[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP

Jim Manico jim.manico at owasp.org
Wed Feb 5 20:25:24 UTC 2014

I consider the OWASP podcast to be a "special case" for projects because 
it's basically a "default flagship project" with a lot of visibility. 
It's also a very public PR "official" representation of OWASP.

Right now, just my opinion, the separation of #1 and #2 is not (nearly) 
strong enough and the commercial advertisement at the beginning and end 
are in opposition to our bylaws. Again, just my opinion. There are rules 
in community radio (no calls to action, and no use of superlatives) that 
may provide a good guideline. Also, can we ask Mark what he is getting 
paid to deliver this podcast? Maybe we can just pay him ourselves and 
remove the sponsorship.

But where do we draw the line? I frankly would like to see Mark to make 
several changes, but do I have authority to put new requirements on him? 
Also, my opinions on these matters are often a lot more "strict" than 
what others believe in the community, so am I the right person to talk 
to him and/or set new policy?

Maybe it's best if Sarah or another staff member got involved.

- Jim

> Jim,
> We should unwind the podcast(s) a bit.
> 1. Mark is leading the continued OWASP podcast series that you (jim) 
> originally started. This is an owasp project and should reflect OWASP 
> in all ways.
> 2. Mark is leading a separate trusted software alliance video series. 
> This is not related to OWASP and should be treated as a separate 
> entity all together.
> Just as we've discussed the dual roles we can all operate in Mark will 
> need to be prudent about the same items to properly isolate items #1 
> and #2.
> Back to your original comment, should we chat with Mark about any 
> concerns about item 1 not meeting expectations as an OWASP project?
> Agreed on your final note, Mark is doing great work and his time 
> (donated or funded) that benefits OWASP is great. I consider our 
> attention to detail on separation of owasp and non-owasp items to 
> simply be a testament to OWASP's focus on creating a neutral and 
> independent environment for all.
> --
> Michael Coates
> @_mwc
> On Wed, Feb 5, 2014 at 11:52 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     Michael,
>     Thanks for having this conversation.
>     I am a bit concerned about our partnership with "the new podcast"
>     in general. The podcast, when I ran it, ended with a reading of
>     the OWASP mission and a call to ask people to donate. Now it ends
>     with an endorsement to a commercial entity in language that makes
>     it seem like a commercial entity is an official partner of OWASP.
>     Even if you continue to do a show with Mark (that is commercial
>     centric and not OWASP centric) there are additional entanglements
>     that make this problematic.
>     Mark is now the host of the OWASP podcast and posts all of his
>     broadcasts on the trusted software alliance website instead of the
>     OWASP blog. I do not feel a strong separation between his
>     commercial interests and his "official" representation of OWASP,
>     which I feel is critical.
>     My suggestion is, please consider stating "Comments within these
>     interviews represent Michael's own opinions and are not
>     endorsements by any other organization he is affiliated with"
>     verbally at the beginning of each broadcast. Please trust me when
>     I suggest that the more clear you make this separation, the better
>     it will be for you and what you are trying to accomplish.
>     And to be fair to Mark, he is prolific in releasing a large number
>     of high quality shows. Although I am concerned about the branding
>     and want Mark to do serious clean-up, I would like to see him
>     continue with his work representing OWASP.
>     And please, what is good for the goose is good for the gander. If
>     you see me making any mistakes in this area, please let me know
>     and I'll work to clean up my act.
>     Aloha,
>     Jim
>>     Thanks Jim,
>>     Yes. I've looked at the first 2 episodes and reviewed its
>>     perception. The exact comments you raised are items I'm actively
>>     making changes to eliminate. Here's a bit more info:
>>     1. The goal of the show is to represent myself, my views in the
>>     industry and not represent my employer or OWASP. To that end I
>>     asked earlier this week to add a disclaimer at the bottom of each
>>     show notes. I sent this note to Mark (who runs the podcast) on
>>     Tuesday and he'll be adding the following below my bio on each
>>     video page:
>>     Comments within these interviews represent Michael's own opinions
>>     and are not endorsements by any other organization he is
>>     affiliated with.
>>     2. In general more awareness of OWASP is a good thing. However,
>>     in this scenario (and as you pointed out) I think this creates
>>     confusion and may in fact nullify item #1 and my goal to
>>     represent only myself. So, after review of the first 2 episodes
>>     I've decided to pass on further discussions of official owasp
>>     items or discussions that appear to be owasp updates from an
>>     owasp board member.
>>     -Michael
>>     --
>>     Michael Coates
>>     @_mwc
>>     On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>         +1 Michael. If you see anything from me or others that is
>>         of concern, please say so. I suggest that anyone who is going
>>         to speak on behalf of OWASP go through press training with
>>         members of staff. We also have to balance this with the
>>         "open" nature of our bylaws and mission. We really are a
>>         unique organization.
>>         I think we should - especially as board members - clarify when
>>         speaking in public. Something like:  "OWASP does not endorse
>>         any commercial entity, including myself or my company. These
>>         opinions are my own and not official OWASP policy."
>>         Michael, I don't mean to point the finger at you, but I'm
>>         about to do just that. Check out
>>         http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/
>>         where you give commercial analysis on security startups. In
>>         this broadcast, the OWASP logo is used, very contentious
>>         OWASP political issues are being discussed, and the mix of
>>         commercialism and official OWASP representation seems
>>         muddled. This is exactly the kind of thing we want to avoid.
>>         Perhaps we could separate commercial analysis from "official"
>>         updates on OWASP? Or at least provide some kind of disclaimer?
>>         Hey we are all human here. If you ever interpret any of my
>>         actions as stepping over the line, please call me on it and
>>         I'll try to do better.
>>         Aloha,
>>         Jim
>>>         Board,
>>>         I'd like to bring up a topic for thought. As board members
>>>         we individually have very little power. Hence the entire
>>>         process of a vote for decisions and the rule of majority.
>>>         In addition, we also each wear a variety of hats - our
>>>         professional "day job", our "owasp hat", our own ideas
>>>         separate from each, etc.
>>>         I mention these items for the following scenarios:
>>>         1. We need to be careful about acting as individuals and
>>>         issuing statements on behalf of OWASP. I believe an official
>>>         channel for OWASP statements is much more clear for the
>>>         community and the world rather than individual statements by
>>>         board members on blogs, twitter, interviews, etc.
>>>         2. Currently our owasp blog serves a variety of purposes.
>>>         Whether or not we intend, any post made here will also be
>>>         interpreted as an official statement by OWASP. Food for
>>>         thought - there are multiple people that can post to this
>>>         blog. If we hastily issue a post here it could be picked up
>>>         as an official statement by OWASP before we have a chance to
>>>         fully flesh out the wording or message.
>>>         3. Our mailing lists are all publicly archived. This is
>>>         great and by design. Keep in mind that your statements will
>>>         be referenced within stories, future discussions, etc. We
>>>         should do our best to keep on topic within subject threads,
>>>         change subject lines when conversation drifts, and be
>>>         cognizant that emails sent in haste will live on forever.
>>>         I'm interested in others' thoughts on this. Building clear
>>>         official channels for OWASP statements will make our
>>>         messages more powerful and easier for others to spread.
>>>         --
>>>         Michael Coates
>>>         @_mwc
