[Owasp-board] OWASP Top 10

Matt Tesauro matt.tesauro at owasp.org
Mon Apr 14 02:40:01 UTC 2014


Josh, I reviewed the Project Leaders Handbook prior to my email and that is
why I used the wording "create an explicit policy".

Look, I totally believe that any project which does analysis of data at
OWASP _should_ have that data open so it can be reviewed by anyone.  I'm on
your side here - if there really are sides.

The thing that I think both of you are missing is that:

(1) The Project Leader Handbook at best tangentially handles this
situation.  If you want this not to happen again, update the policy
to explicitly handle it.  Your the board, its what boards do.  Write policy
which empowers the staff to act on that policy.

(2) Unless you want to appear to be a board which arbitrary applies policy
to projects you have some dispute with, create said policy and enforce it
going forward.  It is impossible to follow the rules which don't exist.
 OWASP has gotten too large to do enforcement via cultural norms.  Write
policy and work off that policy.  If there are projects that don't follow
the new policy, then you have a framework to constructively discuss how to
get them where they now need to be.  Otherwise, from a project leaders
perspective, it feels like arbitrary enforcement.

I know if someone told me there was some problem with WTE because of some
undocumented obligation, especially if I had not been required to do so for
years, I'd feel far more a victim that part of the community.  I sure don't
want that for me and I'd not want that done to any project leader.

Josh - just like you've aggressively advocated for Chapters (and thanks for
that), I'm doing the same for projects.  I don't want to see a precedent
where what hasn't bee a problem for years is suddenly a problem which must
be addressed yesterday.

I share Jim's feelings about previous boards failing to act on the 2013 Top
10.   It sucks but that's how things happened.  You can't change the past
but you can set a correct course for future projects and provide a path for
ones off course to make any needed correction in reasonable time.


--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Sun, Apr 13, 2014 at 4:48 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Matt,
>
> Please take a look at the OWASP Project Leader Handbook:
>
> https://www.owasp.org/images/d/d8/PROJECT_LEADER-HANDBOOK_2014.pdf
>
> Specifically section 3.1 on Openness:
>
> "Project source code must be made openly available"
>
> Its in the 2013 handbook as well though I'd argue that this standard has
> gone back many years earlier as Christian Heinrich was suspended for
> failing to publish the source code for his OWASP project and Jeff and Dave
> were amongst those who set that standard.  While I see nothing wrong with
> Eoin being the one to go to them requesting it, I also see no issue with
> him trying to avoid a confrontation by asking Samantha to do it instead.
> Enforcement should be part of her job, especially if its in the Project
> Leader Handbook.  And its far nicer than the Board appointing a group of
> people for inquiry on the openness of the project.
>
> ~josh
> >  I also don't think that it's unreasonable to ask that our project
> manager ensure that this exists before publishing any project to any one of
> the project categories.
>
> I fully agree with this going forward.  But you are asking for this
> retrospectively for the Top 10 2013.
>
> If this is a standard that all projects should make according to the
> board, then the board should create an explicit policy to that effect and
> let the staff the enforce it going forward.  That would provide Samantha
> the mechanism she needs to make sure _future_ projects don't violate this
> policy.  It can also be used to correct any projects that are outside of
> this policy without being enforced after the project has already created a
> deliverable, in an ad hoc manner.
>
> However, I still contend that we've spent more time discussing who should
> ask when a simple email from Eoin to Dave and/or the Top 10 list would
> solve this issue.  It is simple, direct and transparent.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Sun, Apr 13, 2014 at 3:34 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> I don't think that it's unreasonable to ask for the "source" (ie. how the
>> document was generated) for a purported open source project.  I also don't
>> think that it's unreasonable to ask that our project manager ensure that
>> this exists before publishing any project to any one of the project
>> categories.
>>
>> ~josh
>>
>>
>> On Sun, Apr 13, 2014 at 3:22 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>> Dancing? Asking for information on how a project is made, which is
>>> allegedly opensource is a valid request.
>>> Reason I'm asking Samantha is she is paid staff to manage projects for
>>> OWASP.
>>> Simple really.
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 13 Apr 2014, at 19:44, Michael Coates <michael.coates at owasp.org>
>>> wrote:
>>>
>>> Eoin,
>>>
>>> Are we dancing around the elephant in the room? We know there are many
>>> calls for the top 10 to be more open. I hope people will join the project
>>> and push the top 10 process from it's beginning and create a very open 2015
>>> top 10 with all these ideas  - we just need to get into the process at the
>>> beginning, not the end .
>>>
>>> I guess my question is this - why not just ask the project mailing list
>>> for this information directly? Or are they not responding or refusing?
>>>
>>> I don't think we have a model or expectation that a request to project X
>>> should flow through Samantha to simply relay that same request to the
>>> project mailing list.
>>>
>>> Perhaps I'm missing something - help me understand?
>>>
>>>
>>> --
>>> Michael Coates
>>> @_mwc
>>>
>>>
>>>
>>> On Sun, Apr 13, 2014 at 4:41 AM, Eoin Keary <eoin.keary at owasp.org>wrote:
>>>
>>>> Hi Samantha,
>>>> I am formally requesting that as projects manager you obtain the data,
>>>> work papers and associated statistic model for the owasp top 10. This is a
>>>> core owasp project and needs to be assessed such that we can leverage it
>>>> for other endeavours.
>>>> Thanks in advance.
>>>> Eoin.
>>>>
>>>>
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140413/d6f80470/attachment.html>


More information about the Owasp-board mailing list