[Owasp-board] Compliance Officer for 2015

Martin Knobloch martin.knobloch at owasp.org
Thu Apr 30 08:11:08 UTC 2015


Due to the upcoming AppSec-Eu conference, I have not been able to join the
last board call.

For your remark, Matt, just some thoughts that came up when reading your
comment (and writing this):

The regular ongoing cases are not the problem. Indeed, in case of a major
complaint case, as last year, I do not scale much as one person. Saying, as
I am a volunteer in this role, a case of that extent as last year does take
quite some resources time-wise.
Also, I have a serious feeling (you never can tell for sure) that an in-person
meeting with the involved parties could have prevented the case from blowing up
as it did. In the past I have asked if a travel budget during a serious
case would be possible, but was rejected by the previous board. I
understand the reasoning, we are IT people and know you can meet online,
but in such a case in-person meetings are very helpful. You just can talk
differently in a private space, face to face, than online.

As I am involved in OWASP for quite some time, many have become friends.
Luckily, until now parties have always accepted and approved my
independence and objectiveness.
This might be more difficult for a committee, I don't know.

To be honest, I have mixed feelings about the idea of a complaint
committee; in previous emails I have explained my concerns about creating a
compliance committee.
Most definitely, it differs from regular committees, as there is a trust
factor to be taken into account. It cannot be, as for current committee
setup, you register and you are in.

As we hopefully will not face too many complaint cases of the extent of the
one major case we had so far, a committee is not solving much:
- scalability
- local presence (could be interesting)

As the responsibility of my role is defined, it is to investigate, mediate
where possible, report and advise the board.
To be honest, in my experience after last year, I rather predict a
complaint committee can make communications cumbersome. Therefore, I
currently see more problems than solutions in having a complaint


On Thu, Apr 30, 2015 at 5:36 AM, Matt Konda <matt.konda at owasp.org> wrote:

> Follow up on this discussion about the Compliance Officer role...
> I was surprised to hear that Martin (or others) might need a committee to
> help handle compliance issues.
> I certainly appreciate Martin's work and I understand 2014 was a tough
> year for this role, but doing a reality check my sense is that it should be
> a relatively manageable amount of work in most years.  I'm worried that
> without formal training, lines of responsibility and accountability that
> the credibility of the people in this role could get eroded.  I think
> Martin maintained credibility and that is part of why he was successful in
> the role.
> Therefore, I would suggest that for 2016, we define what the time,
> experience and process expectations are more formally and then consider how
> to fit that need.  It may be that we do need a committee.  I'm just wary of
> going that route prematurely.  Reading the current policy, it is written to
> a single person filling the role.
> Thanks,
> Matt
> On Tue, Apr 28, 2015 at 11:08 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>> +1 for Martin here.
>> On Wed, Apr 8, 2015 at 1:02 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>  I'll do it. On it now.
>>> On 4/7/15 8:11 AM, Tobias wrote:
>>> I agree that Martin has done a great job as our compliance officer in
>>> this tough past year.
>>> For the transparency, I would still like to do a quick call for
>>> volunteers. Ok?
>>> Anyone from my fellow board members volunteering to launch that call?
>>> ;-)
>>> Cheers, Tobias
>>> On 06/04/15 01:32, Josh Sokol wrote:
>>>  I just realized that we forgot to nominate and vote on a Compliance
>>> Officer for 2015.  For simplicity's sake, and because I think he has done a
>>> phenomenal job so far, I wanted to propose that we re-affirm Martin
>>> Knobloch as our Compliance Officer for 2015.  Hopefully, after last year's
>>> issues, he is still willing to do it.
>>>  ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board

Kind regards,

Martin Knobloch
OWASP AppSec-Eu/Research 2015 Conference Chair
OWASP Netherlands Chapter Leader

Email: martin.knobloch at owasp.org
Mobile: +31623226933
Twitter:  @AppsScE
Web:    http://owasp.nl