[Owasp-board] [Owasp-leaders] OWASP.next

Michael Coates michael.coates at owasp.org
Fri Apr 11 00:24:18 UTC 2014


Dinis,

*'Give the power of operational and financial decisions to the OWASP
OPsTeam and let the OWASP board be just one focused on 'values and
community'*

This is true. Sarah and team have budgets to work from and they can spend
as they see fit to accomplish high level mission items.


--
Michael Coates
@_mwc



On Thu, Apr 10, 2014 at 4:05 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> For a while I have been saying that putting such '*expectations and
> requirements'* on board members was going to cause a lot of friction and
> this is just another example of it
>
> I don't actually agree with Dennis's analysis. But the reason I don't agree
> is not due to the fact that he is correct (or not) in his analysis. My view
> is that it is *completely unrealistic to put such a high level of
> expectation on OWASP board members*, especially in terms of
> their: behaviour, morals, actions and words. My biggest problem with
> current/past board members is on lack of action, decisions and delegation
> of duties :)
>
> But the biggest problem with the line of thinking that '*OWASP Board
> members must behave differently*' is that it also:
>
>    - perpetuates the *'myth of the OWASP Board member'*: which is the
>    idea that things can only happen at OWASP if one is on the Board. Not only
>    is this simply not true, this myth creates a negative energy cycle
>    between '*the ones NOT in the board'* (who don't feel empowered) and '*the
>    ones on the board'* (who realise that being a board member doesn't
>    actually help to get things done).
>    - provides a '*focus of blame'* since there is this expectation that
>    *'somebody else should be doing it'*. The reality is that OWASP leaders must
>    realise that they are the ones that need to 'get on with it' and not expect
>    the mythical OWASP board members to *'come and save the day'*
>    - provides a way to 'shoot down the Board Members' since they are in
>    an impossible position (*damned if they do and damned if they don't*)
>
> The only OWASP leaders (board members or not) that actually make a
> difference at OWASP, are the ones that put the (hours/days/weeks) of
> effort, energy and commitment on a particular idea, vision, project or
> initiative (as an example, if you look at the current/past board members,
> the areas where they have added a lot of value to OWASP, have not been in
> cases where they actually 'needed to be on the board' to achieve those
> results).
>
> I have written on my blog on what I believe to be a better model for
> OWASP, you can read at An Idea of a new model for OWASP<http://blog.diniscruz.com/2012/10/an-idea-of-new-model-for-owasp.html> (for
> the TL;DR crowd: *'Give the power of operational and financial decisions
> to the OWASP OPsTeam and let the OWASP board be just one focused on 'values
> and community'*)
>
> Also written in Nov 2012 was the I wish that OWASP in 2014 ....<http://blog.diniscruz.com/2012/11/i-wish-that-owasp-in-2014.html> post
> which I hope that you will share with me the feeling that THAT is what
> OWASP should feel like :)
>
> On the topic of thinking and blogging about what OWASP could be, I have been
> trying LeanPub as a publishing medium and have published a 'beta book'
> called Thoughts on OWASP <https://leanpub.com/Thoughts_OWASP/> (which you
> can read more about at: Published Beta version of "Thoughts on OWASP"
> eBook<http://blog.diniscruz.com/2014/03/published-beta-version-of-thoughts-on.html>)
>
>
> I also put the contents of that book (which is at the moment a collection
> of my blog posts on OWASP and other philosophical ideas) on this GitHub
> repo: https://github.com/DinisCruz/Book_Thoughts_OWASP
>
> Here are the links to the main Sections (now in Markdown since they are in
> the GitHub repo):
>
>    - Introduction<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/0.Introduction/README.md>
>    - 1.OWASP_Organization<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/README.md>
>    - 2.OWASP_Projects<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/2.OWASP_Projects/README.md>
>    - 3.OWASP_Summits<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/3.OWASP_Summits/README.md>
>    - 4.OWASP_Education<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/4.OWASP_Education/README.md>
>    - 5.OWASP_MIA<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/5.OWASP_MIA/README.md>
>    - 6.Philosophy<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/6.Philosophy/README.md>
>    - 7.Security_Industry<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/7.Security_Industry/README.md>
>
>
> Here are the links to the chapters with my main OWASP thinking:
>
>
>    - An Idea of a New Model for owasp<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/An_Idea_of_a_New_Model_for_owasp.md>
>    - I wish that OWASP in 2014<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/I_wish_that_OWASP_in_2014.md>
>    - Improved Wikipedia funding page why OWASP needs something similar
>    and who buys OWASP Corporate Memberships<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Improved_Wikipedia_funding_page_why_OWASP_needs_something_similar_and_who_buys_OWASP_Corporate_Memberships.md>
