[Owasp-board] Fwd: [Governance] OWASP statement on security: your opinion? - until Monday 14:00 CST

Tobias tobias.gondrom at owasp.org
Fri Jan 24 23:36:55 UTC 2014


Hi Jeff and Jim,

Hm. Let me ask Jeff this:
do you overall agree with the statement as it is right now, even though
the text is obviously not in exactly the words you would have written
yourself?

Jim, I don't agree with your suggestion to change the text for this now.
And I can imagine that Jeff might feel the same in my position.
Please consider the following: even though I can totally understand that
some people may feel more of this or less of that would make it better,
I do not want to change the text unless absolutely necessary, i.e. if
there were something _fundamentally_ or _obviously_ wrong with it.
The reasons are simple:
0. We spent a lot of work on the wording and balancing, and there was a
joint content review from the board team.
1. This community review is to see whether there are fundamental issues
with the text.
2. We need to release this text ASAP, and
3. We need to keep the text stable. If you have ever tried to edit a
document with more than 10 people, you may recall that, although you can
do team review/editing with a small team (which we had on the board
team), continuing to edit it while collecting feedback from a community
of hundreds of people is like steering a ship in a storm. A recipe for
disaster. There are conflicting opinions on what counts as an
"improvement", and we can't include text "improvement" comments on text
bits from everyone, unless they are absolutely specific and it is
obvious that everyone in the community would think it is indeed an
"improvement". In Germany we have a saying: too many cooks ruin the
meal. Note that this is a balancing act; we do receive feedback in
various forms, and going left and right at the same time is not
possible.

@Jeff and Jim: So I would like to ask for your understanding and
support, even though the text may not be absolutely perfect in your
eyes. In fact, I imagine that if you asked any one individual in the
community, everyone could imagine slight "improvements" or changes - but
different ones and for very different reasons. E.g. "write more about
A", "make it shorter", "write more about B", "avoid conflict between A
and B", "don't write about A at all", etc. I think you get the gist.
This document aims to capture the consensus of the community and be good
for everyone, not to be perfect in everyone's eyes. The second would be
an impossible feat.

If Jeff were to say that the statement as it is has fundamental flaws
and he can't live with it for a specific reason, I would like to learn
that, but I am extremely reluctant to open the document for
"improvement" suggestions - unless they are absolutely necessary,
obvious and without the slightest doubt better in the eyes of all
community members.

Please, I ask for your understanding.

All the best, Tobias




On 24/01/14 22:23, Jim Manico wrote:
> +1 Jeff is spot on, we need to include this. Jeff, I'm glad you
> support our foray into infosec politics.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Jan 24, 2014, at 9:42 AM, Kate Hartmann <kate.hartmann at owasp.org
> <mailto:kate.hartmann at owasp.org>> wrote:
>
>> The form did not allow comments, but here is one from Jeff Williams.
>>
>> ---------- Forwarded message ----------
>> From: *Jeff Williams* <jeff.williams at aspectsecurity.com
>> <mailto:jeff.williams at aspectsecurity.com>>
>> Date: Fri, Jan 24, 2014 at 10:20 AM
>> Subject: RE: [Governance] OWASP statement on security: your opinion?
>> - until Monday 14:00 CST
>> To: Kate Hartmann <kate.hartmann at owasp.org
>> <mailto:kate.hartmann at owasp.org>>
>>
>>
>> I think this statement should spend more time on the idea of
>> "visibility" and why it is OWASP's mission. There can be no
>> SECURITY where there is no VISIBILITY. What RSA is accused of doing
>> is an egregious example of an action in DIRECT conflict with OWASP's
>> mission. There are many, many less serious examples of the lack of
>> visibility into security -- but most of them are the result of apathy
>> or negligence. Like when companies fail to tell us how their
>> security controls work. But the intentional hiding of critical
>> security information is diametrically opposed to OWASP's mission and
>> we should fight hard to prevent anyone else from attempting it.
>>
>>
>> --Jeff
>>
>> Kate Hartmann
>> kate.hartmann at owasp.org <mailto:kate.hartmann at owasp.org>
>> +1 301-275-9403
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>
