[Owasp-board] Fwd: [Governance] OWASP statement on security: your opinion? - until Monday 14:00 CST

Tobias tobias.gondrom at owasp.org
Sun Jan 26 23:03:02 UTC 2014


Hi Jeff,
thank you for your understanding and support.
And thanks a lot for the feedback. I very much appreciate your
suggestions and will definitely keep this in mind and see how we can
better include this in the case of future statements if they come up.
Thanks a lot, Tobias



On 25/01/14 12:53, Jeff Williams wrote:
> Sure.  I'm sure it will be fine.
>
> --Jeff
>
> Jeff Williams, CEO
> Aspect Security
> work: 410-707-1487
> main: 301-604-4882
>
>
>
>>
>> On Jan 24, 2014, at 1:37 PM, Tobias <tobias.gondrom at owasp.org
>> <mailto:tobias.gondrom at owasp.org>> wrote:
>>
>>> Hi Jeff and Jim,
>>>
>>> hm. Let me ask this to Jeff:
>>> do you overall agree with the statement as it is right now, even
>>> though the text is obviously not exactly in the words as you would
>>> have written it yourself?
>>>
>>> Jim, I don't agree with your suggestion to change the text for this
>>> now.
>>> And I can imagine that Jeff might feel the same in my position.
>>> Please consider the following: even though I can totally understand
>>> that some people may feel more of this or less of that would make it
>>> better, I do not want to change the text unless absolutely
>>> necessary, i.e. if there would be something _fundamentally_ or
>>> _obviously_ wrong with it.
>>> The reasons are simple:
>>> 0. We spent a lot of work on the wording and balancing, and there
>>> was a joint content review from the board team.
>>> 1. This community review is to see whether there are fundamental
>>> issues with the text.
>>> 2. We need to release this text ASAP, and
>>> 3. We need to keep the text stable. If you ever tried to edit a
>>> document with more than 10 people, you may recall that although you
>>> can do team review/editing with a small team (which we had on the
>>> board team), continuing to edit it while collecting feedback
>>> from the community of hundreds of people is like steering a ship in
>>> a storm. A recipe for disaster. There are conflicting opinions on
>>> what are "improvements" and we can't include text "improvement"
>>> comments on text bits from everyone, unless they are absolutely
>>> specific and it is obvious that everyone in the community would
>>> think it is indeed an "improvement". In Germany we have a saying,
>>> too many cooks ruin the meal. Note, that this is a balancing act and
>>> we do receive feedback in various forms and going left and right at
>>> the same time is not possible.
>>>
>>> @Jeff and Jim: So I'd like to ask for your understanding and support,
>>> even though the text may not be absolutely perfect in your eyes.
>>> In fact, I imagine that when you would ask any one individual in the
>>> community, everyone could imagine slight "improvements" or changes -
>>> but different ones and for very different reasons. E.g. "write more
>>> about A", "make it shorter", "write more about B", "avoid conflict
>>> between A and B", "don't write about A at all", etc. I think you get
>>> the gist. This document aims to capture the consensus of the
>>> community and be good for everyone, not to be perfect in everyone's
>>> eyes. The second would be an impossible feat.
>>>
>>> If Jeff would say the statement as it is has fundamental flaws and
>>> he can't live with the statement for a specific reason, I'd like to
>>> learn, but I am extremely reluctant to open the document for
>>> "improvement" suggestions - unless they would be absolutely
>>> necessary, obvious and without the slightest doubt better in the
>>> eyes of all community members.
>>>
>>> Please, I ask for your understanding.
>>>
>>> All the best, Tobias
>>>
>>>
>>>
>>>
>>> On 24/01/14 22:23, Jim Manico wrote:
>>>> +1 Jeff is spot on, we need to include this. Jeff, I'm glad you
>>>> support our foray into infosec politics.
>>>>
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>>
>>>> On Jan 24, 2014, at 9:42 AM, Kate Hartmann <kate.hartmann at owasp.org
>>>> <mailto:kate.hartmann at owasp.org>> wrote:
>>>>
>>>>> The form did not allow comments, but here is one from Jeff Williams.
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Jeff Williams* <jeff.williams at aspectsecurity.com
>>>>> <mailto:jeff.williams at aspectsecurity.com>>
>>>>> Date: Fri, Jan 24, 2014 at 10:20 AM
>>>>> Subject: RE: [Governance] OWASP statement on security: your
>>>>> opinion? - until Monday 14:00 CST
>>>>> To: Kate Hartmann <kate.hartmann at owasp.org
>>>>> <mailto:kate.hartmann at owasp.org>>
>>>>>
>>>>>
>>>>> I think this statement should spend more time on the idea of
>>>>> “visibility” and why it is OWASP’s mission.   There can be no
>>>>> SECURITY where there is no VISIBILITY.  What RSA is accused of
>>>>> doing is an egregious example of an action in DIRECT conflict with
>>>>> OWASP’s mission.  There are many many less serious examples of the
>>>>> lack of visibility into security – but most of them are the result
>>>>> of apathy or negligence.  Like when companies fail to tell us how
>>>>> their security controls work.  But the intentional hiding of
>>>>> critical security information is diametrically opposed to OWASP’s
>>>>> mission and we should fight hard to prevent anyone else from
>>>>> attempting it.
>>>>>
>>>>>
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>> Kate Hartmann
>>>>> kate.hartmann at owasp.org <mailto:kate.hartmann at owasp.org>
>>>>> +1 301-275-9403
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
