[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP

Tobias tobias.gondrom at owasp.org
Wed Feb 5 20:06:26 UTC 2014

Hi all,

on the podcast note:
I love Mark's energy and the very high activity and quality for the
Having said that, I agree with some of Jim's concerns here, especially
in terms of branding etc.

Could maybe one board member take ownership for this and work with him
on a joint proposal for what the "official" OWASP podcast should look like?
Any volunteers?

Cheers, Tobias

On 05/02/14 19:52, Jim Manico wrote:
> Michael,
> Thanks for having this conversation.
> I am a bit concerned about our partnership with "the new podcast" in
> general. The podcast, when I ran it, ended with a reading of the OWASP
> mission and a call to ask people to donate. Now it ends with an
> endorsement to a commercial entity in language that makes it seem like
> a commercial entity is an official partner of OWASP.
> Even if you continue to do a show with Mark (that is commercial
> centric and not OWASP centric) there are additional entanglements that
> make this problematic.
> Mark is now the host of the OWASP podcast and posts all of his
> broadcasts on the trusted software alliance website instead of the
> OWASP blog. I do not feel a strong separation between his commercial
> interests and his "official" representation of OWASP, which I feel is
> critical.
> My suggestion is, please consider stating "Comments within these
> interviews represent Michael's own opinions and are not endorsements
> by any other organization he is affiliated with" verbally at the
> beginning of each broadcast. Please trust me when I suggest that the
> more clear you make this separation, the better it will be for you and
> what you are trying to accomplish.
> And to be fair to Mark, he is prolific in releasing a large number of
> high quality shows. Although I am concerned about the branding and
> want Mark to do serious clean-up, I would like to see him continue
> with his work representing OWASP.
> And please, what is good for the goose is good for the gander. If you
> see me making any mistakes in this area, please let me know and I'll
> work to clean up my act.
> Aloha,
> Jim
>> Thanks Jim,
>> Yes. I've looked at the first 2 episodes and reviewed its
>> perception. The exact comments you raised are items I'm actively
>> making changes to eliminate. Here's a bit more info:
>> 1. The goal of the show is to represent myself, my views in the
>> industry and not represent my employer or OWASP. To that end I asked
>> earlier this week to add a disclaimer at the bottom of each show
>> notes. I sent this note to Mark (who runs the podcast)  on Tuesday
>> and he'll be adding the following below my bio on each video page:
>> Comments within these interviews represent Michael's own opinions and
>> are not endorsements by any other organization he is affiliated with.
>> 2. In general more awareness of OWASP is a good thing. However, in
>> this scenario (and as you pointed out) I think this creates confusion
>> and may in fact nullify item #1 and my goal to represent only myself.
>> So, after review of the first 2 episodes I've decided to pass on
>> further discussions of official owasp items or discussions that
>> appear to be owasp updates from an owasp board member.
>> -Michael
>> --
>> Michael Coates
>> @_mwc
>> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>     +1 Michael. If you see anything from me or others that is of
>>     concern, please say so. I suggest that anyone who is going to
>>     speak on behalf of OWASP go through press training with members
>>     of staff. We also have to balance this with the "open" nature of
>>     our bylaws and mission. We really are a unique organization.
>>     I think - especially for board members - to clarify when speaking
>>     in public. Something like:  "OWASP does not endorse any
>>     commercial entity, including myself or my company. These opinions
>>     are my own and not official OWASP policy."
>>     Michael, I don't mean to point the finger at you, but I'm about
>>     to do just that. Check out
>>     http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/
>>     where you give commercial analysis on security startups. In this
>>     broadcast, the OWASP logo is used, very contentious OWASP
>>     political issues are being discussed, and the mix of
>>     commercialism and official OWASP representation seems muddled.
>>     This is exactly the kind of thing we want to avoid.
>>     Perhaps we could separate commercial analysis from "official"
>>     updates on OWASP? Or at least provide some kind of disclaimer?
>>     Hey we are all human here. If you ever interpret any of my
>>     actions as stepping over the line, please call me on it and I'll
>>     try to do better.
>>     Aloha,
>>     Jim
>>>     Board,
>>>     I'd like to bring up a topic for thought. As board members we
>>>     individually have very little power. Hence the entire process of
>>>     a vote for decisions and the rule of majority.
>>>     In addition, we also each wear a variety of hats - our
>>>     professional "day job", our "owasp hat", our own ideas separate
>>>     from each, etc.
>>>     I mention these items for the following scenarios:
>>>     1. We need to be careful about acting as individuals and issuing
>>>     statements on behalf of OWASP. I believe an official channel for
>>>     OWASP statements is much more clear for the community and the
>>>     world rather than individual statements by board members on
>>>     blogs, twitter, interviews, etc.
>>>     2. Currently our owasp blog serves a variety of purposes.
>>>     Whether or not we intend, any post made here will also be
>>>     interpreted as an official statement by OWASP. Food for thought
>>>     - there are multiple people that can post to this blog. If we
>>>     hastily issue a post here it could be picked up as an official
>>>     statement by OWASP before we have a chance to fully flesh out
>>>     the wording or message.
>>>     3. Our mailing lists are all publicly archived. This is great
>>>     and by design. Keep in mind that your statements will be
>>>     referenced within stories, future discussions, etc. We should do
>>>     our best to keep on topic within subject threads, change subject
>>>     lines when conversation drifts, and be cognizant that emails
>>>     sent in haste will live on forever.
>>>     I'm interested in others' thoughts on this. Building clear
>>>     official channels for OWASP statements will make our messages
>>>     more powerful and easier for others to spread.
>>>     --
>>>     Michael Coates
>>>     @_mwc
>>>     _______________________________________________
>>>     Owasp-board mailing list
>>>     Owasp-board at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-board