[Owasp-board] Fwd: [Governance] OWASP statement on security: your opinion? - until Monday 14:00 CST

Jim Manico jim.manico at owasp.org
Sat Jan 25 01:34:00 UTC 2014

I simply provided feedback. I'll respect your final decision here, Tobias.

Jim Manico
(808) 652-3805

On Jan 24, 2014, at 1:37 PM, Tobias <tobias.gondrom at owasp.org> wrote:

 Hi Jeff and Jim,

Hm. Let me ask this of Jeff:
do you overall agree with the statement as it is right now, even though the
text is obviously not exactly in the words you would have written?

Jim, I don't agree with your suggestion to change the text for this now.
And I can imagine that Jeff might feel the same in my position.
Please consider the following: even though I can totally understand that
some people may feel more of this or less of that would make it better, I
do not want to change the text unless absolutely necessary, i.e. if there
were something _fundamentally_ or _obviously_ wrong with it.
The reasons are simple:
0. We spent a lot of work on the wording and balancing, and there was a
joint content review from the board team.
1. This community review is to see whether there are fundamental issues
with the text.
2. We need to release this text ASAP, and
3. We need to keep the text stable. If you have ever tried to edit a document
with more than 10 people, you may recall that, although you can do team
review/editing with a small team (which we had on the board team),
continuing to edit it while collecting feedback from a community of
hundreds of people is like steering a ship in a storm. A recipe for
disaster. There are conflicting opinions on what "improvements" are, and we
can't include text "improvement" comments on text bits from everyone
unless they are absolutely specific and it is obvious that everyone in the
community would think it is indeed an "improvement". In Germany we have a
saying: too many cooks ruin the meal. Note that this is a balancing act;
we do receive feedback in various forms, and going left and right at the
same time is not possible.

@Jeff and Jim: So I would like to ask for your understanding and support, even
though the text may not be absolutely perfect in your eyes.
In fact, I imagine that if you asked any one individual in the
community, everyone could imagine slight "improvements" or changes - but
different ones and for very different reasons. E.g. "write more about A",
"make it shorter", "write more about B", "avoid conflict between A and B",
"don't write about A at all", etc. I think you get the gist. This document
aims to capture the consensus of the community and be good for everyone,
not to be perfect in everyone's eyes. The second would be an impossible

If Jeff says the statement as it is has fundamental flaws and he can't
live with the statement for a specific reason, I would like to learn about it,
but I am extremely reluctant to open the document for "improvement" suggestions -
unless they were absolutely necessary, obvious and without the
slightest doubt better in the eyes of all community members.

Please, I ask for your understanding.

All the best, Tobias

On 24/01/14 22:23, Jim Manico wrote:

 +1. Jeff is spot on; we need to include this. Jeff, I'm glad you support
our foray into infosec politics.

Jim Manico
(808) 652-3805

On Jan 24, 2014, at 9:42 AM, Kate Hartmann <kate.hartmann at owasp.org> wrote:

  The form did not allow comments, but here is one from Jeff Williams.

---------- Forwarded message ----------
From: Jeff Williams <jeff.williams at aspectsecurity.com>
Date: Fri, Jan 24, 2014 at 10:20 AM
Subject: RE: [Governance] OWASP statement on security: your opinion? -
until Monday 14:00 CST
To: Kate Hartmann <kate.hartmann at owasp.org>

 I think this statement should spend more time on the idea of “visibility”
and why it is OWASP’s mission. There can be no SECURITY where there is no
VISIBILITY. What RSA is accused of doing is an egregious example of an
action in DIRECT conflict with OWASP’s mission. There are many, many less
serious examples of the lack of visibility into security – but most of them
are the result of apathy or negligence. Like when companies fail to tell
us how their security controls work. But the intentional hiding of
critical security information is diametrically opposed to OWASP’s mission
and we should fight hard to prevent anyone else from attempting it.


  Kate Hartmann
kate.hartmann at owasp.org
+1 301-275-9403

Owasp-board mailing list
Owasp-board at lists.owasp.org
