[Owasp-board] In case you missed it...

eoin keary eoin.keary at owasp.org
Thu Apr 12 11:00:56 UTC 2012


Hi Tom,

Hope Prague is treating you well? :)

BCC Risk Advisory is supporting OWASP Ireland as a sponsor of the event.
We also devote hundreds of hours a year to OWASP meetings, conference
organisation, presentations and free training.
BCC Risk Advisory also covers a few thousand euro a year to pay for expenses
associated with attending conferences.
This summer we hope to hire an intern to develop a grey-box tool which
shall be donated to OWASP.
My time on the board and also a huge amount of time to manage the project
reboot shall be covered by BCC.

Does this answer your question?
Eoin





On Thu, Apr 12, 2012 at 11:34 AM, Tom Brennan <tomb at owasp.org> wrote:

> Board,
>
> Hello from Prague!  It was nice to present OWASP in front of 100+
> people who had NEVER HEARD OF OWASP but are very familiar with platform-based
> weapons and nuclear plants; go figure - we have a lot more work to do.
>
> ==
>
> Wanted to chime in on this thread with a little detail and big picture
> thinking..  OWASP was known to many outside the OWASP Forest as a "bunch of
> consultants that are trying to tell developers and security people how to
> do security".  Over the years since 2001 we have grown - 11 years changes
> dynamics and this image has changed, even to embrace SOFTWARE SECURITY
> (notice I did not say just Web Applications).
>
> This has been discussed at Trustwave as an example internally and I will
> share that we fund the project(s) and support many active leaders' TIME via
> employment of staff and allowing them to bill to an internal project code
> for their time, including chapters when it is during normal working hours,
> attending conferences etc.  This helps them (the company) understand the
> investment in the community not only monetarily with a 5k donation but
> also with the most precious resource, TIME.  I believe this practice may be
> similar with other corporate supporters; my former employer WhiteHat
> Security had a similar model -- inquiries of our other corporate supporters:
> https://www.owasp.org/index.php/Template:OWASP_Members_Horizontal
>
> I am very interested in Dave's view here, considering that, as a founder of
> Aspect Security, the company that has multiple projects at OWASP, he has
> donated thousands of employee hours to the OWASP Foundation and sits on the
> board of directors.
>
> Matt, do you have something similar at RackSpace?
> Mike does Mozilla?
> Eoin at BCC Risk?
> Seba <don't even know where you work or if you're an independent?>
>
> This ELEPHANT IN THE ROOM is critically important, and full disclosure and
> transparency are something we preach - let's start with the board and
> associated committees. It is not about how long or loud people are on a
> mailing list, IMHO; we have filters and rules for that...  It is not about
> what was, what is or what will be... the purpose of the Board of Directors
> is to keep the organization on the rails and on mission, in line with the
> core values and principles, and when we want to "Pay People", as a simple
> example, we need to look at the
> https://www.owasp.org/index.php/About_OWASP page to remind ourselves whether
> we are in bounds or out of bounds -- that is the purpose of service on a board
> of directors, if we are going to "vote" on things without conflict of
> outside influence and adjust course as needed.
>
> Once we establish that, you might agree that this would be a good topic
> for the Industry Committee in parallel (both service provider and industry
> firms) and the Connections Committee to survey and report results.
> (A date needs to be defined via the OWASP Director if the mission is accepted --
> we do a terrible job in setting and meeting deadlines when we have hot
> topics like this --- face it.)    The results can help us shape a better
> value statement around "membership" but also help us with answering the
> question of "Ways ABC Company works with OWASP" - "Ways ABC Individual
> works with OWASP" with this transparency goal and "best practice".  This
> effort is just as important as our most technical project, as it fosters
> desired behavior and support from the volunteer community at OWASP
> (everyone is FREE to find employers who do as they say; the door swings both
> ways...)    We can also craft a survey and email it out as well.
>
> I believe that if we surveyed and discussed with the point of
> contact, aka the Industry point of contact for each supporter, the information
> would be of extreme value and refreshing outreach from OWASP to our
> supporters -- this qualitative measurement would help us with rough
> consensus (a core value).  Based on the last committee update from the Industry
