[Owasp-board] Public Statements, Personal Thoughts, The Voice of OWASP
tobias.gondrom at owasp.org
Wed Feb 5 20:34:48 UTC 2014
My preference would be that someone (either from the board or the ops
team) prepares a proposal with Mark on how to separate #1 and #2. As Jim
seems to have strong opinions on that, it might be good if it's not him.
But he should send his input to the proposal writer beforehand. This
proposal should then be send to the board for a quick discussion and
then be implemented. The point is, I would rather discuss about a
specific overall proposal that also works for Mark, then a collection of
Or shall we ask Sarah?
Best regards, Tobias
On 05/02/14 20:25, Jim Manico wrote:
> I consider the OWASP podcast to be a "special case" for projects
> because it's basically a "default flagship project" with a lot of
> visibility. It's also a very public PR "official" representation of OWASP.
> Right now, just my opinion, the separation of #1 and #2 is not
> (nearly) strong enough and the commercial advertisement at the
> beginning and end are in opposition to our bylaws. Again, just my
> opinion. There are rules in community radio (no calls to action, and
> no use of superlatives) that may provide a good guideline. Also, can
> we ask Mark what he is getting paid to deliver this podcast? Maybe we
> can just pay him ourselves and remove the sponsorship.
> But where do we draw the line? I frankly would like to see Mark to
> make several changes, but do I have authority to put new requirements
> on him? Also, my opinions on these matters are often a lot more
> "strict" than what others believe in the community, so am I the right
> person to talk to him and/or set new policy?
> Maybe it's best if Sarah or another staff member got involved.
> - Jim
>> We should unwind the podcast(s) a bit.
>> 1. Mark is leading the continued OWASP podcast series that you (jim)
>> originally started. This is an owasp project and should reflect OWASP
>> in all ways.
>> 2. Mark is leading a separate trusted software alliance video series.
>> This is not related to OWASP and should be treated as a separate
>> entity all together.
>> Just as we've discussed the dual roles we can all operate in Mark
>> will need to be prudent about the same items to properly isolate
>> items #1 and #2.
>> Back to your original comment, should we chat with Mark about any
>> concerns about item 1 not meeting expectations as an OWASP project?
>> Agreed on your final note, Mark is doing great work and his time
>> (donated or funded) that benefits OWASP is great. I consider our
>> attention to detail on separation of owasp and non-owasp items to
>> simply be a testament to OWASP's focus on creating a neutral and
>> independent environment for all.
>> Michael Coates
>> On Wed, Feb 5, 2014 at 11:52 AM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>> Thanks for having this conversation.
>> I am a bit concerned about our partnership with "the new podcast"
>> in general. The podcast, when I ran it, ended with a reading of
>> the OWASP mission and a call to ask people to donate. Now it ends
>> with a endorsement to a commercial entity in language that makes
>> is seem like a commercial entity is an official partner of OWASP.
>> Even if you continue to do a show with Mark (that is commercial
>> centric and not OWASP centric) there are additional entanglements
>> that make this problematic.
>> Mark is now the host of the OWASP podcast and posts all of his
>> broadcasts on the trusted software alliance website instead of
>> the OWASP blog. I do not feel a strong separation between his
>> commercial interested and his "official" representation of OWASP,
>> which I feel is critical.
>> My suggestion is, please consider stating "Comments within these
>> interviews represent Michael's own opinions and are not
>> endorsements by any other organization he is affiliated with"
>> verbally at the beginning of each broadcast. Please trust me when
>> I suggest that the more clear you make this separation, the
>> better it will be for you and what you are trying to accomplish.
>> And to be fair to Mark, he is prolific is releasing a large
>> number of high quality shows. Although I am concerned about the
>> branding and want Mark to do serious clean-up, I would like to
>> see him continue with his work representing OWASP.
>> And please, what is good for the goose is good for the gander. If
>> you see me making any mistakes in this area, please let me know
>> and I'll work to clean up my act.
