[Owasp-board] Board, please take the two issues raised seriously and spend the time

dinis cruz dinis.cruz at owasp.org
Wed Jun 2 12:05:59 UTC 2010

Sorry to be blunt on this one, BUT you guys really need to focus on
the two issues we have at hand here (OWASP Commercial Services and
Mike B)

I have spent quite a lot of time coming up with a working model for
the OWASP Commercial Services and I don't feel that you are grasping
the importance of what I have delivered.

We spend a lot of time as the OWASP Board dealing with minor issues in
which the lack of focus and time to spend on an issue are not that
important (as long as there is a board member focused on it)

BUT this time is different. If there is a reason why you are in the
board of OWASP is to make decisions like this, and if there is a
reason why we are here and have (so far) the trust of the community is
because we are seen as good guardians of OWASP.

Of course that it is not easy to take a stand! it is easier to ignore
or treat it as a minor problem.

Unfortunately it takes time to understand the issues and really get a
grip on what is going on.

On issues like these, where we go to the heart of what OWASP is, and
how it operates, we have to have a strong grip on the events and have
a decisive voice.

Ultimately, it is us who have to make decisions and it is us who will
be judged by the community!

And if you don't have the time / balls to be involved, or the time to
ANSWER the solutions proposed (with focused comments), then you need
to evaluate if you can be on the OWASP Board!

DON'T underestimate the negative effects that Mike's actions are
having at OWASP and don't underestimate the power (for good and bad)
of the OWASP Commercial Services model.

My view is that we as OWASP need to sort out this commercial model
since it is really starting to be a problem for OWASP's growth and
credibility (I also like that solving it will push us to deal with
other key problems like the 'Commercial attribution of Projects
sponsorships', the 'Project sponsorship model' and a proper definition
'what is an active OWASP Leader and what benefits+responsibilities
should he/she have')

Of course that I am not a biased party here. I have spent the last 5
months self funding the OWASP O2 Platform development and am now in a
position where I (and O2) need to be supported by 'compatible to
OWASP' business models (that will continue funding its development and
wide use at OWASP and AppSec Communities)

Jeff, I have mentioned before that both of us (you with ESAPI and me
with O2) are in a position to use the projects we lead to solve a big
number of structural problems that OWASP has today. I know you are
very busy with your other day work, so I've made the personal
commitment to align myself professionally with OWASP (via O2), and I do
look forward to the moment where you can do the same for ESAPI.

As board members the next steps for you are:

1) read the proposed model I sent for the OWASP Commercial Services
(the original email still stands since I want to know what you think
of all of it)

2) take a stand on Mike's behaviour.

Sorry again for being hard on this issue, but these are important
matters and OWASP needs you to focus.


Dinis Cruz