> Committee, I believe there was a survey going to be used with CIOs, co-sponsored
> with Grant Thornton (and approved by the board), and this could be added as
> an optional section for those supporters as an example and piggyback an existing
> effort. (See Rex Booth / GIC for more detail) - What staff member is
> working with GIC? Please provide an update if available.
>
> **NOTE many people cannot be paid directly while employed at companies, as an
> example -- that would be a conflict of interest.  Just as when trainers
> train at conferences etc., in many cases the payments must be made to the
> company and not the individual, or that individual would be in breach of
> employment contracts, as an example.  All payments to people should be "legal",
> as an example a 1099 issued as well as a signature for assignment of rights.
>  For some, work on projects during the "course of employment with said company"
> is an issue. We have 60 points of contact at the supporters; let's open the
> dialogue to them.  Let's call 60 people and ask 5 questions (we have employees
> that can do a call down from OWASP Foundation).
>
> For the "individual" or independent consultants that have the ability to
> work on freelance projects, or people "between jobs" without conflict with
> employment agreements, clauses etc., that class of contributor is frankly
> different and equally important.
>
> So we could consider two classes or buckets as we craft the 2012+ program,
> a corporate and an individual application even.
>
> Calling this out as an *elephant in the room* is an observation and our
> responsibility --  the recommendation is that more discussion is needed
> including input from our committees so we can continue to help steer the
> organization with data driven discussions.
>
> In support of Eoin's end goal -- I motion to move $53,480 to a "bounty
> fund" (the funds allocated, regardless of amount, $1 to unlimited); this would
> help us measure, and we start off with a carrot program.  Offer up a $1337 USD
> bounty per project for ACTION, define the actions requested, publish on the
> wiki and let people SPRINT to collect the bounties. These actions can be applied
> to many more projects or multiple bounties per project (40 measurable items).
>  In many cases these short sprints would put energy into the projects and
> marketing of them, as an example -- avoid perception issues of "GDP rates" and
> I suspect that many contributors that want to make a statement will SPRINT
> on an effort and use the bounty to further invest in OWASP, as it's not always
> about the money -- or donate it to another charity, or travel, whatever...
>  No one is going to get "rich" working on bounty programs unless you hit
> 1M on the Google bounty program -- but they will get money to offset
> incurred costs and/or a THANK YOU on a commit to the OWASP Tree and perhaps
> on a new 2012 "hall of fame" list of committers.
>
> At the last board meeting we covered the immediate need for OWASP IT
> Support and an OWASP Project Manager -- since these were approved, action now
> needs to be taken. IMHO Eoin's initiative reboot will NOT be successful
> without a PM - so if we can leverage existing resources then task and
> execute; if our Director or our paid staff cannot, then until WE the
> board FIX this void the effort is destined for failure, as volunteer project
> management will not work (and has not worked). GPC has done a fantastic job
> in creating a framework -- volunteers should not be operational gatekeepers.
>
> Our next board meeting is in +/- 15 days - clearly this is an important
> topic that needs additional discussion to get it right.  But I am
> personally inclined to start the effort with an 80% interim plan and
> re-evaluate in three months (use a bounty model as an example to get started
> and adjust) -- as there are NO perfect plans, and with too much mental
> masturbation or paralysis by analysis we get nothing done.
>
> - Brennan
>
>
>
> On Apr 12, 2012, at 6:20 AM, Seba wrote:
>
> > Eoin,
> >
> > I see this as a "focused SoC", with a couple of phases where
> > 1) all the leaders vote on a certain number of projects that need to be
> pushed forward (roughly done last week: list in ppt, Eoin)
> > 2) now the respective project leaders have to come up with a project
> plan on how to achieve the next level, release, ...
> > 3) if they don't come up with a plan: look for other projects or project
> leaders
> > 4) if they have a plan that needs funding: let's provide them that
> funding.
> >     I am not against paying the project leader,
> >     but it needs to have a very good reason, because I don't think that
> scales.
> >     Funding should go to facilitation, mini-summits, marketing,
> technical writing, I18N, book publishing, ...
