[Owasp-board] REQUEST FOR COMMENTS/FW: My resignation from all owasp matters

Paulo Coimbra paulo.coimbra at owasp.org
Thu Jan 27 21:46:15 UTC 2011



Please allow me to step in to share a couple of thoughts regarding this
‘Yiannis’ episode since I have dealt directly with him in a few social and
professional occasions, and, being so, have built a certainly subjective but
nonetheless firm idea of his personality and I am feeling that it would not
be fair to allow that Dinis alone supports the burden/responsibility for the
current disruptive frame.


To be absolutely clear and for what it’s worth I have formed the idea that
Yiannis is tremendously complicated and inconsequent/incoherent. I’ve reached
this conclusion through a few episodes but I’d like to keep the focus on two
main ones.


As for the first one, roughly a year ago or so, when Yiannis decided that
his project should be assessed, he contacted me insistently several times
and vividly proposed we had lunch together to talk about it. Because I am
always a bit swamped with my daily routines I tried to manage the issue
through email as I always do but, given his insistence, I ultimately agreed
and we met for lunch in central London. To say it as clear as possible, I
have returned from the meeting with lots of perplexity since most of the
time what Yiannis said hardly made any sense to me. If I understood well his
speech he has advanced a thesis under which OWASP has been doing everything
completely wrong and the entire community of app sec professionals, if not
the entire world, was of his opinion. I’ve tried several times to ask him
about concrete mistakes and responsibilities but in my opinion I have only
got a set of reasonably incoherent mumbles. He jumped from saying that OWASP
was being severely criticized by appsec professionals to that OWASP’s path
was not correct - I have however never concretely understood what the appsec
professionals were saying about OWASP or why the strategic direction of
OWASP was so obviously wrong. Nevertheless I have opted for not supporting
his vision and for encouraging him to address the leaders’ mailing list to
discuss his concerns by saying I believed OWASP was an open organization in
which the open debate was not only allowed but deeply stimulated. I also
tried to change the chat’s theme to the operational questions we had to
solve regarding the need to evaluate the projects he was leading.


Given this behaviour I have returned from this meeting puzzled and asking
myself whether or not I had been in a situation in which an OWASP contributor
tried to evangelize and kettle me to some sort of ‘OWASP unhappy people’
club. I have also reflected if Yiannis was thinking in building an
alternative to the current Board but ended up concluding that his speech was
not enough structured, coherent or even legible to be the case. I’ve talked
about this situation with Dinis and let him know about these subjective
impressions of mine. 


As for the second episode, it relates to the assessment process itself.
However, as a previous point, I’d like to say that I have felt that working
with Yiannis is tremendously difficult and that I have only experienced such
burdensome when working with M. Boberski. So, to begin with and in Yiannis’
defence, I think it would only be fair if we kept in mind that the
assessment of his project has begun when the GPC was updating its
methodologies and that consequently he may have been, to a certain extent,
victim of this circumstance. However, that being said, I am of the opinion
that Yiannis was always absolutely non-collaborative. For example, he has
kept himself insisting that his project should be assessed (and I always
understood that he was saying his project should be immediately moved to
Stable Quality) but it was a true nightmare to make him accept that this
process should begin by himself performing his own release assessment. Every
single request we made, little or big, was always, but always, contested by
him and this has gone through until he addressed our leaders mailing with an
inflammatory mail (attached) with the illustrative subject of ‘Would the
real OWASP please stand up!’ basically complaining about OWASP
methodologies. In this time, I have told him directly that requesting a
couple of files (PDF + PPT), a roadmap and a self-assessment, in my view,
couldn’t be seen as an asphyxiant burden of bureaucratic work. I am still of
the same opinion, and I can say from my experience doing this work, that
people usually don’t complain. 


To conclude – I apologise for this long email – I’d like to synthesize my
view by saying that in my subjective assessment Yiannis has shown to be a
tremendously complicated person to deal with. I don’t know why but it
clearly seems to me that something has antagonized him towards OWASP and
that this antagonism has never stopped growing.   



- Paulo



Paulo Coimbra,

 <http://www.owasp.org/index.php/User:Paulo_Coimbra> OWASP Project Manager


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Thursday, 27 January 2011 15:26
To: OWASP Foundation Board List
Subject: Re: [Owasp-board] My resignation from all owasp matters


The board is "corrupt" according to Yiannis. (below)?!!


Did this need to get to this point?


Again as leaders we need to listen more and not dictate.

First Mike Boberski now Yiannis....Houston we've got a problem.


On 26 January 2011 20:59, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:


Not for me, I've taken the easy option and I am out; change this place
if you can; some people do deserve to see it and I think you get
what's happening.


---------- Forwarded message ----------
From: Yiannis Pavlosoglou <yiannis at owasp.org>
Date: 26 January 2011 20:46
Subject: Re: My resignation from all owasp matters
To: Lorna Alamri <lorna.alamri at owasp.org>
Cc: Colin Watson <colin.watson at owasp.org>, Joe Bernik
<bernik at gmail.com>, "rex.booth" <rex.booth at us.gt.com>, David Campbell
<dcampbell at owasp.org>, Georg Heß <georg.hess at artofdefence.com>, Sarah
Baso <sarah.baso at owasp.org>

My apologies Lorna,

There is a cardinal rule in information security, at least among my
peers: you do not lie. Actually, here in London it has consequences,
if you do lie, you don't work in this industry any more. Think about
that, think about how many times you've been lied to in, say, the last
3 months.

