[Owasp-board] [Governance] Stepping down from Project Reviews

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 2 20:17:27 UTC 2015


As long as your role is clear in this process, including no influence in
who reviews your projects😜

cheers

Johanna

On Wed, Sep 2, 2015 at 4:09 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Johanna,
>
> Transparency wins here. :) Claudia is leading this process and asked me to
> help. I am super happy to do so. Everyone is invited; the invite is on the
> OWASP global calendar. The discussions will all continue on public on the
> project list. When you were lead you asked me questions and asked me for
> feedback on many occasions - I'd like to offer that same help to Claudia
> since I've been around OWASP projects for many years.
>
> The line I draw is that while I am happy to help comment on the review
> process, I do not actually do any reviews because I am a project leader of
> several projects.
>
> Does that line seem reasonable, Johanna?
>
> Aloha,
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!
>
>
> On 9/2/15 10:03 AM, johanna curiel curiel wrote:
>
> Jim
>
> Improvements are always possible.
>
> You are a member of the board and are leading many projects.
>
> Conflict of interest is at high stake in this position. That is a ticklish
> zone.
>
> cheers
>
> Johanna
>
>
>
>
> On Wed, Sep 2, 2015 at 3:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > I hope you understand that we did try many things for automation.
>>
>> Of course! Life is an evolution. We're going to keep working on it! :)
>>
>> > In Openduck all projects are registered and have a 'review this
>> project' form where you can provide a start and comments. We tried that
>> approach. We made google forms, we made google sheets, we built simple
>> criteria.
>>
>> This is all great, I'm a big fan of openduck. We're likely going to keep
>> using it. And we will also put some fresh eyes on it to see if we can
>> improve.
>>
>> > A JIRA donated with the help of Norman Yuen to create tasks and follow
>> ups, Jonathan Johnson who set up a server with automated builds, the SWAMP
>> to build projects ... We did try automation, and a lot.
>>
>> Great stuff! :)
>>
>> > Before you go and attempt a new thing, let's share experience and not
>> repeat the same approaches.
>>
>> Johanna, don't worry we're all professionals. Good folks will be looking
>> at this. We certainly do not want to re-do things that do not need to be
>> re-done.
>>
>> > I hope you understand that after spending 2 years in reviews the main
>> problem in my opinion based on my experience, is getting the right people
>> to spend time to review.
>>
>> I understand that issue. I hope to find a more streamlined way to
>> on-board reviewers for one or two reviews. I have a knack for getting folks
>> involved. :) We're on it.
>>
>> > Is just not simple.
>>
>> Hahaha! Nothing is simple at OWASP, I agree!
>>
>> > Open source security projects are not simple to test or use *this part
>> cannot be automated*. If you are not a developer with some security
>> background you cannot even test more than half of them. Every project has
>> its own way to build and install.
>>
>> Well said, I agree.
>>
>> > The automation is already there for handling the review once it is done.
>>
>> I hear you. We've set a meeting to review everything in place and posted
>> that to the project review list. There might be some things we can improve,
>> maybe not.
>>
>> > We must create incentives for people to go and review. People that have
>> the knowledge capable of reviewing. Example: If you are not a
>> (Java) developer how can you test and review CSRFGuard, Dependency,
>> AppSensor? HTML Sanitizer? If you are not a .NET developer how can you use
>> WebGoat.NET or the O2 project?
>>
>> I agree, that is something that we plan to discuss.
>>
>> > I hope you get my point.
>>
>> Completely. As OWASP volunteers step away from important initiatives,
>> that is ok! That is part of the flow of OWASP. But as some step away,
>> others will step in and take over and try to continue that work. I hope you
>> are ok with that and you get my points here that we are going to try to
>> make improvements where we can and take this seriously!
>>
>> And Johanna, again, you did amazing work. There are a few areas I think
>> can be improved, but I was always hesitant to dive into project review that
>> much because I did not want to be a board member who was interfering with
>> your work.
>>
>> I respect the fact that you want to step away. There are tons of other
>> things to do at OWASP that would make you happier. I can tell by your
>> emails the last month or two that you are unhappy with OWASP and that
>> certainly affects me. I take everything regarding OWASP very personally,
>> especially from super active volunteers like yourself.
>>
>> So when you say, I plan to step away this time, I think you really mean
>> it. Since I'm the board liaison for projects, I'm going to step in and help
>> Claudia keep this ship sailing. The only thing that is constant is change
>> and the way reviews are done will certainly change in some ways as a
>> different crew takes over. I hope that is ok with you. It's just the natural
>> progression of things and no disrespect is meant.
>>
>> Aloha,
>> Jim Manico
>>
>>
>> And yes, I do appreciate all the support you have personally given me and
>> the Curacao community. It has been a great OWASP push from you for the
>> Caribbean region.
>>
>> Cheers and Aloha
>>
>> Johanna
>>
>> On Wed, Sep 2, 2015 at 2:52 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> I want you to know that your work is going to continue. We're looking to
>>> automate more of the review process, we're going to onboard new reviewers
>>> carefully and also take a second look at the processes in place. I hope
>>> this is a good thing in your mind. I personally think it's a very important
>>> part of the foundation and I've thanked you more times than I can count.
>>>
>>> I even flew to your home island to give you your WASPY award in person.
>>> Don't you know why I did that? No, it was not for vacation, I live on a
>>> vacation island already. ;) I flew to Curacao because I believe in what you
>>> are doing and wanted to thank you in person.
>>>
>>> Project reviews and projects in general are very important to the
>>> foundation and I plan to assist Claudia and staff as they see fit to keep
>>> the review party going.
>>>
>>> I would not be able to even say that if it were not for the massive
>>> efforts from you over the past few years. Thank you!
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>> On Sep 2, 2015, at 8:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>> Johanna,
>>>
>>> You have both my attention and my support with this initiative and I
>>> agree that it's, at least at this point in time, a far better use of our
>>> time than in trying to wrangle with project reviews and whatnot.  You did a
>>> fantastic job with those for a very long time and with little recognition
>>> for it, though I do think you won a WASPY for it, didn't you?  At least
>>> that's something.  In any case, let's figure out how to build those stairs
>>> to reach those bananas.  If it requires changing some policies to make
>>> funds more accessible, then I can definitely help to push those changes.
>>> What policies currently stand in your way (i.e. what is the rationale for
>>> being told "no")?  What new policies would be reasonable?  What is a
>>> reasonable approach to making sure that limited funds are spent on the
>>> things that matter most and in alignment with the OWASP mission?
>>>
>>> ~josh
>>>
>>> On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>
>>>> > I certainly cannot speak for all Projects, but every time I tried to
>>>> get the things I needed for a project, I got either a deny or a big
>>>> silence. So the first thing needed is, if there is money available, more
>>>> communication and an easy way to get to it [....] In summary, my
>>>> experience in getting money or support for OWASP projects is bad. IMHO,
>>>> this is why so many projects die.
>>>> [...] And lastly, I did not compare Chapters and Projects. I did
>>>> compare the treatment that they get from OWASP.
>>>>
>>>> You are not the only one with the same issues. I have the same
>>>> experience too, as do many others.
>>>>
>>>> Let's accept that we have a problem and no, I don't blame the Board for
>>>> that, but I'm asking for your attention, and we have to admit that we need to
>>>> work on this. And the person asking for your attention is a volunteer who has
>>>> dedicated her time the last 3 years trying to improve a system and
>>>> contributing to multiple activities; I think I deserve a small
>>>> acknowledgement for that.
>>>>
>>>> This is part of the evolution OWASP is having from small to bigger
>>>> organisation. A natural process. From US to Global.
>>>>
>>>> What I mean with a good platform in place is more than money in the
>>>> community fund.
>>>>
>>>> That money feels like a banana hanging too high to reach and no stairs
>>>> to reach it for project leaders.
>>>>
>>>> Platform means communication, managing resources, support and much
>>>> more. And money helps but a good plan is necessary.
>>>>
>>>> It means having the stair (the platform) to make available those funds,
>>>> so they become available.
>>>>
>>>> And I know that the problem is we have not worked on creating the
>>>> 'stair'.
>>>>
>>>> This is where I want to dedicate my efforts, so I will submit to form a
>>>> committee to create the stair for better development of OWASP projects. I
>>>> care about them, I use them, and I want to see fair opportunities for everyone.
>>>>
>>>>
>>>> On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>>>
>>>>> Josh,
>>>>>
>>>>> I certainly cannot speak for all Projects, but every time I tried to
>>>>> get the things I needed for a project, I got either a deny or a big
>>>>> silence. So the first thing needed is, if there is money available, more
>>>>> communication and an easy way to get to it.
>>>>>
>>>>> I will put here my experience. Others can say if they face similar
>>>>> issues or not.
>>>>>
>>>>> First, as part of the
>>>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to
>>>>> get money to pay for a professional public relations person/company to help
>>>>> us promote the manifesto to the Brazilian congress. I learnt the hard way
>>>>> (from organizing AppSec conferences) that a good PR person can make a real
>>>>> difference. At the time, I asked for USD 2600 to pay the PR but could not
>>>>> get the money.
>>>>>
>>>>> Second, as part of
>>>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed
>>>>> a server to use to deploy the initial code and help collecting data. I also
>>>>> needed a DNS entry. I ended up paying for the VM myself and used my own
>>>>> private domain for the DNS because I could not get it from OWASP.
>>>>>
>>>>> Lastly, as part of
>>>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
>>>>> tried to get money to hire translators and professional writers to work
>>>>> with the more tech oriented volunteers with no luck.
>>>>>
>>>>> In summary, my experience in getting money or support for OWASP
>>>>> projects is bad. IMHO, this is why so many projects die.
>>>>>
>>>>> And just to be sure, unlike Johanna, I think money is a big issue as
>>>>> it could be used to remove some of the load from volunteers. An example is
>>>>> the translation projects: we could leverage the knowledge of our network of
>>>>> volunteers, without requiring them to do all the work, by relying on
>>>>> professional services. So, the issue is to have money to buy the services
>>>>> needed by the projects, from VMs to professional services.
>>>>>
>>>>> And lastly, I did not compare Chapters and Projects. I did compare the
>>>>> treatment that they get from OWASP.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Lucas
>>>>>
>>>>>
>>>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>
>>>>>> I believe Johanna said "It's not about money".  Every time I hear
>>>>>> someone say that it is, I cringe a little because I know that we allocated
>>>>>> $50,000 in Community Engagement Funding this year to projects alone and
>>>>>> have $15,650 of that remaining
>>>>>> (https://owasp.org/index.php/Community_Engagement_-_Payments).  I
>>>>>> also know that if there's a need that goes beyond what is budgeted, we have
>>>>>> ways to make that happen outside of this channel.  For example, when Dinis
>>>>>> asked for $100,000 for a Project Summit, we said "Give us a plan and we'll
>>>>>> discuss."
>>>>>>
>>>>>> I also cringe when I hear people compare the Projects to the Chapters
>>>>>> or vice versa.  They are both unique and important to OWASP.  Both have
>>>>>> needs that we need to satisfy.  Chapters have historically been more
>>>>>> successful in fundraising because of the large volume of people involved
>>>>>> with them, but that doesn't make them better or worse.  Just different.
>>>>>> Let's be honest, the Chapter model of fundraising doesn't really work for
>>>>>> Projects.  That's ok...we just need to find other ways.
>>>>>>
>>>>>> So, let's assume that money is not an issue.  What are the needs that
>>>>>> our Projects have that OWASP is not currently fulfilling?  I don't claim to
>>>>>> be an expert on Projects.  I don't routinely work with them and the one
>>>>>> project that I tried to start at OWASP died a very quick death.  It was an
>>>>>> issue with time and volunteerism, though, and had nothing to do with the
>>>>>> OWASP platform.  I understand and agree that it's not about things you can
>>>>>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>>>>>> need?  We have an in-house graphic designer.  We have companies that we
>>>>>> work with for publishing.  We hired a full-time person to help with
>>>>>> projects.  If there are needs that aren't being met here, then what are
>>>>>> they?  What can OWASP do to make Projects more successful?
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>>>>>
>>>>>>> Dear Johanna,
>>>>>>>
>>>>>>> It is very sad that you are stepping down, but you nailed it when
>>>>>>> you said:
>>>>>>>
>>>>>>> "I hope that in the future there is a clear perspective how to help
>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>> account, these things are already free without OWASP support."
>>>>>>>
>>>>>>> For a long time already, I have had the same feeling that OWASP is
>>>>>>> always discussing chapters and their bank accounts and never
>>>>>>> projects. I just hope one day OWASP will be able to see that projects are
>>>>>>> what makes OWASP known and respected.
>>>>>>>
>>>>>>> I have talked to a few leaders of open-source projects about
>>>>>>> bringing their projects to OWASP and, in the end, the feeling is that all
>>>>>>> they would get is the ability to benefit from the OWASP "brand". We should
>>>>>>> offer project leaders more than the opportunity to beg chapters for money.
>>>>>>>
>>>>>>> Regards and good luck,
>>>>>>>
>>>>>>> Lucas
>>>>>>>
>>>>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Members of the board,
>>>>>>>>
>>>>>>>> I have decided to step down from the project reviews activities.
>>>>>>>>
>>>>>>>> I have been doing continuous reviews the last 2 years; especially
>>>>>>>> the last year I was quite involved in a major clean up in the project
>>>>>>>> inventory, together with other members that participated on an on/off
>>>>>>>> basis.
>>>>>>>>
>>>>>>>> That does not mean I'll step down from every activity I have been
>>>>>>>> working on the last years at OWASP. Indeed, now I'll focus my attention on
>>>>>>>> those activities that I feel have provided me with a higher level of reward
>>>>>>>> and a grateful feeling.
>>>>>>>>
>>>>>>>> Unfortunately, I cannot say the same for reviewing projects. The
>>>>>>>> greatest reward I had from that activity is what I learned from many
>>>>>>>> projects over the last 2 years, not just looking, but downloading, testing and
>>>>>>>> using them and volunteering on their activities.
>>>>>>>>
>>>>>>>> It is a ticklish activity that has provided me very little
>>>>>>>> satisfaction but disappointment. It never seems to be enough, even when people
>>>>>>>> have little idea how much time is needed to use an open source project,
>>>>>>>> let alone understand it. I'm a volunteer, not an OWASP employee. Let's
>>>>>>>> clarify that for people that might read this.
>>>>>>>>
>>>>>>>> I think Claudia, as her predecessor, Kait-Disney, did, can surely
>>>>>>>> help maintain inactive/active projects monitoring. Another ticklish
>>>>>>>> activity, for which we hear many complaints regarding inactive projects wanted to
>>>>>>>> be kept alive. Politically driven necessities to have wiki pages of empty
>>>>>>>> projects, that's what we finished and hope you can continue for the sake of
>>>>>>>> users.
>>>>>>>>
>>>>>>>> The actual situation is that Project leaders are definitely on
>>>>>>>> their own, and they should understand that: when it comes to having a
>>>>>>>> platform at OWASP for developing projects, they have very little support on
>>>>>>>> this.
>>>>>>>>
>>>>>>>> It's not about money, it's about a platform, a process and a way to
>>>>>>>> be able to make a project a reality no matter if you are in India,
>>>>>>>> Pakistan, or Africa. The inequality between these worlds is very obvious
>>>>>>>> when we look at projects in the US or EU compared to 'developing countries'.
>>>>>>>> Big security companies are not behind these leaders to support them with
>>>>>>>> time or resources.
>>>>>>>>
>>>>>>>> I hope that in the future there is a clear perspective on how to help
>>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>>> at improving a platform. A platform is not a wiki page, not a github
>>>>>>>> account; these things are already free without OWASP support.
>>>>>>>>
>>>>>>>> I think people hoping to secure their web applications using OWASP
>>>>>>>> tools, can have better ways for doing it if more energy is directed towards
>>>>>>>> supporting a better structure for developing OWASP projects.
>>>>>>>>
>>>>>>>> This is where my energy will be from now on. Hopefully with the
>>>>>>>> right support.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>> _______________________________________________
>>>>>>>> Governance mailing list
>>>>>>>> Governance at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!
>>
>>
>
>

