys, you need to talk to him, since he
is clearly too pissed off with me to realize that I am actually trying to help
him (both personally and professionally).


And btw, I did try to call Jeff and Tom but couldn't get through (I've
already spoken to Eoin and Matt  last week and need to follow up on Seba &


I'm happy to talk about this anytime so please either call me or let me know
when it is a good time to talk.


I will again ask that you read my email with the proposed model for the
'OWASP Commercial Services' and chip in with your comments.

Dinis Cruz


On 31 May 2010 23:26, Tom Brennan - OWASP <tomb at owasp.org> wrote:

I am a bit confused. This was approved by the board and Jeff agreed to work
with Mike on this effort.  Mike has been giving cycles to owasp working with
both Dave and Jeff on this effort.


The recent email vote was very poor: 39 people voted - terrible.  We need to
have a paid OWASP member list and call that owasp-leaders (topic for another
meeting) if we are going to use voting to override ethics and principles.


Dinis, have you spoken to either Jeff/Dave on this topic on the phone for
clarification? This is not going to be cleared up during a 60 min board
call, so it would be ideal if you could make that happen.


I did get a call from Mike with a WTF - he is giving cycles but feels like
he is being kicked in the balls by you.  We could put you and him at
blackhat at a bar/gokart/ring and let you to work it out... However it
appears that this is not a one-to-one issue.


On May 31, 2010, at 4:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:

Nice, really nice :(


Mike is really starting to be a problem guys, I'm sorry to say but this last
one (see email below) is very below the belt. 


I'm trying hard to be fair with this guy, but am really losing my patience


Please take into account that I DID call him up today, explained to him my
'updated' model and mentioned that I was going to present the model to the
OWASP board.

Dinis Cruz

---------- Forwarded message ----------
From: Mike Boberski <mike.boberski at gmail.com>
Date: 31 May 2010 21:02
Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks to the services
To: owasp-leaders at lists.owasp.org

Dear Colleagues,


The results of the survey are in! Thank you for taking the time. 


It was a toss-up on the question of whether to include descriptions of
approaches to performing a given service. So, the requirement has been
removed for now; we can always revisit this and other items later on.


It was not a toss-up on the name change: there was an overwhelming response
to leave it named "commercial services". So, the name stays for now; we can
always revisit this and other items later on.


Please do forward any additional suggestions for improvement. I think this
approach worked well, batching them up and creating a survey, to gather
community inputs.


To be listed in the OWASP Commercial Services Registry, contact
<http://www.owasp.org/index.php/Contact> Kate Hartmann. 




On Mon, May 24, 2010 at 1:09 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:

Dear Colleagues,


As you know, I have been working on the OWASP commercial services
registry/commercial services board. 


We're basically shooting for a phone book that's sorted according to some
OWASP artifacts as they are currently categorized, to try to nudge the
planet along in adoption of them, to get consumers of services of those
types to ask for them, by making it easy to find such service providers. 


Towards the end of continuing its development, there is a next set of
proposed updates that we would like your opinion on. A survey has been set up
here: http://www.surveymonkey.com/s/9JDN98P  If you can spare a few minutes
to provide your input, it would be appreciated. The cutoff date is the end
of the week.




Mike B.


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org