[Owasp-board] (removing myself from the process) Re: Core Purpose Submissions

dinis cruz dinis.cruz at owasp.org
Fri Jan 21 10:38:11 UTC 2011

Hi Richard (and the rest of the board)

As you probably noticed, I have not been involved in this process for the
past weeks/month. Although I am hyper busy with the planning of the OWASP
Summit and my work commitments, the main reason is that I don't agree with
the current direction (that this exercise is taking) and that the final
outcome is going to be much smaller/less valuable than it could be.

Sorry, I just can't commit energy and ideas to a process I don't believe in,
and one where the other side is not listening. Yes, I know I could have been
much more vocal, but I did raise a number of concerns and did spend almost
1h on the phone with Richard last December.

For me the core problem is that Richard doesn't understand Open Source and
(more specifically/importantly) Open Source Communities. I did try to
explain this to Richard (and other board members I spoke to) that unless we
separated from the 'values discussion' the core values that are intrinsic to
ANY (decent) Open Source Community (like OWASP), we would end up with a
subset of values from those Communities, AND even worse, no values about
what make OWASP OWASP.

Just look at http://www.owasp.org/index.php/Core_Values_and_Definitions and
tell me if you honestly believe that those 4 items are anywhere close to
representing the number of values that every day are at play inside our
community (aren't some of the ones that we removed from there as
important?). Also, I would like to understand how any Open Source community
can BE an open source community if it is not GLOBAL (since being GLOBAL is
part of the open source 'definition').

I guess what pushed me over the edge was when I realized that Richard didn't
even understand that an Open Source license means that the Source
code is (amongst other things) freely available (Yes, Richard, I know it is
a very alien concept for a lot of other industries, but in the Open Source
world, we freely distribute and open our most valuable intellectual property
asset: The Source Code).

The other problem is that I was hoping that our values could be used to deal
swiftly with ideas from certain parts of our Community that would be against
our current 'undocumented' culture/values. For example, the NDA
requirement/idea from the Industry Committee (via Yiannis). My hope was that
once such a question arose, it could be stopped almost immediately by
pointing to our values. This didn't happen; in fact the NDA question CAME
from the thread talking about OWASP's values!

In fact, have we even asked the question: "Why do we need these values?"
What are the use cases (or questions that need answers) where the 'values
definition' (and all the other bits) are needed?

Shouldn't we have created by now a list of questions whose answer would come
by making reference to the 'owasp values'? (My recommendation for the ones
that will complete this exercise with Richard is that you do such a thing.)
For example, looking at
http://www.owasp.org/index.php/Core_Values_and_Definitions I can use those
Values to make the case/argument that the OWASP Industry Committee should be
allowed to sign NDAs so it can have 'more in-depth' conversations with other
organizations (let's ignore for now how impossible that would be to actually
implement in practice).

Other questions that should be dealt with quickly by our values should be:

   - OWASP & Certification
   - use/abuse of OWASP Brand
   - employment strategies for OWASP
   - how OWASP invests its funds
   - how OWASP assigns/removes its leaders
   - how OWASP deals with conflict
   - how OWASP manages its projects
   - how OWASP deals with the WebAppSec industry vendors
   - how OWASP deals with government body
   - should OWASP provide 'labels' for applications
   - what is the role of the OWASP Board
   - who is the guardian of OWASP's values
   - what is the role of OWASP's community
   - how important to OWASP are events like the Summit
   - etc.....

For me a good 'Values' definition would provide very strong directions on
each one of those questions (and 'directions' which would currently match
our community's understanding of our 'undocumented' OWASP values).

Just to be clear, and so that I don't have to find excuses NOT to make
these calls (although for the past two weeks I DID have a client call booked
during that time), I am removing myself from this process.

I'm sure you guys will be able to finish it just fine, and in the end will
create an interesting document which will be a good starting point for
debate for our community.

And, if you feel you will have something ready by the Summit, then let's add
a Working Session for it.

Good luck

Dinis Cruz

On 18 January 2011 17:24, Richard Tesauro <tesauros at mac.com> wrote:

> The Core Purpose submissions from Tom, Matt, Seba, Eoin and Jeff offer a
> productive discussion and Board call this Friday. The submissions will be
> posted on the TMC wiki page shortly. A call agenda will be emailed later by
> Kate.
> Enjoy your day,
> Richard A. (Dick) Tesauro
> President and Founder
> Tesauro Management Counselors (TMC)
> Trusted Advisor and Catalyst
> Helping Leaders Create Enduring, Growing, "Great" Organizations
> 3124 Trevolle Place
> Dallas, Texas 75204-5537
> 214-823-6028 (Phone)
> 214-924-1154 (Cell)
> RA at TesauroMC.com
> www.TesauroMC.com <http://www.tesauromc.com/>