[Owasp-board] [Owasp-leaders] OWASP.next

Michael Coates michael.coates at owasp.org
Fri Apr 11 00:24:18 UTC 2014


*'Give the power of operational and financial decisions to the OWASP
OPsTeam and let the OWASP board be just one focused on 'values and

This is true. Sarah and team have budgets to work from and they can spend
as they see fit to accomplish high-level mission items.

Michael Coates

On Thu, Apr 10, 2014 at 4:05 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> For a while I have been saying that putting such '*expectations and
> requirements*' on board members was going to cause a lot of friction and
> this is just another example of it
> I don't actually agree with Dennis's analysis. But the reason I don't agree
> is not due to the fact that he is correct (or not) in his analysis. My view
> is that it is *completely unrealistic to put such a high level of
> expectation on OWASP board members*, especially in terms of
> their: behaviour, morals, actions and words. My biggest problem with
> current/past board members is on lack of action, decisions and delegation
> of duties :)
> But the biggest problem with the line of thinking that '*OWASP Board
> members must behave differently*' is that it also:
>    - perpetuates the '*myth of the OWASP Board member*': which is the
>    idea that things can only happen at OWASP if one is on the Board. Not only
>    is this simply not true, this myth creates a negative energy cycle
>    between '*the ones NOT in the board*' (who don't feel empowered) and '*the
>    ones on the board*' (who realise that being a board member doesn't
>    actually help to get things done).
>    - provides a '*focus of blame*' since there is this expectation that '*somebody
>    else should be doing it*'. The reality is that OWASP leaders must
>    realise that they are the ones that need to 'get on with it' and not expect
>    the mythical OWASP board members to '*come and save the day*'
>    - provides a way to 'shoot down the Board Members' since they are in
>    an impossible position (*damned if they do and damned if they don't*)
> The only OWASP leaders (board members or not) that actually make a
> difference at OWASP, are the ones that put the (hours/days/weeks) of
> effort, energy and commitment on a particular idea, vision, project or
> initiative (as an example, if you look at the current/past board members,
> the areas where they have added a lot of value to OWASP, have not been in
> cases where they actually 'needed to be on the board' to achieve those
> results).
> I have written on my blog on what I believe to be a better model for
> OWASP, you can read at An Idea of a new model for OWASP<http://blog.diniscruz.com/2012/10/an-idea-of-new-model-for-owasp.html> (for
> the TL;DR crowd: *'Give the power of operational and financial decisions
> to the OWASP OPsTeam and let the OWASP board be just one focused on 'values
> and community'*)
> Also written in Nov 2012 was the I wish that OWASP in 2014 ....<http://blog.diniscruz.com/2012/11/i-wish-that-owasp-in-2014.html> post
> which I hope that you will share with me the feeling that THAT is what
> OWASP should feel like :)
> On the topic of thinking and blogging about what OWASP could be, I have been
> trying LeanPub as a publishing medium and have published a 'beta book' one
> called Thoughts on OWASP <https://leanpub.com/Thoughts_OWASP/> (which you
> can read more about at: Published Beta version of "Thoughts on OWASP"
> eBook<http://blog.diniscruz.com/2014/03/published-beta-version-of-thoughts-on.html>)
> I also put the contents of that book (which is at the moment a collection
> of my blog posts on OWASP and other philosophical ideas) on this GitHub
> repo: https://github.com/DinisCruz/Book_Thoughts_OWASP
> Here are the links to the main Sections (now in Markdown since they are in
> the GitHub repo):
>    - Introduction<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/0.Introduction/README.md>
>    - 1.OWASP_Organization<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/README.md>
>    - 2.OWASP_Projects<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/2.OWASP_Projects/README.md>
>    - 3.OWASP_Summits<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/3.OWASP_Summits/README.md>
>    - 4.OWASP_Education<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/4.OWASP_Education/README.md>
>    - 5.OWASP_MIA<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/5.OWASP_MIA/README.md>
>    - 6.Philosophy<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/6.Philosophy/README.md>
>    - 7.Security_Industry<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/7.Security_Industry/README.md>
> Here are the links to the chapters with my main OWASP thinking:
>    - An Idea of a New Model for owasp<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/An_Idea_of_a_New_Model_for_owasp.md>
>    - I wish that OWASP in 2014<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/I_wish_that_OWASP_in_2014.md>
>    - Improved Wikipedia funding page why OWASP needs something similar
>    and who buys OWASP Corporate Memberships<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Improved_Wikipedia_funding_page_why_OWASP_needs_something_similar_and_who_buys_OWASP_Corporate_Memberships.md>
>    - OWASP Board Election - Why I voted 'Abstain' and why you should go
>    on the record with your vote<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Board_Election_-__Why_I_voted_'Abstain'_and_why_you_should_go_on_the_record_with_your_vote.md>
>    - OWASP Executive Director Role (Not yet)<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Executive_Director_Role_(Not_yet).md>
>    - OWASP Principles based on NHS<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Principles_based_on_NHS.md>
>    - OWASP Revenue Splits and the 'Non-profits have a charter to be
>    innovators'<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Revenue_Splits_and_the_'Non-profits_have_a_charter_to_be_innovators'.md>
>    - Proposed change for SoC - Use budget to pay for project related
>    expenses<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Proposed_change_for_SoC_-_Use_budget_to_pay_for_project_related_expenses.md>
>    - Remove all commercial non-OWASP logos from OWASP.org<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Remove_all_commercial_non-OWASP_logos_from_OWASP.org.md>
>    - Sarah Baso as OWASP Executive director, how it broke the model,
>    structure and culture of OWASP employees<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Sarah_Baso_as_OWASP_Executive_director,_how_it_broke_the_model,_structure_and_culture_of_OWASP_employees.md>
>    - Why OWASP can't pay OWASP Leaders<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_OWASP_can't_pay_OWASP_Leaders.md>
>    - Why the need to enable the use of OWASP chapter funds<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_the_need_to_enable_the_use_of_OWASP_chapter_funds.md>
>    - Why NDAs have no place at OWASP<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_NDAs_have_no_place_at_OWASP.md>
>    - Me and Jim Manico<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Me_and_Jim_Manico.md>
>    - On John Wilander<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/On_John_Wilander.md>
> Let me know what you think, and if you spot any issues or mistakes, please
> fork that repo and send in a Pull Request :)
> Also feel free to correct my thinking and show me where I got my analysis
> wrong (so that I can learn and improve)
> Dinis
> On 10 April 2014 22:06, Dennis Groves <dennis.groves at owasp.org> wrote:
>> Michael,
>> I applaud you Michael for taking the reins of leadership and setting
>> both a vision and a positive example for OWASP. What a great post! You
>> have really captured the spirit of OWASP and I hope you succeed in keeping
>> it alive. Like you, I stand behind both the awesome staff and community of
>> However, I have great concerns about the future of OWASP, because the
>> board serves as an example for the community. As you have indicated you
>> cannot do this alone, we all have to pitch in. Not everybody on the board
>> is a rotten apple, most of you are awesome. Unfortunately it only takes one
>> rotten apple to spoil the whole barrel.
>> Some examples I have observed of rotten leadership:
>>    - Publicly undermining OWASP employees by an OWASP Board member.
>>    - Publicly undermining OWASP volunteers by an OWASP Board member.
>>    - Privately undermining OWASP leaders by an OWASP Board member.
>>    - Privately undermining OWASP employees by an OWASP Board member.
>>    - Publicly undermining OWASP projects by an OWASP Board member.
>>    - Privately undermining OWASP projects by an OWASP Board member.
>>    - OWASP Board members have caused OWASP to lose money from conference
>>    revenues.
>>    - OWASP Board members have caused OWASP to lose corporate
>>    sponsorships.
>>    - OWASP Board members have caused OWASP to lose projects.
>>    - OWASP Board members have harassed OWASP employees privately.
>>    - OWASP Board members have abused OWASP employees publicly.
>> All of these things have gone on habitually. Most of the time they are
>> thinly veiled under the guise of 'ethics' and yet all of these behaviors
>> are in direct conflict with the duty of loyalty to the OWASP foundation. *Additionally,
>> it sets up an unprofessional example of 'standard of behavior' for the
>> community to follow, and this is exactly what is happening.*
>> I regularly hear from both sponsors and leaders that no longer want to
>> participate in OWASP anymore due to the examples I have cited above. I
>> spend my OWASP donation hours managing fires like this, when I could be
>> building and contributing to the community with my precious little free
>> time.
>> It has come to a point that I may no longer recommend that the public
>> join or support OWASP because of the unprofessional behavior emanating from
>> the board. *And I feel it is a very sad day when I can not recommend
>> OWASP, something I genuinely want to be proud to be a part of, to people I
>> love and respect.*
>> --
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>> .
>> *This email is licensed under a CC BY-ND 3.0
>> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
>> Please do not send me Microsoft Office/Apple iWork documents.
>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>> <http://www.owasp.org/>