[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP

Jim Manico jim.manico at owasp.org
Wed Feb 5 19:52:00 UTC 2014


Thanks for having this conversation.

I am a bit concerned about our partnership with "the new podcast" in 
general. The podcast, when I ran it, ended with a reading of the OWASP 
mission and a call to ask people to donate. Now it ends with an 
endorsement to a commercial entity in language that makes it seem like a 
commercial entity is an official partner of OWASP.

Even if you continue to do a show with Mark (that is commercial centric 
and not OWASP centric) there are additional entanglements that make this 

Mark is now the host of the OWASP podcast and posts all of his 
broadcasts on the trusted software alliance website instead of the OWASP 
blog. I do not feel a strong separation between his commercial 
interests and his "official" representation of OWASP, which I feel is 

My suggestion is, please consider stating "Comments within these 
interviews represent Michael's own opinions and are not endorsements by 
any other organization he is affiliated with" verbally at the beginning 
of each broadcast. Please trust me when I suggest that the more clear 
you make this separation, the better it will be for you and what you are 
trying to accomplish.

And to be fair to Mark, he is prolific in releasing a large number of 
high quality shows. Although I am concerned about the branding and want 
Mark to do serious clean-up, I would like to see him continue with his 
work representing OWASP.

And please, what is good for the goose is good for the gander. If you 
see me making any mistakes in this area, please let me know and I'll 
work to clean up my act.


> Thanks Jim,
> Yes. I've looked at the first 2 episodes and reviewed its perception. 
> The exact comments you raised are items I'm actively making changes to 
> eliminate. Here's a bit more info:
> 1. The goal of the show is to represent myself, my views in the 
> industry and not represent my employer or OWASP. To that end I asked 
> earlier this week to add a disclaimer at the bottom of each show 
> notes. I sent this note to Mark (who runs the podcast)  on Tuesday and 
> he'll be adding the following below my bio on each video page:
> Comments within these interviews represent Michael's own opinions and 
> are not endorsements by any other organization he is affiliated with.
> 2. In general more awareness of OWASP is a good thing. However, in 
> this scenario (and as you pointed out) I think this creates confusion 
> and may in fact nullify item #1 and my goal to represent only myself. 
> So, after review of the first 2 episodes I've decided to pass on 
> further discussions of official owasp items or discussions that appear 
> to be owasp updates from an owasp board member.
> -Michael
> --
> Michael Coates
> @_mwc
> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     +1 Michael. If you see anything from me or others that is of
>     concern, please say so. I suggest that anyone who is going to
>     speak on behalf of OWASP go through press training with members of
>     staff. We also have to balance this with the "open" nature of our
>     bylaws and mission. We really are a unique organization.
>     I think - especially for board members - to clarify when speaking
>     in public. Something like:  "OWASP does not endorse any commercial
>     entity, including myself or my company. These opinions are my own
>     and not official OWASP policy."
>     Michael, I don't mean to point the finger at you, but I'm about to
>     do just that. Check out
>     http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/
>     where you give commercial analysis on security startups. In this
>     broadcast, the OWASP logo is used, very contentious OWASP
>     political issues are being discussed, and the mix of commercialism
>     and official OWASP representation seems muddled. This is exactly
>     the kind of thing we want to avoid.
>     Perhaps we could separate commercial analysis from "official"
>     updates on OWASP? Or at least provide some kind of disclaimer?
>     Hey we are all human here. If you ever interpret any of my actions
>     as stepping over the line, please call me on it and I'll try to do
>     better.
>     Aloha,
>     Jim
>>     Board,
>>     I'd like to bring up a topic for thought. As board members we
>>     individually have very little power. Hence the entire process of
>>     a vote for decisions and the rule of majority.
>>     In addition, we also each wear a variety of hats - our
>>     professional "day job", our "owasp hat", our own ideas separate
>>     from each, etc.
>>     I mention these items for the following scenarios:
>>     1. We need to be careful about acting as individuals and issuing
>>     statements on behalf of OWASP. I believe an official channel for
>>     OWASP statements is much more clear for the community and the
>>     world rather than individual statements by board members on
>>     blogs, twitter, interviews, etc.
>>     2. Currently our owasp blog serves a variety of purposes. Whether
>>     or not we intend, any post made here will also be interpreted as
>>     an official statement by OWASP. Food for thought - there are
>>     multiple people that can post to this blog. If we hastily issue a
>>     post here it could be picked up as an official statement by OWASP
>>     before we have a chance to fully flush out the wording or message.
>>     3. Our mailing lists are all publicly archived. This is great and
>>     by design. Keep in mind that your statements will be referenced
>>     within stories, future discussions, etc. We should do our best to
>>     keep on topic within subject threads, change subject lines when
>>     conversation drifts, and be cognizant that emails sent in haste
>>     will live on forever.
>>     I'm interested in others' thoughts on this. Building clear
>>     official channels for OWASP statements will make our messages
>>     more powerful and easier for others to spread.
>>     --
>>     Michael Coates
>>     @_mwc
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org  <mailto:Owasp-board at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-board
