[Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next tweaks to the services registry

Eoin eoin.keary at owasp.org
Thu Jun 3 09:50:16 UTC 2010


Re Google Docs on my owasp.org address: how do I reset my password?
I have been trying to do this for months; it says "please contact admin",
so who is admin?

Eoin

On 3 June 2010 10:24, dinis cruz <dinis.cruz at owasp.org> wrote:

>  Thanks Jeff (it was good to sync up our ideas yesterday)
>
> Jeff, can you add your views to Eoin's document with the guidelines?
>
> In fact, Kate, can you make that document a google doc and share it with
> the board? Thanks
>
> Dinis
>
> On 3 Jun 2010, at 04:59, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>   > 2. Re Commercial services can we please have a Final proposed article
> discussing the purpose/objective, pros/cons to OWASP and governance model.
> Once this is done we again can all have a discussion re its merit.
>
>
>
> I'm going to try to write something up that summarizes OWASP's interest in
> this, the competing approaches, and (hopefully) some decision guidelines for
> proceeding with this. Hopefully tomorrow.
>
>
>
> --Jeff
>
>
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Eoin
> *Sent:* Wednesday, June 02, 2010 10:13 AM
> *To:* Kate Hartmann
> *Cc:* owasp-board at lists.owasp.org
> *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed
> next tweaks to the services registry
>
>
>
> Kate,
>
>
>
> 1. Can you please bullet Mike B's misdemeanors so we are all on the
> same page and don't misunderstand the issue.
>
> Where has he violated the OWASP Code of Ethics etc.? At this point we can
> discuss this in a rational manner.
>
>
>
> 2. Re Commercial services can we please have a Final proposed article
> discussing the purpose/objective, pros/cons to OWASP and governance model.
>
> Once this is done we again can all have a discussion re its merit.
>
>
>
> (I hope this email is not ignored by the board and is acted on.)
>
>
>
>
>
> -ek
>
>
>
>
>
> On 2 June 2010 14:50, Kate Hartmann <kate.hartmann at owasp.org> wrote:
>
> It seems to me that any inquiry requested should be addressed to the best
> of
> our ability.  Everything we do should be reflected in our ethics and
> principles.  I am able to serve as a moderator if necessary.
>
> Based on Dinis' comments, it appears as if the concerns regarding Mike's
> behavior within the community are actually not coming from Dinis himself,
> but from members of the community - other chapter leaders with Dinis
> serving
> as the conduit to the board.  Perhaps we need to focus on the
> complaints/concerns from the other chapter leaders so, similarly to Brazil,
> it is a peer to peer inquiry.
>
> Code of Ethics
>
> - Perform all professional activities and duties in accordance with all
>   applicable laws and the highest ethical principles;
> - Promote the implementation of and promote compliance with standards,
>   procedures, controls for application security;
> - Maintain appropriate confidentiality of proprietary or otherwise sensitive
>   information encountered in the course of professional activities;
> - Discharge professional responsibilities with diligence and honesty;
> - Refrain from any activities which might constitute a conflict of interest
>   or otherwise damage the reputation of employers, the information security
>   profession, or the Association; and
> - Not intentionally injure or impugn the professional reputation or practice
>   of colleagues, clients, or employers.
>
> Principles
>
> - Free & Open
> - Governed by rough consensus & running code
> - Abide by a code of ethics (see ethics)
> - Not-for-profit
> - Not driven by commercial interests
> - Risk based approach
>
> Kate Hartmann
> OWASP Operations Director
> 9175 Guilford Road
> Suite 300
> Columbia, MD  21046
>
> 301-275-9403
> kate.hartmann at owasp.org
> Skype:  kate.hartmann1
>
>
>
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
> Sent: Tuesday, June 01, 2010 11:41 AM
> To: owasp-board at lists.owasp.org
> Subject: Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two proposed next
> tweaks to the services registry
>
> I'd consider an OWASP inquiry the 'nuclear' option and only use that
> when absolutely necessary.
>
> Also, in this specific case, there are several board members directly
> involved, which makes it very different from Brazil (two community
> members).  Getting an impartial group to, potentially, contradict the
> board has several negatives I'd like to avoid (like the perception of
> the board domineering the community, inability of the group to be
> partial since they might contradict board members, fears of reprisals,
> etc).  I personally don't think any of this would happen but with
> perceptions, what happens and what people ~feel~ happened are usually
> two very different things.
>
> I say have both proposals reviewed by the board then see what happens.
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
> On 6/1/10 6:30 AM, dinis cruz wrote:
> > I just had a chat with Seba, and we came up with the idea that we should
> > open another 'OWASP inquiry' for Mike's actions and leadership. This
> > should be executed in the same format we used for the issue we had with
> > the Brazilian conference last year.
> >
> > Matt (like before), this looks like a perfect one for you, what do you think?
> >
> > Dinis
> >
> > Sent from my iPad
> >
> > On 1 Jun 2010, at 10:12, Eoin <eoin.keary at owasp.org
> > <mailto:eoin.keary at owasp.org>> wrote:
> >
> >> Board, we need more joined-up thinking here please?!!  Can we agree or
> >> get a majority / disagree on if we want this registry? *- please respond*
> >> I believe the rules Dinis, Matteo and I discussed in London on Friday
> >> would suit if this is to go ahead.
> >> Mike seems like a real active guy, has great ideas but also a touch of
> >> an autocrat/dictator in him. He takes direction poorly and it seems
> >> sometimes he is driving the projects to suit his own agenda. I believe
> >> on projects such as ASVS and the Dev guide there should be a
> >> leadership board, like what SAMM has, for which I am a member.
> >> Dinis, what do you mean by "handling" Mike? Let's not be too
> >> "knee-jerk" here.
> >> Mise Le Meas,
> >> Eoin
> >>
> >>
> >> On 1 June 2010 09:35, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>
> >>     I'm glad that Jeff confirms my worries about Mike and that he
> >>     confirms (what I was also under the impression) that neither he
> >>     nor Dave were working on this issue with Mike (in fact the one that
> >>     has been mainly 'working on this' with Mike for the past weeks has
> >>     been me).
> >>
> >>     We have two issues to handle here, and we have to thread them
> >>     separately (or we will be 'throwing the baby out with the bath water').
> >>
> >>     *Issue 1: Mike* (and how to handle his latest moves and his
> >>     current OWASP leadership status)
> >>
> >>     *Issue 2: OWASP Commercial Services* (If you follow the email
> >>     threads, I think you will see that I (at least) have been involved
> >>     in 'trying' to steer the discussion to a place that makes sense to
> >>     OWASP, and have in several moments made clear that Mike's view is
> >>     now ours. That said, I think we are almost there, and if you look
> >>     at the email I sent earlier yesterday with the revised proposal
> >>     for how it should work, you will see a working model that can work
> >>     organically.)
> >>     Let's deal with them in turn and send a clear message to our
> >>     community on where we stand.
> >>
> >>     I'm around all day today, so ping me when you want to talk about this.
> >>
> >>     Dinis Cruz
> >>
> >>     Blog: http://diniscruz.blogspot.com
> >>     Twitter: http://twitter.com/DinisCruz
> >>     Web: http://www.owasp.org/index.php/O2
> >>
> >>
> >>
> >>     On 1 June 2010 04:57, Jeff Williams <jeff.williams at owasp.org> wrote:
> >>
> >>         Sorry guys - I was in the country out of cell range all weekend.
> >>
> >>         First, I think this whole registry idea is dumb and a big
> >>         waste of time.  I tried to kill it by opening it up to the
> >>         board and leaders before it happened, and didn't get much
> >>         reaction.  Now we have to clean it up or kill it.  I'm
> >>         sympathetic to Dinis' point that the commercial companies are
> >>         a part of the community.  But I'm frankly not sure we've got
> >>         the ability to engage with them more deeply without confusing
> >>         everyone. Right now our message is clear and attractive.  No
> >>         commercial stuff at OWASP. Muddying that up is probably a mistake.
> >>
> >>         Anyway, neither Dave nor I have been working closely with Mike
> >>         on this.  When Mike bugs me enough, I do give him some advice.
> >>         Here's a recent message.
> >>
> >>         Mike,
> >>
> >>         This is a hard message for me. I don't like to interfere in
> >>         the normal operation of the community because generally these
> >>         things are self-correcting.  But I consider you a friend and I
> >>         need to let you know that some of your messages are not
> >>         helping OWASP, your employer, or you.
> >>
> >>         The people in the OWASP community are volunteers, generally
> >>         very smart, and know a lot about application security. There's
> >>         a reason why they're discussing this - it's important.  And as
> >>         much as you might not like the idea, there's really not a big
> >>         gulf between the OWASP T10, WASC, SANS T25, and ASVS.  The
> >>         best thing possible for ASVS would be for it to be what you
> >>         turn to when you're ready to actually meet the OWASP T10.
> >>
> >>         If I were you, I'd send an apology for this message and
> >>         encourage discussion of all aspects of ASVS, including how it
> >>         relates to the other docs and standards in our field. You're
> >>         not going to change the status quo by insulting smart
> >>         volunteers that are the only prayer for ASVS getting mindshare.
> >>
> >>         I also have to tell you that I find many of your posts on the
> >>         OWASP list almost impossible to decipher. I've resisted giving
> >>         you feedback because I don't want you to feel like I'm grading
> >>         you - I'm not. I'm trying to help you be more effective in
> >>         accomplishing the goals of your projects.  I encourage you to
> >>         reread the messages before you send them to make sure that
> >>         anyone reading them will be able to figure out what you're
> >>         talking about.
> >>
> >>         I hope you take this in the constructive manner intended. I
> >>         absolutely appreciate all the effort you've put into OWASP
> >>         over the past few years.  If you'd like further clarification
> >>         or if there's anything I can do to help, please don't hesitate
> >>         to let me know.
> >>
> >>         Thanks,
> >>
> >>         --Jeff
> >>
> >>         I think we do need to be careful about how we handle Mike.  We
> >>         always say at OWASP if you don't like something you can just
> >>         do it yourself.  Well, here's a good case when it didn't work
> >>         out.  If we're going to operate that way, I think we have an
> >>         obligation to get in front of things that are going the wrong
> >>         direction and let the volunteers know that we're not behind
> >>         the project.  I think in this case we sent a muddy mixed
> message.
> >>
> >>         --Jeff
> >>
> >>         *From:* owasp-board-bounces at lists.owasp.org
> >>         [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of* Tom Brennan
> >>         *Sent:* Monday, May 31, 2010 7:26 PM
> >>         *To:* dinis cruz
> >>         *Cc:* OWASP Foundation Board List
> >>         *Subject:* Re: [Owasp-board] (OWASP BOARD) comment on RFC: Two
> >>         proposed next tweaks to the services registry
> >>
> >>         Mike made the claim tonight when he called me that he has been
> >>         working very very closely with Dave and Jeff on this project -
> >>         so either a. that is false, or b. this is true (hence my
> >>         suggestion to call them).
> >>
> >>         Personally, as I expressed on the last board call, OWASP
> >>         Commercial Services should be OWASP Community Services if a
> >>         registry/phone book was the goal, and I liked
> >>         http://www.securityscoreboard.com/reviews/tag/productsoffered/webapplicationsecurity
> >>         ;)
> >>
> >>         Will try to skype you tomorrow, wrapping up the holiday here in
> >>         the USA, then headed to OWASP Denver FROC so will talk with
> >>         David Campbell and then to OWASP Mexico for chats with Juan,
> >>         so by the time we get to OWASP Sweden should have lots of
> >>         points of view on this one.
> >>
> >>         On May 31, 2010, at 7:13 PM, dinis cruz wrote:
> >>
> >>
> >>
> >>         Tom, *what we agreed was that we were going to try to figure
> >>         out the model to get this done.* In following
> >>         threads/developments it was (sort of) established that two
> >>         Board members (me and Eoin) would be directly involved in this
> >>         (since Jeff and Dave didn't have a lot of cycles to be involved).
> >>
> >>         Since I did speak with Mike before I sent you my last email
> >>         with the proposed plan, the least he should have done is
> >>         waited for the follow-up conversation and not have sent that
> >>         email to the leaders list.
> >>
> >>         I know Mike is putting a lot of energy into OWASP, but he is
> >>         also generating a LOT of negative energy with his actions; for
> >>         example I had several KEY OWASP Leaders last week talking to
> >>         me about Mike's behaviour and how worried they are about how
> >>         things were being done. My view is that we need to calm him
> >>         down, or remove him, since his current attitude to OWASP is
> >>         not healthy at all.
> >>
> >>         For example, part of the reason for the low voting is most
> >>         likely directly related to how low 'street-cred' Mike has in
> >>         OWASP (can you find one or more OWASP Leaders that
> >>         can recommend him?). I will not comment (for now) on what is
> >>         happening on the other projects that Mike is involved in, but on
> >>         this case (the OWASP Commercial Services) he is way out of
> >>         line and needs to be controlled.
> >>
> >>         Tom or Jeff, if Mike listens to you guys, you need to talk to
> >>         him, since he is clearly too pissed off with me to realize that
> >>         I am actually trying to help him (both personally and
> >>         professionally).
> >>
> >>         And btw, I did try to call Jeff and Tom but couldn't get
> >>         through (I've already spoken to Eoin and Matt last week and
> >>         need to follow up on Seba & Dave).
> >>
> >>         I'm happy to talk about this anytime so please either call me
> >>         or let me know when it is a good time to talk.
> >>
> >>         I will again ask that you read my email with the proposed
> >>         model for the 'OWASP Commercial Services' and chip in with your
> >>         comments.
> >>
> >>
> >>         Dinis Cruz
> >>
> >>         On 31 May 2010 23:26, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> >>
> >>         I am a bit confused. This was approved by the board and Jeff
> >>         agreed to work with Mike on this effort.  Mike has been giving
> >>         cycles to OWASP working with both Dave and Jeff on this effort.
> >>
> >>         The recent email vote was very poor: 39 people voted - terrible.
> >>         We need to have a paid OWASP member list and call that
> >>         owasp-leaders (topic for another meeting) if we are going to
> >>         use voting to override ethics and principles.
> >>
> >>         Dinis, have you spoken to either Jeff/Dave on this topic on
> >>         the phone for clarification? This is not going to be cleared
> >>         up during a 60 min board call, so it would be ideal if you could
> >>         make that happen.
> >>
> >>         I did get a call from Mike with a WTF - he is giving cycles
> >>         but feels like he is being kicked in the balls by you.  We
> >>         could put you and him at Blackhat at a bar/gokart/ring and let
> >>         you work it out... However it appears that this is not a
> >>         one-to-one issue.
> >>
> >>
> >>         On May 31, 2010, at 4:14 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>
> >>             Nice, really nice :(
> >>
> >>             Mike is really starting to be a problem, guys. I'm sorry to
> >>             say, but this last one (see email below) is very below the
> >>             belt.
> >>
> >>             I'm trying hard to be fair with this guy, but am really
> >>             losing my patience here.
> >>
> >>             Please take into account that I DID call him up today,
> >>             explained my 'updated' model to him and mentioned that I was
> >>             going to present the model to the OWASP board.
> >>
> >>
> >>             Dinis Cruz
> >>
> >>             ---------- Forwarded message ----------
> >>             From: *Mike Boberski* <mike.boberski at gmail.com>
> >>             Date: 31 May 2010 21:02
> >>             Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks
> >>             to the services registry
> >>             To: owasp-leaders at lists.owasp.org
> >>
> >>
> >>             Dear Colleagues,
> >>
> >>             The results of the survey are in! Thank you for taking the
> >>             time.
> >>
> >>             It was a toss-up on the question of whether to include
> >>             descriptions of approaches to performing a given service.
> >>             So, the requirement has been removed for now; we can
> >>             always revisit this and other items later on.
> >>
> >>             It was not a toss-up on the name change; there was an
> >>             overwhelming response to leave it named "commercial
> >>             services". So, the name stays for now; we can always
> >>             revisit this and other items later on.
> >>
> >>             Please do forward any additional suggestions for
> >>             improvement. I think this approach worked well, batching
> >>             them up and creating a survey, to gather community inputs.
> >>
> >>             To be listed in the OWASP Commercial Services Registry,
> >>             contact Kate Hartmann
> >>             <http://www.owasp.org/index.php/Contact>.
> >>
> >>             Best,
> >>
> >>
> >>             Mike
> >>
> >>             On Mon, May 24, 2010 at 1:09 PM, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
> >>
> >>                 Dear Colleagues,
> >>
> >>                 As you know, I have been working on the OWASP
> >>                 commercial services registry/commercial services board.
> >>
> >>                 We're basically shooting for a phone book that's
> >>                 sorted according to some OWASP artifacts as they are
> >>                 currently categorized, to try to nudge the planet
> >>                 along in adoption of them, to get consumers of
> >>                 services of those types to ask for them, by making it
> >>                 easy to find such service providers.
> >>
> >>                 Towards the end of continuing its development, there
> >>                 is a next set of proposed updates that we would like
> >>                 your opinion on. A survey has been set up here:
> >>                 http://www.surveymonkey.com/s/9JDN98P
> >>                 If you can spare a few minutes to provide your input,
> >>                 it would be appreciated. The cutoff date is the end of
> >>                 the week.
> >>
> >>                 Best,
> >>
> >>                 Mike B.
> >>
> >>                 _______________________________________________
> >>                 OWASP-Leaders mailing list
> >>                 OWASP-Leaders at lists.owasp.org
> >>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >>
> >>             _______________________________________________
> >>             Owasp-board mailing list
> >>             Owasp-board at lists.owasp.org
> >>             https://lists.owasp.org/mailman/listinfo/owasp-board
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Eoin Keary
> >> OWASP Global Board Member
> >> OWASP Code Review Guide Lead Author
> >>
> >> http://asg.ie/
> >> https://twitter.com/EoinKeary
> >
> >
>
>
>
>
>
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary