[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP

Jim Manico jim.manico at owasp.org
Wed Feb 5 20:11:31 UTC 2014

I could certainly do it, but I'm a bit too close. How about I lead but 
another board member stay on the thread and keep an eye on it? (ie: Keep 
an eye on me?)


> Hi all,
> on the podcast note:
> I love Mark's energy and the very high activity and quality for the 
> podcasts.
> Having said that, I agree with some of Jim's concerns here, especially 
> in terms of branding etc.
> Could maybe one board member take ownership for this and work with him 
> on a joint proposal for what the "official" OWASP podcast should look like? 
> Any volunteers?
> Cheers, Tobias
> On 05/02/14 19:52, Jim Manico wrote:
>> Michael,
>> Thanks for having this conversation.
>> I am a bit concerned about our partnership with "the new podcast" in 
>> general. The podcast, when I ran it, ended with a reading of the 
>> OWASP mission and a call to ask people to donate. Now it ends with an 
>> endorsement to a commercial entity in language that makes it seem 
>> like a commercial entity is an official partner of OWASP.
>> Even if you continue to do a show with Mark (that is commercial 
>> centric and not OWASP centric) there are additional entanglements 
>> that make this problematic.
>> Mark is now the host of the OWASP podcast and posts all of his 
>> broadcasts on the trusted software alliance website instead of the 
>> OWASP blog. I do not feel a strong separation between his commercial 
>> interests and his "official" representation of OWASP, which I feel 
>> is critical.
>> My suggestion is, please consider stating "Comments within these 
>> interviews represent Michael's own opinions and are not endorsements 
>> by any other organization he is affiliated with" verbally at the 
>> beginning of each broadcast. Please trust me when I suggest that the 
>> more clear you make this separation, the better it will be for you 
>> and what you are trying to accomplish.
>> And to be fair to Mark, he is prolific in releasing a large number of 
>> high quality shows. Although I am concerned about the branding and 
>> want Mark to do serious clean-up, I would like to see him continue 
>> with his work representing OWASP.
>> And please, what is good for the goose is good for the gander. If you 
>> see me making any mistakes in this area, please let me know and I'll 
>> work to clean up my act.
>> Aloha,
>> Jim
>>> Thanks Jim,
>>> Yes. I've looked at the first 2 episodes and reviewed its 
>>> perception. The exact comments you raised are items I'm actively 
>>> making changes to eliminate. Here's a bit more info:
>>> 1. The goal of the show is to represent myself, my views in the 
>>> industry and not represent my employer or OWASP. To that end I asked 
>>> earlier this week to add a disclaimer at the bottom of each show 
>>> notes. I sent this note to Mark (who runs the podcast)  on Tuesday 
>>> and he'll be adding the following below my bio on each video page:
>>> Comments within these interviews represent Michael's own opinions 
>>> and are not endorsements by any other organization he is affiliated 
>>> with.
>>> 2. In general more awareness of OWASP is a good thing. However, in 
>>> this scenario (and as you pointed out) I think this creates 
>>> confusion and may in fact nullify item #1 and my goal to represent 
>>> only myself. So, after review of the first 2 episodes I've decided 
>>> to pass on further discussions of official owasp items or 
>>> discussions that appear to be owasp updates from an owasp board member.
>>> -Michael
>>> --
>>> Michael Coates
>>> @_mwc
>>> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>     +1 Michael. If you see anything from me or others that is of
>>>     concern, please say so. I suggest that anyone who is going to
>>>     speak on behalf of OWASP go through press training with members
>>>     of staff. We also have to balance this with the "open" nature of
>>>     our bylaws and mission. We really are a unique organization.
>>>     I think - especially for board members - to clarify when
>>>     speaking in public. Something like:  "OWASP does not endorse any
>>>     commercial entity, including myself or my company. These
>>>     opinions are my own and not official OWASP policy."
>>>     Michael, I don't mean to point the finger at you, but I'm about
>>>     to do just that. Check out
>>>     http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/
>>>     where you give commercial analysis on security startups. In this
>>>     broadcast, the OWASP logo is used, very contentious OWASP
>>>     political issues are being discussed, and the mix of
>>>     commercialism and official OWASP representation seems muddled.
>>>     This is exactly the kind of thing we want to avoid.
>>>     Perhaps we could separate commercial analysis from "official"
>>>     updates on OWASP? Or at least provide some kind of disclaimer?
>>>     Hey we are all human here. If you ever interpret any of my
>>>     actions as stepping over the line, please call me on it and I'll
>>>     try to do better.
>>>     Aloha,
>>>     Jim
>>>>     Board,
>>>>     I'd like to bring up a topic for thought. As board members we
>>>>     individually have very little power. Hence the entire process
>>>>     of a vote for decisions and the rule of majority.
>>>>     In addition, we also each wear a variety of hats - our
>>>>     professional "day job" our "owasp hat", our own ideas separate
>>>>     from each, etc.
>>>>     I mention these items for the following scenarios:
>>>>     1. We need to be careful about acting as individuals and
>>>>     issuing statements on behalf of OWASP. I believe an official
>>>>     channel for OWASP statements is much more clear for the
>>>>     community and the world rather than individual statements by
>>>>     board members on blogs, twitter, interviews, etc.
>>>>     2. Currently our owasp blog serves a variety of purposes.
>>>>     Whether or not we intend, any post made here will also be
>>>>     interpreted as an official statement by OWASP. Food for thought
>>>>     - there are multiple people that can post to this blog. If we
>>>>     hastily issue a post here it could be picked up as an official
>>>>     statement by OWASP before we have a chance to fully flesh out
>>>>     the wording or message.
>>>>     3. Our mailing lists are all publicly archived. This is great
>>>>     and by design. Keep in mind that your statements will be
>>>>     referenced within stories, future discussions, etc. We should
>>>>     do our best to keep on topic within subject threads, change
>>>>     subject lines when conversation drifts, and be cognizant that
>>>>     emails sent in haste will live on forever.
>>>>     I'm interested in others' thoughts on this. Building clear
>>>>     official channels for OWASP statements will make our messages
>>>>     more powerful and easier for others to spread.
>>>>     --
>>>>     Michael Coates
>>>>     @_mwc
>>>>     _______________________________________________
>>>>     Owasp-board mailing list
>>>>     Owasp-board at lists.owasp.org
>>>>     https://lists.owasp.org/mailman/listinfo/owasp-board