You know better than most on this email, that we've spent a lot of
time collecting logs, cross-correlating our actions, making sure we
document what we do, one-to-one phone calls, etc. For what? Jeff
decides and Dinis manipulates.

Bigger matters, like O2 and the money spent preaching about it, plus
financial discrepancies (! we are a charity remember?) have not even
been hinted upon, yet. People on this thread know exactly what I am
talking about.

My personal opinion is that the owasp board needs to be dissolved and
a new governing body needs to be established. They are far too

Regardless, we've shown what the problem is, we offered to address it
and we've proven where they should start. Now, all that said, don't we
have better things to do?

Please let's leave it at that as I don't plan on following up on this
thread (I don't even know how long this account will be active for:)

Thank you,


On 26 January 2011 15:26, Lorna Alamri <lorna.alamri at owasp.org> wrote:
> Yiannis,
> I understand your frustration and disgust, however I respectfully disagree
> with your approach to a resolution. You are a respected OWASP leader that
> many of us, myself especially, look to for guidance, so I am disappointed
> that you will not be at the Summit to participate and bring these issues
> to the large group for open discussion and resolution. There are several
> working sessions at the Summit with a focus on some of the issues you have
> alluded to in your e-mail.
> As example:
> OWASP Board/Committee Governance
> Professionalize OWASP
> Should OWASP hire a Chief Executive Officer (CEO)?
> From that and some of the strings on the leaders list I am sure that you
> are not the only one with these concerns. As a leader, it's your obligation to
> be heard, not just by the board, but by the other leaders who will be
> at the Summit. If we were all to throw our hands up in disgust and walk
> there would be no OWASP, but is that really a solution? Does it fix
> anything? no. So I am asking you to lead by example, to come to the Summit
> and work to right those issues that are so frustrating you.
> I will support you in whatever your decision ultimately is, but hope that
> you will reconsider.
> Sincerely,
> Lorna
> On Tue, Jan 25, 2011 at 12:20 PM, Yiannis Pavlosoglou <yiannis at owasp.org>
> wrote:
>> Dear all,
>> This email carries the news that I am resigning from all owasp related
>> matters. We don't really have a resignation process, so this is the
>> closest that we will come to this.
>> My work is done here; I feel that we have proved what the problem is.
>> The reason is simple; in recent events we proved that on more than one
>> occasion we dealt with a board member that was lying, cheating and
>> insulting people in the process. When the response finally came back
>> on "we have an issue unfolding" it was along the lines of "we are all
>> under a lot of pressure" and "let's all try to be friends". Not good
>> enough for me.
>> This is under your umbrella of being "open" and on the excuse of
>> organizing a summit.
>> Unfortunately, I am so entrenched in the processes that it will not
>> take a single step.
>> * I will not be coming to the summit.
>> * I will be giving this last lecture here in London
>> * I will probably continue contributing some code to various projects
>> When Dinis emailed "subere" to make JBroFuzz an owasp project (that's
>> how owasp started for me believe it or not!) many years back, I went
>> and read the mission statement before signing up. Nowhere did it say
>> that there is a monarchy at the very top, nor that all this is
>> excusable on the fact that we are volunteers.
>> For the record, you're a good crowd and I did attempt not to let the
>> BS filter through. Apologies if this comes as a surprise to a few.
>> Yiannis signing off.
>> --
>> Dr. Yiannis Pavlosoglou
>> OWASP Global Industry Committee
>> http://www.owasp.org/index.php/Global_Industry_Committee
> --
> Lorna Alamri
> OWASP Global Industry Committee
> OWASP MSP: Host to OWASP AppSec USA 2011
> September 20-23 Training, Talks, CTF, and Showroom
> www.appsecusa.org <http://www.appsecusa.org/> 
> @appsecusa, @owaspmsp @OWASPSummit
> Dir: 651-338-0243
> skype: lorna.alamri
> lorna.alamri at owasp.org

Dr. Yiannis Pavlosoglou
OWASP Global Industry Committee

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier

-------------- next part --------------
An embedded message was scrubbed...
From: "Yiannis Pavlosoglou" <yiannis at owasp.org>
Subject: [Owasp-leaders] Would the real OWASP please stand up!
Date: Thu, 17 Sep 2009 15:40:32 -0000
Size: 6638
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20110127/d452a824/attachment-0006.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Paulo Coimbra" <paulo.coimbra at owasp.org>
Subject: JBroFuzz 1.6 final assessment
Date: Wed, 16 Sep 2009 18:30:00 -0000
Size: 22807
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20110127/d452a824/attachment-0007.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: unknown sender
Subject: FW: Chat with yiannis at owasp.org
Date: no date
Size: 36739
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20110127/d452a824/attachment-0008.mht>
