[Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next tweaks to the services registry

Kate Hartmann kate.hartmann at owasp.org
Wed Jun 2 13:50:38 UTC 2010

It seems to me that any inquiry requested should be addressed to the best of
our ability.  Everything we do should be reflected in our ethics and
principles.  I am able to serve as a moderator if necessary.

Based on Dinis' comments, it appears as if the concerns regarding Mike's
behavior within the community are actually not coming from Dinis himself,
but from members of the community - other chapter leaders with Dinis serving
as the conduit to the board.  Perhaps we need to focus on the
complaints/concerns from the other chapter leaders so, similarly to Brazil,
it is a peer-to-peer inquiry.

Code of Ethics

Perform all professional activities and duties in accordance with all
applicable laws and the highest ethical principles; 
Promote the implementation of and promote compliance with standards,
procedures, controls for application security; 
Maintain appropriate confidentiality of proprietary or otherwise sensitive
information encountered in the course of professional activities; 
Discharge professional responsibilities with diligence and honesty; 
Refrain from any activities which might constitute a conflict of interest or
otherwise damage the reputation of employers, the information security
profession, or the Association; and 
Not intentionally injure or impugn the professional reputation or practice
of colleagues, clients, or employers.


Free & Open 
Governed by rough consensus & running code 
Abide by a code of ethics (see ethics) 
Not driven by commercial interests 
Risk-based approach

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD  21046

kate.hartmann at owasp.org
Skype:  kate.hartmann1 

-----Original Message-----
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
Sent: Tuesday, June 01, 2010 11:41 AM
To: owasp-board at lists.owasp.org
Subject: Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next
tweaks to the services registry

I'd consider an OWASP inquiry the 'nuclear' option and only use that 
when absolutely necessary.

Also, in this specific case, there are several board members directly 
involved which makes it very different from Brazil (two community 
members).  Getting an impartial group to, potentially, contradict the 
board has several negatives I'd like to avoid (like the perception of 
the board domineering the community, inability of the group to be 
partial since they might contradict board members, fears of reprisals, 
etc).  I personally don't think any of this would happen but with 
perceptions, what happens and what people ~feel~ happened are usually 
two very different things.

I say have both proposals reviewed by the board then see what happens.

