[Owasp-board] [Owasp-leaders] (Projects Reboot 2012) Re: OWASP 2014 - Strategic Goals

Eoin Keary eoin.keary at owasp.org
Wed Nov 13 09:46:39 UTC 2013


Thanks Sarah,

To be clear,

The issue was an allegation by Dennis Groves of me moving DHS funds to other projects. 

In effect moving grant funds allocated to owasp projects which we could never do and would be questionable if not illegal.

This was never suggested or discussed by myself or any other OWASP employee or board member.

The transfer/movement of funds suggested was in relation to OWASP funds allocated to projects which are also supported by other companies and third parties. 

In effect giving us the ability to support more projects and making best use of our limited budget.

Dennis, your allegation is false, misinformed and dangerous. Dennis, I'd like to talk to you in person regarding this and for you to retract that accusation.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 13 Nov 2013, at 08:32, Sarah Baso <sarah.baso at owasp.org> wrote:

> Thanks Josh.
> 
> I wanted to echo Josh's sentiments and ask that you (Dennis and Eoin) continue this conversation offline (if it is necessary).  
> 
> I think this back and forth has been a series of poor communication (or lack of communication) and operating on different sets of assumptions.  As a global community that works remotely and communicates via email, we all need to try hard to pick up the phone where necessary and also I would like to think we can give our colleagues and peers in OWASP the benefit of the doubt. I don't think Eoin or anyone else was defrauding OWASP.  
> 
> The staff is working hard at setting better policies and financial communication methods to help make sure that there isn't ongoing confusion about who is getting what money and which guidelines we need to follow to comply with terms of our grants as well as donor intent.  I would like to see the board not be involved in the day to day management of funds going forward, but instead directing questions and submitting expense requests (as applicable) per the standard policies set for the organization.  I think we are getting there....
> 
> On a positive note, just think if this energy of all of us (staff, board members, and volunteers) was spent working towards our mission instead of rehashing the same argument in a nonproductive way 10 times!?
> 
> Let's refocus on the strategic goal discussion -- and Eoin, I haven't seen you bring up your cause of Developer Outreach that we discussed in Germany. I assume you still feel strongly about that specifically being called out in the goals for the upcoming year? (which I agree with).  Are there certain metrics you think we could use to measure impact on the community in this area?
> 
> Regards,
> Sarah
> 
> On Mon, Nov 11, 2013 at 3:54 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Guys, stop.  This conversation isn't the least bit productive and I can say with a fair amount of confidence that the rest of the leaders list doesn't want to listen to you squabble over things that happened in the past.  If you feel the need to continue this conversation, then please do so in private.
>> 
>> ~josh
>> 
>> 
>> On Mon, Nov 11, 2013 at 5:47 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> Hi Dennis,
>>> 
>>> Any issues or misunderstanding re funding for projects was between the project lead (me) and an OWASP employee.
>>> 
>>> Funding for CISO was voted on based on the proposal received by a panel. It was transparent. I have a record of the votes. The CISO project was one of the first proposals we received.
>>> 
>>> I do not wish to revisit the misunderstandings re funding and have moved on. I'm unsure what you aim to gain from this email or what your point is.
>>> 
>>> Such an email tells me I am doing my job. I can't keep everyone happy. People who have never generated noise probably have not done anything of value.
>>> 
>>> All I have ever done was the best I could do for OWASP. In this case; get funding so we could move projects forward etc. which I have achieved. Ask the project leaders.
>>> 
>>> I'm very sorry you feel this way.  
>>> 
>>> Eoin.
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 11 Nov 2013, at 21:27, Dennis Groves <dennis.groves at owasp.org> wrote:
>>> 
>>>> CISO wasn’t funded by project reboot. 
>>>> 
>>>> Initially, you wanted to take money from grants awarded by DHS and cause OWASP to commit fraud in the USA, and put the entire organization at risk. When I brought this to your attention you dismissed me by saying “I was a know it all.” Your new solution was to spend other people's chapter money!  
>>>> 
>>>> The money for CISO came from the Phoenix chapter, and from your own project after the staff held you accountable for your actions. 
>>>> 
>>>> To top this all off you did not take personal responsibility for your actions, instead you blamed others publicly. 
>>>> 
>>>> There were a hundred million ways to manage the issue, none of which required publicly blaming others for your failures, or putting OWASP at risk. It was beyond completely unprofessional of you.
>>>> 
>>>> Had this been the first time, it may have been acceptable; as everybody makes mistakes but you have a history of this behaviour.
>>>> 
>>>> And, this all happened because you did not manage either your project or the money, nor did you take responsibility for your actions.
>>>> 
>>>> Frankly, a board level position requires a much higher standard of behavior than you exhibit.
>>>> 
>>>> 
>>>> 
>>>> On Nov 11, 2013, at 10:58 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>> 
>>>>> No Dinis....don't have time to bow to your request, very sorry....
>>>>> 
>>>>> The leaders are happy with the support and "stuff is getting done" so that's good for me.
>>>>> 
>>>>> Dude check the site. It's all there.
>>>>> Samantha has also done great work managing the funding and developing guidelines such as the grant policy etc.
>>>>> 
>>>>> There is no hard timeline to adhere to as projects take time to develop and are volunteer based. We can't put a gun to leaders heads.
>>>>> 
>>>>> Testing,
>>>>> Development,
>>>>> Code review
>>>>> Ciso 
>>>>> Appsensor - all reboot funded.
>>>>> 
>>>>> How is the appsec "Jesus"- no shoes thing going. :)
>>>>> 
>>>>> 
>>>>> 
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>> 
>>>>> 
>>>>> On 11 Nov 2013, at 15:14, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>> 
>>>>>> Eoin, when you say ' very successful reboot project funding' , can you be more specific on the criteria you used to reach that conclusion?
>>>>>> 
>>>>>> For example where can I see:
>>>>>> - all funds allocated 
>>>>>> - all funds projected to be spent
>>>>>> - all funds actually spent
>>>>>> - timeline of the expenditure
>>>>>> - what was achieved with the funds spent?
>>>>>> - the final deliverables of the project reboot 2012 (which started on Jun/Aug 2012)
>>>>>> 
>>>>>> Also the page https://www.owasp.org/index.php/Projects_Reboot_2012 seems quite out of date. So I would expect that a number of the answers to my questions should be placed there (since it is important to have accurate historical documentation of this type of Owasp initiatives)
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> On 11 Nov 2013 14:15, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>>>>>>> We have the very successful reboot project funding many projects. Some are to be released at appsecusa such as the ciso guide.
>>>>>>> I agree we need to spend more. If € is donated for a particular project or chapter, we can't move that money to another project that easily, given it was a donation.
>>>>>>> This is frustrating but needs to be observed to be compliant with charity law etc.
>>>>>>> 
>>>>>>> 
>>>>>>> Eoin Keary
>>>>>>> Owasp Global Board
>>>>>>> +353 87 977 2988
>>>>>>> 
>>>>>>> 
>>>>>>> On 11 Nov 2013, at 13:15, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>>>> 
>>>>>>>> This innovation will not come from 'owasp' . The way to do it is to create a budget programme like the Owasp GSD project ( https://www.owasp.org/index.php/OWASP_GSD_Project) and trust the owasp leaders with the responsibility and budget .
>>>>>>>> 
>>>>>>>> This is the Projects/Chapters Buckets idea that I have been talking for a while now, and that idea will do more for OWASP's ability to innovate , than any discussion thread or top-down initiative
>>>>>>>> 
>>>>>>>> On the topic of Measurement , I completely agree, and that is something that the owasp OpsTeam (the employees) should really focus on (since they are the only ones that will have the independence and motivation to do it)
>>>>>>>> 
>>>>>>>> On 11 Nov 2013 03:03, "Jeff Williams" <jeff.williams at owasp.org> wrote:
>>>>>>>>> I wasn't suggesting that the organization-focused goals aren't important. I'm thrilled to see OWASP continue to grow. Just saying a few of the strategic goal ideas for 2014 should be focused on our domain...
>>>>>>>>> 
>>>>>>>>> * Foster innovation and experimentation. One possibility is a DARPA style high-risk, high-reward proposal program... there are others.
>>>>>>>>> * Encourage diversity.  I think the "Women in AppSec" program is great and should be expanded
>>>>>>>>> * Pursue Measurement.  As Jeremiah has correctly pointed out, nobody really knows if any of this stuff really works. Let's find out.
>>>>>>>>> * Advertise.  This isn't exactly the right word. I'm thinking of a "Truth" style campaign to help the world understand the importance of appsec
>>>>>>>>> * Encourage competition. The crypto community does this well through NIST for algorithms. Why not other defenses?
>>>>>>>>> 
>>>>>>>>> --Jeff
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Fri, Nov 8, 2013 at 11:21 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>> > Shouldn't the strategies have something to do with the mission?
>>>>>>>>>> 
>>>>>>>>>> Of course. But we also need a well run organization in order to properly serve the mission. The staff has done a remarkable job in cleaning up a lot of difficult messes that OWASP had become. There is no shame meant in that statement. OWASP is just growing up - kind of like moving from a start-up to a larger organization. The organizational changes that Colin and Josh suggest are really critical in terms of efficiency. We just want to maximize the minimal resources that we have to serve the mission.
>>>>>>>>>> 
>>>>>>>>>> Another thing, the suggestions below from Colin and Josh are additions, not the entire set of strategic goals of the organization.
>>>>>>>>>> 
>>>>>>>>>> Here are the past OWASP strategic goals. https://docs.google.com/a/owasp.org/document/d/19BJMDMTVWlwqMcvUfDy1Mcjtd_bKGbhu-D-VBE-7kFU/edit
>>>>>>>>>> 
>>>>>>>>>> We are going to be building the 2014 strategic goals after AppSecUSA (www.appsecusa.com) on November 22nd. https://www.owasp.org/index.php/November_22,_2013 You are welcome to dial in and lend advice and support!
>>>>>>>>>> 
>>>>>>>>>> If you have any suggestions as to how we can make "aggressive game changing innovation" in an open, vendor-neutral and community based way, then bring it on!
>>>>>>>>>> 
>>>>>>>>>> > How are we going to change the trajectory of software development?
>>>>>>>>>> 
>>>>>>>>>> Jeff, as one of the OWASP Top Ten leaders, you have a HUGE opportunity to affect the culture of software. I see the OWASP Top Ten in almost every dev shop I run into. So I ask you, is the OWASP Top Ten 2013 an "aggressive pursuit and encouragement of game-changing innovation, not just technological but cultural"? I think that is one of your biggest opportunities to see the change you want.
>>>>>>>>>> 
>>>>>>>>>> Aloha,
>>>>>>>>>> Jim
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> > How are we going to change the trajectory of software development?  How to make appsec something every developer wants to know...aspirational?
>>>>>>>>>> >
>>>>>>>>>> > The strategies ought to include aggressive pursuit and encouragement of game-changing innovation, not just technological but cultural. Otherwise we will continue to slowly lose ground in the face of rapid tech expansion.
>>>>>>>>>> >
>>>>>>>>>> > --Jeff
>>>>>>>>>> >
>>>>>>>>>> >
>>>>>>>>>> >> On Nov 8, 2013, at 4:25 PM, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> I still quite like the "platform" and "quality" aspects.
>>>>>>>>>> >>
>>>>>>>>>> >> 1. The community (incl staff) efforts on updating design and the wiki
>>>>>>>>>> >> has made a huge improvement. Contrary to the 2013 objective, the wiki
>>>>>>>>>> >> stuff is improving from the bottom up, but I'm sure this will surface
>>>>>>>>>> >> onto the home page soon.
>>>>>>>>>> >>
>>>>>>>>>> >> 2. I'd like to see some effort in enabling "self-service" for
>>>>>>>>>> >> volunteers to take some of the load off the staff e.g. "how tos and
>>>>>>>>>> >> FAQs" for project leaders.
>>>>>>>>>> >>
>>>>>>>>>> >> 3.  I also think we need to keep pushing the "open" aspect. Make it
>>>>>>>>>> >> difficult for secret groups, cliques and closed-door activities to
>>>>>>>>>> >> occur.
>>>>>>>>>> >>
>>>>>>>>>> >> Colin
>>>>>>>>>> >>
>>>>>>>>>> >>
>>>>>>>>>> >>
>>>>>>>>>> >>> On 8 November 2013 21:06, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>> >>> Right on, Josh! Bring it! :)
>>>>>>>>>> >>>
>>>>>>>>>> >>> Aloha,
>>>>>>>>>> >>> --
>>>>>>>>>> >>> Jim Manico
>>>>>>>>>> >>> @Manicode
>>>>>>>>>> >>> (808) 652-3805
>>>>>>>>>> >>>
>>>>>>>>>> >>> On Nov 8, 2013, at 4:02 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>>>>> >>>
>>>>>>>>>> >>> I would like to add two strategic goals to this list:
>>>>>>>>>> >>>
>>>>>>>>>> >>> 1) Create policies and processes to support the chapters.  Encourage them to
>>>>>>>>>> >>> innovate.  Create a framework to allow them to be financially
>>>>>>>>>> >>> self-sufficient.
>>>>>>>>>> >>>
>>>>>>>>>> >>> 2) Investigate what it means to be an "OWASP member".  How do we justify
>>>>>>>>>> >>> becoming a paid member?  What are the benefits that paid members receive
>>>>>>>>>> >>> from their contributions?
>>>>>>>>>> >>>
>>>>>>>>>> >>> ~josh
>>>>>>>>>> >>>
>>>>>>>>>> >>>
>>>>>>>>>> >>> On Fri, Nov 8, 2013 at 2:50 PM, Michael Coates <michael.coates at owasp.org>
>>>>>>>>>> >>> wrote:
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Leaders,
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> For the past 2 years we have set strategic goals at the board level. The
>>>>>>>>>> >>>> purpose of these initiatives is to zero in on a few key elements where we
>>>>>>>>>> >>>> wish to drive growth. These strategic goals are also used to prioritize and
>>>>>>>>>> >>>> guide the operation team's tactical goals and focus.
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> As we're planning for 2014 I'd like to ask all of you for your thoughts
>>>>>>>>>> >>>> and feedback on strategic goals for the OWASP foundation. Please note that
>>>>>>>>>> >>>> these items are geared towards the owasp organization, not any specific
>>>>>>>>>> >>>> project, conference, chapter etc. OWASP is building the platform for all of
>>>>>>>>>> >>>> these wonderful things to occur. How should we specifically try and grow
>>>>>>>>>> >>>> that platform in pursuit of our mission in 2014?
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> The list of 2012 and 2013 strategic goals can be found here:
>>>>>>>>>> >>>> https://docs.google.com/document/d/19BJMDMTVWlwqMcvUfDy1Mcjtd_bKGbhu-D-VBE-7kFU/edit
>>>>>>>>>> >>>>
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Please reply to this thread with your thoughts, comments and ideas.
>>>>>>>>>> >>>>
>>>>>>>>>> >>>>
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Thanks!
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> --
>>>>>>>>>> >>>> Michael Coates | OWASP | @_mwc
>>>> 
>>>> Dennis Groves, MSc
>>>> Stay in touch via email or schedule a meeting.
>>>> 
>>>> “The things most people want to know about are usually none of their business.” 
>>>> – George Orwell, 1984
>>> 
> 
> 
> 
> -- 
> Executive Director
> OWASP Foundation
> 
> sarah.baso at owasp.org
> +1.312.869.2779
> 
> 
> 
> 