[Owasp-board] [Governance] Stepping down from Project Reviews

Jim Manico jim.manico at owasp.org
Wed Sep 2 20:24:36 UTC 2015


Johanna,

This is a *very* serious matter. Manipulating reviews of projects I 
manage would be grounds to have me dismissed from the board. If you are 
seriously concerned that my involvement would lead to ethical problems of 
that nature, then I encourage you to talk to other board members and 
escalate this issue. Corruption of that nature is very serious and would 
be a breach of my fiduciary duty to the OWASP Foundation.

My main concern (and my sole reason for involvement) is that OWASP 
presents its catalog of projects in a fair way. In the past, we held up 
projects as "Flagship" that had very serious quality issues. I do not 
feel that is the case any more.

Is there anything else you are concerned with while we are on the topic 
of ethics and project review?

- Jim


On 9/2/15 10:17 AM, johanna curiel curiel wrote:
> As long as your role is clear in this process, including no influence 
> in who reviews your projects😜
>
> cheers
>
> Johanna
>
> On Wed, Sep 2, 2015 at 4:09 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Johanna,
>
>     Transparency wins here. :) Claudia is leading this process and
>     asked me to help. I am super happy to do so. Everyone is invited;
>     the invite is on the OWASP global calendar. The discussions will
>     all continue in public on the project list. When you were lead you
>     asked me questions and asked me for feedback on many occasions -
>     I'd like to offer that same help to Claudia since I've been around
>     OWASP projects for many years.
>
>     The line I draw is that while I am happy to help comment on the
>     review process, I do not actually do any reviews because I am a
>     project leader of several projects.
>
>     Does that line seem reasonable, Johanna?
>
>     Aloha,
>
>     -- 
>     Jim Manico
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org
>     Join me at AppSecUSA 2015!
>
>
>     On 9/2/15 10:03 AM, johanna curiel curiel wrote:
>>     Jim
>>
>>     Improvements are always possible.
>>
>>     You are a member of the board and are leading many projects.
>>
>>     Conflict of interest is at high stake in this position. That is a
>>     ticklish zone.
>>
>>     cheers
>>
>>     Johanna
>>
>>
>>
>>
>>     On Wed, Sep 2, 2015 at 3:31 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         > I hope you understand that we did try many things for
>>         automation.
>>
>>         Of course! Life is an evolution. We're going to keep working
>>         on it! :)
>>
>>         > In Openduck all projects are registered and have a 'review
>>         this project' form where you can provide a start and
>>         comments. We tried that approach. We made google forms, we
>>         made google sheets, we built simple criteria.
>>
>>         This is all great, I'm a big fan of openduck. We're likely
>>         going to keep using it. And we will also put some fresh eyes
>>         on it to see if we can improve.
>>
>>         > A JIRA donated with the help of Norman Yuen to create tasks
>>         and follow ups, Jonathan Johnson who setup a server with
>>         automated builds, the SWAMP to build projects ... We did try
>>         automation, and a lot.
>>
>>         Great stuff! :)
>>
>>         > Before you go and attempt a new thing let's share experience
>>         and not repeat the same approaches.
>>
>>         Johanna, don't worry we're all professionals. Good folks will
>>         be looking at this. We certainly do not want to re-do things
>>         that do not need to be re-done.
>>
>>         > I hope you understand that after spending 2 years in
>>         reviews the main problem in my opinion based on my
>>         experience, is getting the right people to spend time to review.
>>
>>         I understand that issue. I hope to find a more streamlined
>>         way to on-board reviewers for one or two reviews. I have a
>>         knack for getting folks involved. :) We're on it.
>>
>>         > It's just not simple.
>>
>>         Hahaha! Nothing is simple at OWASP, I agree!
>>
>>         > Open source security projects are not simple to test or use
>>         *this part cannot be automated*. If you are not a developer
>>         with some security background you cannot even test more than
>>         half of them. Every project has their own way to build and install.
>>
>>         Well said, I agree.
>>
>>         > The automation is already there for handling the review
>>         once it is done.
>>
>>         I hear you. We've set a meeting to review everything in place
>>         and posted that to the project review list. There might be
>>         some things we can improve, maybe not.
>>
>>         > We must create incentives for people to go and review.
>>         People that have the knowledge capable of reviewing. Example:
>>         If you are not a (Java) developer how can you test and
>>         review CSRFGuard, Dependency, AppSensor? HTML sanitiser? If
>>         you are not a .NET developer how can you use WebGoat.NET or
>>         the O2 project?
>>
>>         I agree, that is something that we plan to discuss.
>>
>>         > I hope you get my point.
>>
>>         Completely. As OWASP volunteers step away from important
>>         initiatives, that is ok! That is part of the flow of OWASP.
>>         But as some step away, others will step in and take over and
>>         try to continue that work. I hope you are ok with that and
>>         you get my points here that we are going to try to make
>>         improvements where we can and take this seriously!
>>
>>         And Johanna, again, you did amazing work. There are a few
>>         areas I think can be improved, but I was always hesitant to
>>         dive into project review that much because I did not want to
>>         be a board member who was interfering with your work.
>>
>>         I respect the fact that you want to step away. There are
>>         tons of other things to do at OWASP that would make you
>>         happier. I can tell by your emails the last month or two that
>>         you are unhappy with OWASP and that certainly affects me. I
>>         take everything regarding OWASP very personally, especially
>>         from super active volunteers like yourself.
>>
>>         So when you say, I plan to step away this time, I think you
>>         really mean it. Since I'm the board liaison for projects, I'm
>>         going to step in and help Claudia keep this ship sailing. The
>>         only thing that is constant is change and the way reviews are
>>         done will certainly change in some ways as a different crew
>>         take over. I hope that is ok with you. It's just the natural
>>         progression of things and no disrespect is meant.
>>
>>         Aloha,
>>         Jim Manico
>>
>>>
>>>         And yes, I do appreciate all the support you have personally
>>>         given me and the Curacao community. It has been a great
>>>         OWASP push from you for the Caribbean region.
>>>
>>>         Cheers and Aloha
>>>
>>>         Johanna
>>>
>>>         On Wed, Sep 2, 2015 at 2:52 PM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>             Johanna,
>>>
>>>             I want you to know that your work is going to continue.
>>>             We're looking to automate more of the review process, we're
>>>             going to onboard new reviewers carefully and also take a
>>>             second look at the processes in place. I hope this is a
>>>             good thing in your mind. I personally think it's a very
>>>             important part of the foundation and I've thanked you
>>>             more times than I can count.
>>>
>>>             I even flew to your home island to give you your WASPY
>>>             award in person. Don't you know why I did that? No, it was
>>>             not for vacation, I live on a vacation island already.
>>>             ;) I flew to Curacao because I believe in what you are
>>>             doing and wanted to thank you in person.
>>>
>>>             Project reviews and projects in general are very
>>>             important to the foundation and I plan to assist Claudia
>>>             and staff as they see fit to keep the review party going.
>>>
>>>             I would not be able to even say that if it were not for
>>>             the massive efforts from you over the past few years.
>>>             Thank you!
>>>
>>>             Aloha,
>>>             --
>>>             Jim Manico
>>>             Global Board Member
>>>             OWASP Foundation
>>>             https://www.owasp.org <https://www.owasp.org/>
>>>             Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>>             On Sep 2, 2015, at 8:41 AM, Josh Sokol
>>>             <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>>
>>>>             Johanna,
>>>>
>>>>             You have both my attention and my support with this
>>>>             initiative and I agree that it's, at least at this
>>>>             point in time, a far better use of our time than in
>>>>             trying to wrangle with project reviews and whatnot.
>>>>             You did a fantastic job with those for a very long time
>>>>             and with little recognition for it, though I do think
>>>>             you won a WASPY for it, didn't you? At least that's
>>>>             something. In any case, let's figure out how to build
>>>>             those stairs to reach those bananas. If it requires
>>>>             changing some policies to make funds more accessible,
>>>>             then I can definitely help to push those changes. What
>>>>             policies currently stand in your way (i.e. what is the
>>>>             rationale for being told "no")? What new policies would
>>>>             be reasonable? What is a reasonable approach to making
>>>>             sure that limited funds are spent on the things that
>>>>             matter most and in alignment with the OWASP mission?
>>>>
>>>>             ~josh
>>>>
>>>>             On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel
>>>>             <johanna.curiel at owasp.org
>>>>             <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                 >I certainly cannot speak for all Projects, but every
>>>>                 time I tried to get the things I needed for a
>>>>                 project, I got either a deny or a big silence. So
>>>>                 the first thing needed is, if there is money
>>>>                 available, more communication and an easy way to
>>>>                 get to it[....] In summary, my experience in
>>>>                 getting money or support for OWASP projects is bad.
>>>>                 IMHO, this is why so many projects die.
>>>>                 [...]And lastly, I did not compare Chapters and
>>>>                 Projects. I did compare the treatment that they get
>>>>                 from OWASP.
>>>>
>>>>                 You are not the only one with the same issues. I
>>>>                 have the same experience too, and so do many others.
>>>>
>>>>                 Let's accept that we have a problem and no, I don't
>>>>                 blame the Board for that, but I'm asking your
>>>>                 attention and we have to admit that we need to work
>>>>                 on this. And the person asking your attention is a
>>>>                 volunteer who has dedicated her time the last 3
>>>>                 years trying to improve a system and contributing
>>>>                 in multiple activities, I think I deserve a small
>>>>                 acknowledgement for that.
>>>>
>>>>                 This is part of the evolution OWASP is having from
>>>>                 small to bigger organisation. A natural process.
>>>>                 From US to Global.
>>>>
>>>>                 What I mean with a good platform in place is more
>>>>                 than money in the community fund.
>>>>
>>>>                 That money feels like a banana hanging too high to
>>>>                 reach and no stairs to reach it for project leaders.
>>>>
>>>>                 Platform means communication, managing resources,
>>>>                 support and much more. And money helps but a good
>>>>                 plan is necessary.
>>>>
>>>>                 It means having the stair (the platform) to make
>>>>                 available those funds, so they become available.
>>>>
>>>>                 And I know that the problem is we have not worked on
>>>>                 creating the 'stair'.
>>>>
>>>>                 This is where I want to dedicate my efforts so I
>>>>                 will submit to form a committee to create the stair
>>>>                 for better development of OWASP projects. I care
>>>>                 about them, I use them I want to see fair
>>>>                 opportunities for everyone.
>>>>
>>>>
>>>>                 On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira
>>>>                 <lucas.ferreira at owasp.org
>>>>                 <mailto:lucas.ferreira at owasp.org>> wrote:
>>>>
>>>>                     Josh,
>>>>
>>>>                     I certainly cannot speak for all Projects, but
>>>>                     every time I tried to get the things I needed
>>>>                     for a project, I got either a deny or a big
>>>>                     silence. So the first thing needed is, if there
>>>>                     is money available, more communication and an
>>>>                     easy way to get to it.
>>>>
>>>>                     I will put here my experience. Others can say
>>>>                     if they face similar issues or not.
>>>>
>>>>                     First, as part of the
>>>>                     https://www.owasp.org/index.php/OWASP_Brasil_Manifesto,
>>>>                     I tried to get money to pay for a professional
>>>>                     public relations person/company to help us
>>>>                     promote the manifesto to the Brazilian
>>>>                     congress. I learnt the hard way (from
>>>>                     organizing AppSec conferences) that a good PR
>>>>                     person can make a real difference. At the time,
>>>>                     I asked for USD 2600 to pay the PR but could
>>>>                     not get the money.
>>>>
>>>>                     Second, as part of
>>>>                     https://www.owasp.org/index.php/OWASP_File_Hash_Repository,
>>>>                     I needed a server to use to deploy the initial
>>>>                     code and help collecting data. I also needed a
>>>>                     DNS entry. I ended up paying for the VM myself
>>>>                     and used my own private domain for the DNS
>>>>                     because I could not get it from OWASP.
>>>>
>>>>                     Lastly, as part of
>>>>                     https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project,
>>>>                     we tried to get money to hire translators and
>>>>                     professional writers to work with the more tech
>>>>                     oriented volunteers with no luck.
>>>>
>>>>                     In summary, my experience in getting money or
>>>>                     support for OWASP projects is bad. IMHO, this
>>>>                     is why so many projects die.
>>>>
>>>>                     And just to be sure, unlike Johanna, I think
>>>>                     money is a big issue as it could be used to
>>>>                     remove some of the load from volunteers. An
>>>>                     example is the translation projects: we could
>>>>                     leverage the knowledge of our network of
>>>>                     volunteers, without requiring them to do all
>>>>                     the work, by relying on professional services.
>>>>                     So, the issue is to have money to buy the
>>>>                     services needed by the projects, from VMs to
>>>>                     professional services.
>>>>
>>>>                     And lastly, I did not compare Chapters and
>>>>                     Projects. I did compare the treatment that they
>>>>                     get from OWASP.
>>>>
>>>>                     Regards,
>>>>
>>>>                     Lucas
>>>>
>>>>
>>>>                     On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol
>>>>                     <josh.sokol at owasp.org
>>>>                     <mailto:josh.sokol at owasp.org>> wrote:
>>>>
>>>>                         I believe Johanna said "It's not about
>>>>                         money". Every time I hear someone say that
>>>>                         it is, I cringe a little because I know
>>>>                         that we allocated $50,000 in Community
>>>>                         Engagement Funding this year to projects
>>>>                         alone and have $15,650 of that remaining
>>>>                         (https://owasp.org/index.php/Community_Engagement_-_Payments).
>>>>                         I also know that if there's a need that
>>>>                         goes beyond what is budgeted, we have ways
>>>>                         to make that happen outside of this
>>>>                         channel.  For example, when Dinis asked for
>>>>                         $100,000 for a Project Summit, we said
>>>>                         "Give us a plan and we'll discuss."
>>>>
>>>>                         I also cringe when I hear people compare
>>>>                         the Projects to the Chapters or vice versa.
>>>>                         They are both unique and important to
>>>>                         OWASP.  Both have needs that we need to
>>>>                         satisfy. Chapters have historically been
>>>>                         more successful in fundraising because of
>>>>                         the large volume of people involved with
>>>>                         them, but that doesn't make them better or
>>>>                         worse.  Just different. Let's be honest,
>>>>                         the Chapter model of fundraising doesn't
>>>>                         really work for Projects. That's ok...we
>>>>                         just need to find other ways.
>>>>
>>>>                         So, let's assume that money is not an
>>>>                         issue. What are the needs that our Projects
>>>>                         have that OWASP is not currently
>>>>                         fulfilling.  I don't claim to be an expert
>>>>                         on Projects. I don't routinely work with
>>>>                         them and the one project that I tried to
>>>>                         start at OWASP died a very quick death.  It
>>>>                         was an issue with time and volunteerism,
>>>>                         though, and had nothing to do with the
>>>>                         OWASP platform.  I understand and agree
>>>>                         that it's not about things you can get for
>>>>                         free like GitHub or wiki pages. So, what is
>>>>                         it?  What do you need?  We have an in-house
>>>>                         graphic designer.  We have companies that
>>>>                         we work with for publishing. We hired a
>>>>                         full-time person to help with projects.  If
>>>>                         there are needs that aren't being met here,
>>>>                         then what are they?  What can OWASP do to
>>>>                         make Projects more successful?
>>>>
>>>>                         ~josh
>>>>
>>>>                         On Wed, Sep 2, 2015 at 9:39 AM, Lucas
>>>>                         Ferreira <lucas.ferreira at owasp.org
>>>>                         <mailto:lucas.ferreira at owasp.org>> wrote:
>>>>
>>>>                             Dear Johanna,
>>>>
>>>>                             it is very sad that you are stepping
>>>>                             down, but you nailed it when you said:
>>>>
>>>>                             "I hope that in the future there is a
>>>>                             clear perspective how to help projects
>>>>                             develop better. So far I have not seen
>>>>                             major initiatives directed on improving
>>>>                             a platform. A platform is not a wiki
>>>>                             page, not a github account, these
>>>>                             things are already free without OWASP
>>>>                             support."
>>>>
>>>>                             For a long time already, I have the
>>>>                             same feeling that OWASP is always
>>>>                             discussing about chapters and their
>>>>                             bank accounts and never about projects.
>>>>                             I just hope one day OWASP will be able
>>>>                             to see that projects are what makes
>>>>                             OWASP known and respected.
>>>>
>>>>                             I have talked to a few leaders of
>>>>                             open-source projects about bringing
>>>>                             their projects to OWASP and, in the
>>>>                             end, the feeling is that all they would
>>>>                             get is the ability to benefit from the
>>>>                             OWASP "brand". We should offer project
>>>>                             leaders more than the opportunity to
>>>>                             beg chapters for money.
>>>>
>>>>                             Regards and good luck,
>>>>
>>>>                             Lucas
>>>>
>>>>                             On Wed, Sep 2, 2015 at 4:19 PM johanna
>>>>                             curiel curiel <johanna.curiel at owasp.org
>>>>                             <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                                 Members of the board,
>>>>
>>>>                                 I have decided to step down from
>>>>                                 the project reviews activities.
>>>>
>>>>                                 I have been doing continuous reviews
>>>>                                 the last 2 years, especially the
>>>>                                 last year I was quite involved in a
>>>>                                 major clean up in the project
>>>>                                 inventory, together with other
>>>>                                 members that participated on an
>>>>                                 on/off basis.
>>>>
>>>>                                 That does not mean I'll step down
>>>>                                 from every activity I have been
>>>>                                 working on the last years at OWASP.
>>>>                                 Indeed, now I'll focus my attention
>>>>                                 on those activities that I feel
>>>>                                 have provided me with a higher level
>>>>                                 of reward and a grateful feeling.
>>>>
>>>>                                 Unfortunately, I cannot say the
>>>>                                 same for reviewing projects. The
>>>>                                 greatest reward I had from that
>>>>                                 activity is what I learned from
>>>>                                 many projects over the last 2 years,
>>>>                                 not just looking, but downloading,
>>>>                                 testing and using them and
>>>>                                 volunteering on their activities.
>>>>
>>>>                                 It is a ticklish activity that
>>>>                                 has provided me very little
>>>>                                 satisfaction but disappointment.
>>>>                                 It never seems to be enough, even when
>>>>                                 people have little idea how much
>>>>                                 time is needed to use an open
>>>>                                 source project, let alone
>>>>                                 understand it. I'm a volunteer,
>>>>                                 not an OWASP employee. Let's clarify
>>>>                                 that for people that might read this.
>>>>
>>>>                                 I think Claudia, as her
>>>>                                 predecessor, Kait-Disney, did, can
>>>>                                 surely help maintain
>>>>                                 inactive/active projects
>>>>                                 monitoring. Another ticklish
>>>>                                 activity about which we hear many
>>>>                                 complaints regarding inactive
>>>>                                 projects wanted to be kept alive.
>>>>                                 Politically driven necessities to
>>>>                                 have wiki pages of empty projects,
>>>>                                 that's what we finished and hope you
>>>>                                 can continue for the sake of users.
>>>>
>>>>                                 The actual situation is that
>>>>                                 Project leaders are definitely on
>>>>                                 their own, and they should
>>>>                                 understand that: when it comes to
>>>>                                 having a platform at OWASP for
>>>>                                 developing projects, they have very
>>>>                                 little support on this.
>>>>
>>>>                                 It's not about money, it's about a
>>>>                                 platform, a process and a way to be
>>>>                                 able to make a project a reality no
>>>>                                 matter if you are in India,
>>>>                                 Pakistan, or Africa. The inequality
>>>>                                 between these worlds is very
>>>>                                 obvious when we look at projects
>>>>                                 in the US or EU compared to 'developing
>>>>                                 countries'. Big security companies
>>>>                                 are not behind these leaders to
>>>>                                 support them with time or resources.
>>>>
>>>>                                 I hope that in the future there is
>>>>                                 a clear perspective how to help
>>>>                                 projects develop better. So far I
>>>>                                 have not seen major initiatives
>>>>                                 directed on improving a platform. A
>>>>                                 platform is not a wiki page, not a
>>>>                                 github account, these things are
>>>>                                 already free without OWASP support.
>>>>
>>>>                                 I think people hoping to secure
>>>>                                 their web applications using OWASP
>>>>                                 tools, can have better ways for
>>>>                                 doing it if more energy is directed
>>>>                                 towards supporting a better
>>>>                                 structure for developing OWASP
>>>>                                 projects.
>>>>
>>>>                                 This is where my energy will be
>>>>                                 from now on. Hopefully with the
>>>>                                 right support.
>>>>
>>>>
>>>>                                 Regards
>>>>
>>>>                                 Johanna
>>>>                                 _______________________________________________
>>>>                                 Governance mailing list
>>>>                                 Governance at lists.owasp.org
>>>>                                 <mailto:Governance at lists.owasp.org>
>>>>                                 https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>>
>>>
>>>
>>
>>         -- 
>>         Jim Manico
>>         Global Board Member
>>         OWASP Foundation
>>         https://www.owasp.org
>>         Join me at AppSecUSA 2015!
>>
>>
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
