<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=windows-1252">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Arial">Dear board colleagues, <br>
      FYI<br>
      Best regards, Tobias<br>
    </font>
    <div class="moz-forward-container"><br>
      <br>
      -------- Original Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0"
        cellspacing="0">
        <tbody>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
            </th>
            <td>Re: [Owasp-board] Fwd: Request to address the OWASP
              Board</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
            <td>Sun, 23 Feb 2014 01:15:54 +0000</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
            <td>Jeremiah Grossman <a class="moz-txt-link-rfc2396E" href="mailto:jeremiah@whitehatsec.com">&lt;jeremiah@whitehatsec.com&gt;</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
            <td>Tobias <a class="moz-txt-link-rfc2396E" href="mailto:tobias.gondrom@owasp.org">&lt;tobias.gondrom@owasp.org&gt;</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">CC: </th>
            <td>Sarah Baso <a class="moz-txt-link-rfc2396E" href="mailto:sarah.baso@owasp.org">&lt;sarah.baso@owasp.org&gt;</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      Completely fine to share. Thank you!
      <div><br>
      </div>
      <div>
        <div apple-content-edited="true"><br>
        </div>
        <br>
        <div>
          <div>On Feb 22, 2014, at 5:14 PM, Tobias &lt;<a
              moz-do-not-send="true"
              href="mailto:tobias.gondrom@owasp.org">tobias.gondrom@owasp.org</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div bgcolor="#FFFFFF" text="#000000">
              <div class="moz-cite-prefix">Hi Jeremiah, <br>
                <br>
                thanks a lot for the info. And interesting point. ;-) <br>
                If you wish and with your permission, I can share your
                reply with the board list.
                <br>
                But as it will not aim for a vote on the day of Mar-3,
                it is not necessary. <br>
                So your choice. <br>
                Very much looking forward to hearing your ideas on
                Mar-3. <br>
                <br>
                Cheers and all the best, Tobias<br>
                <br>
                <br>
                On 23/02/14 01:02, Jeremiah Grossman wrote:<br>
              </div>
              <blockquote
                cite="mid:7485C58C-0366-4958-8E04-334E1D614C3A@whitehatsec.com"
                type="cite">
                <div apple-content-edited="true">Removing the board from
                  the list as I’m obviously not on it.
                </div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">Tobias,</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true"><span
                    class="Apple-tab-span" style="white-space:pre"></span>First,
                  thank you very much. And second, your suspicions are
                  correct. While I’ve plenty of “ideas” to float by
                  everyone, they’ve not been fully vetted and certainly
                  not something I think is anywhere near board vote
                  ready.</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">The one I’ve been
                  trying to get socialized for years is an OWASP-run
                  application security certification (a variety of them
                  actually). While yet another crappy certification
                  scares many people in the community, and for good ISC2
                  reasons, I find they mostly disagree with the
                  implementation, but not the concept in general. That
                  says to me, if done well, if done right, this could
                  fly, and do great things. It would give people a real
                  reason to become OWASP members.</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">1) OWASP sets the
                  minimum standard of experience / skill for a
                  certification. The organization creates and curates
                  the testing question bank.</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">2) Any organization may
                  then offer in-person / CBT training for those wishing
                  to be OWASP certified. Of course some will be better
                  than others, but this is a community issue.</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">3) An independent
                  third-party professional testing facility, of which
                  there are many, is approved by OWASP… paid for by the
                  test-taker will then manage the testing processes.</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">Everyone plays a role,
                  all interests are in alignment, and hiring managers
                  may rejoice!</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">Anyway, that’s one…</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">Regards,</div>
                <div apple-content-edited="true"><br>
                </div>
                <div apple-content-edited="true">Jeremiah-</div>
                <div apple-content-edited="true"><br>
                </div>
                <br>
                <div>
                  <div>On Feb 22, 2014, at 10:02 AM, Tobias &lt;<a
                      moz-do-not-send="true"
                      href="mailto:tobias.gondrom@owasp.org">tobias.gondrom@owasp.org</a>&gt;
                    wrote:</div>
                  <br class="Apple-interchange-newline">
                  <blockquote type="cite">
                    <div bgcolor="#FFFFFF" text="#000000">
                      <div class="moz-cite-prefix">Hi Sarah, <br>
                        <br>
                        thanks. <br>
                        Yes, I think we should have sufficient time on
                        the agenda. <br>
                        Could you please add the 20min slot for Jeremiah
                        on Mar-3 agenda under "new business"?
                        <br>
                        <br>
                        Thanks, Tobias<br>
                        <br>
                        <br>
                        PS: @Jeremiah: small comment: as mentioned
                        before, if you have specific ideas or actionable
                        items that you would like the board to vote on, please
                        send these questions before the meeting so
                        people have time to think about them and involve
                        the community for opinions. As you did not
                        mention specific vote questions, I assume your
                        talk is planned as food for thought and
                        potential medium term ideas, but does not
                        contain requests for immediate actions. (Of
                        course, in the end nothing would prevent the
                        board from voting during the meeting if it
                        decides so.) <br>
                        <br>
                        <br>
                        <br>
                        On 21/02/14 02:50, Sarah Baso wrote:<br>
                      </div>
                      <blockquote
cite="mid:CAA_HhV+DazMkjoWTUH1RxDf1EVH82xPMeA+FZb45fq3kqMtK3A@mail.gmail.com"
                        type="cite">
                        <div dir="ltr">Board Members -
                          <div>See email from Jeremiah below regarding
                            his request to speak with the board. Please
                            let him know if you are not able to
                            accommodate his requested time on March 3.</div>
                          <div><br>
                          </div>
                          <div>Thanks,</div>
                          <div>Sarah<br>
                            <br>
                            <div class="gmail_quote">----------
                              Forwarded message ----------<br>
                              From: <b class="gmail_sendername">Jeremiah
                                Grossman</b> <span dir="ltr">&lt;<a
                                  moz-do-not-send="true"
                                  href="mailto:jeremiah@whitehatsec.com">jeremiah@whitehatsec.com</a>&gt;</span><br>
                              Date: Fri, Feb 14, 2014 at 12:10 PM<br>
                              Subject: Re: Request to address the OWASP
                              Board<br>
                              To: Sarah Baso &lt;<a
                                moz-do-not-send="true"
                                href="mailto:sarah.baso@owasp.org">sarah.baso@owasp.org</a>&gt;<br>
                              Cc: OWASP Foundation Board List &lt;<a
                                moz-do-not-send="true"
                                href="mailto:owasp-board@lists.owasp.org">owasp-board@lists.owasp.org</a>&gt;<br>
                              <br>
                              <br>
                              <div style="word-wrap:break-word">Hi Sarah
                                (et al),
                                <div><br>
                                </div>
                                <div><span style="white-space:pre-wrap"></span>Thank
                                  you, I much appreciate the
                                  opportunity. The ideal time for me
                                  is March 3 at 9am PT.<br>
                                  <br>
                                  <div><span
                                      style="white-space:pre-wrap"></span>The
                                    subject I’d like to discuss
                                    is, “Growing the Application
                                    Security Industry,” a topic that’s
                                    important to a great many people in
                                    the industry and I suspect OWASP as
                                    an organization as well. 20min
                                    should be enough to carry on a
                                    useful discussion.</div>
                                  <div><br>
                                  </div>
                                  <div>As requested for context, while
                                    the application security industry
                                    has grown and grown up a lot over
                                    the years, it is still very small by
                                    any comparison from where it needs
                                    to be. Consider, Gary McGraw (CTO,
                                    Cigital) says roughly 2% of all
                                    programmers should be software
                                    security pros through his BSIMM
                                    research. If so, then at a worldwide
                                    programmer population of 17 million,
                                    we’ll be needing 340,000 software
                                    security pros. I don’t have to tell
                                    you all, we’re nowhere near that. And
                                    don’t even get me started on the
                                    completely inadequate level of
                                    monetary investment in the space
                                    relative to other less important
                                    areas of InfoSec.</div>
                                  <div><br>
                                  </div>
                                  <div>What I’m advocating everyone to
                                    consider, including the OWASP board,
                                    is to begin looking at every
                                    community project, every software
                                    and documentation initiative, and
                                    every donated dollar spent to help
                                    close this gap. Investing
                                    resources to increase OWASP
                                    membership, increase the number of
                                    people using its materials, and by
                                    extension the number of
                                    organizations that have application
                                    security programs in general. And
                                    then look with a skeptical eye for
                                    anything that doesn’t move the
                                    needle in that direction.</div>
                                  <div><br>
                                  </div>
                                  <div>I have some ideas sure, but they
                                    are just that, ideas. What I think
                                    we need most, is a new way of
                                    thinking about the AppSec industry.</div>
                                  <div><br>
                                  </div>
                                  <div>Does this help?</div>
                                  <div><br>
                                  </div>
                                  <div>Regards,</div>
                                  <div><br>
                                  </div>
                                  <div>
                                    <div>
                                      <div>Jeremiah Grossman</div>
                                      <div>Founder &amp; iCEO</div>
                                      <div>WhiteHat Security</div>
                                    </div>
                                    <div>
                                      <div class="h5">
                                        <div><br>
                                        </div>
                                        <br>
                                        <div>
                                          <div>On Feb 13, 2014, at 6:01
                                            PM, Sarah Baso &lt;<a
                                              moz-do-not-send="true"
                                              href="mailto:sarah.baso@owasp.org"
                                              target="_blank">sarah.baso@owasp.org</a>&gt;
                                            wrote:</div>
                                          <br>
                                          <blockquote type="cite">
                                            <div dir="ltr">Hi Jeremiah -
                                              <div><br>
                                              </div>
                                              <div>I wanted to follow up
                                                on your request to
                                                address the board at an
                                                upcoming meeting.  The
                                                Board has meetings
                                                scheduled on February
                                                24th from 8am-10am PST
                                                and a week later on
                                                March 3 from 7am-10am
                                                PST.  </div>
                                              <div><br>
                                              </div>
                                              <div><a
                                                  moz-do-not-send="true"
href="https://www.owasp.org/index.php/Board#tab=Agenda_for_2014_Meetings"
                                                  target="_blank">https://www.owasp.org/index.php/Board#tab=Agenda_for_2014_Meetings</a><br>
                                              </div>
                                              <div><br>
                                              </div>
                                              <div>We can add you to the
                                                agenda for either of
                                                these meetings; however
                                                a couple of the board
                                                members have requested
                                                that something in
                                                writing
                                                (proposal/comments)
                                                beforehand would be
                                                helpful to chew on to
                                                make the time as useful
                                                as possible on the call.</div>
                                              <div><br>
                                              </div>
                                              <div>Let us know your
                                                availability and if you
                                                have anything specific
                                                for them to read in
                                                preparation.</div>
                                              <div><br>
                                              </div>
                                              <div>Best,<br>
                                                Sarah Baso</div>
                                              <div>
                                                <div><br>
                                                </div>
                                                -- <br>
                                                <div dir="ltr">
                                                  <div>Executive
                                                    Director</div>
                                                  <div>OWASP Foundation</div>
                                                  <div><br>
                                                  </div>
                                                  <div><a
                                                      moz-do-not-send="true"
href="mailto:sarah.baso@owasp.org" target="_blank">sarah.baso@owasp.org</a><br>
                                                    <a
                                                      moz-do-not-send="true"
href="tel:%2B1.312.869.2779" value="+13128692779" target="_blank">+1.312.869.2779</a><br>
                                                    <br>
                                                    <br>
                                                    <br>
                                                    <br>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <br>
                            <br clear="all">
                            <div><br>
                            </div>
                            -- <br>
                            <div dir="ltr">
                              <div>Executive Director</div>
                              <div>OWASP Foundation</div>
                              <div><br>
                              </div>
                              <div><a moz-do-not-send="true"
                                  href="mailto:sarah.baso@owasp.org"
                                  target="_blank">sarah.baso@owasp.org</a><br>
                                +1.312.869.2779<br>
                                <br>
                                <br>
                                <br>
                                <br>
                              </div>
                            </div>
                          </div>
                        </div>
                        <br>
                      </blockquote>
                      <br>
                    </div>
                  </blockquote>
                </div>
                <br>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </div>
    <br>
  </body>
</html>