[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP
michael.coates at owasp.org
Wed Feb 5 20:34:34 UTC 2014
Fair points. We should certainly work with Sarah to understand what are our
stated expectations for the project (e.g. no way to expect people to do
anything different than what we've told them) and where our thoughts fall
in relation to those. We should also just chat with Mark on the issue.
Some things we'd love to change may turn out to be very minor issues from
his perspective and easy to explore other approaches. In the end we can
find a win for owasp and a win for anyone donating funding or sponsorship.
I think your other point about who would be point of contact makes lots of
sense. Seems like Sarah and Samantha own this space. As the previous person
who ran the project I think your knowledge and lessons learned are good to
include and consider in the discussion.
On Wed, Feb 5, 2014 at 12:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I consider the OWASP podcast to be a "special case" for projects because
> it's basically a "default flagship project" with a lot of visibility. It's
> also a very public PR "official" representation of OWASP.
> Right now, just my opinion, the separation of #1 and #2 is not (nearly)
> strong enough and the commercial advertisement at the beginning and end are
> in opposition to our bylaws. Again, just my opinion. There are rules in
> community radio (no calls to action, and no use of superlatives) that may
> provide a good guideline. Also, can we ask Mark what he is getting paid to
> deliver this podcast? Maybe we can just pay him ourselves and remove the
> But where do we draw the line? I frankly would like to see Mark to make
> several changes, but do I have authority to put new requirements on him?
> Also, my opinions on these matters are often a lot more "strict" than what
> others believe in the community, so am I the right person to talk to him
> and/or set new policy?
> Maybe it's best if Sarah or another staff member got involved.
> - Jim
> We should unwind the podcast(s) a bit.
> 1. Mark is leading the continued OWASP podcast series that you (jim)
> originally started. This is an owasp project and should reflect OWASP in
> all ways.
> 2. Mark is leading a separate trusted software alliance video series.
> This is not related to OWASP and should be treated as a separate entity all
> Just as we've discussed the dual roles we can all operate in Mark will
> need to be prudent about the same items to properly isolate items #1 and #2.
> Back to your original comment, should we chat with Mark about any
> concerns about item 1 not meeting expectations as an OWASP project?
> Agreed on your final note, Mark is doing great work and his time (donated
> or funded) that benefits OWASP is great. I consider our attention to detail
> on separation of owasp and non-owasp items to simply be a testament to
> OWASP's focus on creating a neutral and independent environment for all.
> Michael Coates
> On Wed, Feb 5, 2014 at 11:52 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> Thanks for having this conversation.
>> I am a bit concerned about our partnership with "the new podcast" in
>> general. The podcast, when I ran it, ended with a reading of the OWASP
>> mission and a call to ask people to donate. Now it ends with an endorsement
>> to a commercial entity in language that makes it seem like a commercial
>> entity is an official partner of OWASP.
>> Even if you continue to do a show with Mark (that is commercial centric
>> and not OWASP centric) there are additional entanglements that make this
>> Mark is now the host of the OWASP podcast and posts all of his broadcasts
>> on the trusted software alliance website instead of the OWASP blog. I do
>> not feel a strong separation between his commercial interests and his
>> "official" representation of OWASP, which I feel is critical.
>> My suggestion is, please consider stating "Comments within these
>> interviews represent Michael's own opinions and are not endorsements by any
>> other organization he is affiliated with" verbally at the beginning of each
>> broadcast. Please trust me when I suggest that the more clear you make this
>> separation, the better it will be for you and what you are trying to
>> And to be fair to Mark, he is prolific in releasing a large number of
>> high quality shows. Although I am concerned about the branding and want
>> Mark to do serious clean-up, I would like to see him continue with his work
>> representing OWASP.
>> And please, what is good for the goose is good for the gander. If you see
>> me making any mistakes in this area, please let me know and I'll work to
>> clean up my act.
>> Thanks Jim,
>> Yes. I've looked at the first 2 episodes and reviewed its perception.
>> The exact comments you raised are items I'm actively making changes to
>> eliminate. Here's a bit more info:
>> 1. The goal of the show is to represent myself, my views in the industry
>> and not represent my employer or OWASP. To that end I asked earlier this
>> week to add a disclaimer at the bottom of each show notes. I sent this note
>> to Mark (who runs the podcast) on Tuesday and he'll be adding the
>> following below my bio on each video page:
>> Comments within these interviews represent Michael's own opinions and are
>> not endorsements by any other organization he is affiliated with.
>> 2. In general more awareness of OWASP is a good thing. However, in this
>> scenario (and as you pointed out) I think this creates confusion and may in
>> fact nullify item #1 and my goal to represent only myself. So, after review
>> of the first 2 episodes I've decided to pass on further discussions of
>> official owasp items or discussions that appear to be owasp updates from an
>> owasp board member.
>> Michael Coates
>> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> +1 Michael. If you see anything from me or others that is of
>>> concern, please say so. I suggest that anyone who is going to speak on
>>> behalf of OWASP go through press training with members of staff. We also
>>> have to balance this with the "open" nature of our bylaws and mission. We
>>> really are a unique organization.
>>> I think - especially for board members - to clarify when speaking in
>>> public. Something like: "OWASP does not endorse any commercial entity,
>>> including myself or my company. These opinions are my own and not official
>>> OWASP policy."
>>> Michael, I don't mean to point the finger at you, but I'm about to do
>>> just that. Check out
>>> http://trustedsoftwarealliance.com/2014/01/28/january-28-2014-security-start-ups-with-co-host-michael-coates-video/
>>> where you give commercial analysis on security startups. In this broadcast,
>>> the OWASP logo is used, very contentious OWASP political issues are being
>>> discussed, and the mix of commercialism and official OWASP representation
>>> seems muddled. This is exactly the kind of thing we want to avoid.
>>> Perhaps we could separate commercial analysis from "official" updates on
>>> OWASP? Or at least provide some kind of disclaimer?
>>> Hey we are all human here. If you ever interpret any of my actions as
>>> stepping over the line, please call me on it and I'll try to do better.
>>> I'd like to bring up a topic for thought. As board members we
>>> individually have very little power. Hence the entire process of a vote for
>>> decisions and the rule of majority.
>>> In addition, we also each wear a variety of hats - our professional "day
>>> job" our "owasp hat", our own ideas separate from each, etc.
>>> I mention these items for the following scenarios:
>>> 1. We need to be careful about acting as individuals and issuing
>>> statements on behalf of OWASP. I believe an official channel for OWASP
>>> statements is much more clear for the community and the world rather than
>>> individual statements by board members on blogs, twitter, interviews, etc.
>>> 2. Currently our owasp blog serves a variety of purposes. Whether or
>>> not we intend, any post made here will also be interpreted as an official
>>> statement by OWASP. Food for thought - there are multiple people that can
>>> post to this blog. If we hastily issue a post here it could be picked up as
>>> an official statement by OWASP before we have a chance to fully flesh out
>>> the wording or message.
>>> 3. Our mailing lists are all publicly archived. This is great and by
>>> design. Keep in mind that your statements will be referenced within
>>> stories, future discussions, etc. We should do our best to keep on topic
>>> within subject threads, change subject lines when conversation drifts, and
>>> be cognizant that emails sent in haste will live on forever.
>>> I'm interested in others thoughts on this. Building clear official
>>> channels for OWASP statements will make our messages more powerful and
>>> easier for others to spread.
>>> Michael Coates
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board