[Owasp-board] Fwd: Jeff's statement

Sarah Baso sarah.baso at owasp.org
Mon Jun 10 17:54:28 UTC 2013


Board -
See Jeff's comments in writing below. I have copied them into the bottom of
the meeting minutes page from today:
https://docs.google.com/a/owasp.org/document/d/1jCQYmc-NC5L_JVLsx3INrCrM_iacE9ujhH0Nf6iriXw/edit

Regards,
Sarah Baso

---------- Forwarded message ----------
From: Jeff Williams <jeff.williams at aspectsecurity.com>
Date: Mon, Jun 10, 2013 at 10:49 AM
Subject: Jeff's statement
To: "'Sarah Baso' (sarah.baso at owasp.org)" <sarah.baso at owasp.org>
Cc: "dinis cruz (dinis.cruz at owasp.org)" <dinis.cruz at owasp.org>


Hi Sarah,

Thanks for moderating this morning.  Would it be possible for my remarks to
appear in the minutes (maybe at the end?).

Thanks,

--Jeff

*Jeff Williams statement about the OWASP Top Ten Project*

OWASP is, at the core, a project. We’ll be DONE when the world’s
applications aren’t riddled with known security weaknesses and new code is
secure from the start.  Let’s keep this in mind as we discuss the Top Ten.

*Vendor Independence at OWASP*

There are two different ways the term “VENDOR INDEPENDENCE” applies to
OWASP, and it’s easy to get them confused.

First, there are IRS rules to ensure that leaders don’t buy from
organizations they have an interest in. It should have been obvious to
everyone on the Board that this is not the issue here.

But the second part of VENDOR INDEPENDENCE is trickier.  OWASP can **choose**
a policy for dealing with vendors in the application security market. This
is a business judgment by OWASP.  We could choose to stay completely
isolated, we could interact at arm’s length, or we could have vendors fully
participate in everything.  From the outset, OWASP has maintained
independence, but allowed vendors to sponsor projects and tastefully put
logos on project materials.

Under this policy, OWASP grew to the largest, most effective security
organization in the world.  This policy wasn’t chosen lightly, and I
caution you against tinkering with what made OWASP great.


*OK, so let’s talk about the OWASP Top Ten Project…*

Several folks, including some on the Board, invented the totally unfounded
idea that Aspect has a commercial interest in the new A9 risk added to the
T10.  I want to be REALLY clear on this – we have no commercial interest in
A9.  The ONLY reason we added it is because it is incredibly important.
The risk associated with insecure components is far more widespread than
SQL injection, is sometimes more dangerous, and we have no idea how to deal
with it – yet.  The work for adding A9 started years ago when we added a
note about libraries to the insecure configuration risk in the T10 2010.

The only “partnership” Aspect has with Sonatype is that they provided the
data on 113 million downloads of components for a study we published.  We
DO NOT resell each other’s products or services.  Aspect’s only interest in
insecure components is to help people understand this risk and put in place
some tools and processes to deal with it.  In fact, Aspect has more of a
commercial interest in EVERY SINGLE OTHER item in the T10.

I have spoken at conferences and to the press about A9, Sonatype, and other
tools and products focused on this problem.  And I intend to KEEP ON
talking about important issues in AppSec and telling the truth about
products in our market.  The press coverage generated by Sonatype about
OWASP was EXCELLENT for OWASP, and portrayed us as the leaders and experts
in the field.


*The T10 Project Has Done Nothing Unethical –OR- in Violation of Any OWASP
Policy…*

In fact, the T10 is an example for other projects.  It started with two
people and now it is so much more.  For the T10 2013, we got a bunch of
vendors to open their data, followed a **published** process, created a
release candidate, issued it for notice and comment, etc….

By the way, there seems to be some idea that the T10 is unethical if it is
not supported by multiple sources of data unrelated to the people on the
project.  Hogwash.  There is no REQUIREMENT for the T10 to use data and be
backwards-looking.  In my mind, most of the value is in the
forward-looking expert-driven aspects. What Neil Smithline has called
“subjective.” This kind of decision is a project choice.

It’s the same with putting the Aspect logo in the OWASP T10. Putting a tiny
logo with an acknowledgement has always been allowed… and for good reason.
Attracting new projects and participants to OWASP is critically important.

If you want to be a great platform, then projects should be able to decide
for themselves what makes the most sense – what license to choose, what
process to follow, whether to issue a DRAFT release, and whether
acknowledging contributors makes sense.  If you don’t like logos, then make
the business case for why people should participate.

The Board should stay out of project decisions because the POWER OF OWASP
and frankly our ONLY CHANCE OF SUCCEEDING comes from being a great platform.


*And THAT is the REAL Problem at OWASP…*

The platform has become unattractive.  Whether it’s a desired policy change
or suspected abuse, the process at OWASP is to shoot first and ask
questions later.

There are good reasons to debate OWASP policies.  But whether you disagree
with a policy or there is no clear policy in place, targeting volunteer
contributors EX POST FACTO is the wrong way to effect change.  Even if
someone actually does VIOLATE an EXISTING policy, the approach should be to
help them understand the community.

In this case, not only did Board members NOT seek to calm accusations and
find out the facts, they piled on with their own accusations and threats of
ridiculous lawsuits.  The Board has endorsed McCarthyism as a substitute
for thoughtful discussion about what helps achieve the mission.

This is the real ABUSE OF OWASP’S BRAND.  Whenever anyone is attacked in
the name of OWASP, it harms the platform and undermines the mission.

*Application Security Is Too Important for this…*

OWASP is not moving as fast as the software development community.  We are
LOSING ground every day.  All the knowledge in the OWASP wiki, all the
tools, all the everything is basically 2005 stuff.

We need to be recruiting new companies to contribute – we’re still in
startup mode.  We need tons of new ideas.  None of OWASP’s existing ideas
are going to have any significant effect.  Part of me wants to abandon
anything that isn’t a gamechanger.

Does anyone on the call think AT THIS POINT that the OWASP Top Ten is
really going to change the way application software is developed?  It’s
been 10 years and there has been almost no change.  Is it really the best
we can do?

If you’re frustrated with the way the Top Ten project is being run… go
start your own cool project.  There is an almost unlimited array of
possible cool documents, tools, standards, or projects that you could
create to move and inspire people.

You have the power to turn OWASP around – all you have to do is let go.



-- 
Executive Director
OWASP Foundation

sarah.baso at owasp.org
+1.312.869.2779