>    - OWASP Board Election - Why I voted 'Abstain' and why you should go
>    on the record with your vote<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Board_Election_-__Why_I_voted_'Abstain'_and_why_you_should_go_on_the_record_with_your_vote.md>
>    - OWASP Executive Director Role (Not yet)<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Executive_Director_Role_(Not_yet).md>
>    - OWASP Principles based on NHS<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Principles_based_on_NHS.md>
>    - OWASP Revenue Splits and the 'Non-profits have a charter to be
>    innovators'<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/OWASP_Revenue_Splits_and_the_'Non-profits_have_a_charter_to_be_innovators'.md>
>    - Proposed change for SoC - Use budget to pay for project related
>    expenses<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Proposed_change_for_SoC_-_Use_budget_to_pay_for_project_related_expenses.md>
>    - Remove all commercial non-OWASP logos from OWASP.org<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Remove_all_commercial_non-OWASP_logos_from_OWASP.org.md>
>    - Sarah Baso as OWASP Executive director, how it broke the model,
>    structure and culture of OWASP employees<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Sarah_Baso_as_OWASP_Executive_director,_how_it_broke_the_model,_structure_and_culture_of_OWASP_employees.md>
>    - Why OWASP can't pay OWASP Leaders<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_OWASP_can't_pay_OWASP_Leaders.md>
>    - Why the need to enable the use of OWASP chapter funds<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_the_need_to_enable_the_use_of_OWASP_chapter_funds.md>
>    - Why NDAs have no place at OWASP<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Why_NDAs_have_no_place_at_OWASP.md>
>    - Me and Jim Manico<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/Me_and_Jim_Manico.md>
>    - On John Wilander<https://github.com/DinisCruz/Book_Thoughts_OWASP/blob/master/manuscript/1.OWASP_Organization/On_John_Wilander.md>
>
> Let me know what you think, and if you spot any issues or mistakes, please
> fork that repo and send in a Pull Request :)
>
> Also feel free to correct my thinking and show me where I got my analysis
> wrong (so that I can learn and improve)
>
> Dinis
>
>
> On 10 April 2014 22:06, Dennis Groves <dennis.groves at owasp.org> wrote:
>
>> Michael,
>>
>> I applaud you Michael for taking the reins of leadership and setting
>> both a vision and a positive example for OWASP. What a great post! You
>> have really captured the spirit of OWASP and I hope you succeed in keeping
>> it alive. Like you, I stand behind both the awesome staff and community of
>> OWASP.
>>
>> However, I have great concerns about the future of OWASP, because the
>> board serves as an example for the community. As you have indicated you
>> cannot do this alone, we all have to pitch in. Not everybody on the board
>> is a rotten apple, most of you are awesome. Unfortunately it only takes one
>> rotten apple to spoil the whole barrel.
>>
>> Some examples I have observed of rotten leadership:
>>
>>    - Publicly undermining OWASP employees by an OWASP Board member.
>>    - Publicly undermining OWASP volunteers by an OWASP Board member.
>>    - Privately undermining OWASP leaders by an OWASP Board member.
>>    - Privately undermining OWASP employees by an OWASP Board member.
>>    - Publicly undermining OWASP projects by an OWASP Board member.
>>    - Privately undermining OWASP projects by an OWASP Board member.
>>
>>
>>    - OWASP Board members have caused OWASP to lose money from conference
>>    revenues.
>>    - OWASP Board members have caused OWASP to lose corporate
>>    sponsorships.
>>    - OWASP Board members have caused OWASP to lose projects.
>>
>>
>>    - OWASP Board members have harassed OWASP employees privately.
>>    - OWASP Board members have abused OWASP employees publicly.
>>
>> All of these things have gone on habitually. Most of the time they are
>> thinly veiled under the guise of 'ethics' and yet all of these behaviors
>> are in direct conflict with the duty of loyalty to the OWASP foundation. *Additionally,
>> it sets up an unprofessional example of 'standard of behavior' for the
>> community to follow, and this is exactly what is happening.*
>>
>> I regularly hear from both sponsors and leaders that no longer want to
>> participate in OWASP anymore due to the examples I have cited above. I
>> spend my OWASP donation hours managing fires like this, when I could be
>> building and contributing to the community with my precious little free
>> time.
>>
>> It has come to a point that I may no longer recommend that the public
>> join or support OWASP because of the unprofessional behavior emanating from
>> the board. *And I feel it is a very sad day when I can not recommend
>> OWASP, something I genuinely want to be proud to be a part of, to people I
>> love and respect.*
>>
>>
>> --
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>> .
>> *This email is licensed under a CC BY-ND 3.0
>> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
>> Please do not send me Microsoft Office/Apple iWork documents.
>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>>
>> <http://www.owasp.org/>