No subject


Wed Nov 1 13:33:20 EST 2006


In the short term, Owasp should only have operational-leaders (or whatever they would be called) responsible for specific operational tasks (for example dealing with any issues related to: the Owasp Foundation, the Owasp servers, the Owasp PR, the main Owasp website, the Owasp new business development exercises, etc...).

Hopefully the crisis created by Mark's departure will create an environment where the new future Owasp Leader will appear, and his/her promotion to Owasp leadership is accepted/proposed by the majority of Owasp Leaders and Members.


C) My comments on ... the industry's current COLD reaction to OWASP

Another factor which in my view is not helping the development of Owasp is the fact that Owasp is trying to do something that the security industry doesn't want to happen. For example: 

    - the development of clear standards to evaluate Web Application Security,
    - the Development of Open Source security tools, 
    - and ultimately addressing the real problems that are creating the current 'insecure Web Application Landscape'

Most Security Companies (not everybody is like this) are making too much money with Security Vulnerabilities to make REAL and ACTIVE efforts in actually solving the problems (since in most cases this would kill their markets). 

The reality is that the ones that have most to benefit from Owasp are the current 'Security products/services buyers', because these are the ones that are currently buying overpriced and incomplete products/solutions. The problem is that these 'entities' (Companies, Government Organizations, NGOs, persons) need to have something to buy (which OWASP currently doesn't have) and are used to (and demand/expect) a credible, professional and reliable service.

In my view, Owasp should stop trying to please (and not offend) the Security Industry players and the Software Companies (from Microsoft downwards) and should focus on these entities (companies, governments, persons, etc...) which have most to benefit from Owasp work.

The current Owasp successes (like the widespread usage of the Top 10) must be built upon and nurtured, since current Owasp market credibility and perceived independence is one of Owasp's biggest assets.


D) My comments on ... 'the Microsoft response'

I also find fascinating the fact that the current Owasp-dotNet leader (i.e. me) has not been contacted by anybody from the Microsoft Asp.Net team regarding the Owasp-DotNet tools currently published:

    - Asp.Net Security Analyzer (ANSA)
    - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
    - Asp.Net Reflector
    - Online Metabase explorer

The only logical explanation that I have for this situation (since these tools DO actually work and have helped hundreds of companies to improve their Asp.Net hosting environments) is that Microsoft doesn't want to 'endorse' these tools because all of them show how insecure and dangerous the current Full Trust Asp.Net environment is.

Microsoft's position speaks volumes about the current state of the industry, since they (and their clients) would benefit tremendously from a vibrant development community continuously developing and improving these tools. The reason why Microsoft's (lack of) response is important is because Microsoft is currently one of the most active and responsive companies to security issues, and this shows how low the current level is :-(.

For as much as I (Dinis Cruz): 

    1) criticize Microsoft (publicly and privately), 
    2) think that they are not doing enough, and 
    3) say that they are making a massive mistake with their current lack of acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities;

based on my professional experience, I still think that Microsoft DOES TAKE Security much more Seriously than most other Software companies out there (which again shows how we are still very far away from starting to tackle the real security problems and vulnerabilities that exist in today's Web Applications).

E) My comments on ... making Money with Owasp

Before I get accused of being an idealist or a crazy-open-source-guy who lives on 'planet fantasy', I would like to state that I fully understand that Money and Financial reward is a major element in our current society and way of life. I am not anti-corporations, anti-capitalism or anti-making money.

We all need money to live, and the best model in life is when you manage to get paid to do something that you would do for free (i.e. not charge for it).

I have to say that lately I have been very privileged to be in that position, where most projects that I worked on were projects that I would gladly do for free (if I could financially afford it). And what is very relevant to Owasp is the fact that a substantial percentage of my income for the past 6 months originated in projects directly related to my participation and contributions to Owasp.

Which means that I have to personally thank Owasp for the exposure that I received as the leader of the Owasp-DotNet projects. So here it is: Thank you Owasp

In some ways I am a good success-story of how Owasp can directly and indirectly provide a good financial and professional reward to active and participative members.

I also would like to point out that, given the current skill shortage in certain areas of Web Security (for example Asp.Net Security), Owasp has the opportunity to become a 'recruitment center' for high-skilled, reliable and effective developers (since all that the employers would need to do is to look at the prospective employee's participation and contribution record).

F) My comments on ... the fact that most Owasp projects have no participation from the community

In my view there are several reasons why most Owasp Projects don't have more than 2 to 5 active participants:

    1) lack of time: Most good and knowledgeable members are currently very busy and have very little time to dedicate to personal projects

    2) the current '2h to start being productive' paradigm: which means that if I (for example) want to participate in a project, I will need to dedicate at least 2 hours to the project in order to start being productive (sometimes even for simple things like adding content to the new website!). What we need is the '30m to start being productive' paradigm or even better the '10m to start being productive' paradigm (which, when functional, actually creates an environment where participants regularly spend 2 hours or more on the project). Let me give a musical analogy (for the ones that don't know, I am also a part-time professional drummer): If you want to practice a musical instrument on a regular basis (for example every day), you must create an environment where there is almost no effort required to start practicing (i.e. there should be no set-up time and one should be able to start practicing 5m after deciding one wants to practice a little bit). This means that your musical instrument and practice environment must always be set up (e.g. drums) or plugged in (e.g. guitar), since that will allow for spontaneous practice sessions (which usually are the most productive) when the musician thinks 'I am just going to play for 10m - 15m' (which usually gets 'extended' into 1h to 2h sessions :) ). This creates an environment where it is easy to practice and, in the musician's mind, practicing is not associated with spending 30m to set up the practice environment.

    3) Most Owasp projects don't have clear 'this is what you can do to participate' instructions and require quite a lot of work and effort by the would-be contributors and participants

    4) Owasp membership is not big enough that there are enough people with an 'itch' (i.e. problem or requirement) similar to the project leader's 'itch', which would make them go one step further and spend the time, effort and dedication required to become an active participant and member

    5) Most projects are very dependent on the availability and energy-level of the project leader (which usually is also its author / creator). Hopefully we will soon reach a critical mass point (the 10,000 member mark?) where the community surrounding a project is vibrant enough to compensate for the regular MIA (Missing in Action) periods

    6) and probably the most important one: Collaborating in an Open Source project is VERY HARD. Sometimes I feel an urge to hit persons who make FUD claims such as 'Open Source projects are created by a network of Kids and clueless programmers' (note that I am a non-violent person and very rarely get angry). Sending a comment like "humm, i clicked on this button and the application crashed" is very easy and anybody can do it; sending a comment like "I installed the application and I had a problem with XYZ function which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it which solved the problem" or "I've read this 50 page document and here are my comments" is:

    - VERY HARD TO DO (since one is reading other's code or words)
    - REQUIRES A DEEP UNDERSTANDING OF THAT PARTICULAR TECHNOLOGY OR SUBJECT MATTER
    - TAKES A LOT OF TIME, 
    - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a criticism of someone else's work)
    - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. "...I think that this is a better way to do it...") which is always a hard thing to do
    - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST BEHAVIOR IN DEALING WITH CONTRIBUTIONS

So, don't tell me that it is kids that make up the main body of contributions of successful Open Source projects. Most successful Open Source projects have as their main contributors highly intelligent, competent, dedicated and creative IT Professionals.


G) My comments on ... Why I haven't participated in other Owasp Projects

Following my previous points, I can now speak in the first person and say that I am as guilty as anybody else for not participating in other Owasp projects.

I am particularly ashamed of not having contributed to WebGoat, WebScarab, the Owasp Top 10, the Testing Guide and the Penetration Test guide, since I have used them professionally.

And the reasons that I have for not participating are:

    - I didn't have the required time to put myself in a position where I was able to send meaningful contributions
    - Those project leaders didn't put any pressure on me to participate and didn't actively encourage it (when one is working on several projects at the same time, unfortunately the projects that don't make any noise and are not critical tend to live permanently on the 'to-do-list-when-I-have-2-free-hours' pile)
    - There is almost no documentation to help (although I do admit that I didn't make a huge effort to find it)
    - I didn't professionally need an improved version of those tools/documents (i.e. I didn't have the 'itch' that those projects are scratching)

To start contributing to these projects I needed to be given simple, quick and meaningful (i.e. could be used in the actual project) tasks (the '30m task' paradigm) and I had to be 'sold' on the idea of why I should participate.

I must be in a position where I am proud to participate and must subconsciously feel that my efforts will be appreciated.

I am assuming that if motivated and focused I would produce material of high quality that the project leader would find valuable (although anybody should be able to join an Owasp project, the Owasp leader has no duty to spend any time motivating and nurturing people who don't have the appropriate skills, knowledge, attitude or commitment).

And this is the bottom line: it is the leaders of these projects (WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list) that have the responsibility and duty to motivate me to participate, and if they don't want to do it (since that is hard and takes time), then they should 
    1) step down (from leaders), 
    2) become 'normal' project members, 
    3) continue to submit their contributions  and 
    4) give (i.e. assign) the leadership to another Owasp member that is willing to do it.

Now, does my lack of participation in these projects make me a 'taker'? Somebody that is 'exploiting' the work of the talented and dedicated persons who worked on these projects? Do I deserve (due to my lack of participation) to be kicked out of the current mailing lists and not be a member of those projects?

H) My comments on ... Mark's influence on Owasp

I can honestly say that Mark is the main reason why I am in OWASP today. 

It was his energy, principles and commitment to Openness (i.e. Open Source) that made me join this community, donate my Asp.Net work and lead the Owasp-dotNet efforts.

Mark has also been a very good influence on me, since we share the same ideals and it is always very refreshing when one meets other like-minded individuals.

Mark's departure also makes me think that I should have done more to help Owasp in 2004, and puts me in a position where I am guilty and partly responsible for his decision. The main reason I am writing this 'Open Letter to Owasp' is so that Mark's departure is not in vain and Owasp is able to learn from its mistakes and change the current environment which caused one of Owasp's most important members to quit.

Knowing how much Mark loves Owasp, I can't even imagine how hard it must have been for him to take this decision.

I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and is well received by the other Owasp Leaders and Members. 

Do send me your comments and criticisms, and if you think that I am out of order, or what I am saying is stupid and doesn't make sense, please do let me know. 

I also need to be happy in this community and if my ideas and ideals are not welcomed at Owasp, then I will have to (with a heavy heart) also quit and find (or create) another Community

I) My comments on ... how Owasp can make money:

Just before I get into practical solutions (because one cannot only talk, one must also present solutions), here are some ideas of where Owasp can make money:

 - Owasp Project sponsorships or Research Grants 
 - Owasp Consultancy 
 - Owasp Accreditations 
 - Owasp Official Curriculum
 - Owasp Books and White papers
 - Owasp Products (based on the developed tools)
 - Owasp Fund raising Events (Dinners, Presentations)
 - Owasp Conferences

And what could this money be used for? 

In my view it should be used to pay for:

    - Owasp Administrative services 
    - Developers' time spent on specific (or sponsored) Owasp Projects
    - Creation of Documentation
    - Packaging of Owasp Products 
    - Marketing and PR
    - Sales
    - Support to Owasp's product or services 


J) Ideas for the Future:

Finally, here are some ideas which hopefully will point Owasp in the right direction:

    - In the short-term, there should be no main OWASP Leader, since this position (which in my eyes currently still belongs to Mark) must be earned not given. This means that the next Owasp's leader should be chosen by Owasp's Leaders with full support by Owasp's community

    - Jeff should continue to have several responsibilities within Owasp management, but current Owasp leaders should be able to say "I would like to take responsibility for 'XYZ' task"

    - The current Owasp leaders should do what I recommended earlier and actively encourage their communities to participate in their project.

    - The current Owasp leaders should also make an effort to participate in each others' projects.

    - A series of 30m tasks should be defined for each project, which will allow the Owasp members to easily contribute and participate

    - In the short term, Owasp must have a CMS (Content Management System) solution which allows authorized members to QUICKLY (in minutes) and EASILY (not too many clicks) add content to the LIVE SERVER hosting the main Owasp and individual projects' websites. I don't care if this is done with the current Magnolia solution, with b-sec's CMS (support.binaryvision.com.au), a very Expensive donated CMS (www.tomoye.com), with FrontPage, with Dreamweaver or with NOTEPAD!!!! What I want is something that doesn't get in the way, and I can get my content uploaded and published to the Owasp website in 10m. And (please don't kill me for this), in the beginning I don't really care about how secure this system is. The first objective is to create a dynamic, vibrant and very active community. If we get maliciously hacked, then so be it!!! Note that I am not saying that Owasp should not have (and be able to provide as a template) a secure hosting environment. Just to avoid confusion let me say it again: "I do think that Owasp should host its online content in a locked down environment which is as secure as possible". What I am trying to say is that the current priority should be in creating vibrant communities (which could, as one of their projects, build a tool to create and configure secure hosting environments)

    - There must be total clarity of Owasp finances and financial operations. The current lack of transparency is not healthy and doesn't promote contributions. I know that there are some short-term credibility issues with the current low-turnover but I strongly believe that the advantages of full openness are far bigger than the disadvantages.

    - Once the current Owasp finances are published, a short term investment plan should be created which defines what Owasp wants to do, how much money it requires, and where is that money going to come from (for example I can (through my UK company) make some financial contributions to OWASP)

    - A series of 'Owasp Products' should be created (based on the current Owasp projects) and sold online

    - Owasp should take a much more aggressive position in the Industry and start making its Voice heard. And if this creates controversy, then so be it (the open letter sent last month was a good start). From my point of view, the moment Owasp starts to be attacked by 'respected' security companies and organizations, is the moment that Owasp is starting to do its job right and is starting to change the world
   
    - A formal Owasp Leader recognition process should be created which publicly recognizes current Owasp Leaders and most active Project contributors (since this will help those persons' careers and will encourage others to become leaders themselves)

    - A formal 'Thank you' letter should be sent to Mark (signed by as many members as possible) as a gesture of gratitude for what he has done for Owasp

    - A meeting should take place to discuss this (and other) ideas

I hope that this made sense and, if you made it this far, thanks for your patience in reading this long, rambling 'Open Letter to Owasp', for which I take full responsibility

I'm looking forward to your comments

Best regards

Dinis Cruz

PS: My apologies in advance for my spelling and grammatical errors, I am not a Native-English speaker and I currently live in the UK (which might make some of my analogies and words sound a bit weird to the US readers)

Hello Everyone,

Hopefully I don't repeat what Dinis and Denis wrote in their emails. It is unfortunate that we need a key member like Mark to depart from OWASP to start a discussion on the direction of OWASP's future. Moving forward I hope we can start these types of discussions without key members leaving...

Let's put things into perspective, I don't know if OWASP needs a radical change and it's going to crash and burn. OWASP needs goals, a clear direction/roadmap, more organization, funding, etc... Basically, OWASP is a group of security gurus that need some direction and help in business development.

IMHO to move things forward the following needs to be addressed:

    1) Governance – Currently there is very little governance and IMHO this is the root of the problem. I don't think most security gurus have the desire to work on governance. They would rather work on security related issues.

    I feel that OWASP's future growth will be limited with the current governance. Many points in both Dinis' and Denis' emails should be addressed and incorporated into OWASP governance.

    2) Leadership – With the current situation of OWASP I think Jeff is doing well. He has been the OWASP leader for about 6 months and he achieved the following:
        a. OWASP Conference – He was one of the key people in establishing the first ever OWASP conference. We need to build on the conferences because this could be a good revenue generator.
        b. OWASP Foundation – He set up the OWASP Foundation and I'm sure all legal areas were covered. I think having a lawyer is beneficial.
        c. OWASP Portal – He was key in setting up the new OWASP portal. It's not the most ideal portal but it's 100% better than the XML portal we had before. We still have a way to go on the portal...
        d. OWASP Local Chapters – We now have local chapters. The OWASP name is spreading and participation is growing via local chapters. I'm the NYC chair and our membership and meeting attendance is doing very well.

    I do think there is a lack of a structured roadmap for OWASP. Our projects and ideas are ad hoc. If something cool comes up we'll do it. There is no structured roadmap and this should be addressed by Jeff and the OWASP leaders.

    3) Revenue Generation & Sponsorship – Let's create a plan to address Dinis' and Denis' issues along with others.

    4) Participation – We need to make it clear in each project what you can do to participate. Each project web page should have a standard for what should be included. I guess this goes back to governance.

I can go on and on but I won't. I suggest we have a meeting with all the leaders to discuss the direction of OWASP. I'll volunteer to create a meeting agenda based on everyone's feedback to Mark's departure. I can set up a GoToMeeting session for all of us.

Thanks,
Stan


"Verdon, Denis" <Denis.Verdon at fnf.com> wrote:
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">
<META content="Microsoft Word 11 (filtered medium)" name=Generator>
<STYLE>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</STYLE>
<o:SmartTagType name="country-region" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="place" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="Street" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="PostalCode" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="State" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="City" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType name="address" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType>
<STYLE>
st1\:*{behavior:url(#default#ieooui) }
</STYLE>

<STYLE>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";
	color:black;}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:blue;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
 /* List Definitions */
 @list l0
	{mso-list-id:2040356822;
	mso-list-type:hybrid;
	mso-list-template-ids:-511905288 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
	{mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
-->
</STYLE>

<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Dinis,<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Your impassioned open letter is much needed and, hopefully, not too late. &nbsp;I support at least a large part of your thoughts on this subject and am keen to see progress made in much the way you advocate. &nbsp;However, a few observations from my personal POV:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<OL style="MARGIN-TOP: 0in" type=1>
<LI class=MsoNormal style="COLOR: navy; mso-list: l0 level1 lfo1"><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I would suggest that the success of Open Source projects is directly related to the nature and motivation of the community they serve. &nbsp;Linux succeeded in large part due to the fact that such a “product” was immensely useful to its participants, who in large part were geeks who wanted to roll their own “better” *NIX system. &nbsp;More than intellectually challenging, it provided a product that many individuals could use. &nbsp;However, looking at the OWASP community, I would suggest that the population is more oriented to Enterprises (like my company) and Software Shops. &nbsp;This immediately places a different slant on participants’ motivations.&nbsp; <o:p></o:p></SPAN></FONT></LI>
<LI class=MsoNormal style="COLOR: navy; mso-list: l0 level1 lfo1"><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I don’t profess to speak for anyone but myself here, but my openly selfish objectives are two-fold: (a) align my company’s efforts with emerging de facto standards and (b) gain leverage for my seven-figure budget in application security. &nbsp;My preference is to do that with an “open” standard and not with a vendor and if I can collaborate with my peers in other organizations, that’s even better.&nbsp; However, by the same token, I do not want to squander my hard-won budget on projects that do not deliver within the timeframe I need.&nbsp; Right now, I find it difficult to contribute unless I know that the efforts will bear fruit within reasonable time and that is a basic project management issue: project sponsorship and commitment.&nbsp; I am willing to contribute cash, hosted CMS systems and active staff participation, but I owe it
 to my company and its shareholders that this contribution achieves results. &nbsp;In short, I need guarantees that OWASP will be a force multiplier to my efforts. &nbsp;If you want to take OWASP out of academia and a pure hobbyists’ realm, my suggestion is that OWASP needs to recognize these commercial needs.&nbsp; <o:p></o:p></SPAN></FONT></LI>
<LI class=MsoNormal style="COLOR: navy; mso-list: l0 level1 lfo1"><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">This appears to me a classic project management issue: most projects fail when there is limited “skin in the game” (read “money”) and when project accountability is weak. &nbsp;My advocacy of a strong governance structure is targeted at exactly this issue. &nbsp;Membership funding focuses the mind.<o:p></o:p></SPAN></FONT></LI>
<LI class=MsoNormal style="COLOR: navy; mso-list: l0 level1 lfo1"><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Strong management, well funded but held accountable for deliverables, is one way to approach this. &nbsp;This is the model the FS-ISAC uses and I suggest we need a similar model. That OWASP was born and survived so long is, in my mind, testimony to Mark’s inspirational qualities, but it is not a scalable architecture. &nbsp;True governance is needed to deflect some of my dollars to the project.<o:p></o:p></SPAN></FONT></LI>
<LI class=MsoNormal style="COLOR: navy; mso-list: l0 level1 lfo1"><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I believe that the best part of the Open Source model – widespread contributions by motivated individuals and academia, as well as peer review – need not be lost, so long as there is recognition that the main audience for the products is large organizations. &nbsp;One approach may be a paid membership, with fellowship status being awarded to individuals that have made significant contributions.<o:p></o:p></SPAN></FONT></LI></OL>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I welcome your challenge, but as with so many undertakings like this, critical mass is needed. &nbsp;I will continue to fund my own projects in this area and will make good on my promise to contribute these artifacts when done, but this will be done unilaterally until such time that enough of my peers and colleagues in other organizations recognize the opportunity we have to work more effectively under a new, revitalized OWASP organization.&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Denis Verdon, Senior Vice President &amp; Head of CISG</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">FNF - Corporate Information Security Group</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">2510 N. Red Hill Avenue</SPAN></FONT><FONT face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">, Santa Ana CA 92705</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Tel: (949) 221 3252</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Cell: (949) 923 0390</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Email: </SPAN></FONT><A href="mailto:denis.verdon at fnf.com"><FONT face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">denis.verdon at fnf.com</SPAN></FONT></A><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Web: <A href="http://www.fnf.com/">http://www.fnf.com</A></SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Intranet: </SPAN></FONT><A href="https://cis.fnf.com/"><FONT face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">https://cis.fnf.com</SPAN></FONT></A><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><BR></SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> Dinis Cruz [mailto:dinis at ddplus.net] <BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Monday, December 27, 2004 8:09 AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> owasp-leaders at lists.sourceforge.net<BR><B><SPAN style="FONT-WEIGHT: bold">Cc:</SPAN></B> Mark Curphey; owasp-dotnet at lists.sourceforge.net; owasp-guide at lists.sourceforge.net; owasp-testing at lists.sourceforge.net; owasp-chapters at lists.sourceforge.net; owasp-advisors at lists.sourcforge.net; owasp-metrics-request at lists.sourceforge.net; ingo at ingostruck.de; alex at netwindows.org; dendler at tippingpoint.com; jermey at poteet.com; admin at mokshafaced.com; david.raphael at ceterum.net; stanguzik at yahoo.com; jeff.williams at owasp.org<BR><B><SPAN
 style="FONT-WEIGHT: bold">Subject:</SPAN></B> An Open Letter to Owasp</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 12pt">Owasp is in a Crisis!</SPAN></FONT></B><BR><BR>Mark's departure (who was one of the original Owasp members and one of the most active and energetic participants) must make us all reflect hard on his reasons for departure. Hopefully, this crisis will also create an environment where the necessary changes are made to Owasp's world which:<BR>&nbsp;&nbsp;&nbsp; a) prevents the departure of other key players and <BR>&nbsp;&nbsp;&nbsp; b) substantially changes Owasp's behavior so that Mark (and others) will want to (re)join, participate and collaborate.<BR><BR>As an Owasp member myself, and knowing (hoping?) that Owasp continues to be a big part of my professional life, I would like to propose a series of measures and suggestions for its future. These ideas are included at the end of this 'Open Letter to Owasp', but firstly I would like to give my
 personal opinion on several issues which I think are very relevant to the current Owasp environment/situation.<BR><BR><B><SPAN style="FONT-WEIGHT: bold">A) My comments on .... "Owasp's vs Open Source"<BR><BR></SPAN></B>Sorry if I am offending somebody, but I think that at the moment, in the Owasp community, there are some expectations of what Open Source should deliver which are not based on WHAT CAN happen but on what people WOULD LIKE to happen.<BR><BR>I feel that several Owasp members (including Mark) are misinterpreting the concepts of FREEDOM and FREE (as in beer, i.e. no cost).<BR><BR>From my point of view, what matters is that the information and source code published under Owasp HAS the FREEDOM to be used by anybody and can be shared and distributed by anybody. The fact that this material is FREE (as in beer, i.e. no cost) is a nice side effect and a good inevitable practicality (since if this material had to be paid for, its FREEDOM would not exist). <BR><BR>Starting to
 <B><SPAN style="FONT-WEIGHT: bold">complain that 1) most Owasp members are 'takers' instead of 'givers' and 2) they are only interested in getting from Owasp things for FREE (as in beer, i.e. no cost), is in my view: </SPAN></B><BR><BR>&nbsp;&nbsp;&nbsp; - <B><SPAN style="FONT-WEIGHT: bold">offensive </SPAN></B>to those Owasp members (among whom I include myself) since they are being called: thieves, opportunistic and selfish<BR>&nbsp;&nbsp;&nbsp; - <B><SPAN style="FONT-WEIGHT: bold">short-sighted</SPAN></B>, since there is much more than meets the eye (things are never black or white)<BR>&nbsp;&nbsp;&nbsp; - <B><SPAN style="FONT-WEIGHT: bold">counter-productive</SPAN></B>, since it is creating unnecessary frictions and bad feelings amongst the community, and <BR>&nbsp;&nbsp;&nbsp; - <B><SPAN style="FONT-WEIGHT: bold">Missing the point</SPAN></B>, since the main discussion point should always be about FREEDOM and not about COST<BR><BR>Going further, from my point of view, <B><SPAN
 style="FONT-WEIGHT: bold">blaming the current lack of participation in Owasp projects on the 'quality' of the current Owasp community</SPAN></B> (which is being labeled as 'takers' and not 'givers')<B><SPAN style="FONT-WEIGHT: bold"> is merely a scapegoat exercise which fails to address the core problems and doesn't allow for the real issue to be dealt with.</SPAN></B><BR><BR>In my view, <B><SPAN style="FONT-WEIGHT: bold">it is not the responsibility and duty of the current Owasp members</SPAN></B> (for example the persons subscribed to the current mailing lists) <B><SPAN style="FONT-WEIGHT: bold">to be active participants and to dedicate enormous amounts of time to those projects.</SPAN></B><BR><BR>In my view, <B><SPAN style="FONT-WEIGHT: bold">IT IS THE SPECIFIC OWASP PROJECT LEADER THAT HAS THE RESPONSIBILITY AND DUTY TO CREATE AN ENVIRONMENT where those project's members </SPAN></B>(and the other Owasp leaders)<B><SPAN style="FONT-WEIGHT: bold"> feel motivated to participate
 and become active members</SPAN></B>. This is not easy and takes quite a lot of work, dedication and patience by those project leaders. <BR><BR>This means that it is the OWASP PROJECT LEADER THAT HAS TO: <BR><BR>&nbsp;&nbsp;&nbsp; - make everybody aware of what is going on<BR>&nbsp;&nbsp;&nbsp; - create simple, relevant and usable mini-tasks which can be executed by the community (it should be possible for somebody that wants to contribute to be able to go to a web page and be given a task which will not take him/her more than 30m to 2h to execute (compare that to the current situation))<BR>&nbsp;&nbsp;&nbsp; - actively market the Owasp project and encourage participation<BR>&nbsp;&nbsp;&nbsp; - manage expectations and ensure that the project's members are motivated and happy<BR>&nbsp;&nbsp;&nbsp; - ensure that all contributions are respectively credited and that people are rewarded for their time and commitment<BR>&nbsp;&nbsp;&nbsp; - create products based on that Project's
 deliverables (white papers, tools, security templates, etc....) which can be sold by Owasp<BR><BR>Due to my past contributions to Owasp and my professional Project manager experience, I believe that I have earned the right to make these grand statements, especially since&nbsp;<B><SPAN style="FONT-WEIGHT: bold"> I consider that I</SPAN></B> (Dinis Cruz, current Owasp leader of the Owasp-dotNet projects) <B><SPAN style="FONT-WEIGHT: bold">am a very BAD LEADER because I was not able to make the current 130 Owasp-DotNet subscribers participate in the current Owasp-dotNet projects</SPAN></B> (I am including myself in the guilty-list). I have also been very bad at replying to contributors (sorry especially to Michael Silk (article) and Kerem Kusmezer (http module)) and should have done much more to help those subscribers to understand how the tools that I have developed and published work and how they can contribute.<BR><BR>One of my objectives for 2005 is to make this community participate
 and 'come to life' (and <B><SPAN style="FONT-WEIGHT: bold">I don't blame them for not participating, I blame myself</SPAN></B>)<BR><BR><B><SPAN style="FONT-WEIGHT: bold">What Owasp needs now are strong, creative and active leaders who will have to continuously prove </SPAN></B>(i.e. every week, every month, every year) <B><SPAN style="FONT-WEIGHT: bold">that they deserve to be Owasp Leaders and that they can be responsible for his/her projects.</SPAN></B><BR><BR>In fact, one of the main reasons why the 'OWASP Foundation' must guarantee and fight for <BR><BR>&nbsp;&nbsp;&nbsp; 1) the FREEDOM of all material produced and <BR>&nbsp;&nbsp;&nbsp; 2) the OPENNESS of its doors (i.e. anybody can join and be (if desired) a non-contributor member)<BR><BR>, is because <B><SPAN style="FONT-WEIGHT: bold">when Leaders stop behaving according to his/her responsibilities</SPAN></B> (for personal or professional reasons) <B><SPAN style="FONT-WEIGHT: bold">his/her replacement
 </SPAN></B>(amicably or not) <B><SPAN style="FONT-WEIGHT: bold">must be a relatively easy and straightforward process </SPAN></B>(following the wishes of that project's community). <BR><BR>As in the Hacker or Open Source community, an <B><SPAN style="FONT-WEIGHT: bold">Owasp Leader can only be an Owasp Leader if the Owasp community accepts and recognizes his/her leadership</SPAN></B> (see the Linus example). <BR><BR>In my view, this model creates a positive and healthy environment where the focus is always on productivity and never (or at least as little as possible) on political games and 'who is the boss' type of argument.<BR><BR><B><SPAN style="FONT-WEIGHT: bold">B) My comments on .... Jeff as an OWASP leader</SPAN></B><BR><BR>Before I go any further let me just say that:<BR><BR>&nbsp;&nbsp;&nbsp; - I don't question Jeff's commitment and belief in Owasp<BR>&nbsp;&nbsp;&nbsp; - I think that Jeff has done a great job with the creation of the Owasp Foundation<BR>&nbsp;&nbsp;&nbsp; -
 I think that Jeff was very brave and courageous when he accepted (from Mark) the role as the main Owasp Leader<BR>&nbsp;&nbsp;&nbsp; - I think that Jeff should continue to have some management roles in Owasp <BR><BR>But <B><SPAN style="FONT-WEIGHT: bold">I DON'T THINK THAT JEFF SHOULD CONTINUE TO BE THE MAIN Owasp Leader,</SPAN></B> since I don't think that Jeff has (based on his actions so far) what I would consider to be the right profile to be the main leader that Owasp needs today.<BR><BR>Although <B><SPAN style="FONT-WEIGHT: bold">Jeff is beyond doubt a very active and productive Owasp member </SPAN></B>(whose technical competence and professionalism is of the highest caliber)<B><SPAN style="FONT-WEIGHT: bold"> I don't think that Jeff</SPAN></B> (to whom I sincerely apologize for such a public criticism)<B><SPAN style="FONT-WEIGHT: bold"> has the energy, vision and 'craziness' required to lead a project like Owasp (as it is today)</SPAN></B>. Maybe it is Jeff's training as a
 lawyer that makes him risk-averse, maybe it is just his personality, and maybe it is just the current phase that Owasp is currently in (<B><SPAN style="FONT-WEIGHT: bold">there is no reason why Jeff's profile is not the most indicated to lead Owasp in one, two or ten years' time</SPAN></B>).<BR><BR><B><SPAN style="FONT-WEIGHT: bold">What Owasp needs now is to have an energetic, dynamic, thought-provoking and inspiring leader who can lead Owasp into being a major player in the Web Application Security World,</SPAN></B> and help it to make the world a 'safer' (and better) place.<BR><BR>From my point of view, <B><SPAN style="FONT-WEIGHT: bold">unless Mark retakes the Job</SPAN></B> (which is not an option at the current moment in time), <B><SPAN style="FONT-WEIGHT: bold">I think that Owasp should </SPAN></B>(in the short term) <B><SPAN style="FONT-WEIGHT: bold">NOT HAVE A MAIN LEADER! </SPAN></B><BR><BR>In the short term, <B><SPAN style="FONT-WEIGHT: bold">Owasp should only
 have operational-leaders</SPAN></B> (or whatever they would be called) <B><SPAN style="FONT-WEIGHT: bold">responsible for specific operational tasks </SPAN></B>(for example dealing with any issues related to: the Owasp Foundation, the Owasp servers, the Owasp PR, the main Owasp website, the Owasp new business development exercises, etc...).<BR><BR>Hopefully the <B><SPAN style="FONT-WEIGHT: bold">crisis created by Mark's departure will create an environment where the new future Owasp Leader will appear, </SPAN></B>and his/her promotion to Owasp leadership is accepted/proposed by the majority of Owasp Leaders and Members.<BR><BR><B><SPAN style="FONT-WEIGHT: bold"><BR>C) My comments on ... the industry's current COLD reaction to OWASP<BR><BR></SPAN></B>Another factor which in my view is not helping the development of Owasp is the fact that <B><SPAN style="FONT-WEIGHT: bold">Owasp is trying to do something that the security industry doesn't want to happen</SPAN></B>. For example:
 <BR><BR>&nbsp;&nbsp;&nbsp; - the development of clear standards to evaluate Web Application Security,<BR>&nbsp;&nbsp;&nbsp; - the Development of Open Source security tools, <BR>&nbsp;&nbsp;&nbsp; - and ultimately addressing the real problems that are creating the current 'insecure Web Application Landscape'<BR><BR>Most Security Companies (not everybody is like this) are making too much money with Security Vulnerabilities to make REAL and ACTIVE efforts in actually solving the problems (since in most cases this would kill their markets). <BR><BR><B><SPAN style="FONT-WEIGHT: bold">The reality is that the ones that have most to benefit from Owasp, are the current 'Security products/services buyers' </SPAN></B>because these are the ones that are currently buying overpriced and incomplete products/solutions. <B><SPAN style="FONT-WEIGHT: bold">The problem is that these 'entities'</SPAN></B> (Companies, Government Organizations, NGOs, persons) <B><SPAN style="FONT-WEIGHT: bold">need to
 have something to buy</SPAN></B> (which OWASP currently doesn't have) <B><SPAN style="FONT-WEIGHT: bold">and are used to</SPAN></B> (and demand/expect) <B><SPAN style="FONT-WEIGHT: bold">a credible, professional and reliable service</SPAN></B>.<BR><BR>In my view, Owasp should stop trying to please (and not offend) the Security Industry players and the Software Companies (from Microsoft downwards) and should focus on these entities (companies, governments, persons, etc...) which have most to benefit from Owasp work.<BR><BR><B><SPAN style="FONT-WEIGHT: bold">The current Owasp successes</SPAN></B> (like the widespread usage of the Top 10) <B><SPAN style="FONT-WEIGHT: bold">must be built upon and nurtured, since current Owasp Market credibility and perceived independence is one of Owasp's biggest assets.</SPAN></B><BR><BR><B><SPAN style="FONT-WEIGHT: bold"><BR>D) My comments on ... 'the Microsoft response'</SPAN></B><BR><BR>I also find fascinating the fact that <B><SPAN
 style="FONT-WEIGHT: bold">the current Owasp-dotNet leader</SPAN></B> (i.e. me)<B><SPAN style="FONT-WEIGHT: bold"> has not been contacted by anybody from the Microsoft Asp.Net team regarding the Owasp-DotNet tools currently published</SPAN></B>:<BR><BR>&nbsp;&nbsp;&nbsp; - Asp.Net Security Analyzer (ANSA)<BR>&nbsp;&nbsp;&nbsp; - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)<BR>&nbsp;&nbsp;&nbsp; - Asp.Net Reflector<BR>&nbsp;&nbsp;&nbsp; - Online Metabase explorer<BR><BR><B><SPAN style="FONT-WEIGHT: bold">The only logical explanation </SPAN></B>that I have for this situation (since these tools DO actually work and have helped hundreds of companies to improve their Asp.Net hosting environments) <B><SPAN style="FONT-WEIGHT: bold">is that Microsoft doesn't want to 'endorse' these tools because all of them show how insecure and dangerous the current Full Trust Asp.Net environment is</SPAN></B>.<BR><BR>Microsoft's position speaks volumes about the current state of the
 industry, since they (and their clients) would benefit tremendously from a vibrant development community continuously developing and improving these tools. The reason why Microsoft's (lack of) response is important,&nbsp; is because Microsoft is currently one of the most active and responsive companies to security issues and&nbsp; shows how low the current level is :-(. <BR><BR>For as much as I (Dinis Cruz): <BR><BR>&nbsp;&nbsp;&nbsp; 1) criticize Microsoft (publicly and privately), <BR>&nbsp;&nbsp;&nbsp; 2) think that they are not doing enough, and <BR>&nbsp;&nbsp;&nbsp; 3) say that they are making a massive mistake with their current lack of acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities;<BR><BR>, based on my professional experience, I still think that <B><SPAN style="FONT-WEIGHT: bold">Microsoft DOES TAKE Security much more Seriously than most other Software companies out there</SPAN></B> (which again shows how we are still very far away from starting to
 tackle the real security problems and vulnerabilities that exist in today's Web Applications).<BR><B><SPAN style="FONT-WEIGHT: bold"><BR>E) My comments on ... making Money with Owasp<BR><BR></SPAN></B>Before I get accused of being an idealist or a crazy-open-source-guy who lives on 'planet fantasy', I would like to state that I fully understand that Money and Financial reward is a major element in our current society and way of life. I am not anti-corporations, anti-capitalism or anti-making money.<BR><BR>We all need money to live, and the best model in life is when you manage to get paid to do something that you would do for free (i.e. not charge for it)<BR><BR>I have to say that lately I have been very privileged to be in that position where most projects that I worked on were projects that I would gladly do for free (if I could financially afford it). And what is very relevant to Owasp, is the fact that a <B><SPAN style="FONT-WEIGHT: bold">substantial percentage of my
 income for the past 6 months originated in projects directly related to my participation and contributions to Owasp</SPAN></B>.<BR><BR>Which means that I have to personally thank Owasp for the exposure that I received as the leader of the Owasp-DotNet projects. So here it is: <B><SPAN style="FONT-WEIGHT: bold">Thank you Owasp</SPAN></B><BR><BR>In some ways I am a good success-story of how <B><SPAN style="FONT-WEIGHT: bold">Owasp can directly and indirectly provide a good financial and professional reward to active and participative members.</SPAN></B><BR><BR>I also would like to point out that given the current skill shortage in certain areas of Web Security (for example Asp.Net Security), <B><SPAN style="FONT-WEIGHT: bold">Owasp has the opportunity to become a 'recruitment center' for highly-skilled, reliable and effective developers</SPAN></B> (since all that the employers would need to do is to look at the prospective employee's participation and contribution record)<B><SPAN
 style="FONT-WEIGHT: bold"><BR></SPAN></B><BR><B><SPAN style="FONT-WEIGHT: bold">F) My comments on ... the fact that most Owasp projects have no participation from the community<BR><BR></SPAN></B>In my view there are several <B><SPAN style="FONT-WEIGHT: bold">reasons why most Owasp Projects don't have more than 2 to 5 active participants</SPAN></B>:<BR><BR>&nbsp;&nbsp;&nbsp; 1) <B><SPAN style="FONT-WEIGHT: bold">lack of time: </SPAN></B>Most good and knowledgeable members are currently very busy and have very little time to dedicate to personal projects<BR><BR>&nbsp;&nbsp;&nbsp; 2) <B><SPAN style="FONT-WEIGHT: bold">the current '2h to start being productive' paradigm</SPAN></B>: which means that if I (for example) want to participate in a project, I will need to dedicate at least 2 hours to the project in order to start being productive (sometimes even for simple things like adding content to the new website!). <B><SPAN style="FONT-WEIGHT: bold">What we need is the</SPAN></B>
 <B><SPAN style="FONT-WEIGHT: bold">'30m to start being productive' paradigm </SPAN></B>or even better the '10m to start being productive' paradigm (which, when functional, actually creates an environment where participants regularly spend 2 hours or more on the project). Let me give a musical analogy (for the ones that don't know, I am also a part-time professional drummer): If you want to practice a musical instrument on a regular basis (for example every day), you must create an environment where there is almost no effort required to start practicing (i.e. there should be no set-up time and one should be able to start practicing 5m after deciding one wants to practice a little bit). This means that your musical instrument and practice environment must always be set-up (e.g. drums) or plugged-in (e.g. guitar) since that will allow for spontaneous practice sessions (which usually are the most productive) when the musician thinks 'I am just going to play for 10m - 15m' (which
 usually gets 'extended' into 1h to 2h sessions :) ). This creates an environment where it is easy to practice and in the musician's mind, practicing is not associated with spending 30m to set-up the practice environment.<BR><BR>&nbsp;&nbsp;&nbsp; 3) <B><SPAN style="FONT-WEIGHT: bold">Most Owasp projects don't have clear 'this is what you can do to participate' instructions</SPAN></B> and require quite a lot of work and effort by the would-be contributors and participants<BR><BR>&nbsp;&nbsp;&nbsp; 4) <B><SPAN style="FONT-WEIGHT: bold">Owasp membership is not big enough </SPAN></B>where there are enough people with an 'itch' (i.e. problem or requirement) similar to the project leader's 'itch', which will make them go one step further and spend the time, effort and dedication required to become an active participant and member<BR><BR>&nbsp;&nbsp;&nbsp; 5) <B><SPAN style="FONT-WEIGHT: bold">Most projects are very dependent on the availability and energy-level of the project
 leader</SPAN></B> (which usually is also its author / creator). Hopefully we will soon reach a critical mass point (the 10,000 member mark?) where the community surrounding a project is vibrant enough to compensate for the regular MIA (Missing in Action) periods<BR><BR>&nbsp;&nbsp;&nbsp; 6) and probably the most important one. <B><SPAN style="FONT-WEIGHT: bold">Collaborating in an Open Source project is VERY HARD</SPAN></B>. Sometimes I feel an urge to hit persons who make FUD claims such as 'Open Source projects are created by a network of Kids and clueless programmers' (note that I am a non-violent person and very rarely get angry). Sending a comment like "humm, i clicked on this button and the application crashed" is very easy and anybody can do it, sending a comment like "I installed the application and I had a problem with XYZ function which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it which solved the problem" or "I've read this 50 page document and here
 are my comments" is:<BR><BR>&nbsp;&nbsp;&nbsp; - VERY HARD TO DO (since one is reading others' code or words)<BR>&nbsp;&nbsp;&nbsp; - REQUIRES A DEEP UNDERSTANDING OF THAT PARTICULAR TECHNOLOGY OR SUBJECT MATTER<BR>&nbsp;&nbsp;&nbsp; - TAKES A LOT OF TIME, <BR>&nbsp;&nbsp;&nbsp; - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a criticism of someone else's work)<BR>&nbsp;&nbsp;&nbsp; - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. "...I think that this is a better way to do it...") which is always a hard thing to do<BR>&nbsp;&nbsp;&nbsp; - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST BEHAVIOR IN DEALING WITH CONTRIBUTIONS <BR><BR>So, don't tell me that it is kids that make up the main body of contributions of successful Open Source projects. Most successful Open Source projects have as their main contributors highly intelligent, competent, dedicated and creative IT Professionals. <BR><BR><B><SPAN style="FONT-WEIGHT: bold"><BR>G) My
 comments on ... Why I haven't participated in other Owasp Projects<BR><BR></SPAN></B>Following my previous points, I can now speak in the first person and say that<B><SPAN style="FONT-WEIGHT: bold"> I am as guilty as anybody else for not participating in other Owasp projects. <BR></SPAN></B><BR>I am particularly ashamed of not having contributed to the WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test guide, since I have used them professionally.<BR><BR>And the <B><SPAN style="FONT-WEIGHT: bold">reasons that I have for not participating are:</SPAN></B><BR><BR>&nbsp;&nbsp;&nbsp; -&nbsp; <B><SPAN style="FONT-WEIGHT: bold">I didn't have</SPAN></B> the required <B><SPAN style="FONT-WEIGHT: bold">time </SPAN></B>to put myself in a position where I was able to send meaningful contributions <BR>&nbsp;&nbsp;&nbsp; - Those<B><SPAN style="FONT-WEIGHT: bold"> project leaders didn't put any pressure on me to participate and didn't actively encourage it</SPAN></B> (when one
 is working on several projects at the same time, unfortunately the projects that don't make any noise and are not critical tend to live permanently on the 'to-do-list-when-I-have-2-free-hours' pile)<BR>&nbsp;&nbsp;&nbsp; - There is almost <B><SPAN style="FONT-WEIGHT: bold">no documentation to help</SPAN></B>&nbsp; (although I do admit that I didn't make a huge effort to find it)<BR>&nbsp;&nbsp;&nbsp; - I <B><SPAN style="FONT-WEIGHT: bold">didn't need professionally an improved version of those tools/documents</SPAN></B> (i.e. I didn't have the 'itch' that those projects are scratching)<BR><BR><B><SPAN style="FONT-WEIGHT: bold">To start contributing to these projects I needed to be given simple, quick and meaningful</SPAN></B> (i.e. could be used in the actual project) <B><SPAN style="FONT-WEIGHT: bold">tasks </SPAN></B>(the '30m task' paradigm) and I have to be 'sold' on the idea of why I should participate. <BR><BR>I must be in a position where I am proud to participate and must
 subconsciously feel that my efforts will be appreciated.<BR><BR>I am assuming that If motivated and focused I&nbsp; would produce material of high quality and that the project leader would find valuable (although anybody should be able to join an Owasp project, the Owasp leader has no duty to spend any time motivating and nurturing people who don't have the appropriate skills, knowledge, attitude or commitment)<BR><BR>And this is the bottom line:<B><SPAN style="FONT-WEIGHT: bold"> it is the leaders of these projects </SPAN></B>(WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list)<B><SPAN style="FONT-WEIGHT: bold"> that have the responsibility and duty to motivate me to participate</SPAN></B>, and if they don't want to do it (since that is hard and takes time), then they should <BR>&nbsp;&nbsp;&nbsp; 1) step down (from leaders), <BR>&nbsp;&nbsp;&nbsp; 2) become 'normal' project members, <BR>&nbsp;&nbsp;&nbsp; 3) continue to submit their contributions&nbsp;
 and <BR>&nbsp;&nbsp;&nbsp; 4) give (i.e. assign) the leadership to another Owasp member that is willing to do it.<BR><BR>Now, <B><SPAN style="FONT-WEIGHT: bold">does my lack of participation on these projects make me a 'taker'? </SPAN></B>Somebody that is 'exploiting' the work of the talented and dedicated persons who worked on these projects? <B><SPAN style="FONT-WEIGHT: bold">Do I deserve</SPAN></B> (due to my lack of participation) <B><SPAN style="FONT-WEIGHT: bold">to be kicked out of the current mailing lists and not be a member of those projects?<BR><BR>H) My comments on ... Mark's influence on Owasp<BR><BR></SPAN></B>I can honestly say that Mark is the main reason why I am in OWASP today. <BR><BR>It was his energy, principles and commitment to Openness (i.e. Open Source) that made me join this community, donate my Asp.Net work and lead the Owasp-dotNet efforts.<BR><BR>Mark has also been a very good influence on me since we share the same ideals and it is always very refreshing
 when one meets other like-minded individuals.<BR><BR>Mark's departure also makes me think that I should have done more to help Owasp in 2004 and puts me in a position where I am guilty and partly responsible for his decision. <B><SPAN style="FONT-WEIGHT: bold">The main reason I am writing this 'Open Letter to Owasp' is so that Mark's departure is not in vain and Owasp is able to learn from its mistakes and change the current environment which caused one of Owasp's most important members to quit.</SPAN></B><BR><BR>Knowing how much Mark loves Owasp I can't even imagine how hard it must have been for him to take this decision. <BR><BR><B><SPAN style="FONT-WEIGHT: bold">I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and is well received by the other Owasp Leaders and Members. </SPAN></B><BR><BR>Do send me your comments and criticisms, and if you think that I am out of order, or what I am saying is stupid and doesn't make sense, please do let me know. <BR><BR>I also
need to be happy in this community and if my ideas and ideals are not welcomed at Owasp, then I will have to (with a heavy heart) also quit and find (or create) another Community.