>>> Thanks Jim,
>>> Yes. I've looked at the first 2 episodes and reviewed it's
>>> perception. The exact comments you raised are items I'm actively
>>> making changes to eliminate. Here's a bit more info:
>>> 1. The goal of the show is to represent myself, my views in the
>>> industry and not represent my employer or OWASP. To that end I
>>> asked earlier this week to add a disclaimer at the bottom of
>>> each show notes. I sent this note to Mark (who runs the
>>> podcast) on Tuesday and he'll be adding the following below my
>>> bio on each video page:
>>> Comments within these interviews represent Michael's own
>>> opinions and are not endorsements by any other organization he
>>> is affiliated with.
>>> 2. In general more awareness of OWASP is a good thing. However,
>>> in this scenario (and as you pointed out) I think this creates
>>> confusion and may in fact nullify item #1 and my goal to
>>> represent only myself. So, after review of the first 2 episodes
>>> I've decided to pass on further discussions of official owasp
>>> items or discussions that appear to be owasp updates from an
>>> owasp board member.
>>> Michael Coates
>>> On Wed, Feb 5, 2014 at 11:30 AM, Jim Manico
>>> <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>> +1 Michael. If you see anything from me other others that is
>>> of concern, please say so. I suggest that anyone who is
>>> going to speak on behalf of OWASP go through press training
>>> with members of staff. We also have to balance this with the
>>> "open" nature of our bylaws and mission. We really are a
>>> unique organization.
>>> I think - especially for board members - to clarify when
>>> speaking in public. Something like: "OWASP does not endorse
>>> any commercial entity, including myself or my company. These
>>> opinions are my own and not official OWASP policy."
>>> Michael, I don't mean to point the finger at you, but I'm
>>> about to do just that. Check out
>>> where you give commercial analysis on security startups. In
>>> this broadcast, the OWASP logo is used, very contentious
>>> OWASP political issues are being discussed, and the mix of
>>> commercialism and official OWASP representation seems
>>> muddled. This is exactly the kind of thing we want to avoid.
>>> Perhaps we could separate commercial analysis from
>>> "official" updates on OWASP? Or at least provide some kind
>>> of disclaimer?
>>> Hey we are all human here. If you ever interpret any of my
>>> actions as stepping over the line, please call me on it and
>>> I'll try to do better.
>>>> I'd like to bring up a topic for thought. As board members
>>>> we individually have very little power. Hence the entire
>>>> process of a vote for decisions and the rule of majority.
>>>> In addition, we also each wear a variety of hats - our
>>>> professional "day job" our "owasp hat", our own ideas
>>>> separate from each, etc.
>>>> I mention these items for the following scenarios:
>>>> 1. We need to be careful about acting as individuals and
>>>> issuing statements on behalf of OWASP. I believe an
>>>> official channel for OWASP statements is much more clear
>>>> for the community and the world rather then individual
>>>> statements by board members on blogs, twitter, interviews, etc.
>>>> 2. Currently our owasp blog serves a variety of purposes.
>>>> Whether or not we intend, any post made here will also be
>>>> interpreted as an official statement by OWASP. Food for
>>>> thought - there are multiple people that can post to this
>>>> blog. If we hastily issue a post here it could be picked up
>>>> as an official statement by OWASP before we have a chance
>>>> to fully flush out the wording or message.
>>>> 3. Our mailing lists are all publicly archived. This is
>>>> great and by design. Keep in mind that your statements will
>>>> be referenced within stories, future discussions, etc. We
>>>> should do our best to keep on topic within subject threads,
>>>> change subject lines when conversation drifts, and be
>>>> cognizant that emails sent in haste will live on forever.
>>>> I'm interested in others thoughts on this. Building clear
>>>> official channels for OWASP statements will make our
>>>> messages more powerful and easier for others to spread.
>>>> Michael Coates
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-board