> > 5) the devil is in the details and execution: we need a Paulo II to turn
> this around.
> >
> > We are not going to solve stale or stagnant projects by throwing money at
> them; we need to empower the current leaders and contributors and look for new
> blood.
> >
> > --seba
> > On Thu, Apr 12, 2012 at 2:01 AM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
> > I'd like to turn this argument on its head.  Here's what I mean:
> >
> > Dinis presented a list of issues that will arise if OWASP pays people
> to do work on projects and suggested we should continue the board decision
> to keep this ban in place.
> >
> > We've also heard about how not investing in our projects (including
> paying leaders) appears to leave OWASP with stale projects.
> >
> > We're talking about money - I'm not surprised there are issues.
> >
> > However, Dinis has been fond, as long as I've known him, of saying that
> nobody abuses OWASP. Let's put that to the test.
> >
> > Why don't we engage with the projects Eoin has enumerated to see what
> they need?  To figure out how to get rid of the projects' "paper cuts".
>  Let the project leader(s) tell us what they need.  This is somewhat an
> inverse of the SoC, where OWASP said "We need X".  Instead, OWASP would say
> "Tell us what you need and how we can help".  I don't see a single, well
> defined solution working for this problem.
> >
> > If project leaders aren't going to abuse OWASP (Dinis's theorem), then
> let them ask for what they need - including being paid if it makes sense.
>  As long as we have a method of review, where will the abuse come from?
>  Letting project leaders decide removes most if not all of the money
> issues that have been raised.
> >
> > OWASP has already done this with the Python Security guy - we asked him
> what he needed, spent some $'s to get what he needed and the results have
> been great.  Same for Jim Manico and the OWASP podcast - getting the
> production guy hired removed a roadblock to him getting episodes out the
> door.
> >
> > </matt's 2 cents>
> >
> > --
> > -- Matt Tesauro
> > OWASP Board Member
> > OWASP WTE Project Lead
> > http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> > http://AppSecLive.org - Community and Download site
> >
> >
> >
> > On Wed, Apr 11, 2012 at 4:29 PM, Eoin <eoin.keary at owasp.org> wrote:
> > Thanks Jim.
> > Board what are your thoughts on this.
> > I'd like to put this to bed soon and start planning.
> >
> >
> > Eoin Keary
> > BCC Risk Advisory
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 11 Apr 2012, at 20:06, Jim Manico <jim.manico at owasp.org> wrote:
> >
> > > Eoin, I'm also 100% in support of this plan.
> > >
> > > I also would rather see a vote on your plan, instead of a vote that
> sets
> > > up a firewall rule to disallow paying certain people.
> > >
> > > I feel that your plan supports the OWASP mission! It also has a huge
> > > potential to revitalize the organization.
> > >
> > > I feel that negative financing rule inhibits our mission.
> > >
> > > - Jim
> > >> Not trying to complicate, I just want to understand everything. Plus
> these will be the same questions others will ask, so it's good for us to
> have it fleshed out.
> > >>
> > >> I'm supportive of the overall plan.
> > >>
> > >>
> > >> -------
> > >> Michael Coates | OWASP
> > >> michael.coates at owasp.org | @_mwc
> > >>
> > >>
> > >>
> > >> On Apr 11, 2012, at 10:54 AM, Eoin wrote:
> > >>
> > >>> Plan is on the wiki and in the document I shared with you last week.
> > >>> Outstanding issue is do project leads get paid. 90% of projects have
> only 1 main leader.
> > >>> Why are we over complicating things?
> > >>>
> > >>>
> > >>> Eoin Keary
> > >>> BCC Risk Advisory
> > >>> Owasp Global Board
> > >>> +353 87 977 2988
> > >>>
> > >>>
> > >>> On 11 Apr 2012, at 18:47, Jim Manico <jim.manico at owasp.org> wrote:
> > >>>
> > >>>>> I'd rather vote on a plan rather than a single statement
> > >>>> Amen! Whitelisting a good plan, FTW!
> > >>>>
> > >>>> --
> > >>>> Jim Manico
> > >>>> VP, Security Architecture
> > >>>> WhiteHat Security
> > >>>> (808) 652-3805
> > >>>>
> > >>>> On Apr 11, 2012, at 11:41 AM, Michael Coates <
> michael.coates at owasp.org> wrote:
> > >>>>
> > >>>>> I'd rather vote on a plan rather than a single statement
> > >
> > >
> > > --
> > > Jim Manico
> > >
> > > Connections Committee Chair
> > > Cheatsheet Series Product Manager
> > > OWASP Podcast Producer/Host
> > >
> > > jim at owasp.org
> > > www.owasp.org
> > _______________________________________________
> > Owasp-board mailing list
> > Owasp-board at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
> Tom Brennan
> International Board of Directors
> OWASP Foundation
> (t) 973-202-0122
> (e) tomb at owasp.org
> (w) http://www.owasp.org
>
>
>
>
>
>
>



-- 
Global Board Member (Vice Chair)