[Owasp-board] [Governance] Stepping down from Project Reviews

Jim Manico jim.manico at owasp.org
Wed Sep 2 20:09:13 UTC 2015


Johanna,

Transparency wins here. :) Claudia is leading this process and asked me 
to help. I am super happy to do so. Everyone is invited; the invite is 
on the OWASP global calendar. The discussions will all continue in 
public on the project list. When you were lead, you asked me questions 
and asked me for feedback on many occasions - I'd like to offer that 
same help to Claudia since I've been around OWASP projects for many years.

The line I draw is that while I am happy to help comment on the review 
process, I do not actually do any reviews because I am a project leader 
of several projects.

Does that line seem reasonable, Johanna?

Aloha,

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!


On 9/2/15 10:03 AM, johanna curiel curiel wrote:
> Jim
>
> Improvements are always possible.
>
> You are a member of the board and are leading many projects.
>
> Conflict of interest is at high stake in this position. That is a 
> ticklish zone.
>
> cheers
>
> Johanna
>
>
>
>
> On Wed, Sep 2, 2015 at 3:31 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     > I hope you understand that we did try many things for automation.
>
>     Of course! Life is an evolution. We're going to keep working on it! :)
>
>     > In Openduck all projects are registered and have a 'review this
>     project' form where you can provide a star and comments. We tried
>     that approach. We made google forms, we made google sheets, we
>     built simple criteria.
>
>     This is all great, I'm a big fan of openduck. We're likely going
>     to keep using it. And we will also put some fresh eyes on it to
>     see if we can improve.
>
>     > A JIRA donated with the help of Norman Yuen to create tasks and
>     follow ups, Jonathan Johnson who set up a server with automated
>     builds, the SWAMP to build projects... We did try automation, and a
>     lot.
>
>     Great stuff! :)
>
>     > Before you go and attempt a new thing let's share experience and
>     not repeat the same approaches.
>
>     Johanna, don't worry we're all professionals. Good folks will be
>     looking at this. We certainly do not want to re-do things that do
>     not need to be re-done.
>
>     > I hope you understand that after spending 2 years in reviews the
>     main problem in my opinion based on my experience, is getting the
>     right people to spend time to review.
>
>     I understand that issue. I hope to find a more streamlined way to
>     on-board reviewers for one or two reviews. I have a knack for
>     getting folks involved. :) We're on it.
>
>     > It's just not simple.
>
>     Hahaha! Nothing is simple at OWASP, I agree!
>
>     > Open source security projects are not simple to test or use
>     *this part cannot be automated*. If you are not a developer with
>     some security background you cannot even test more than half of
>     them. Every project has their own way to build and install.
>
>     Well said, I agree.
>
>     > The automation is already there for handling the review once it is
>     done.
>
>     I hear you. We've set a meeting to review everything in place and
>     posted that to the project review list. There might be some things
>     we can improve, maybe not.
>
>     > We must create incentives for people to go and review. People
>     that have the knowledge capable of reviewing. Example: If you are
>     not a (Java) developer how can you test and review CSRFGuard,
>     Dependency, AppSensor? HTML sanitiser? If you are not a .NET
>     developer how can you use WebGoat.NET or the O2 project?
>
>     I agree, that is something that we plan to discuss.
>
>     > I hope you get my point.
>
>     Completely. As OWASP volunteers step away from important
>     initiatives, that is ok! That is part of the flow of OWASP. But as
>     some step away, others will step in and take over and try to
>     continue that work. I hope you are ok with that and you get my
>     points here that we are going to try to make improvements where we
>     can and take this seriously!
>
>     And Johanna, again, you did amazing work. There are a few areas I
>     think can be improved, but I was always hesitant to dive into
>     project review that much because I did not want to be a board
>     member who was interfering with your work.
>
>     I respect the fact that you want to step away. There are tons of
>     other things to do at OWASP that would make you happier. I can
>     tell by your emails over the last month or two that you are unhappy with
>     OWASP and that certainly affects me. I take everything regarding
>     OWASP very personally, especially from super active volunteers
>     like yourself.
>
>     So when you say "I plan to step away" this time, I think you really
>     mean it. Since I'm the board liaison for projects, I'm going to
>     step in and help Claudia keep this ship sailing. The only thing
>     that is constant is change, and the way reviews are done will
>     certainly change in some ways as a different crew takes over. I
>     hope that is ok with you. It's just the natural progression of
>     things and no disrespect is meant.
>
>     Aloha,
>     Jim Manico
>
>>
>>     And yes, I do appreciate all the support you have personally
>>     given me and the Curacao community. It has been a great OWASP
>>     push from you for the Caribbean region.
>>
>>     Cheers and Aloha
>>
>>     Johanna
>>
>>     On Wed, Sep 2, 2015 at 2:52 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         Johanna,
>>
>>         I want you to know that your work is going to continue. We're
>>         looking to automate more of the review process, we're going to
>>         onboard new reviewers carefully and also take a second look
>>         at the processes in place. I hope this is a good thing in
>>         your mind. I personally think it's a very important part of
>>         the foundation and I've thanked you more times than I can count.
>>
>>         I even flew to your home island to give you your WASPY award
>>         in person. Don't you know why I did that? No, it was not for
>>         vacation, I live on a vacation island already. ;) I flew to
>>         Curacao because I believe in what you are doing and wanted to
>>         thank you in person.
>>
>>         Project reviews and projects in general are very important to
>>         the foundation and I plan to assist Claudia and staff as they
>>         see fit to keep the review party going.
>>
>>         I would not be able to even say that if it were not for the
>>         massive efforts from you over the past few years. Thank you!
>>
>>         Aloha,
>>         --
>>         Jim Manico
>>         Global Board Member
>>         OWASP Foundation
>>         https://www.owasp.org
>>         Join me at AppSecUSA 2015! (http://appsecusa.org/)
>>
>>         On Sep 2, 2015, at 8:41 AM, Josh Sokol <josh.sokol at owasp.org
>>         <mailto:josh.sokol at owasp.org>> wrote:
>>
>>>         Johanna,
>>>
>>>         You have both my attention and my support with this
>>>         initiative and I agree that it's, at least at this point in
>>>         time, a far better use of our time than in trying to wrangle
>>>         with project reviews and whatnot.  You did a fantastic job
>>>         with those for a very long time and with little recognition
>>>         for it, though I do think you won a WASPY for it, didn't
>>>         you?  At least that's something.  In any case, let's figure
>>>         out how to build those stairs to reach those bananas. If it
>>>         requires changing some policies to make funds more
>>>         accessible, then I can definitely help to push those
>>>         changes.  What policies currently stand in your way (i.e.
>>>         what is the rationale for being told "no")?  What new
>>>         policies would be reasonable?  What is a reasonable approach
>>>         to making sure that limited funds are spent on the things
>>>         that matter most and in alignment with the OWASP mission?
>>>
>>>         ~josh
>>>
>>>         On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel
>>>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>>>         wrote:
>>>
>>>             > I certainly cannot speak for all Projects, but every time
>>>             I tried to get the things I needed for a project, I got
>>>             either a deny or a big silence. So the first thing
>>>             needed is, if there is money available, more
>>>             communication and an easy way to get to it [...] In
>>>             summary, my experience in getting money or support for
>>>             OWASP projects is bad. IMHO, this is why so many
>>>             projects die.
>>>             [...] And lastly, I did not compare Chapters and
>>>             Projects. I did compare the treatment that they get from
>>>             OWASP.
>>>
>>>             You are not the only one with the same issues. I have
>>>             the same experience too, and so do many others.
>>>
>>>             Let's accept that we have a problem. And no, I don't
>>>             blame the Board for that, but I'm asking for your attention
>>>             and we have to admit that we need to work on this. And
>>>             the person asking for your attention is a volunteer who has
>>>             dedicated her time the last 3 years trying to improve a
>>>             system and contributing in multiple activities; I think
>>>             I deserve a small acknowledgement for that.
>>>
>>>             This is part of the evolution OWASP is having from small
>>>             to bigger organisation. A natural process. From US to
>>>             Global.
>>>
>>>             What I mean with a good platform in place is more than
>>>             money in the community fund.
>>>
>>>             That money feels like a banana hanging too high to
>>>             reach and no stairs to reach it for project leaders.
>>>
>>>             Platform means communication, managing resources,
>>>             support and much more. And money helps, but a good plan
>>>             is necessary.
>>>
>>>             It means having the stair (the platform) to make
>>>             available those funds, so they become available.
>>>
>>>             And I know that the problem is we have not worked on
>>>             creating the 'stair'.
>>>
>>>             This is where I want to dedicate my efforts, so I will
>>>             submit to form a committee to create the stair for
>>>             better development of OWASP projects. I care about them,
>>>             I use them, and I want to see fair opportunities for everyone.
>>>
>>>
>>>             On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira
>>>             <lucas.ferreira at owasp.org
>>>             <mailto:lucas.ferreira at owasp.org>> wrote:
>>>
>>>                 Josh,
>>>
>>>                 I certainly cannot speak for all Projects, but every
>>>                 time I tried to get the things I needed for a
>>>                 project, I got either a deny or a big silence. So
>>>                 the first thing needed is, if there is money
>>>                 available, more communication and an easy way to get
>>>                 to it.
>>>
>>>                 I will put here my experience. Others can say if
>>>                 they face similar issues or not.
>>>
>>>                 First, as part of the
>>>                 https://www.owasp.org/index.php/OWASP_Brasil_Manifesto,
>>>                 I tried to get money to pay for a professional
>>>                 public relations person/company to help us promote
>>>                 the manifesto to the Brazilian congress. I learnt
>>>                 the hard way (from organizing AppSec conferences)
>>>                 that a good PR person can make a real difference. At
>>>                 the time, I asked for USD 2600 to pay the PR but
>>>                 could not get the money.
>>>
>>>                 Second, as part of
>>>                 https://www.owasp.org/index.php/OWASP_File_Hash_Repository,
>>>                 I needed a server to use to deploy the initial code
>>>                 and help collecting data. I also needed a DNS entry.
>>>                 I ended up paying for the VM myself and used my own
>>>                 private domain for the DNS because I could not get
>>>                 it from OWASP.
>>>
>>>                 Lastly, as part of
>>>                 https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project,
>>>                 we tried to get money to hire translators and
>>>                 professional writers to work with the more tech
>>>                 oriented volunteers with no luck.
>>>
>>>                 In summary, my experience in getting money or
>>>                 support for OWASP projects is bad. IMHO, this is why
>>>                 so many projects die.
>>>
>>>                 And just to be sure, unlike Johanna, I think money
>>>                 is a big issue as it could be used to remove some of
>>>                 the load from volunteers. An example is the
>>>                 translation projects: we could leverage the
>>>                 knowledge of our network of volunteers, without
>>>                 requiring them to do all the work, by relying on
>>>                 professional services. So, the issue is to have
>>>                 money to buy the services needed by the projects,
>>>                 from VMs to professional services.
>>>
>>>                 And lastly, I did not compare Chapters and Projects.
>>>                 I did compare the treatment that they get from OWASP.
>>>
>>>                 Regards,
>>>
>>>                 Lucas
>>>
>>>
>>>                 On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol
>>>                 <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>>
>>>                 wrote:
>>>
>>>                     I believe Johanna said "It's not about money".
>>>                     Every time I hear someone say that it is, I
>>>                     cringe a little because I know that we allocated
>>>                     $50,000 in Community Engagement Funding this
>>>                     year to projects alone and have $15,650 of that
>>>                     remaining
>>>                     (https://owasp.org/index.php/Community_Engagement_-_Payments).
>>>                     I also know that if there's a need that goes
>>>                     beyond what is budgeted, we have ways to make
>>>                     that happen outside of this channel.  For
>>>                     example, when Dinis asked for $100,000 for a
>>>                     Project Summit, we said "Give us a plan and
>>>                     we'll discuss."
>>>
>>>                     I also cringe when I hear people compare the
>>>                     Projects to the Chapters or vice versa. They are
>>>                     both unique and important to OWASP.  Both have
>>>                     needs that we need to satisfy. Chapters have
>>>                     historically been more successful in fundraising
>>>                     because of the large volume of people involved
>>>                     with them, but that doesn't make them better or
>>>                     worse.  Just different. Let's be honest, the
>>>                     Chapter model of fundraising doesn't really work
>>>                     for Projects. That's ok...we just need to find
>>>                     other ways.
>>>
>>>                     So, let's assume that money is not an issue.
>>>                     What are the needs that our Projects have that
>>>                     OWASP is not currently fulfilling?  I don't
>>>                     claim to be an expert on Projects. I don't
>>>                     routinely work with them and the one project
>>>                     that I tried to start at OWASP died a very quick
>>>                     death.  It was an issue with time and
>>>                     volunteerism, though, and had nothing to do with
>>>                     the OWASP platform.  I understand and agree that
>>>                     it's not about things you can get for free like
>>>                     GitHub or wiki pages. So, what is it?  What do
>>>                     you need?  We have an in-house graphic
>>>                     designer.  We have companies that we work with
>>>                     for publishing. We hired a full-time person to
>>>                     help with projects.  If there are needs that
>>>                     aren't being met here, then what are they?  What
>>>                     can OWASP do to make Projects more successful?
>>>
>>>                     ~josh
>>>
>>>                     On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira
>>>                     <lucas.ferreira at owasp.org
>>>                     <mailto:lucas.ferreira at owasp.org>> wrote:
>>>
>>>                         Dear Johanna,
>>>
>>>                         It is very sad that you are stepping down,
>>>                         but you nailed it when you said:
>>>
>>>                         "I hope that in the future there is a clear
>>>                         perspective on how to help projects develop
>>>                         better. So far I have not seen major
>>>                         initiatives directed on improving a
>>>                         platform. A platform is not a wiki page, not
>>>                         a github account, these things are already
>>>                         free without OWASP support."
>>>
>>>                         For a long time already, I have had the same
>>>                         feeling that OWASP is always discussing
>>>                         chapters and their bank accounts and
>>>                         never projects. I just hope one day
>>>                         OWASP will be able to see that projects are
>>>                         what makes OWASP known and respected.
>>>
>>>                         I have talked to a few leaders of
>>>                         open-source projects about bringing their
>>>                         projects to OWASP and, in the end, the
>>>                         feeling is that all they would get is the
>>>                         ability to benefit from the OWASP "brand".
>>>                         We should offer project leaders more than
>>>                         the opportunity to beg chapters for money.
>>>
>>>                         Regards and good luck,
>>>
>>>                         Lucas
>>>
>>>                         On Wed, Sep 2, 2015 at 4:19 PM johanna
>>>                         curiel curiel <johanna.curiel at owasp.org
>>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                             Members of the board,
>>>
>>>                             I have decided to step down from the
>>>                             project reviews activities.
>>>
>>>                             I have been doing continuous reviews the
>>>                             last 2 years; especially in the last year I
>>>                             was quite involved in a major clean up
>>>                             in the project inventory, together with
>>>                             other members that participated on an
>>>                             on/off basis.
>>>
>>>                             That does not mean I'll step down from
>>>                             every activity I have been working on
>>>                             the last years at OWASP. Indeed, now
>>>                             I'll focus my attention on those
>>>                             activities that I feel have provided me
>>>                             with a higher level of reward and a
>>>                             grateful feeling.
>>>
>>>                             Unfortunately, I cannot say the same
>>>                             for reviewing projects. The greatest
>>>                             reward I had from that activity is what
>>>                             I learned from many projects for the last
>>>                             2 years, not just looking, but downloading,
>>>                             testing and using them and
>>>                             volunteering on their activities.
>>>
>>>                             It is a ticklish activity that has
>>>                             provided me very little satisfaction but
>>>                             disappointment. It never seems to be enough,
>>>                             even when people have little idea how
>>>                             much time is needed to use an open
>>>                             source project, let alone understand
>>>                             it. I'm a volunteer, not an OWASP
>>>                             employee. Let's clarify that for people
>>>                             that might read this.
>>>
>>>                             I think Claudia, as her predecessor
>>>                             Kait Disney did, can surely help
>>>                             maintain inactive/active projects
>>>                             monitoring. Another ticklish activity,
>>>                             about which we hear many complaints regarding
>>>                             inactive projects people want to keep alive.
>>>                             Politically driven necessities to have
>>>                             wiki pages of empty projects: that's what
>>>                             we finished, and I hope you can continue
>>>                             for the sake of users.
>>>
>>>                             The actual situation is that Project
>>>                             leaders are definitely on their own, and
>>>                             they should understand that: when it
>>>                             comes to having a platform at OWASP for
>>>                             developing projects, they have very
>>>                             little support on this.
>>>
>>>                             It's not about money, it's about a
>>>                             platform, a process and a way to be able
>>>                             to make a project a reality no matter if
>>>                             you are in India, Pakistan, or Africa.
>>>                             The inequality between these worlds is
>>>                             very obvious when we look at projects
>>>                             in the US or EU compared to 'developing
>>>                             countries'. Big security companies are
>>>                             not behind these leaders to support
>>>                             them with time or resources.
>>>
>>>                             I hope that in the future there is a
>>>                             clear perspective on how to help projects
>>>                             develop better. So far I have not seen
>>>                             major initiatives directed on improving
>>>                             a platform. A platform is not a wiki
>>>                             page, not a github account, these things
>>>                             are already free without OWASP support.
>>>
>>>                             I think people hoping to secure their
>>>                             web applications using OWASP tools can
>>>                             have better ways for doing it if more
>>>                             energy is directed towards supporting a
>>>                             better structure for developing OWASP
>>>                             projects.
>>>
>>>                             This is where my energy will be from now
>>>                             on. Hopefully with the right support.
>>>
>>>
>>>                             Regards
>>>
>>>                             Johanna
>>>                             _______________________________________________
>>>                             Governance mailing list
>>>                             Governance at lists.owasp.org
>>>                             <mailto:Governance at lists.owasp.org>
>>>                             https://lists.owasp.org/mailman/listinfo/governance
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>     -- 
>     Jim Manico
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org
>     Join me at AppSecUSA 2015!
>
>
