[Owasp-board] Discussion on motion for next Board meeting

Martin Knobloch martin.knobloch at owasp.org
Wed Jun 14 08:22:26 UTC 2017

Hi Andrew,

As I totally agree with you and Tom, we need to manage policies, not solve
individual problems; added policies do not solve problems, and having more
policies is not better by default.
Each rule (or policy) has to have a reason, and I am not sure if the 'two
companies' part of your motion will solve the problem behind the reasoning.
For example, using the Top 10 case at hand, it would be compliant with your
motion if Jeff Williams and Dave Wichers were both project leaders of
the Top 10 project, one working for Aspect and one for Contrast. Of course,
less obvious business connections are much harder to identify.

In my opinion, more transparency added to the open character of OWASP has
shown that issues will be raised by the community. A transparent process of
handling issues will be more sufficient, and the community did raise the
issues we had with the OWASP Top Ten project at an early stage. To have a
transparent process for handling community-raised concerns is much more useful.
Of course, I am aware of the complaint committee, but filing a
complaint is something not done quickly, and we do not want things to
escalate until an official complaint has to be filed.
We should have an easy entrance where concerns about projects can be posted,
which will be handled in a transparent and open way.
At the end of my term as complaint / whistle-blower officer, I suggested to
the board to set up an ombudsman group for such cases. This should be a
mitigating committee of volunteers.

Kind regards,

On Wed, Jun 14, 2017 at 4:00 AM, Andrew van der Stock <vanderaj at owasp.org>

> Hi there,
> As part of the OWASP Top 10 track at the OWASP Summit, one of the outcomes
> was to improve independence issues with the OWASP Top 10 project.
> However, as Tom is often heard saying, we can't manage individual issues,
> we need to manage to policy. The policy in this area is quite open, and
> indeed, if we want to avoid the situation where the independence issue is
> thrown at other flagships or even my stewardship of the OWASP Top 10
> project, it needs to be addressed for all of them or not at all.
> I am proposing tabling a motion at the next Board meeting to update the
> Projects Handbook to include improved governance for Flagship projects,
> with independence in appearance and in actuality.
> "The Board directs OWASP Foundation staff to make updates to the Project
> Handbook as applicable to include two project leaders for Flagship
> projects, with a period of public comment before it takes effect. The
> updated guidelines should include:
>    - Flagship Projects shall have two leaders from different
>    organizations to avoid independence issues in appearance or in actuality
>    - Lab Projects looking to be promoted to Flagship shall have two
>    project leaders as per Flagship requirements to be eligible for promotion
>    - If during a project review it is identified that a project leader
>    has become dormant, or through project leader resignation or transfer, the
>    project has a period of three months to identify as many project leaders as
>    required to resolve the situation or risk being demoted to Lab status at
>    the next project review
>    - A grace period of until the end of 2017 shall apply to the new
>    independence requirements to allow projects time to promote a second leader.
> Foundation Staff are directed to work with affected Projects, including
> ensuring timely processing of leadership promotion through the usual
> process."
> https://github.com/OWASP-Foundation/Project-Handbook/blob/master/Project-Handbook_02_Project-Requirements.md
> Happy to take the Board's view on this important topic and any friendly
> amendments. I'd also like to hear from Matt Tesauro, the OWASP Senior
> Technical Coordinator, as this will impact their workload, especially over
> the next few months.
> A list of all Flagships includes:
> https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects
> At this time, I'm not sure how many projects are affected by this change,
> but it would definitely still include the OWASP Top 10. I will reach out to
> see if I can find volunteers from within the existing project to help step
> up with this process.
> thanks,
> Andrew