-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On 6/1/10 6:30 AM, dinis cruz wrote:
> I just had a chat with Seba, and we came up with the idea that we should
> open another 'OWASP inquiry' for Mike's actions and leadership. This
> should be executed in the same format we used for the issue we had with
> the Brazilian conference last year.
> Matt (like before), this looks like a perfect fit for you, what do you think?
> Dinis
> Sent from my iPad
> On 1 Jun 2010, at 10:12, Eoin <eoin.keary at owasp.org> wrote:
>> Board we need more joined-up thinking here please?!!  Can we agree or
>> get a majority / disagree on if we want this registry? *- please
>> I believe the rules Dinis, Matteo and I discussed in London on Friday
>> would suit if this is to go ahead.
>> Mike seems like a real active guy, has great ideas but also a touch of
>> an autocrat/dictator in him. He takes direction poorly and it seems
>> sometimes he is driving the projects to suit his own agenda. I believe
>> on projects such as ASVS and the Dev guide there should be a
>> leadership board, like what SAMM has for which I am a member.
>> Dinis, what do you mean by "handling" Mike? Let's not be too
>> "knee-jerk" here.
>> Mise Le Meas,
>> Eoin
>> On 1 June 2010 09:35, dinis cruz <dinis.cruz at owasp.org> wrote:
>>     I'm glad that Jeff confirms my worries about Mike and that he
>>     confirms (what I was also under the impression) that neither he
>>     nor Dave were working on this issue with Mike (in fact the one that
>>     has been mainly 'working on this' with Mike for the past weeks has
>>     been me).
>>     We have two issues to handle here, and we have to treat them
>>     separately (or we will be 'throwing the baby out with the bath water')
>>     *Issue 1: Mike* (and how to handle his latest moves and his
>>     current OWASP leadership status)
>>     *Issue 2: OWASP Commercial Services *(If you follow the email
>>     threads, I think you will see that I (at least) have been involved
>>     in 'trying' to steer the discussion to a place that makes sense to
>>     OWASP, and have in several moments made clear that Mike's view is
>>     now ours. That said, I think we are almost there, and if you look
>>     at the email I sent earlier yesterday with the revised proposal
>>     for how it should work, you will see a working model that can work
>>     organically)
>>     Let's deal with them in turn and send a clear message to our
>>     community on where we stand.
>>     I'm around all day today, so ping me when you want to talk about this
>>     Dinis Cruz
>>     Blog: http://diniscruz.blogspot.com
>>     Twitter: http://twitter.com/DinisCruz
>>     Web: http://www.owasp.org/index.php/O2
>>     On 1 June 2010 04:57, Jeff Williams <jeff.williams at owasp.org> wrote:
>>         Sorry guys - I was in the country out of cell range all weekend.
>>         First, I think this whole registry idea is dumb and a big
>>         waste of time.  I tried to kill it by opening it up to the
>>         board and leaders before it happened, and didn't get much
>>         reaction.  Now we have to clean it up or kill it.  I'm
>>         sympathetic to Dinis' point that the commercial companies are
>>         a part of the community.  But I'm frankly not sure we've got
>>         the ability to engage with them more deeply without confusing
>>         everyone. Right now our message is clear and attractive.  No
>>         commercial stuff at OWASP. Muddying that up is probably a
>>         Anyway, neither Dave nor I have been working closely with Mike
>>         on this.  When Mike bugs me enough, I do give him some advice.
>>         Here's a recent message.
>>         Mike,
>>         This is a hard message for me. I don't like to interfere in
>>         the normal operation of the community because generally these
>>         things are self-correcting.  But I consider you a friend and I
>>         need to let you know that some of your messages are not
>>         helping OWASP, your employer, or you.
>>         The people in the OWASP community are volunteers, generally
>>         very smart, and know a lot about application security. There's
>>         a reason why they're discussing this - it's important.  And as
>>         much as you might not like the idea, there's really not a big
>>         gulf between the OWASP T10, WASC, SANS T25, and ASVS.  The
>>         best thing possible for ASVS would be for it to be what you
>>         turn to when you're ready to actually meet the OWASP T10.
>>         If I were you, I'd send an apology for this message and
>>         encourage discussion of all aspects of ASVS, including how it
>>         relates to the other docs and standards in our field. You're
>>         not going to change the status quo by insulting smart
>>         volunteers that are the only prayer for ASVS getting mindshare.
>>         I also have to tell you that I find many of your posts on the
>>         OWASP list almost impossible to decipher. I've resisted giving
>>         you feedback because I don't want you to feel like I'm grading
>>         you - I'm not. I'm trying to help you be more effective in
>>         accomplishing the goals of your projects.  I encourage you to
>>         reread the messages before you send them to make sure that
>>         anyone reading them will be able to figure out what you're
>>         talking about.
>>         I hope you take this in the constructive manner intended. I
>>         absolutely appreciate all the effort you've put into OWASP
>>         over the past few years.  If you'd like further clarification
>>         or if there's anything I can do to help, please don't hesitate
>>         to let me know.
>>         Thanks,
>>         --Jeff
>>         I think we do need to be careful about how we handle Mike.  We
>>         always say at OWASP if you don't like something you can just
>>         do it yourself.  Well, here's a good case when it didn't work
>>         out.  If we're going to operate that way, I think we have an
>>         obligation to get in front of things that are going the wrong
>>         direction and let the volunteers know that we're not behind
>>         the project.  I think in this case we sent a muddy mixed message.
>>         --Jeff
>>         *From:* owasp-board-bounces at lists.owasp.org
>>         [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of
>>         *Tom Brennan
>>         *Sent:* Monday, May 31, 2010 7:26 PM
>>         *To:* dinis cruz
>>         *Cc:* OWASP Foundation Board List
>>         *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two
>>         proposed next tweaks to the services registry
>>         Mike made claim tonight when he called me that he has been
>>         working very very closely with Dave and Jeff on this project -
>>         so either a. that is false, b. this is true (hence my
>>         suggestion to call them)
>>         Personally, as I expressed on the last board call, OWASP
>>         Commercial Services should be OWASP Community Services if a
>>         registry/phone book was the goal and I liked
>>         ;)
>>         Will try to skype you tomorrow wrapping up the holiday here in
>>         the USA then headed to OWASP Denver FROC so will talk with
>>         David Campbell and then to OWASP Mexico for chats with Juan
>>         so by the time we get to OWASP Sweden should have lots of
>>         points of view on this one.
>>         On May 31, 2010, at 7:13 PM, dinis cruz wrote:
>>         Tom, *what we agreed was that we were going to try to figure
>>         out the model to get this done. *In following
>>         threads/developments it was (sort of) established that two
>>         Board members (me and Eoin) would be directly involved in this
>>         (since Jeff and Dave didn't have a lot of cycles to be involved).
>>         Since I did speak with Mike before I sent you my last email
>>         with the proposed plan, the least he should have done is
>>         waited for the follow up conversation and not have sent that
>>         email to the leaders list.
>>         I know Mike is putting a lot of energy into OWASP, but he is
>>         also generating a LOT of negative energy with his actions, for
>>         example I had several KEY OWASP Leaders last week talking to
>>         me about Mike's behaviour and how worried they are about how
>>         things were being done. My view is that we need to calm him
>>         down, or remove him since his current attitude to OWASP is
>>         not healthy at all
>>         For example, part of the reason for the low voting is most
>>         likely directly related to how low 'street-cred' Mike has in
>>         OWASP (can you find one or more OWASP Leaders that
>>         can recommend him?). I will not comment (for now) on what is
>>         happening on the other projects that Mike is involved in, but on
>>         this case (the OWASP Commercial Services) he is way out of
>>         line and needs to be controlled.
>>         Tom or Jeff, if Mike listens to you guys, you need to talk to
>>         him, since he is clearly too pissed off with me to realize that
>>         I am actually trying to help him (both personally and
>>         professionally)
>>         And btw, I did try to call Jeff and Tom but couldn't get
>>         through (I've already spoken to Eoin and Matt  last week and
>>         need to follow up on Seba & Dave).
>>         I'm happy to talk about this anytime so please either call me
>>         or let me know when it is a good time to talk.
>>         I will again ask that you read my email with the proposed
>>         model for the 'OWASP Commercial Services' and chip in with your
>>         comments.
>>         Dinis Cruz
>>         On 31 May 2010 23:26, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>         I am a bit confused. This was approved by the board and Jeff
>>         agreed to work with Mike on this effort.  Mike has been giving
>>         cycles to owasp working with both Dave and Jeff on this effort.
>>         The recent email vote was very poor, 39 people voted - terrible.
>>          We need to have a paid owasp member list and call that
>>         owasp-leaders (topic for another meeting) if we are going to
>>         use voting to override ethics and principles.
>>         Dinis, have you spoken to either Jeff/Dave on this topic on
>>         the phone for clarification? This is not going to be cleared
>>         up during a 60 min board call so would be ideal if you could
>>         make that happen.
>>         I did get a call from Mike with a WTF - he is giving cycles
>>         but feels like he is being kicked in the balls by you.  We
>>         could put you and him at blackhat at a bar/gokart/ring and let
>>         you work it out... However it appears that this is not a
>>         one-to-one issue.
>>         On May 31, 2010, at 4:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>             Nice, really nice :(
>>             Mike is really starting to be a problem guys, I'm sorry to
>>             say but this last one (see email below) is very below the
>>             belt.
>>             I'm trying hard to be fair with this guy, but am really
>>             losing my patience here.
>>             Please take into account that I DID call him up today,
>>             explained my 'updated' model to him and mentioned that I was
>>             going to present the model to the OWASP board.
>>             Dinis Cruz
>>             ---------- Forwarded message ----------
>>             From: *Mike Boberski* <mike.boberski at gmail.com>
>>             Date: 31 May 2010 21:02
>>             Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks
>>             to the services registry
>>             To: owasp-leaders at lists.owasp.org
>>             Dear Colleagues,
>>             The results of the survey are in! Thank you for taking the
>>             time.
>>             It was a toss-up on the question of whether to include
>>             descriptions of approaches to performing a given service.
>>             So, the requirement has been removed for now; we can
>>             always revisit this and other items later on.
>>             It was not a toss-up on the name change, there was an
>>             overwhelming response to leave it named "commercial
>>             services". So, the name stays for now; we can always
>>             revisit this and other items later on.
>>             Please do forward any additional suggestions for
>>             improvement. I think this approach worked well, batching
>>             them up and creating a survey, to gather community inputs.
>>             To be listed in the OWASP Commercial Services Registry,
>>             contact Kate Hartmann
>>             <http://www.owasp.org/index.php/Contact>.
>>             Best,
>>             Mike
>>             On Mon, May 24, 2010 at 1:09 PM, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
>>                 Dear Colleagues,
>>                 As you know, I have been working on the OWASP
>>                 commercial services registry/commercial services board.
>>                 We're basically shooting for a phone book that's
>>                 sorted according to some OWASP artifacts as they are
>>                 currently categorized, to try to nudge the planet
>>                 along in adoption of them, to get consumers of
>>                 services of those types to ask for them, by making it
>>                 easy to find such service providers.
>>                 Towards the end of continuing its development, there
>>                 is a next set of proposed updates that we would like
>>                 your opinion on. A survey has been set up here:
>>                 If you can spare a few minutes to provide your input,
>>                 it would be appreciated. The cutoff date is the end of
>>                 the week.
>>                 Best,
>>                 Mike B.
>>                 _______________________________________________
>>                 OWASP-Leaders mailing list
>>                 OWASP-Leaders at lists.owasp.org
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>> http://asg.ie/
>> https://twitter.com/EoinKeary
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
