[Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next tweaks to the services registry

Eoin eoin.keary at owasp.org
Tue Jun 1 09:12:30 UTC 2010


Board, we need more joined-up thinking here please?!!  Can we agree or get a
majority / disagree on if we want this registry? *- please respond*
I believe the rules Dinis, Matteo and I discussed in London on Friday would
suit if this is to go ahead.

Mike seems like a real active guy, has great ideas but also a touch of an
autocrat/dictator in him. He takes direction poorly and it seems sometimes
he is driving the projects to suit his own agenda. I believe on projects
such as ASVS and the Dev guide there should be a leadership board, like what
SAMM has, for which I am a member.

Dinis, what do you mean by "handling" Mike? Let's not be too "knee-jerk"
here.

Mise Le Meas,

Eoin

On 1 June 2010 09:35, dinis cruz <dinis.cruz at owasp.org> wrote:

> I'm glad that Jeff confirms my worries about Mike and that he confirms
> (what I was also under the impression) that neither he nor Dave were working
> on this issue with Mike (in fact the one that has been mainly 'working on
> this' with Mike for the past weeks has been me).
>
> We have two issues to handle here, and we have to thread them separately
> (or we will be 'throwing the baby with the bath water')
>
> *Issue 1: Mike* (and how to handle his latest moves and his current OWASP
> leadership status)
>
> *Issue 2: OWASP Commercial Services *(If you follow the email threads, I
> think you will see that I (at least) have been involved in 'trying' to steer
> the discussion to a place that makes sense to OWASP, and have in several
> moments made clear that Mike's view is now ours. That said, I think we are
> almost there, and if you look at the email I sent earlier yesterday with the
> revised proposal for how it should work, you will see a working model that
> can work organically)
> Let's deal with them in turn and send a clear message to our community on
> where we stand.
>
> I'm around all day today, so ping me when you want to talk about this
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
>
> On 1 June 2010 04:57, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>>  Sorry guys – I was in the country out of cell range all weekend.
>>
>>
>>
>> First, I think this whole registry idea is dumb and a big waste of time.
>> I tried to kill it by opening it up to the board and leaders before it
>> happened, and didn’t get much reaction.  Now we have to clean it up or kill
>> it.  I’m sympathetic to Dinis’ point that the commercial companies are a
>> part of the community.  But I’m frankly not sure we’ve got the ability to
>> engage with them more deeply without confusing everyone. Right now our
>> message is clear and attractive.  No commercial stuff at OWASP. Muddying
>> that up is probably a mistake.
>>
>>
>>
>> Anyway, neither Dave nor I have been working closely with Mike on this.
>> When Mike bugs me enough, I do give him some advice. Here's a recent
>> message…
>>
>>
>>
>> Mike,
>>
>>
>>
>> This is a hard message for me. I don't like to interfere in the normal
>> operation of the community because generally these things are
>> self-correcting.  But I consider you a friend and I need to let you know
>> that some of your messages are not helping OWASP, your employer, or you.
>>
>>
>>
>> The people in the OWASP community are volunteers, generally very smart,
>> and know a lot about application security. There's a reason why they're
>> discussing this - it's important.  And as much as you might not like the
>> idea, there's really not a big gulf between the OWASP T10, WASC, SANS T25,
>> and ASVS.  The best thing possible for ASVS would be for it to be what you
>> turn to when you're ready to actually meet the OWASP T10.
>>
>>
>>
>> If I were you, I'd send an apology for this message and encourage
>> discussion of all aspects of ASVS, including how it relates to the other
>> docs and standards in our field. You're not going to change the status quo
>> by insulting smart volunteers that are the only prayer for ASVS getting
>> mindshare.
>>
>>
>>
>> I also have to tell you that I find many of your posts on the OWASP list
>> almost impossible to decipher. I've resisted giving you feedback because I
>> don't want you to feel like I'm grading you - I'm not. I'm trying to help
>> you be more effective in accomplishing the goals of your projects.  I
>> encourage you to reread the messages before you send them to make sure that
>> anyone reading them will be able to figure out what you're talking about.
>>
>>
>>
>> I hope you take this in the constructive manner intended. I absolutely
>> appreciate all the effort you've put into OWASP over the past few years.  If
>> you'd like further clarification or if there's anything I can do to help,
>> please don't hesitate to let me know.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> --Jeff
>>
>>
>>
>> I think we do need to be careful about how we handle Mike.  We always say
>> at OWASP if you don’t like something you can just do it yourself.  Well,
>> here’s a good case when it didn’t work out.  If we’re going to operate that
>> way, I think we have an obligation to get in front of things that are going
>> the wrong direction and let the volunteers know that we’re not behind the
>> project.  I think in this case we sent a muddy mixed message.
>>
>>
>>
>> --Jeff
>>
>>
>>
>>
>>
>> *From:* owasp-board-bounces at lists.owasp.org [mailto:
>> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Tom Brennan
>> *Sent:* Monday, May 31, 2010 7:26 PM
>> *To:* dinis cruz
>> *Cc:* OWASP Foundation Board List
>> *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed
>> next tweaks to the services registry
>>
>>
>>
>> Mike made claim tonight when he called me that he has been working very
>> very closely with Dave and Jeff on this project - so either a. that is
>> false, b. this is true (hence my suggestion to call them)
>>
>>
>>
>> Personally, as I expressed on the last board call, OWASP Commercial Services
>> should be OWASP Community Services if a registry/phone book was the goal and
>> I liked
>> http://www.securityscoreboard.com/reviews/tag/productsoffered/webapplicationsecurity ;)
