[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP

Michael Coates michael.coates at owasp.org
Wed Feb 5 20:14:54 UTC 2014


We should unwind the podcast(s) a bit.

1. Mark is leading the continued OWASP podcast series that you (Jim)
originally started. This is an OWASP project and should reflect OWASP in
all ways.
2. Mark is leading a separate trusted software alliance video series. This
is not related to OWASP and should be treated as a separate entity all

Just as we've discussed the dual roles we can all operate in, Mark will need
to be prudent about the same items to properly isolate items #1 and #2.

Back to your original comment, should we chat with Mark about any concerns
about item 1 not meeting expectations as an OWASP project?

Agreed on your final note, Mark is doing great work and his time (donated
or funded) that benefits OWASP is great. I consider our attention to detail
on separation of OWASP and non-OWASP items to simply be a testament to
OWASP's focus on creating a neutral and independent environment for all.

Michael Coates

On Wed, Feb 5, 2014 at 11:52 AM, Jim Manico <jim.manico at owasp.org> wrote:

>  Michael,
> Thanks for having this conversation.
> I am a bit concerned about our partnership with "the new podcast" in
> general. The podcast, when I ran it, ended with a reading of the OWASP
> mission and a call to ask people to donate. Now it ends with an endorsement
> to a commercial entity in language that makes it seem like a commercial
> entity is an official partner of OWASP.
> Even if you continue to do a show with Mark (that is commercial centric
> and not OWASP centric) there are additional entanglements that make this
> problematic.
> Mark is now the host of the OWASP podcast and posts all of his broadcasts
> on the trusted software alliance website instead of the OWASP blog. I do
> not feel a strong separation between his commercial interests and his
> "official" representation of OWASP, which I feel is critical.
> My suggestion is, please consider stating "Comments within these
> interviews represent Michael's own opinions and are not endorsements by any
> other organization he is affiliated with" verbally at the beginning of each
> broadcast. Please trust me when I suggest that the more clear you make this
> separation, the better it will be for you and what you are trying to
> accomplish.
> And to be fair to Mark, he is prolific in releasing a large number of high
> quality shows. Although I am concerned about the branding and want Mark to
> do serious clean-up, I would like to see him continue with his work
> representing OWASP.
> And please, what is good for the goose is good for the gander. If you see
> me making any mistakes in this area, please let me know and I'll work to
> clean up my act.
> Aloha,
> Jim
>    Thanks Jim,
>  Yes. I've looked at the first 2 episodes and reviewed its perception.
> The exact comments you raised are items I'm actively making changes to
> eliminate. Here's a bit more info:
>  1. The goal of the show is to represent myself, my views in the industry
> and not represent my employer or OWASP. To that end I asked earlier this
> week to add a disclaimer at the bottom of each show notes. I sent this note
> to Mark (who runs the podcast) on Tuesday and he'll be adding the
> following below my bio on each video page:
> Comments within these interviews represent Michael's own opinions and are
> not endorsements by any other organization he is affiliated with.
> 2. In general more awareness of OWASP is a good thing. However, in this
> scenario (and as you pointed out) I think this creates confusion and may in
> fact nullify item #1 and my goal to represent only myself. So, after review
> of the first 2 episodes I've decided to pass on further discussions of
> official OWASP items or discussions that appear to be OWASP updates from an
> OWASP board member.
>  -Michael
> --
> Michael Coates
> @_mwc
> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>  +1 Michael. If you see anything from me or others that is of concern,
>> please say so. I suggest that anyone who is going to speak on behalf of
>> OWASP go through press training with members of staff. We also have to
>> balance this with the "open" nature of our bylaws and mission. We really
>> are a unique organization.
>> I think - especially for board members - to clarify when speaking in
>> public. Something like:  "OWASP does not endorse any commercial entity,
>> including myself or my company. These opinions are my own and not official
>> OWASP policy."
>> Michael, I don't mean to point the finger at you, but I'm about to do
>> just that. Check out
>> http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/ where you give commercial analysis on security startups. In this broadcast,
>> the OWASP logo is used, very contentious OWASP political issues are being
>> discussed, and the mix of commercialism and official OWASP representation
>> seems muddled. This is exactly the kind of thing we want to avoid.
>> Perhaps we could separate commercial analysis from "official" updates on
>> OWASP? Or at least provide some kind of disclaimer?
>> Hey we are all human here. If you ever interpret any of my actions as
>> stepping over the line, please call me on it and I'll try to do better.
>> Aloha,
>> Jim
>>   Board,
>>  I'd like to bring up a topic for thought. As board members we
>> individually have very little power. Hence the entire process of a vote for
>> decisions and the rule of majority.
>> In addition, we also each wear a variety of hats - our professional "day
>> job", our "OWASP hat", our own ideas separate from each, etc.
>>  I mention these items for the following scenarios:
>>  1. We need to be careful about acting as individuals and issuing
>> statements on behalf of OWASP. I believe an official channel for OWASP
>> statements is much more clear for the community and the world rather than
>> individual statements by board members on blogs, twitter, interviews, etc.
>>  2. Currently our OWASP blog serves a variety of purposes. Whether or
>> not we intend, any post made here will also be interpreted as an official
>> statement by OWASP. Food for thought - there are multiple people that can
>> post to this blog. If we hastily issue a post here it could be picked up as
>> an official statement by OWASP before we have a chance to fully flush out
>> the wording or message.
>>  3. Our mailing lists are all publicly archived. This is great and by
>> design. Keep in mind that your statements will be referenced within
>> stories, future discussions, etc. We should do our best to keep on topic
>> within subject threads, change subject lines when conversation drifts, and
>> be cognizant that emails sent in haste will live on forever.
>>  I'm interested in others' thoughts on this. Building clear official
>> channels for OWASP statements will make our messages more powerful and
>> easier for others to spread.
>> --
>> Michael Coates
>> @_mwc