[Owasp-board] (only board) Issue with Mike B Fwd: [Owasp-leaders] Commercial Services Registry -- Live!

Matt Tesauro matt.tesauro at owasp.org
Fri May 14 19:46:09 UTC 2010


Eoin: I share your misgivings - now that I'm in a new situation, I have
the bandwidth to comment.  My apologies for being silent in the past.

Board: I too don't want OWASP to become OWASP2 (ala ISC2) and have
revenue generation drive the bulk of our decisions, particularly at the
expense of the community's goodwill.

Governance for this is crucial - just like crypto is all about managing
the keys.  We can get the technical details right and still shoot
ourselves in the foot if we don't manage this carefully.

One of the biggest assets of OWASP is its vendor neutral position.  I'm
sure we can get a registry setup without compromising that but we need
to tread carefully as we're very near the edge of the vendor neutral
cliff and there is no fence.  We need to build that fence.  Governance
is that fence.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 05/14/2010 08:20 AM, Eoin wrote:
> Guys,
> To be honest,
>  
> I raised issues re the commercial registry weeks ago and *got very
> little support* from any of the board imho.
>  
> *The issue of governance is still on my mind*. I have seen it too many
> times before; a great organisation or project that gets corrupted or
> twisted by commercial interests......*I don't want OWASP to look like
> ISC2 in 5 years time* where all the leadership is concerned with are
> membership funds, funding, commercial vehicles etc... I did not get
> involved with OWASP 6 years ago for that.
>  
> *We need to control this open-source - commercial relationship* in a
> measured way. Sometimes I personally feel it's getting a little out of
> control. We need to take it a little slower and think in a strategic manner.
>  
> It appears/feels sometimes that those who shout louder get heard and
> some board members are "more equal" than others.
>  
> Mike is great but I also got some shite emails from him, that for me
> that is like waving a red rag to a bull. He does not take direction very
> well. I believe no one person owns any project, OWASP is the ultimate
> parent i.e. The board.
>  
> So these are my thoughts on the issue, my cards on the table, if you will.
>  
> -ek
> 
> On 14 May 2010 01:32, dinis cruz <dinis.cruz at owasp.org
> <mailto:dinis.cruz at owasp.org>> wrote:
> 
>     Ok, I have tried to be REALLY patient and politically correct here,
>     but I'm running out of arguments (and he doesn't read my answers so
>     it is a bit pointless to try to change his mind)
> 
>     Please see the thread below and advise on the next steps.
> 
>     Jeff or Dave, since Mike B is close to you, are you able to talk to
>     him? 
> 
>     In the past, I was never happy with Mike B.'s lack of respect for our
>     community and his 'way over the top' ASVS promotion (which was never
>     a big issue since ASVS never really took off), BUT this project
>     (Commercial Services) is WAY too critical for OWASP to continue like
>     this, so either he changes or we have to take over it and find a new
>     leader.
> 
>     What do you think?
> 
>     Dinis
> 
> 
>     ---------- Forwarded message ----------
>     From: *dinis cruz* <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>>
>     Date: 14 May 2010 01:25
>     Subject: Re: [Owasp-leaders] Commercial Services Registry -- Live!
>     To: mike.boberski at gmail.com <mailto:mike.boberski at gmail.com>
> 
> 
>     Mike we might need to talk this over the phone since you are not
>     understanding my worries and I don't think we are communicating here.
> 
>     Also you are confusing the issues. 
> 
>     The email to the leaders list was about the case of /Training
>     Courses around OWASP projects/, which is a very specific variation
>     of the bigger 'Commercial Services' database that you are working on
>     (for example the courses have the specific scenario of the leaders
>     doing/selling the training). Of course there is overlap, and in
>     fact, this type of analysis is one of the things I feel is currently
>     missing from the OWASP Commercial Services
>     <http://www.owasp.org/index.php/Commercial_Services> project (i.e.
>     we will need to do similar analysis for the other types of Commercial
>     Services that can be provided around OWASP Projects)
> 
>     My direct email to you was about the current state of the
>     'Commercial Services' page and my worries about how it is currently
>     being presented.
> 
>     Mike, I would recommend that you take a deep breath, re-read my
>     emails and re-think your attitude to your fellow OWASP community
>     members. 
> 
>     The 'Commercial Services' initiative is a very powerful but also
>     very dangerous endeavour for OWASP, and we have to make sure that
>     our community supports it. Which means that whoever is leading
>     the 'Commercial Services' OWASP project (and it is a project) needs
>     to have a LOT of sensitivity (and diplomacy) when presenting and
>     handling it.
> 
>     *To be 100% honest with you Mike, it is great that you had the
>     energy to kick start the OWASP **Commercial Services*
>     <http://www.owasp.org/index.php/Commercial_Services>* project, BUT
>     you are being too cavalier, insensitive and apparently not aware of
>     the massive implications (both good or bad) that this project has
>     for OWASP.*
> 
>     *I REALLY ask you to have a change of heart and change
>     your attitude, since if you don't, my view is that you
>     can't continue to lead the OWASP **Commercial Services*
>     <http://www.owasp.org/index.php/Commercial_Services>* project.*
> 
>     Since you probably won't follow my advice and will be
>     very annoyed with me, can I at least recommend that you have a word
>     with Jeff about this? (I will forward this thread to the board so he
>     will be aware of the issue)
> 
>     Hopefully we can work this out,
> 
>     Best regards
> 
>     Dinis Cruz
> 
> 
> 
>     On 14 May 2010 00:55, Mike Boberski <mike.boberski at gmail.com
>     <mailto:mike.boberski at gmail.com>> wrote:
> 
>         Let me follow up more on this.
> 
>         If you cut the legs out from under this registry before we can
>         get at least some people to sign on, you'll kill it.
> 
>         Kate's not alone on vetting descriptions, we're going to work
>         together, and enlist any additional help needed to get this
>         going as smoothly as possible.
> 
>         I don't want to be a dick but your note to leaders pissed me
>         off. Sorry. Should've kept chatting with me. I'm ok with
>         discussing publicly if that's what you choose.
> 
>         Mike
> 
> 
> 
>         On Thu, May 13, 2010 at 7:49 PM, Mike Boberski
>         <mike.boberski at gmail.com <mailto:mike.boberski at gmail.com>> wrote:
> 
>             I don't understand what your objections are. If you're a
>             defender, let's continue on. Certainly we can adapt as we go
>             with criteria. I completely object to this being put into a
>             project criteria, it is the same from an OWASP perspective
>             as jobs page.
> 
>             Mike
> 
> 
> 
>             On Thu, May 13, 2010 at 7:21 PM, dinis cruz
>             <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>> wrote:
> 
>                 Mike, just to clarify something, you know that I am on
>                 the OWASP Board right?
> 
>                 We have talked several times about this topic at OWASP
>                 Board meetings (and in fact I was one of the big
>                 defenders to move this forward and to try to figure out
>                 how to do this (I also have been thinking about this
>                 issue for a couple years now, have a good idea of how we
>                 could make this work, and just like you, have spoken to
>                 Jeff about it))
> 
>                 See also below a couple more comments on your answers:
> 
>                 On 13 May 2010 23:18, Mike Boberski
>                 <mike.boberski at gmail.com
>                 <mailto:mike.boberski at gmail.com>> wrote:
> 
>                     Hi Dinis, thanks for writing.
> 
>                     Right now it's being administered _exactly_ like the
>                     jobs page. The page is locked and requests go to
>                     Kate. It doesn't really fit the mold as an OWASP
>                     project per se, is no different than the jobs page
>                     basically.
> 
> 
>                 I beg to differ, this is a very different beast when
>                 compared with the Jobs page (with massive good and
>                 bad implications)
>                  
> 
>                     So, while initially described as a "project", not
>                     really.
> 
> 
>                 Well OWASP projects cover a very wide range of topics
>                 and activities so although this 'initiative' is not
>                 really a tool or a document, it has the same needs for:
>                 project leader, description, mailing list, etc.. (i.e.
>                 the information we capture with the Project Informations
>                 tab)
> 
> 
>                 So unless you disagree, I will ask Paulo to create this
>                 project and put you and me as the project leaders
>                 (anybody else we should invite to the leadership of this
>                 project)
>                  
> 
> 
>                     We're live, waiting for applications. 
> 
> 
>                 And this is exactly my worry, I don't think this
>                 initiative is ready for prime-time since we are still
>                 quite far away from having a working model that works
>                 (and one that our community is comfortable with)
> 
>                 In fact, just the fact that we don't have any real-world
>                 data in there (i.e. real cases of companies/individuals
>                 that provide these services) justifies the use on these
>                 pages of BETA or /'we are still trying to figure out how
>                 to do this' /tags
>                  
> 
>                     I actually don't know your affiliation, but please
>                     do go ahead and submit an application. 
> 
> 
>                 I'm raising my concerns and opinions as an OWASP Board
>                 member (not as a company/individual wanting to be listed)
>                  
> 
>                     A Booz Allen one will be forthcoming for example,
>                     but I wasn't able to start the company machinery
>                     until the registry was up. Will take a little bit of
>                     time for the Booz Allen, since have to describe an
>                     approach, rather than use a single generic already
>                     vetted description. I know a number of other
>                     companies are in the same state based on inquiries.
>                     The example is helpful I think to leave up for right
>                     now, it will be removed once a first listing in each
>                     category is ready.
> 
> 
>                 Sure, but please take into consideration that these are
>                 not the final rules of engagement, and only as we try
>                 this out, will we be able to figure out what works (and
>                 what is accepted by our community)
> 
> 
>                     While I completely appreciate that it may look like
>                     it was me on my own based on the leaders mail list,
>                     there have been very lengthy conversations with
>                     Jeff and Dave, I didn't just toss it up, it was only
>                     done with Jeff's permission. This is from a certain
>                     point of view since we've not chatted on this topic
>                     (which I'm happy to do, hopefully this email is
>                     evidence), a culmination of more than two years of
>                     conversations with Jeff and Dave and others, as I'd
>                     tried to stand this up in tandem with ASVS,
> 
> 
>                 I'm aware of that and I fully appreciate the effort you
>                 have put into this.
>                  
> 
>                     so rest assured every detail has been carefully,
>                     _painfully_, planned out.
> 
> 
>                 Where can I see this? 
> 
>                 So far I have seen the original document you sent, the
>                 emails and the FAQ on the main 'Commercial Services' page. 
> 
>                 Did I miss anything?  
> 
>                 There are a lot of unanswered questions (and I have
>                 already started to hear muted noises/worries about
>                 this), so we really need to build up that FAQ and put as
>                 much information as possible on those WIKI Pages
>                  
> 
>                     We did make tweaks after the initial RFC email as
>                     well, to take into account community input.
> 
> 
>                 yap I saw that.
> 
>                 Let's make this happen :)
> 
>                 Best regards
> 
>                 Dinis Cruz
> 
> 
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> http://asg.ie/
> https://twitter.com/EoinKeary