[Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next tweaks to the services registry
Eoin
eoin.keary at owasp.org
Thu Jun 3 09:50:16 UTC 2010
Re Google Docs for my owasp.org address, how do I reset my password?
I have been trying to do this for months; it says "please contact admin",
so who is admin?
Eoin
On 3 June 2010 10:24, dinis cruz <dinis.cruz at owasp.org> wrote:
> Thanks Jeff (it was good to sync up our ideas yesterday)
>
> Jeff, can you add your views to Eoin's document with the guidelines?
>
> In fact, Kate, can you make that document a google doc and share it with
> the board? Thanks
>
> Dinis
>
> On 3 Jun 2010, at 04:59, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> > 2. Re Commercial services can we please have a Final proposed article
> discussing the purpose/objective, pros/cons to OWASP and governance model.
> Once this is done we again can all have a discussion re its merit.
>
>
>
> I’m going to try to write something up that summarizes OWASP’s interest in
> this, the competing approaches, and (hopefully) some decision guidelines for
> proceeding with this. Hopefully tomorrow.
>
>
>
> --Jeff
>
>
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Eoin
> *Sent:* Wednesday, June 02, 2010 10:13 AM
> *To:* Kate Hartmann
> *Cc:* owasp-board at lists.owasp.org
> *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed
> next tweaks to the services registry
>
>
>
> Kate,
>
>
>
> 1. Can you please bullet Mike B's misdemeanors so we are all on the
> same page and don't misunderstand the issue.
>
> Where has he violated the OWASP Code of Ethics etc. At this point we can
> discuss this in a rational manner.
>
>
>
> 2. Re Commercial services can we please have a Final proposed article
> discussing the purpose/objective, pros/cons to OWASP and governance model.
>
> Once this is done we again can all have a discussion re its merit.
>
>
>
> (I hope this email is not ignored by the board and is acted on.)
>
>
>
>
>
> -ek
>
>
>
>
>
> On 2 June 2010 14:50, Kate Hartmann <kate.hartmann at owasp.org> wrote:
>
> It seems to me that any inquiry requested should be addressed to the best
> of
> our ability. Everything we do should be reflected in our ethics and
> principles. I am able to serve as a moderator if necessary.
>
> Based on Dinis' comments, it appears as if the concerns regarding Mike's
> behavior within the community are actually not coming from Dinis himself,
> but from members of the community - other chapter leaders with Dinis
> serving
> as the conduit to the board. Perhaps we need to focus on the
> complaints/concerns from the other chapter leaders so, similarly to Brazil,
> it is a peer to peer inquiry.
>
> Code of Ethics
>
> Perform all professional activities and duties in accordance with all
> applicable laws and the highest ethical principles;
> Promote the implementation of and promote compliance with standards,
> procedures, controls for application security;
> Maintain appropriate confidentiality of proprietary or otherwise sensitive
> information encountered in the course of professional activities;
> Discharge professional responsibilities with diligence and honesty;
> Refrain from any activities which might constitute a conflict of interest
> or
> otherwise damage the reputation of employers, the information security
> profession, or the Association; and
> Not intentionally injure or impugn the professional reputation or practice
> of colleagues, clients, or employers.
>
> Principles
>
> Free & Open
> Governed by rough consensus & running code
> Abide by a code of ethics (see ethics)
> Not-for-profit
> Not driven by commercial interests
> Risk based approach
>
> Kate Hartmann
> OWASP Operations Director
> 9175 Guilford Road
> Suite 300
> Columbia, MD 21046
>
> 301-275-9403
> kate.hartmann at owasp.org
> Skype: kate.hartmann1
>
>
>
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
> Sent: Tuesday, June 01, 2010 11:41 AM
> To: owasp-board at lists.owasp.org
> Subject: Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next
> tweaks to the services registry
>
> I'd consider an OWASP inquiry the 'nuclear' option and only use that
> when absolutely necessary.
>
> Also, in this specific case, there are several board members directly
> involved which makes it very different from Brazil (two community
> members). Getting an impartial group to, potentially, contradict the
> board has several negatives I'd like to avoid (like the perception of
> the board domineering the community, inability of the group to be
> partial since they might contradict board members, fears of reprisals,
> etc). I personally don't think any of this would happen but with
> perceptions, what happens and what people ~feel~ happened are usually
> two very different things.
>
> I say have both proposals reviewed by the board then see what happens.
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
> On 6/1/10 6:30 AM, dinis cruz wrote:
> > I just had a chat with Seba, and we came up with the idea that we should
> > open another 'OWASP inquiry' for Mike's actions and leadership. This
> > should be executed in the same format we used for the issue we had with
> > the Brazilian conference last year
> >
> > Matt (like before), this looks like a perfect fit for you, what do you think?
> >
> > Dinis
> >
> > Sent from my iPad
> >
> > On 1 Jun 2010, at 10:12, Eoin <eoin.keary at owasp.org> wrote:
> >
> >> Board we need more joined-up thinking here please?!! Can we agree or
> >> get a majority / disagree on if we want this registry? *- please
> respond*
> >> I believe the rules Dinis, Matteo and I discussed in London on Friday
> >> would suit if this is to go ahead.
> >> Mike seems like a real active guy, has great ideas but also a touch of
> >> an autocrat/dictator in him. He takes direction poorly and it seems
> >> sometimes he is driving the projects to suit his own agenda. I believe
> >> on projects such as ASVS and the Dev guide there should be a
> >> leadership board, like what SAMM has, for which I am a member.
> >> Dinis, what do you mean by "handling" Mike? Let's not be too
> >> "knee-jerk" here.
> >> Mise Le Meas,
> >> Eoin
> >>
> >>
> >> On 1 June 2010 09:35, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>
> >> I'm glad that Jeff confirms my worries about Mike and that he
> >> confirms (what I was also under the impression) that neither him
> >> or Dave were working on this issue with Mike (in fact the one that
> >> has been mainly 'working on this' with Mike for the past weeks has
> >> been me).
> >>
> >> We have two issues to handle here, and we have to thread them
> >> separately (or we will be 'throwing the baby with the bath water')
> >>
> >> *Issue 1: Mike* (and how to handle his latest moves and his
> >> current OWASP leadership status)
> >>
> >> *Issue 2: OWASP Commercial Services *(If you follow the email
> >> threads, I think you will see that I (at least) have been involved
> >> in 'trying' to steer the discussion to a place that makes sense to
> >> OWASP, and have in several moments made clear that Mike's view is
> >> now ours. That said, I think we are almost there, and if you look
> >> at the email I sent earlier yesterday with the revised proposal
> >> for how it should work, you will see a working model that can work
> >> organically)
> >> Lets deal with them in turn and send a clear message to our
> >> community on where we stand.
> >>
> >> I'm around all day today, so ping me when you want to talk about
> this
> >>
> >> Dinis Cruz
> >>
> >> Blog: http://diniscruz.blogspot.com
> >> Twitter: http://twitter.com/DinisCruz
> >> Web: http://www.owasp.org/index.php/O2
> >>
> >>
> >>
> >> On 1 June 2010 04:57, Jeff Williams <jeff.williams at owasp.org> wrote:
> >>
> >> Sorry guys - I was in the country out of cell range all weekend.
> >>
> >> First, I think this whole registry idea is dumb and a big
> >> waste of time. I tried to kill it by opening it up to the
> >> board and leaders before it happened, and didn't get much
> >> reaction. Now we have to clean it up or kill it. I'm
> >> sympathetic to Dinis' point that the commercial companies are
> >> a part of the community. But I'm frankly not sure we've got
> >> the ability to engage with them more deeply without confusing
> >> everyone. Right now our message is clear and attractive. No
> >> commercial stuff at OWASP. Muddying that up is probably a
> mistake.
> >>
> >> Anyway, neither Dave nor I have been working closely with Mike
> >> on this. When Mike bugs me enough, I do give him some advice.
> >> Here's a recent message.
> >>
> >> Mike,
> >>
> >> This is a hard message for me. I don't like to interfere in
> >> the normal operation of the community because generally these
> >> things are self-correcting. But I consider you a friend and I
> >> need to let you know that some of your messages are not
> >> helping OWASP, your employer, or you.
> >>
> >> The people in the OWASP community are volunteers, generally
> >> very smart, and know a lot about application security. There's
> >> a reason why they're discussing this - it's important. And as
> >> much as you might not like the idea, there's really not a big
> >> gulf between the OWASP T10, WASC, SANS T25, and ASVS. The
> >> best thing possible for ASVS would be for it to be what you
> >> turn to when you're ready to actually meet the OWASP T10.
> >>
> >> If I were you, I'd send an apology for this message and
> >> encourage discussion of all aspects of ASVS, including how it
> >> relates to the other docs and standards in our field. You're
> >> not going to change the status quo by insulting smart
> >> volunteers that are the only prayer for ASVS getting mindshare.
> >>
> >> I also have to tell you that I find many of your posts on the
> >> OWASP list almost impossible to decipher. I've resisted giving
> >> you feedback because I don't want you to feel like I'm grading
> >> you - I'm not. I'm trying to help you be more effective in
> >> accomplishing the goals of your projects. I encourage you to
> >> reread the messages before you send them to make sure that
> >> anyone reading them will be able to figure out what you're
> >> talking about.
> >>
> >> I hope you take this in the constructive manner intended. I
> >> absolutely appreciate all the effort you've put into OWASP
> >> over the past few years. If you'd like further clarification
> >> or if there's anything I can do to help, please don't hesitate
> >> to let me know.
> >>
> >> Thanks,
> >>
> >> --Jeff
> >>
> >> I think we do need to be careful about how we handle Mike. We
> >> always say at OWASP if you don't like something you can just
> >> do it yourself. Well, here's a good case when it didn't work
> >> out. If we're going to operate that way, I think we have an
> >> obligation to get in front of things that are going the wrong
> >> direction and let the volunteers know that we're not behind
> >> the project. I think in this case we sent a muddy mixed
> message.
> >>
> >> --Jeff
> >>
> >> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> >> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Tom Brennan
> >> *Sent:* Monday, May 31, 2010 7:26 PM
> >> *To:* dinis cruz
> >> *Cc:* OWASP Foundation Board List
> >> *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two
> >> proposed next tweaks to the services registry
> >>
> >> Mike made claim tonight when he called me that he has been
> >> working very very closely with Dave and Jeff on this project -
> >> so either a. that is false, b. this is true (hence my
> >> suggestion to call them)
> >>
> >> Personally as i expressed on the last board call OWASP
> >> Commercial Services should be OWASP Community Services if a
> >> registry/phone book was the goal and I liked
> >>
> >> http://www.securityscoreboard.com/reviews/tag/productsoffered/webapplicationsecurity
>
> >> ;)
> >>
> >> Will try to skype you tomorrow wrapping up the holiday here in
> >> the USA then headed to OWASP Denver FROC so will talk with
> >> David Campbell and then to OWASP Mexico for chats with Juan
> >> so by the time we get to OWASP Sweden should have lots of
> >> points of view on this one.
> >>
> >> On May 31, 2010, at 7:13 PM, dinis cruz wrote:
> >>
> >>
> >>
> >> Tom, *what we agreed was that we were going to try to figure
> >> out the model to get this done. *In following
> >> threads/developments it was (sort of) established that two
> >> Board members (me and Eoin) would be directly involved in this
> >> (since Jeff and Dave didn't have a lot of cycles to be involved).
> >>
> >> Since I did speak with Mike before I sent you my last email
> >> with the proposed plan, the least he should have done is
> >> waited for the follow up conversation and not have sent that
> >> email to the leaders list.
> >>
> >> I know Mike is putting a lot of energy into OWASP, but he is
> >> also generating a LOT of negative energy with his actions, for
> >> example I had several KEY OWASP Leaders last week talking to
> >> me about Mike's behaviour and how worried they are about how
> >> things were being done. My view is that we need to calm him
> >> down, or remove him since his current attitude to OWASP is
> >> not healthy at all
> >>
> >> For example, part of the reason for the low voting is most
> >> likely directly related to how low 'street-cred' Mike has in
> >> OWASP (can you find one or more OWASP Leaders that
> >> can recommend him?). I will not comment (for now) on what is
> >> happening on the other projects that Mike is involved, but on
> >> this case (the OWASP Commercial Services) he is way out of
> >> line and needs to be controlled.
> >>
> >> Tom or Jeff, if Mike listens to you guys, you need to talk to
> >> him, since he is clearly too pissed off with me to realize that
> >> I am actually trying to help him (both personally and
> >> professionally)
> >>
> >> And btw, I did try to call Jeff and Tom but couldn't get
> >> through (I've already spoken to Eoin and Matt last week and
> >> need to follow up on Seba & Dave).
> >>
> >> I'm happy to talk about this anytime so please either call me
> >> or let me know when it is a good time to talk.
> >>
> >> I will again ask that you read my email with the proposed
> >> model for the 'OWASP Commercial Services' and chip in with your
> >> comments.
> >>
> >>
> >> Dinis Cruz
> >>
> >> On 31 May 2010 23:26, Tom Brennan - OWASP <tomb at owasp.org>
> >> wrote:
> >>
> >> I am a bit confused. This was approved by the board and Jeff
> >> agreed to work with Mike on this effort. Mike has been giving
> >> cycles to owasp working with both Dave and Jeff on this effort.
> >>
> >> The recent email vote was very poor, 39 people voted - terrible.
> >> We need to have a paid owasp member list and call that
> >> owasp-leaders (topic for another meeting) if we are going to
> >> use voting to override ethics and principles.
> >>
> >> Dinis, have you spoken to either Jeff/Dave on this topic on
> >> the phone for clarification? This is not going to be cleared
> >> up during a 60 min board call so would be ideal if you could
> >> make that happen.
> >>
> >> I did get a call from Mike with a WTF - he is giving cycles
> >> but feels like he is being kicked in the balls by you. We
> >> could put you and him at blackhat at a bar/gokart/ring and let
> >> you work it out... However it appears that this is not a
> >> one-to-one issue.
> >>
> >>
> >> On May 31, 2010, at 4:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>
> >> Nice, really nice :(
> >>
> >> Mike is really starting to be a problem guys, I'm sorry to
> >> say but this last one (see email below) is very below the
> >> belt.
> >>
> >> I'm trying hard to be fair with this guy, but am really
> >> losing my patience here.
> >>
> >> Please take into account that I DID call him up today,
> >> explained my 'updated' model to him and mentioned that I was
> >> going to present the model to the OWASP board.
> >>
> >>
> >> Dinis Cruz
> >>
> >> ---------- Forwarded message ----------
> >> From: *Mike Boberski* <mike.boberski at gmail.com>
> >> Date: 31 May 2010 21:02
> >> Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks
> >> to the services registry
> >> To: owasp-leaders at lists.owasp.org
> >>
> >>
> >> Dear Colleagues,
> >>
> >> The results of the survey are in! Thank you for taking the
> >> time.
> >>
> >> It was a toss-up on the question of whether to include
> >> descriptions of approaches to performing a given service.
> >> So, the requirement has been removed for now, we can
> >> always revisit this and other items later on.
> >>
> >> It was not a toss-up on the name change, there was an
> >> overwhelming response to leave it named "commercial
> >> services". So, the name stays for now, we can always
> >> revisit this and other items later on.
> >>
> >> Please do forward any additional suggestions for
> >> improvement. I think this approach worked well, batching
> >> them up and creating a survey, to gather community inputs.
> >>
> >> To be listed in the OWASP Commercial Services Registry,
> >> contact Kate Hartmann
> >> <http://www.owasp.org/index.php/Contact>.
> >>
> >> Best,
> >>
> >>
> >> Mike
> >>
> >> On Mon, May 24, 2010 at 1:09 PM, Boberski, Michael [USA]
> >> <boberski_michael at bah.com> wrote:
> >>
> >> Dear Colleagues,
> >>
> >> As you know, I have been working on the OWASP
> >> commercial services registry/commercial services board.
> >>
> >> We're basically shooting for a phone book that's
> >> sorted according to some OWASP artifacts as they are
> >> currently categorized, to try to nudge the planet
> >> along in adoption of them, to get consumers of
> >> services of those types to ask for them, by making it
> >> easy to find such service providers.
> >>
> >> Towards the end of continuing its development, there
> >> are a next set of proposed updates that we would like
> >> your opinion on. A survey has been setup here:
> >>
> >> http://www.surveymonkey.com/s/9JDN98P
> >> If you can spare a few minutes to provide your input,
> >> it would be appreciated. The cutoff date is the end of
> >> the week.
> >>
> >> Best,
> >>
> >> Mike B.
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >>
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Eoin Keary
> >> OWASP Global Board Member
> >> OWASP Code Review Guide Lead Author
> >>
> >> http://asg.ie/
> >> https://twitter.com/EoinKeary
> >
> >
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>
>
--
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author
Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary