[Owasp-board] [Owasp-leaders] OWASP.next

Jim Manico jim.manico at owasp.org
Fri Apr 11 00:06:35 UTC 2014


A few years ago the conference committee was about to do an OWASP Summit 
(at great expense) on a cruise ship, which is not very becoming for a 
non-profit charity. :) That is why the board killed the last summit.

However, a project or other focused summit is really a good idea. I 
support it if we do it in a cost-effective and sensible way. No more 
open bar tab for you, Mr Cruz! *wink* By the same token, the 
Portugal summit was powerful in ways that still reverberate today, and I 
think doing something like that again would really benefit the foundation.

Aloha,
Jim

On 4/10/14, 7:56 PM, Tony Turner wrote:
>
> I agree. I think summits are extremely important and I'm not sure why 
> we don't do more of them. Honestly I'd love to see even small regional 
> hackathons and summits see some traction. I run the Security B-sides 
> Orlando conference every April and it's been huge for our local 
> community and I'm starting to see projects and community collaboration 
> kicking off as a result of it. Some of us do OWASP Day in our 
> respective regions, but I've seen some that are little more than a 
> vendor trade show with questionable value. We need more collaborative 
> events with focused objectives. FOCUSED.
>
> What is our wish list of projects? How do we get from here to there? 
> That's what I'm interested in. We are focusing too much on operational 
> issues, meanwhile nothing (or very little) gets done. Let's empower 
> the doers, and stop nitpicking over the details.
>
> On Apr 10, 2014 7:42 PM, "Dinis Cruz" <dinis.cruz at owasp.org> wrote:
>
>     brilliant Tony, that was the best comment of the day!
>
>     maybe we should do another of these to get us back into
>     Application Security mode:
>     http://blog.diniscruz.com/2012/04/great-description-of-why-owasp-summits.html
>
>     :)
>
>     Dinis
>
>
>     On 10 April 2014 23:34, Tony Turner <tony.turner at owasp.org> wrote:
>
>         It's too bad application security topics don't see the same
>         level of participation. What was our core mission again? ;)
>
>         On Apr 10, 2014 6:25 PM, "Abbas Naderi" <abiusx at owasp.org> wrote:
>
>             What if it was a cause with at least 6 OWASP members in
>             it, and was simply ignored (and never mentioned again)
>             because it was not in the interest of someone at the board
>             level or similar? That's what I mean by support.
>
>             I have seen several cases. The problem is that members
>             don't feel that there is a force supporting them, and feel
>             that they are dictated their terms by the board and other
>             high levels. This is what kills the motivation, and from
>             what I've seen so far from other posts in this thread,
>             everybody is noticing it.
>
>             Regards
>             -A
>             ______________________________________________________________
>             *Notice:* This message is *digitally signed*, its
>             *source* and *integrity* are verifiable.
>             If your mail client does not support S/MIME verification,
>             it will display a file (smime.p7s), which includes the
>             X.509 certificate and the signature body.  Read more at
>             Certified E-Mail with Comodo and Thunderbird
>             <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
>             AbiusX.com <http://AbiusX.com>
>
>             On Apr 10, 2014, at 6:19 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>>             There are a few different interpretations of "proper
>>             support" and I want to make sure I'm understanding you
>>             correctly:
>>
>>             1) I couldn't get a Board member to sponsor this initiative.
>>
>>             If this is the case, then sign me up.  I'm not sure I can
>>             put together all of the details that I asked you for, but
>>             I think the idea has merit and am willing to
>>             support/explore it as an option.
>>
>>             2) I tried and couldn't make it work.
>>
>>             If this is the case, then I'm not sure what to say.  I
>>             love the concept, but as I said the devil is in the
>>             details and I'm not sure how it would work in practice.
>>
>>             3) I stated an interest and nobody wanted to help.
>>
>>             If this is the case, then maybe it's just a situation
>>             where you want something really bad, but the majority
>>             doesn't see the value in it as much as you do.  If you
>>             don't have enough motivation to pursue, and others are
>>             willing to discuss it with you but don't have the
>>             motivation to pursue, then I'd start to question whether
>>             it's actually something worth pursuing.  If you change
>>             your mind about that, then let me know as I'm happy to
>>             walk the path with you.
>>
>>             ~josh
>>
>>
>>             On Thu, Apr 10, 2014 at 5:06 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>                 Unfortunately I have tried a few times to do this,
>>                 but without proper support it is just a dead cause.
>>                 It's not that I'm trying to state my opinion here, I'm
>>                 trying to describe issues that several members of the
>>                 community face, and have discussed with me in person,
>>                 but don't have enough motivation to pursue. It's not
>>                 about me, it's about making the community a better
>>                 place for everyone. It's about saving it.
>>                 -A
>>
>>                 On Apr 10, 2014, at 6:03 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>>                 Abbas,
>>>
>>>                 Just because you didn't get elected doesn't mean
>>>                 that you have to throw in the towel.  I know what I
>>>                 promised to do when I ran for a Board seat, but
>>>                 can't say that I remember everything that everyone
>>>                 else said they would do.  As with anything, the
>>>                 devil is in the details, but I'm certainly not
>>>                 opposed to your idea.  I don't think there's
>>>                 anything currently stopping you from running a
>>>                 petition if you feel that the Board has done
>>>                 something egregious that needs to be undone.  The
>>>                 couple of initiatives that I've passed since being
>>>                 elected were done with unanimous support of the
>>>                 Board and majority support from those who responded
>>>                 from the community inquiries.  The concept of a veto
>>>                 is a bit more difficult to enforce and I'm curious
>>>                 how this would work in practice.  Is there a
>>>                 percentage of people that would have to respond to a
>>>                 veto request? Do they have to be members?  Is there
>>>                 a number of "in favor" votes that has to be reached
>>>                 for it to be successful?  Is there a time constraint
>>>                 on how long after an action is initiated that it can
>>>                 be repealed?  Are there others in the community who
>>>                 feel like the Board has done something so
>>>                 egregiously bad that it needs to be repealed?
>>>                 Regardless, I'd be happy to work with you to set up
>>>                 a formal proposal here if you'd like to do so?
>>>
>>>                 ~josh
>>>
>>>
>>>                 On Thu, Apr 10, 2014 at 4:46 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>                     Josh,
>>>                     If you remember, I had similar ideas for the
>>>                     board, as I was running for it as well. My idea
>>>                     was to allow a veto role for the community,
>>>                     because it is not viable and clever to ask for
>>>                     community polls on typical matters, as it does
>>>                     not involve everyone, and they clearly won't
>>>                     participate when they are not involved.
>>>
>>>                     But a veto role is a different matter. If
>>>                     someone in the community feels undermined by a
>>>                     process enforced by the board, they can run
>>>                     their campaign, get more votes and undo the
>>>                     decision they thought was wrong in the first
>>>                     place. This is what we need, and those decisions
>>>                     are really hurting people, making them lose hope
>>>                     for the better in this community.
>>>
>>>                     Unfortunately the previous board and the current
>>>                     board haven't done anything significant towards
>>>                     this, and it seems to me that no priority effort
>>>                     is being made.
>>>
>>>                     Thanks
>>>                     -Abbas
>>>
>>>                     On Apr 10, 2014, at 5:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>>                     Abbas,
>>>>
>>>>                     One of the ideas that I (and I believe Tobias
>>>>                     as well) championed when running for the Board
>>>>                     was the idea of bringing the power back to the
>>>>                     community.  I have raised this as an item to
>>>>                     the Board with the hopes of adding a sort of
>>>>                     community referendum to the election later this
>>>>                     year.  In the meantime, you have seen several
>>>>                     examples of polling the community for input on
>>>>                     various topics and we are working to bring you
>>>>                     a new voting platform that will allow even more
>>>>                     of this type of community inquiry.  The caveat
>>>>                     is that people have to actually vote and, as is
>>>>                     the case with the latest poll, our "turnout"
>>>>                     numbers have been relatively low.  Since the
>>>>                     community is made up of more than just leaders,
>>>>                     you've seen Michael's proposal to transition to
>>>>                     a full community involvement model instead of
>>>>                     just having a leaders list and hopefully this
>>>>                     will increase those poll numbers even more.  In
>>>>                     my opinion, the issues that you bring up are in
>>>>                     large part due to actions by the Board in the
>>>>                     past and I do see the current Board trying to
>>>>                     address them. Change won't happen overnight,
>>>>                     but I do see us moving in the right direction.
>>>>                     Hopefully you can stick around long enough for
>>>>                     us to right the ship.
>>>>
>>>>                     ~josh
>>>>
>>>>
>>>>                     On Thu, Apr 10, 2014 at 4:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>>                         Dennis,
>>>>                         That is a perfectly valid explanation. I
>>>>                         have been faced with several of these
>>>>                         myself, and it has really affected the way
>>>>                         I love and contribute to OWASP. Now when I
>>>>                         have an idea, instead of making it an OWASP
>>>>                         project, I look elsewhere for a platform,
>>>>                         and all of you people know me and probably
>>>>                         are aware of the contributions I have made
>>>>                         to the community over several years.
>>>>
>>>>                         The list you provided is most of the cases,
>>>>                         but there are definitely cases not
>>>>                         mentioned there, like manipulating and
>>>>                         forcing decisions and actions at the board
>>>>                         level.
>>>>
>>>>                         I believe we need a change of management
>>>>                         model for OWASP. This is clearly not
>>>>                         working (IMHO) and these days I have a deep
>>>>                         sensation of leaving it all for good and
>>>>                         spending my time somewhere more productive.
>>>>
>>>>                         Thanks
>>>>                         -Abbas
>>>>
>>>>                         On Apr 10, 2014, at 5:06 PM, Dennis Groves <dennis.groves at owasp.org> wrote:
>>>>
>>>>>                         Michael,
>>>>>
>>>>>                         I applaud you Michael for taking the
>>>>>                         reins of leadership and setting both a
>>>>>                         vision and a positive example for OWASP.
>>>>>                         What a great post! You have really
>>>>>                         captured the spirit of OWASP and I hope
>>>>>                         you succeed in keeping it alive. Like you,
>>>>>                         I stand behind both the awesome staff and
>>>>>                         community of OWASP.
>>>>>
>>>>>                         However, I have great concerns about the
>>>>>                         future of OWASP, because the board serves
>>>>>                         as an example for the community. As you
>>>>>                         have indicated you cannot do this alone,
>>>>>                         we all have to pitch in. Not everybody on
>>>>>                         the board is a rotten apple, most of you
>>>>>                         are awesome. Unfortunately it only takes
>>>>>                         one rotten apple to spoil the whole barrel.
>>>>>
>>>>>                         Some examples I have observed of rotten
>>>>>                         leadership:
>>>>>
>>>>>                           * Publicly undermining OWASP
>>>>>                             employees by an OWASP Board member.
>>>>>                           * Publicly undermining OWASP volunteers
>>>>>                             by an OWASP Board member.
>>>>>                           * Privately undermining OWASP leaders by
>>>>>                             an OWASP Board member.
>>>>>                           * Privately undermining OWASP employees
>>>>>                             by an OWASP Board member.
>>>>>                           * Publicly undermining OWASP projects by
>>>>>                             an OWASP Board member.
>>>>>                           * Privately undermining OWASP projects
>>>>>                             by an OWASP Board member.
>>>>>
>>>>>                           * OWASP Board members have caused OWASP
>>>>>                             to lose money from conference revenues.
>>>>>                           * OWASP Board members have caused OWASP
>>>>>                             to lose corporate sponsorships.
>>>>>                           * OWASP Board members have caused OWASP
>>>>>                             to lose projects.
>>>>>
>>>>>                           * OWASP Board members
>>>>>                             have harassed OWASP employees privately.
>>>>>                           * OWASP Board members have abused OWASP
>>>>>                             employees publicly.
>>>>>
>>>>>                         All of these things have gone on
>>>>>                         habitually. Most of the time they are
>>>>>                         thinly veiled under the guise of 'ethics'
>>>>>                         and yet all of these behaviors are in
>>>>>                         direct conflict with the duty of loyalty
>>>>>                         to the OWASP foundation. /Additionally, it
>>>>>                         sets up an unprofessional example of
>>>>>                         'standard of behavior' for the community
>>>>>                         to follow, and this is exactly what is
>>>>>                         happening./
>>>>>
>>>>>                         I regularly hear from both sponsors and
>>>>>                         leaders that no longer want to participate
>>>>>                         in OWASP anymore due to the examples I
>>>>>                         have cited above. I spend my OWASP
>>>>>                         donation hours managing fires like this,
>>>>>                         when I could be building and contributing
>>>>>                         to the community with my precious little
>>>>>                         free time.
>>>>>
>>>>>                         It has come to a point that I may no
>>>>>                         longer recommend that the public join or
>>>>>                         support OWASP because of the
>>>>>                         unprofessional behavior emanating from the
>>>>>                         board. /And I feel it is a very sad day
>>>>>                         when *I can not recommend* OWASP,
>>>>>                         something I genuinely want to be proud to
>>>>>                         be a part of, to people I love and respect./
>>>>>
>>>>>
>>>>>                         -- 
>>>>>                         Dennis Groves
>>>>>                         <http://about.me/dennis.groves>, MSc
>>>>>                         Email me, <mailto:dennis.groves at owasp.org>
>>>>>                         or schedule a meeting <http://goo.gl/8sPIy>.
>>>>>                         /This email is licensed under a CC BY-ND
>>>>>                         3.0
>>>>>                         <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB>
>>>>>                         license./
>>>>>                         Stand up for your freedom to install free
>>>>>                         software.
>>>>>                         <http://www.fsf.org/campaigns/secure-boot/statement>
>>>>>                         Please do not send me Microsoft
>>>>>                         Office/Apple iWork documents.
>>>>>                         Send OpenDocument
>>>>>                         <http://fsf.org/campaigns/opendocument/>
>>>>>                         instead!
>>>>>
>>>>>                         <http://www.owasp.org/>
>>>>>                         _______________________________________________
>>>>>                         OWASP-Leaders mailing list
>>>>>                         OWASP-Leaders at lists.owasp.org
>>>>>                         https://lists.owasp.org/mailman/listinfo/owasp-leaders
