No subject


Wed Nov 1 13:33:20 EST 2006


code published under Owasp HAS the FREEDOM to be used by anybody and can be shared and distributed by anybody. The fact that this material is FREE (as in beer, i.e. no cost) is a nice side effect and a good inevitable practicality (since if this material had to be paid for, its FREEDOM would not exist). <br>
<br>
Starting to <b>complain that 1) most Owasp members are 'takers' instead of 'givers' and 2) they are only interested in getting from Owasp things for FREE (as in beer, i.e. no cost), is in my view: </b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>offensive </b>to those Owasp members (among whom I include myself) since they are being called: thieves, opportunistic and selfish<br>
&nbsp;&nbsp;&nbsp; - <b>short-sighted</b>, since there is much more than meets the eye (things are never black or white)<br>
&nbsp;&nbsp;&nbsp; - <b>counter-productive</b>, since it is creating unnecessary friction and bad feelings amongst the community, and <br>
&nbsp;&nbsp;&nbsp; - <b>missing the point</b>, since the main discussion point should always be about FREEDOM and not about COST<br>
<br>
Going further, from my point of view, <b>blaming the current lack of participation in Owasp projects on the 'quality' of the current Owasp community</b> (which is being labeled as 'takers' and not 'givers')<b> is merely a scapegoat exercise which fails to address the core problems and doesn't allow the real issue to be dealt with.</b><br>
<br>
In my view, <b>it is not the responsibility and duty of the current Owasp members</b> (for example the persons subscribed to the current mailing lists) <b>to be active participants and to dedicate an enormous amount of time to those projects.</b><br>
<br>
In my view, <b>IT IS THE SPECIFIC OWASP PROJECT LEADER THAT HAS THE RESPONSIBILITY AND DUTY TO CREATE AN ENVIRONMENT where that project's members </b>(and the other Owasp leaders)<b> feel motivated to participate and become active members</b>. This is not easy and takes quite a lot of work, dedication and patience by those project leaders. <br>
<br>
This means that it is the OWASP PROJECT LEADER THAT HAS TO: <br>
<br>
&nbsp;&nbsp;&nbsp; - make everybody aware of what is going on<br>
&nbsp;&nbsp;&nbsp; - create simple, relevant and usable mini-tasks which can be executed by the community (it should be possible for somebody that wants to contribute to be able to go to a web page and be given a task which will not take him/her more than 30m to 2h to execute (compare that to the current situation))<br>
&nbsp;&nbsp;&nbsp; - actively market the Owasp project and encourage participation<br>
&nbsp;&nbsp;&nbsp; - manage expectations and ensure that the project's members are motivated and happy<br>
&nbsp;&nbsp;&nbsp; - ensure that all contributions are properly credited and that people are rewarded for their time and commitment<br>
&nbsp;&nbsp;&nbsp; - create products based on that project's deliverables (white papers, tools, security templates, etc.) which can be sold by Owasp<br>
<br>
Due to my past contributions to Owasp and my professional project manager experience, I believe that I have earned the right to make these grand statements, especially since <b>I consider that I</b> (Dinis Cruz, current Owasp leader of the Owasp-dotNet projects) <b>am a very BAD LEADER because I was not able to make the current 130 Owasp-DotNet subscribers participate in the current Owasp-dotNet projects</b> (I am including myself in the guilty-list). I have also been very bad at replying to contributors (sorry especially to Michael Silk (article) and Kerem Kusmezer (http module)) and should have done much more to help those subscribers to understand how the tools that I have developed and published work and how they can contribute.<br>
<br>
One of my objectives for 2005 is to make this community participate and 'come to life' (and <b>I don't blame them for not participating, I blame myself</b>)<br>
<br>
<b>What Owasp needs now are strong, creative and active leaders who will have to continuously prove </b>(i.e. every week, every month, every year) <b>that they deserve to be Owasp Leaders and that they can be responsible for their projects.</b><br>
<br>
In fact, one of the main reasons why the 'OWASP Foundation' must guarantee and fight for <br>
<br>
&nbsp;&nbsp;&nbsp; 1) the FREEDOM of all material produced and <br>
&nbsp;&nbsp;&nbsp; 2) the OPENNESS of its doors (i.e. anybody can join and be (if desired) a non-contributor member)<br>
<br>
is because <b>when Leaders stop behaving according to their responsibilities</b> (for personal or professional reasons) <b>their replacement </b>(amicably or not) <b>must be a relatively easy and straightforward process </b>(following the wishes of that project's community). <br>
<br>
As in the Hacker or Open Source community, an <b>Owasp Leader can only be an Owasp Leader if the Owasp community accepts and recognizes his/her leadership</b> (see the Linus example). <br>
<br>
In my view, this model creates a positive and healthy environment where the focus is always on productivity and never (or at least as little as possible) on political games and 'who is the boss' type arguments.<br>
<br>
<b>B) My comments on ... Jeff as an OWASP leader</b><br>
<br>
Before I go any further let me just say that:<br>
<br>
&nbsp;&nbsp;&nbsp; - I don't question Jeff's commitment and belief in Owasp<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff has done a great job with the creation of the Owasp Foundation<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff was very brave and courageous when he accepted (from Mark) the role as the main Owasp Leader<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff should continue to have some management roles in Owasp <br>
<br>
But <b>I DON'T THINK THAT JEFF SHOULD CONTINUE TO BE THE MAIN Owasp Leader,</b> since I don't think that Jeff has (based on his actions so far) what I would consider to be the right profile to be the main leader that Owasp needs today.<br>
<br>
Although <b>Jeff is beyond doubt a very active and productive Owasp member </b>(whose technical competence and professionalism are of the highest caliber)<b> I don't think that Jeff</b> (to whom I sincerely apologize for such a public criticism)<b> has the energy, vision and 'craziness' required to lead a project like Owasp (as it is today)</b>. Maybe it is Jeff's training as a Lawyer that makes him risk-averse, maybe it is just his personality, and maybe it is just the current phase that Owasp is in (<b>there is no reason why Jeff's profile would not be the most suitable to lead Owasp in one, two or ten years' time</b>).<br>
<br>
<b>What Owasp needs now is to have an energetic, dynamic, thought-provoking and inspiring leader who can lead Owasp into being a major player in the Web Application Security World,</b> and help it to make the world a 'safer' (and better) place.<br>
<br>
From my point of view, <b>unless Mark retakes the job</b> (which is not an option at the current moment in time), <b>I think that Owasp should </b>(in the short term) <b>NOT HAVE A MAIN LEADER! </b><br>
<br>
In the short term, <b>Owasp should only have operational leaders</b> (or whatever they would be called) <b>responsible for specific operational tasks </b>(for example dealing with any issues related to: the Owasp Foundation, the Owasp servers, the Owasp PR, the main Owasp website, the Owasp new business development exercises, etc.).<br>
<br>
Hopefully the <b>crisis created by Mark's departure will create an environment where the new future Owasp Leader will appear, </b>and his/her promotion to Owasp leadership is accepted/proposed by the majority of Owasp Leaders and Members.<br>
<br>
<br>
<b>C) My comments on ... the industry's current COLD reaction to OWASP</b><br>
<br>
Another factor which in my view is not helping the development of Owasp is the fact that <b>Owasp is trying to do something that the security industry doesn't want to happen</b>. For example: <br>
<br>
&nbsp;&nbsp;&nbsp; - the development of clear standards to evaluate Web Application Security,<br>
&nbsp;&nbsp;&nbsp; - the development of Open Source security tools, <br>
&nbsp;&nbsp;&nbsp; - and ultimately addressing the real problems that are creating the current 'insecure Web Application Landscape'<br>
<br>
Most Security Companies (not everybody is like this) are making too much money with Security Vulnerabilities to make REAL and ACTIVE efforts in actually solving the problems (since in most cases this would kill their markets). <br>
<br>
<b>The reality is that the ones that have the most to benefit from Owasp are the current 'Security products/services buyers' </b>because these are the ones that are currently buying overpriced and incomplete products/solutions. <b>The problem is that these 'entities'</b> (Companies, Government Organizations, NGOs, persons) <b>need to have something to buy</b> (which OWASP currently doesn't have) <b>and are used to</b> (and demand/expect) <b>a credible, professional and reliable service</b>.<br>
<br>
In my view, Owasp should stop trying to please (and not offend) the
Security Industry players and the Software Companies (from Microsoft
downwards) and should focus on these entities (companies, governments,
persons, etc...) which have most to benefit from Owasp work.<br>
<br>
<b>The current Owasp successes</b> (like the widespread usage of the Top 10) <b>must be built upon and nurtured, since current Owasp market credibility and perceived independence is one of Owasp's biggest assets.</b><br>
<br>
<br>
<b>D) My comments on ... 'the Microsoft response'</b><br>
<br>
I also find fascinating the fact that <b>the current Owasp-dotNet leader</b> (i.e. me)<b> has not been contacted by anybody from the Microsoft Asp.Net team regarding the Owasp-DotNet tools currently published</b>:<br>
<br>
&nbsp;&nbsp;&nbsp; - Asp.Net Security Analyzer (ANSA)<br>
&nbsp;&nbsp;&nbsp; - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)<br>
&nbsp;&nbsp;&nbsp; - Asp.Net Reflector<br>
&nbsp;&nbsp;&nbsp; - Online Metabase explorer<br>
<br>
<b>The only logical explanation </b>that I have for this situation (since these tools DO actually work and have helped hundreds of companies to improve their Asp.Net hosting environments) <b>is that Microsoft doesn't want to 'endorse' these tools because all of them show how insecure and dangerous the current Full Trust Asp.Net environment is</b>.<br>
<br>
Microsoft's position speaks volumes about the current state of the industry, since they (and their clients) would benefit tremendously from a vibrant development community continuously developing and improving these tools. The reason why Microsoft's (lack of) response is important is because Microsoft is currently one of the most active and responsive companies to security issues, and this shows how low the current level is :-(. <br>
<br>
For as much as I (Dinis Cruz): <br>
<br>
&nbsp;&nbsp;&nbsp; 1) criticize Microsoft (publicly and privately), <br>
&nbsp;&nbsp;&nbsp; 2) think that they are not doing enough, and <br>
&nbsp;&nbsp;&nbsp; 3) say that they are making a massive mistake with their current lack of acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities;<br>
<br>
based on my professional experience, I still think that <b>Microsoft DOES TAKE Security much more Seriously than most other Software companies out there</b> (which again shows how we are still very far away from starting to tackle the real security problems and vulnerabilities that exist in today's Web Applications).<br>
<br>
<b>E) My comments on ... making Money with Owasp</b><br>
<br>
Before I get accused of being an idealist or a crazy-open-source-guy who lives on 'planet fantasy', I would like to state that I fully understand that Money and Financial reward is a major element in our current society and way of life. I am not anti-corporations, anti-capitalism or anti-making money.<br>
<br>
We all need money to live, and the best model in life is when you manage to get paid to do something that you would do for free (i.e. not charge for it).<br>
<br>
I have to say that lately I have been very privileged to be in that position where most projects that I worked on were projects that I would gladly do for free (if I could financially afford it). And what is very relevant to Owasp is the fact that a <b>substantial percentage of my income for the past 6 months originated in projects directly related to my participation and contributions to Owasp</b>.<br>
<br>
Which means that I have to personally thank Owasp for the exposure that
I received as the leader of the Owasp-DotNet projects. So here it is:
<b>Thank you Owasp</b><br>
<br>
In some ways I am a good success story of how <b>Owasp can directly and indirectly provide a good financial and professional reward to active and participative members.</b><br>
<br>
I also would like to point out that given the current skill shortage in certain areas of Web Security (for example Asp.Net Security), <b>Owasp has the opportunity to become a 'recruitment center' for highly skilled, reliable and effective developers</b> (since all that the employers would need to do is to look at the prospective employee's participation and contribution record)<br>
<br>
<b>F) My comments on ... the fact that most Owasp projects have no participation from the community</b><br>
<br>
In my view there are several <b>reasons why most Owasp Projects don't have more than 2 to 5 active participants</b>:<br>
<br>
&nbsp;&nbsp;&nbsp; 1) <b>lack of time: </b>Most good and knowledgeable members are currently very busy and have very little time to dedicate to personal projects<br>
<br>
&nbsp;&nbsp;&nbsp; 2) <b>the current '2h to start being productive' paradigm</b>: which means that if I (for example) want to participate in a project, I will need to dedicate at least 2 hours to the project in order to start being productive (sometimes even for simple things like adding content to the new website!). <b>What we need is the '30m to start being productive' paradigm</b> or even better the '10m to start being productive' paradigm (which, when functional, actually creates an environment where participants regularly spend 2 hours or more on the project). Let me give a musical analogy (for the ones that don't know, I am also a part-time professional drummer): if you want to practice a musical instrument on a regular basis (for example every day), you must create an environment where there is almost no effort required to start practicing (i.e. there should be no set-up time and one should be able to start practicing 5m after deciding one wants to practice a little bit). This means that your musical instrument and practice environment must always be set up (e.g. drums) or plugged in (e.g. guitar) since that will allow for spontaneous practice sessions (which usually are the most productive) when the musician thinks 'I am just going to play for 10m - 15m' (which usually gets 'extended' into 1h to 2h sessions :) ). This creates an environment where it is easy to practice and in the musician's mind, practicing is not associated with spending 30m to set up the practice environment.<br>
<br>
&nbsp;&nbsp;&nbsp; 3) <b>Most Owasp projects don't have clear 'this is what you can do to participate' instructions</b> and require quite a lot of work and effort by the would-be contributors and participants<br>
<br>
&nbsp;&nbsp;&nbsp; 4) <b>Owasp membership is not big enough </b>for there to be enough people with an 'itch' (i.e. problem or requirement) similar to the project leader's 'itch', which will make them go one step further and spend the time, effort and dedication required to become an active participant and member<br>
<br>
&nbsp;&nbsp;&nbsp; 5) <b>Most projects are very dependent on the availability and energy level of the project leader</b> (who usually is also its author / creator). Hopefully we will soon reach a critical mass point (the 10,000 member mark?) where the community surrounding a project is vibrant enough to compensate for the regular MIA (Missing in Action) periods<br>
<br>
&nbsp;&nbsp;&nbsp; 6) and probably the most important one: <b>Collaborating in an Open Source project is VERY HARD</b>. Sometimes I feel an urge to hit persons who make FUD claims such as 'Open Source projects are created by a network of Kids and clueless programmers' (note that I am a non-violent person and very rarely get angry). Sending a comment like "humm, i clicked on this button and the application crashed" is very easy and anybody can do it; sending a comment like "I installed the application and I had a problem with XYZ function which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it which solved the problem" or "I've read this 50 page document and here are my comments" is:<br>
<br>
&nbsp;&nbsp;&nbsp; - VERY HARD TO DO (since one is reading others' code or words)<br>
&nbsp;&nbsp;&nbsp; - REQUIRES A DEEP UNDERSTANDING OF THAT PARTICULAR TECHNOLOGY OR SUBJECT MATTER<br>
&nbsp;&nbsp;&nbsp; - TAKES A LOT OF TIME, <br>
&nbsp;&nbsp;&nbsp; - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a criticism of someone else's work)<br>
&nbsp;&nbsp;&nbsp; - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. "...I think that this is a better way to do it...") which is always a hard thing to do<br>
&nbsp;&nbsp;&nbsp; - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST BEHAVIOR IN DEALING WITH CONTRIBUTIONS <br>
<br>
So, don't tell me that it is kids that make up the main body of contributions of successful Open Source projects. Most successful Open Source projects have as their main contributors highly intelligent, competent, dedicated and creative IT Professionals. <br>
<br>
<br>
<b>G) My comments on ... why I haven't participated in other Owasp Projects</b><br>
<br>
Following my previous points, I can now speak in the first person and say that<b> I am as guilty as anybody else for not participating in other Owasp projects. </b><br>
<br>
I am particularly ashamed of not having contributed to the WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test guide, since I have used them professionally.<br>
<br>
And the <b>reasons that I have for not participating are:</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>I didn't have</b> the required <b>time </b>to put myself in a position where I was able to send meaningful contributions <br>
&nbsp;&nbsp;&nbsp; - Those<b> project leaders didn't put any pressure on me to participate and didn't actively encourage it</b> (when one is working on several projects at the same time, unfortunately the projects that don't make any noise and are not critical tend to live permanently on the 'to-do-list-when-I-have-2-free-hours' pile)<br>
&nbsp;&nbsp;&nbsp; - There is almost <b>no documentation to help</b> (although I do admit that I didn't make a huge effort to find it)<br>
&nbsp;&nbsp;&nbsp; - I <b>didn't need professionally an improved version of those tools/documents</b> (i.e. I didn't have the 'itch' that those projects are scratching)<br>
<br>
<b>To start contributing to these projects I needed to be given simple, quick and meaningful</b> (i.e. could be used in the actual project) <b>tasks </b>(the '30m task' paradigm) and I had to be 'sold' on the idea of why I should participate. <br>
<br>
I must be in a position where I am proud to participate and must subconsciously feel that my efforts will be appreciated.<br>
<br>
I am assuming that if motivated and focused I would produce material of high quality that the project leader would find valuable (although anybody should be able to join an Owasp project, the Owasp leader has no duty to spend any time motivating and nurturing people who don't have the appropriate skills, knowledge, attitude or commitment)<br>
<br>
And this is the bottom line:<b> it is the leaders of these projects </b>(WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list)<b> that have the responsibility and duty to motivate me to participate</b>, and if they don't want to do it (since that is hard and takes time), then they should <br>
&nbsp;&nbsp;&nbsp; 1) step down (from leaders), <br>
&nbsp;&nbsp;&nbsp; 2) become 'normal' project members, <br>
&nbsp;&nbsp;&nbsp; 3) continue to submit their contributions and <br>
&nbsp;&nbsp;&nbsp; 4) give (i.e. assign) the leadership to another Owasp member that is willing to do it.<br>
<br>
Now, <b>does my lack of participation in these projects make me a 'taker'? </b>Somebody that is 'exploiting' the work of the talented and dedicated persons who worked on these projects? <b>Do I deserve</b> (due to my lack of participation) <b>to be kicked out of the current mailing lists and not be a member of those projects?</b><br>
<br>
<b>H) My comments on ... Mark's influence on Owasp</b><br>
<br>
I can honestly say that Mark is the main reason why I am in OWASP today. <br>
<br>
It was his energy, principles and commitment to Openness (i.e. Open
Source) that made me join this community, donate my Asp.Net work and
lead the Owasp-dotNet efforts.<br>
<br>
Mark has also been a very good influence on me since we share the same ideals and it is always very refreshing when one meets other like-minded individuals.<br>
<br>
Mark's departure also makes me think that I should have done more to help Owasp in 2004 and puts me in a position where I am guilty and partly responsible for his decision. <b>The main reason I am writing this 'Open Letter to Owasp' is so that Mark's departure is not in vain and Owasp is able to learn from its mistakes and change the current environment which caused one of Owasp's most important members to quit.</b><br>
<br>
Knowing how much Mark loves Owasp I can't even imagine how hard it must have been for him to take this decision. <br>
<br>
<b>I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and is well received by the other Owasp Leaders and Members.</b><br>
<br>
Do send me your comments and criticisms, and if you think that I am out of order, or what I am saying is stupid and doesn't make sense, please do let me know. <br>
<br>
I also need to be happy in this community and if my ideas and ideals are not welcomed at Owasp, then I will have to (with a heavy heart) also quit and find (or create) another Community.<br>
<br>
<b>I) My comments on ... how Owasp can make money:</b><br>
<br>
Just before I get into practical solutions (because one cannot only talk, one must also present solutions), here are some ideas of where Owasp can make money:<br>
<br>
&nbsp;- Owasp Project sponsorships or Research Grants <br>
&nbsp;- Owasp Consultancy <br>
&nbsp;- Owasp Accreditations <br>
&nbsp;- Owasp Official Curriculum<br>
&nbsp;- Owasp Books and White papers<br>
&nbsp;- Owasp Products (based on the developed tools)<br>
&nbsp;- Owasp Fund raising Events (Dinners, Presentations)<br>
&nbsp;- Owasp Conferences<br>
<br>
<b>And what could this money be used for? </b><br>
<br>
<b>In my view it should be used to pay for:</b><br>
<br>
&nbsp;&nbsp;&nbsp; - Owasp Administrative services <br>
&nbsp;&nbsp;&nbsp; - Developers' time spent on specific (or sponsored) Owasp Projects<br>
&nbsp;&nbsp;&nbsp; - Creation of Documentation<br>
&nbsp;&nbsp;&nbsp; - Packaging of Owasp Products <br>
&nbsp;&nbsp;&nbsp; - Marketing and PR<br>
&nbsp;&nbsp;&nbsp; - Sales<br>
&nbsp;&nbsp;&nbsp; - Support to Owasp's product or services <br>
<br>
<br>
<b>J) Ideas for the Future:</b><br>
<br>
Finally, here are some ideas which hopefully will point Owasp in the right direction:<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>In the short term, there should be no main OWASP Leader</b>, since this position (which in my eyes currently still belongs to Mark) must be earned, not given. This means that the next Owasp leader should be chosen by Owasp's Leaders with full support from Owasp's community<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>Jeff should continue to have several responsibilities within Owasp management</b>, but current Owasp leaders should be able to say "I would like to take responsibility for 'XYZ' task" <br>
<br>
&nbsp;&nbsp;&nbsp; - <b>The current Owasp leaders should do what I recommended earlier and actively encourage their communities to participate in their projects.</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>The current Owasp leaders should also make an effort to participate in each other's projects.</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A series of 30m tasks should be defined for each project, which will allow the Owasp members to easily contribute and participate</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>In the short term, Owasp must have a CMS </b>(Content Management System) <b>solution which allows authorized members to QUICKLY (in minutes) and EASILY (not too many clicks) add content to the LIVE SERVER hosting the main Owasp and individual project's websites.</b> I don't care if this is done with <span>the current Magnolia solution, with b-sec's CMS (support.binaryvision.com.au), </span>a very expensive donated CMS (<a href="http://www.tomoye.com">www.tomoye.com</a>), with FrontPage, with Dreamweaver or with NOTEPAD!!!! <b>What I want is something that doesn't get in the way, and I can get my content uploaded and published to the Owasp website in 10m</b>. And (please don't kill me for this), in the beginning I don't really care about how secure this system is. The first objective is to create a dynamic, vibrant and very active community. If we get maliciously hacked, then so be it!!! Note that I am not saying that Owasp should not have (and be able to provide as a template) a secure hosting environment. Just to avoid confusion let me say it again: <b>"I do think that Owasp should host its online content in a locked down environment which is as secure as possible".</b> What I am trying to say is that the current priority should be in creating vibrant communities (which could, as one of its projects, build a tool to create and configure secure hosting environments)<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>There must be total clarity of Owasp finances and financial operations</b>. The current lack of transparency is not healthy and doesn't promote contributions. I know that there are some short-term credibility issues with the current low turnover but I strongly believe that the advantages of full openness are far bigger than the disadvantages.<br>
<br>
&nbsp;&nbsp;&nbsp; - Once the current Owasp finances are published, <b>a short term investment plan should be created which defines what Owasp wants to do, how much money it requires, and where that money is going to come from</b> (for example I can (through my UK company) make some financial contributions to OWASP)<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A series of 'Owasp Products' should be created</b> (based on the current Owasp projects)<b> and sold online</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>Owasp should take a much more aggressive position in the Industry and start making its Voice heard. </b>And if this creates controversy, then so be it (the open letter sent last month was a good start). From my point of view, the moment Owasp starts to be attacked by 'respected' security companies and organizations is the moment that Owasp is starting to do its job right and is starting to change the world<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A formal Owasp Leader recognition process should be created which publicly recognizes current Owasp Leaders</b> <b>and most active Project contributors</b> (since this will help those persons' careers and will encourage others to become leaders themselves)<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A formal 'Thank you' letter should be sent to Mark</b> (signed by as many members as possible) as a gesture of gratitude for what he has done for Owasp<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A meeting should take place to discuss these (and other) ideas</b><br>
<br>
I hope that this made sense and if you made it this far, thanks for your patience in reading this long, rambling 'Open Letter to Owasp', for which I take full responsibility<br>
<br>
I'm looking forward to your comments<br>
<br>
Best regards<br>
<br>
Dinis Cruz<br>
<br>
PS: My apologies in advance for my spelling and grammatical errors, I am not a native English speaker and I currently live in the UK (which might make some of my analogies and words sound a bit weird to the US readers)<br>
</body>
</html>




More information about the Owasp-guide mailing list