>>
>>
>>
>> Will try to skype you tomorrow, wrapping up the holiday here in the USA,
>> then headed to OWASP Denver FROC so will talk with David Campbell and then
>> to OWASP Mexico for chats with Juan, so by the time we get to OWASP Sweden
>> should have lots of points of view on this one.
>>
>> On May 31, 2010, at 7:13 PM, dinis cruz wrote:
>>
>>
>>
>> Tom, *what we agreed was that we were going to try to figure out the
>> model to get this done. *In following threads/developments it was (sort
>> of) established that two Board members (me and Eoin) would be directly
>> involved in this (since Jeff and Dave didn't have a lot of cycles to be
>> involved).
>>
>>
>>
>> Since I did speak with Mike before I sent you my last email with the
>> proposed plan, the least he should have done is waited for the follow-up
>> conversation and not have sent that email to the leaders list.
>>
>>
>>
>> I know Mike is putting a lot of energy into OWASP, but he is also
>> generating a LOT of negative energy with his actions; for example, I had
>> several KEY OWASP Leaders last week talking to me about Mike's behaviour and
>> how worried they are about how things were being done. My view is that we
>> need to calm him down, or remove him, since his current attitude to OWASP is
>> not healthy at all.
>>
>>
>>
>> For example, part of the reason for the low voting is most likely directly
>> related to how low 'street-cred' Mike has in OWASP (can you find one or more
>> OWASP Leaders that can recommend him?). I will not comment (for now) on what
>> is happening on the other projects that Mike is involved, but on this case
>> (the OWASP Commercial Services) he is way out of line and needs to
>> be controlled.
>>
>>
>>
>> Tom or Jeff, if Mike listens to you guys, you need to talk to him, since he
>> is clearly too pissed off with me to realize that I am actually trying to help
>> him (both personally and professionally).
>>
>>
>>
>> And btw, I did try to call Jeff and Tom but couldn't get through (I've
>> already spoken to Eoin and Matt  last week and need to follow up on Seba &
>> Dave).
>>
>>
>>
>> I'm happy to talk about this anytime so please either call me or let me
>> know when it is a good time to talk.
>>
>>
>>
>> I will again ask that you read my email with the proposed model for the
>> 'OWASP Commercial Services' and chip in with your comments.
>>
>>
>> Dinis Cruz
>>
>>
>>
>> On 31 May 2010 23:26, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>
>> I am a bit confused. This was approved by the board and Jeff agreed to
>> work with Mike on this effort.  Mike has been giving cycles to owasp working
>> with both Dave and Jeff on this effort.
>>
>>
>>
>> The recent email vote was very poor, 39 people voted - terrible.  We need to
>> have a paid owasp member list and call that owasp-leaders (topic for another
>> meeting) if we are going to use voting to override ethics and principles.
>>
>>
>>
>> Dinis, have you spoken to either Jeff/Dave on this topic on the phone for
>> clarification? This is not going to be cleared up during a 60 min board
>> call, so it would be ideal if you could make that happen.
>>
>>
>>
>> I did get a call from Mike with a WTF - he is giving cycles but feels like
>> he is being kicked in the balls by you.  We could put you and him at
>> blackhat at a bar/gokart/ring and let you two work it out... However it
>> appears that this is not a one-to-one issue.
>>
>>
>>
>>
>> On May 31, 2010, at 4:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>  Nice, really nice :(
>>
>>
>>
>> Mike is really starting to be a problem guys, I'm sorry to say but this
>> last one (see email below) is very below the belt.
>>
>>
>>
>> I'm trying hard to be fair with this guy, but am really losing my patience
>> here.
>>
>>
>>
>> Please take into account that I DID call him up today, explained to him my
>> 'updated' model and mentioned that I was going to present the model to the
>> OWASP board.
>>
>>
>> Dinis Cruz
>>
>> ---------- Forwarded message ----------
>> From: *Mike Boberski* <mike.boberski at gmail.com>
>> Date: 31 May 2010 21:02
>> Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks to the services
>> registry
>> To: owasp-leaders at lists.owasp.org
>>
>>
>> Dear Colleagues,
>>
>>
>>
>> The results of the survey are in! Thank you for taking the time.
>>
>>
>>
>> It was a toss-up on the question of whether to include descriptions of
>> approaches to performing a given service. So, the requirement has been
>> removed for now, we can always revisit this and other items later on.
>>
>>
>>
>> It was not a toss-up on the name change, there was an overwhelming
>> response to leave it named "commercial services". So, the name stays for
>> now, we can always revisit this and other items later on.
>>
>>
>>
>> Please do forward any additional suggestions for improvement. I think this
>> approach worked well, batching them up and creating a survey, to gather
>> community inputs.
>>
>>
>>
>> To be listed in the OWASP Commercial Services Registry, contact Kate
>> Hartmann <http://www.owasp.org/index.php/Contact>.
>>
>>
>>
>> Best,
>>
>>
>> Mike
>>
>>   On Mon, May 24, 2010 at 1:09 PM, Boberski, Michael [USA] <
>> boberski_michael at bah.com> wrote:
>>
>>   Dear Colleagues,
>>
>>
>>
>> As you know, I have been working on the OWASP commercial services
>> registry/commercial services board.
>>
>>
>>
>> We’re basically shooting for a phone book that’s sorted according to some
>> OWASP artifacts as they are currently categorized, to try to nudge the
>> planet along in adoption of them, to get consumers of services of those
>> types to ask for them, by making it easy to find such service providers.
>>
>>
>>
>> Towards the end of continuing its development, there is a next set of
>> proposed updates that we would like your opinion on. A survey has been set up
>> here: http://www.surveymonkey.com/s/9JDN98P  If you can spare a few
>> minutes to provide your input, it would be appreciated. The cutoff date is
>> the end of the week.
>>
>>
>>
>> Best,
>>
>>
>>
>> Mike B.
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>  _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary