[Owasp-board] (removing myself from the process) Re: Core Purpose Submissions

dinis cruz dinis.cruz at owasp.org
Fri Jan 21 11:02:39 UTC 2011

I really don't want to have a big thread on this, but I would just like to
comment that any 'certification' conversation at OWASP goes to the heart of
OWASP's values (as we have seen many times in the past).

If you look closely, the reason OWASP is NOT (and should never be) in the
normal 'certification' business (as done by ISC2 or SANS) is because our
'current' values don't allow it.

So, I do think I understand what values I was looking for (and let's not
focus on minor items; the key here is that the current values do NOT
represent OWASP, in fact they barely represent any Open Source Community;
this list is much more like it).

Dinis Cruz

On 21 January 2011 10:52, Eoin <eoin.keary at owasp.org> wrote:

> Dinis,
> I don't think you understand what values are, looking at your list re
> certification, abuse of Brand.
> Values are over-arching beliefs which govern our behaviour; they are not
> specific to things like certification, employment etc; they are guidelines or
> rules or policy decisions.
> Values are used to assist us as a community with decisions rather than
> focusing on individual items. (It helps guide us and answer questions: "is
> this decision within our values?")
> EY have a number of values which are respected and govern our behaviour and
> show through when our actions are observed. Industry values our values ;)
> (things like openness, honesty, courage to lead etc).
> Please look at http://www.ey.com/AU/en/About-us/Our-values as an example.
> "People who demonstrate integrity, respect, and teaming.
> People with energy, enthusiasm, and the courage to lead.
> People who build relationships based on doing the right thing."
> Please note they don't discuss Accountancy, Tax or Risk advisory.
> Does this help?
> Eoin
> On 21 January 2011 10:38, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Hi Richard (and the rest of the board),
>> As you probably noticed, I have not been involved in this process for
>> the past weeks/month. Although I am hyper busy with the planning of the
>> OWASP Summit and my work commitments, the main reason is that I don't
>> agree with the current direction (that this exercise is taking) and
>> that the final outcome is going to be much smaller/less valuable than it
>> could be.
>> Sorry, I just can't commit energy and ideas to a process I don't believe
>> in, and one where the other side is not listening. Yes, I know I could have
>> been much more vocal, but I did raise a number of concerns and did spend
>> almost 1h on the phone with Richard last December.
>> For me the core problem is that Richard doesn't understand Open Source
>> and (more specifically/importantly) Open Source Communities. I did
>> try to explain to Richard (and other board members I spoke to) that
>> unless we separated from the 'values discussion' the core values that
>> are intrinsic to ANY (decent) Open Source Community (like OWASP), we would
>> end up with a subset of values from those Communities, AND even worse, no
>> values about what makes OWASP OWASP.
>> Just look at http://www.owasp.org/index.php/Core_Values_and_Definitions and
>> tell me if you honestly believe that those 4 items are anywhere close to
>> representing the number of values that every day are at play inside our
>> community (aren't some of the ones that we removed from there as
>> important?). Also, I would like to understand how any Open Source community
>> can BE an open source community if it is not GLOBAL (since being GLOBAL is
>> part of the open source 'definition').
>> I guess what pushed me over the edge was when I realized that Richard
>> didn't even understand that an Open Source license means that the Source
>> code is (amongst other things) freely available (Yes, Richard, I know
>> it is a very alien concept for a lot of other industries, but in the Open
>> Source world, we freely distribute and open our most
>> valuable intellectual property asset: The Source Code).
>> The other problem is that I was hoping that our values could be used to
>> deal swiftly with ideas from certain parts of our Community that would be
>> against our current 'undocumented' culture/values. For example, the NDA
>> requirement/idea from the Industry Committee (via Yiannis). My hope was that
>> once such a question arose, it could be stopped almost immediately by
>> pointing to our values. This didn't happen; in fact the NDA question CAME
>> from the thread talking about OWASP's values!
>> In fact, have we even asked the question: "Why do we need these values?"
>> What are the use cases (or questions that need answers) where the
>> 'values definition' (and all the other bits) are needed?
>> Shouldn't we have created by now a list of questions whose answers would
>> come by making reference to the 'OWASP values'? (My recommendation for the
>> ones that will complete this exercise with Richard is that you do such a
>> thing. For example, looking at
>> http://www.owasp.org/index.php/Core_Values_and_Definitions I can use
>> those Values to make the case/argument that the OWASP Industry Committee
>> should be allowed to sign NDAs so it can have 'more in-depth' conversations
>> with other organizations (let's ignore for now how impossible that would be
>> to actually implement in practice).
>> Other questions that should be quickly dealt with by our values:
>>    - OWASP & Certification
>>    - use/abuse of OWASP Brand
>>    - employment strategies for OWASP
>>    - how OWASP invests its funds
>>    - how OWASP assigns/removes its leaders
>>    - how OWASP deals with conflict
>>    - how OWASP manages its projects
>>    - how OWASP deals with the WebAppSec industry vendors
>>    - how OWASP deals with government body
>>    - should OWASP provide 'labels' for applications
>>    - what is the role of the OWASP Board
>>    - who is the guardian of OWASP's values
>>    - what is the role of OWASP's community
>>    - how important to OWASP are events like the Summit
>>    - etc.....
>> For me a good 'Values' definition would provide very strong directions on
>> each one of those questions (and 'directions' which would currently match
>> our community understanding of our 'undocumented' OWASP values).
>> Just to be clear, and so that I don't have to find excuses NOT to make
>> these calls (although for the past two weeks I DID have a client call booked
>> during that time), I am removing myself from this process.
>> I'm sure you guys will be able to finish it just fine, and in the end will
>> create an interesting document which will be a good starting point for
>> debate for our community.
>> And, if you feel you will have something ready by the Summit, then let's
>> add a Working Session for it.
>> Good luck,
>> Dinis Cruz
>> On 18 January 2011 17:24, Richard Tesauro <tesauros at mac.com> wrote:
>>> The Core Purpose submissions from Tom, Matt, Seba, Eoin and Jeff offer a
>>> productive discussion and Board call this Friday. The submissions will be
>>> posted on the TMC wiki page shortly. A call agenda will be emailed later by
>>> Kate.
>>> Enjoy your day,
>>> Richard A. (Dick) Tesauro
>>> President and Founder
>>> Tesauro Management Counselors (TMC)
>>> Trusted Advisor and Catalyst
>>> Helping Leaders Create Enduring, Growing, "Great" Organizations
>>> 3124 Trevolle Place
>>> Dallas, Texas 75204-5537
>>> 214-823-6028 (Phone)
>>> 214-924-1154 (Cell)
>>> RA at TesauroMC.com
>>> www.TesauroMC.com <http://www.tesauromc.com/>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary