[Owasp-board] [Governance] Stepping down from Project Reviews

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 2 20:03:58 UTC 2015


Jim

Improvements are always possible.

You are a member of the board and are leading many projects.

Conflict of interest is at high stake in this position. That is a ticklish
zone.

cheers

Johanna




On Wed, Sep 2, 2015 at 3:31 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > I hope you understand that we did try many things for automation.
>
> Of course! Life is an evolution. We're going to keep working on it! :)
>
> > In Openduck all projects are registered and have a 'review this project'
> form where you can provide a start and comments. We tried that approach. We
> made google forms, we made google sheets, we built simple criteria.
>
> This is all great, I'm a big fan of openduck. We're likely going to keep
> using it. And we will also put some fresh eyes on it to see if we can
> improve.
>
> > A JIRA donated with the help of Norman Yuen to create tasks and follow
> ups, Jonathan Johnson who setup a server with automated builds, the SWAMP
> to build projects ... We did try automation, and a lot.
>
> Great stuff! :)
>
> > Before you go and attempt a new thing, let's share experience and not
> repeat the same approaches.
>
> Johanna, don't worry we're all professionals. Good folks will be looking
> at this. We certainly do not want to re-do things that do not need to be
> re-done.
>
> > I hope you understand that after spending 2 years in reviews the main
> problem in my opinion based on my experience, is getting the right people
> to spend time to review.
>
> I understand that issue. I hope to find a more streamlined way to on-board
> reviewers for one or two reviews. I have a knack for getting folks
> involved. :) We're on it.
>
> > It's just not simple.
>
> Hahaha! Nothing is simple at OWASP, I agree!
>
> > Open source security projects are not simple to test or use *this part
> cannot be automated*. If you are not a developer with some security
> background you cannot even test more than half of them. Every project has
> their own way to build and install.
>
> Well said, I agree.
>
> > The automation is already there for handling the review once it is done.
>
> I hear you. We've set a meeting to review everything in place and posted
> that to the project review list. There might be some things we can improve,
> maybe not.
>
> > We must create incentives for people to go and review. People that have
> the knowledge capable of reviewing. Example: If you are not a
> (Java) developer, how can you test and review CSRFGuard, Dependency,
> AppSensor? HTML sanitiser? If you are not a .NET developer, how can you use
> webgoat.NET or O2 project?
>
> I agree, that is something that we plan to discuss.
>
> >  I hope you get my point.
>
> Completely. As OWASP volunteers step away from important initiatives, that
> is ok! That is part of the flow of OWASP. But as some step away, others
> will step in and take over and try to continue that work. I hope you are ok
> with that and you get my points here that we are going to try to make
> improvements where we can and take this seriously!
>
> And Johanna, again, you did amazing work. There are a few areas I think
> can be improved, but I was always hesitant to dive into project review that
> much because I did not want to be a board member who was interfering with
> your work.
>
> I respect the fact that you want to step away. There are tons of other
> things to do at OWASP that would make you happier. I can tell by your
> emails the last month or two that you are unhappy with OWASP and that
> certainly affects me. I take everything regarding OWASP very personally,
> especially from super active volunteers like yourself.
>
> So when you say, I plan to step away this time, I think you really mean
> it. Since I'm the board liaison for projects, I'm going to step in and help
> Claudia keep this ship sailing. The only thing that is constant is change
> and the way reviews are done will certainly change in some ways as a
> different crew takes over. I hope that is ok with you. It's just the natural
> progression of things and no disrespect is meant.
>
> Aloha,
> Jim Manico
>
>
> And yes, I do appreciate all the support you have personally given me and
> the Curacao community. It has been a great OWASP push from you for the
> Caribbean region.
>
> Cheers and Aloha
>
> Johanna
>
> On Wed, Sep 2, 2015 at 2:52 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Johanna,
>>
>> I want you to know that your work is going to continue. We're looking to
>> automate more of the review process, we're going to onboard new reviewers
>> carefully and also take a second look at the processes in place. I hope
>> this is a good thing in your mind. I personally think it's a very important
>> part of the foundation and I've thanked you more times than I can count.
>>
>> I even flew to your home island to give you your WASPY award in person.
>> Do you know why I did that? No, it was not for vacation, I live on a
>> vacation island already. ;) I flew to Curacao because I believe in what you
>> are doing and wanted to thank you in person.
>>
>> Project reviews and projects in general are very important to the
>> foundation and I plan to assist Claudia and staff as they see fit to keep
>> the review party going.
>>
>> I would not be able to even say that if it were not for the massive
>> efforts from you over the past few years. Thank you!
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015! <http://appsecusa.org/>
>>
>> On Sep 2, 2015, at 8:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> Johanna,
>>
>> You have both my attention and my support with this initiative and I
>> agree that it's, at least at this point in time, a far better use of our
>> time than in trying to wrangle with project reviews and whatnot.  You did a
>> fantastic job with those for a very long time and with little recognition
>> for it, though I do think you won a WASPY for it, didn't you?  At least
>> that's something.  In any case, let's figure out how to build those stairs
>> to reach those bananas.  If it requires changing some policies to make
>> funds more accessible, then I can definitely help to push those changes.
>> What policies currently stand in your way (i.e. what is the rationale for
>> being told "no")?  What new policies would be reasonable?  What is a
>> reasonable approach to making sure that limited funds are spent on the
>> things that matter most and in alignment with the OWASP mission?
>>
>> ~josh
>>
>> On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> > I certainly cannot speak for all Projects, but every time I tried to
>>> get the things I needed for a project, I got either a deny or a big
>>> silence. so the first thing needed is, if there is money available, more
>>> communication and an easy way to get to it [....] In summary, my
>>> experience in getting money or support for OWASP projects is bad. IMHO,
>>> this is why so many projects die.
>>> [...] And lastly, I did not compare Chapters and Projects. I did compare
>>> the treatment that they get from OWASP.
>>>
>>> You are not the only one with the same issues. I have the same
>>> experience too, and so do many others.
>>>
>>> Let's accept that we have a problem and no, I don't blame the Board for
>>> that, but I'm asking for your attention and we have to admit that we need to
>>> work on this. And the person asking for your attention is a volunteer who has
>>> dedicated her time the last 3 years trying to improve a system and
>>> contributing in multiple activities. I think I deserve a small
>>> acknowledgement for that.
>>>
>>> This is part of the evolution OWASP is having from small to bigger
>>> organisation. A natural process. From US to Global.
>>>
>>> What I mean with a good platform in place is more than money in the
>>> community fund.
>>>
>>> That money feels like a banana hanging too high to reach and no stairs
>>> to reach it for project leaders.
>>>
>>> Platform means communication, managing resources, support and much
>>> more. And money helps, but a good plan is necessary.
>>>
>>> It means having the stair (the platform) to make available those funds,
>>> so they become available.
>>>
>>> And I know that the problem is we have not worked on creating the 'stair'.
>>>
>>> This is where I want to dedicate my efforts, so I will submit to form a
>>> committee to create the stair for better development of OWASP projects. I
>>> care about them, I use them, I want to see fair opportunities for everyone.
>>>
>>>
>>> On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>>
>>>> Josh,
>>>>
>>>> I certainly cannot speak for all Projects, but every time I tried to
>>>> get the things I needed for a project, I got either a deny or a big
>>>> silence. So the first thing needed is, if there is money available, more
>>>> communication and an easy way to get to it.
>>>>
>>>> I will put here my experience. Others can say if they face similar
>>>> issues or not.
>>>>
>>>> First, as part of the
>>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to get
>>>> money to pay for a professional public relations person/company to help us
>>>> promote the manifesto to the Brazilian congress. I learnt the hard way
>>>> (from organizing AppSec conferences) that a good PR person can make a real
>>>> difference. At the time, I asked for USD 2600 to pay the PR but could not
>>>> get the money.
>>>>
>>>> Second, as part of
>>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed a
>>>> server to use to deploy the initial code and help collecting data. I also
>>>> needed a DNS entry. I ended up paying for the VM myself and used my own
>>>> private domain for the DNS because I could not get it from OWASP.
>>>>
>>>> Lastly, as part of
>>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
>>>> tried to get money to hire translators and professional writers to work
>>>> with the more tech oriented volunteers with no luck.
>>>>
>>>> In summary, my experience in getting money or support for OWASP
>>>> projects is bad. IMHO, this is why so many projects die.
>>>>
>>>> And just to be sure, unlike Johanna, I think money is a big issue as it
>>>> could be used to remove some of the load from volunteers. An example is the
>>>> translation projects: we could leverage the knowledge of our network of
>>>> volunteers, without requiring them to do all the work, by relying on
>>>> professional services. So, the issue is to have money to buy the services
>>>> needed by the projects, from VMs to professional services.
>>>>
>>>> And lastly, I did not compare Chapters and Projects. I did compare the
>>>> treatment that they get from OWASP.
>>>>
>>>> Regards,
>>>>
>>>> Lucas
>>>>
>>>>
>>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>>> I believe Johanna said "It's not about money".  Every time I hear
>>>>> someone say that it is, I cringe a little because I know that we allocated
>>>>> $50,000 in Community Engagement Funding this year to projects alone and
>>>>> have $15,650 of that remaining
>>>>> (https://owasp.org/index.php/Community_Engagement_-_Payments).  I also
>>>>> know that if there's a need that goes beyond what is budgeted, we have ways
>>>>> to make that happen outside of this channel.  For example, when Dinis asked
>>>>> for $100,000 for a Project Summit, we said "Give us a plan and we'll
>>>>> discuss."
>>>>>
>>>>> I also cringe when I hear people compare the Projects to the Chapters
>>>>> or vice versa.  They are both unique and important to OWASP.  Both have
>>>>> needs that we need to satisfy.  Chapters have historically been more
>>>>> successful in fundraising because of the large volume of people involved
>>>>> with them, but that doesn't make them better or worse.  Just different.
>>>>> Let's be honest, the Chapter model of fundraising doesn't really work for
>>>>> Projects.  That's ok...we just need to find other ways.
>>>>>
>>>>> So, let's assume that money is not an issue.  What are the needs that
>>>>> our Projects have that OWASP is not currently fulfilling?  I don't claim to
>>>>> be an expert on Projects.  I don't routinely work with them and the one
>>>>> project that I tried to start at OWASP died a very quick death.  It was an
>>>>> issue with time and volunteerism, though, and had nothing to do with the
>>>>> OWASP platform.  I understand and agree that it's not about things you can
>>>>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>>>>> need?  We have an in-house graphic designer.  We have companies that we
>>>>> work with for publishing.  We hired a full-time person to help with
>>>>> projects.  If there are needs that aren't being met here, then what are
>>>>> they?  What can OWASP do to make Projects more successful?
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>>>>
>>>>>> Dear Johanna,
>>>>>>
>>>>>> It is very sad that you are stepping down, but you nailed it when you
>>>>>> said:
>>>>>>
>>>>>> "I hope that in the future there is a clear perspective how to help
>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>> account, these things are already free without OWASP support."
>>>>>>
>>>>>> For a long time already, I have had the same feeling that OWASP is always
>>>>>> discussing chapters and their bank accounts and never projects.
>>>>>> I just hope one day OWASP will be able to see that projects are what makes
>>>>>> OWASP known and respected.
>>>>>>
>>>>>> I have talked to a few leaders of open-source projects about bringing
>>>>>> their projects to OWASP and, in the end, the feeling is that all they would
>>>>>> get is the ability to benefit from the OWASP "brand". We should offer
>>>>>> project leaders more than the opportunity to beg chapters for money.
>>>>>>
>>>>>> Regards and good luck,
>>>>>>
>>>>>> Lucas
>>>>>>
>>>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Members of the board,
>>>>>>>
>>>>>>> I have decided to step down from the project reviews activities.
>>>>>>>
>>>>>>> I have been doing continuous reviews the last 2 years, especially the
>>>>>>> last year I was quite involved in a major clean up of the project
>>>>>>> inventory, together with other members that participated on an on/off
>>>>>>> basis.
>>>>>>>
>>>>>>> That does not mean I'll step down from every activity I have been
>>>>>>> working on the last years at OWASP. Indeed, now I'll focus my attention on
>>>>>>> those activities that I feel have provided me with a higher level of reward
>>>>>>> and a grateful feeling.
>>>>>>>
>>>>>>> Unfortunately, I cannot say the same for reviewing projects. The
>>>>>>> greatest reward I had from that activity is what I learned from many
>>>>>>> projects over the last 2 years, not just looking, but downloading, testing and
>>>>>>> using them and volunteering on their activities.
>>>>>>>
>>>>>>> It is a ticklish activity that has provided me very little
>>>>>>> satisfaction but disappointment. It never seems to be enough, even when people
>>>>>>> have little idea how much time is needed to use an open source project,
>>>>>>> let alone understand it. I'm a volunteer, not an OWASP employee. Let's
>>>>>>> clarify that for people that might read this.
>>>>>>>
>>>>>>> I think Claudia, as her predecessor, Kait-Disney, did, can surely
>>>>>>> help maintain inactive/active projects monitoring. Another ticklish
>>>>>>> activity: we hear many complaints regarding inactive projects wanted to be
>>>>>>> kept alive. Politically driven necessities to have wiki pages of empty
>>>>>>> projects, that's what we finished, and I hope you can continue for the sake of
>>>>>>> users.
>>>>>>>
>>>>>>> The actual situation is that Project leaders are definitely on their
>>>>>>> own, and they should understand that: when it comes to having a platform at
>>>>>>> OWASP for developing projects, they have very little support on this.
>>>>>>>
>>>>>>> It's not about money, it's about a platform, a process and a way to be
>>>>>>> able to make a project a reality no matter if you are in India, Pakistan,
>>>>>>> or Africa. The inequality between these worlds is very obvious when we look
>>>>>>> at projects in the US or EU compared to 'developing countries'. Big security
>>>>>>> companies are not behind these leaders to support them with time or
>>>>>>> resources.
>>>>>>>
>>>>>>> I hope that in the future there is a clear perspective how to help
>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>> account, these things are already free without OWASP support.
>>>>>>>
>>>>>>> I think people hoping to secure their web applications using OWASP
>>>>>>> tools can have better ways of doing it if more energy is directed towards
>>>>>>> supporting a better structure for developing OWASP projects.
>>>>>>>
>>>>>>> This is where my energy will be from now on. Hopefully with the
>>>>>>> right support.
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Johanna
>>>>>>> _______________________________________________
>>>>>>> Governance mailing list
>>>>>>> Governance at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>
>>
>>
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!
>
>