I) My comments on ... how Owasp can make money:

Just before I get into practical solutions (because one cannot only talk, one must also present solutions), here are some ideas of where Owasp can make money:

    - Owasp Project sponsorships or Research Grants
    - Owasp Consultancy
    - Owasp Accreditations
    - Owasp Official Curriculum
    - Owasp Books and White papers
    - Owasp Products (based on the developed tools)
    - Owasp Fund-raising Events (Dinners, Presentations)
    - Owasp Conferences

And what could this money be used for?

In my view it should be used to pay for:

    - Owasp Administrative services
    - Developers' time spent on specific (or sponsored) Owasp Projects
    - Creation of Documentation
    - Packaging of Owasp Products
    - Marketing and PR
    - Sales
    - Support for Owasp's products or services

J) Ideas for the Future:

Finally, here are some ideas which hopefully will point Owasp in the right direction:

    - In the short term, there should be no main OWASP Leader, since this position (which in my eyes currently still belongs to Mark) must be earned, not given. This means that the next Owasp leader should be chosen by Owasp's Leaders with full support from Owasp's community.

    - Jeff should continue to have several responsibilities within Owasp management, but current Owasp leaders should be able to say "I would like to take responsibility for 'XYZ' task".

    - The current Owasp leaders should do what I recommended earlier and actively encourage their communities to participate in their project.

    - The current Owasp leaders should also make an effort to participate in each other's projects.

    - A series of 30m tasks should be defined for each project, which will allow the Owasp members to easily contribute and participate.

    - In the short term, Owasp must have a CMS (Content Management System) solution which allows authorized members to QUICKLY (in minutes) and EASILY (not too many clicks) add content to the LIVE SERVER hosting the main Owasp and individual projects' websites. I don't care if this is done with the current Magnolia solution, with b-sec's CMS (support.binaryvision.com.au), a very expensive donated CMS (http://www.tomoye.com/), with FrontPage, with Dreamweaver or with NOTEPAD!!!! What I want is something that doesn't get in the way, so that I can get my content uploaded and published to the Owasp website in 10m. And (please don't kill me for this), in the beginning I don't really care about how secure this system is. The first objective is to create a dynamic, vibrant and very active community. If we get maliciously hacked, then so be it!!! Note that I am not saying that Owasp should not have (and be able to provide as a template) a secure hosting environment. Just to
avoid confusion let me say it again: "I do think that Owasp should host its online content in a locked-down environment which is as secure as possible". What I am trying to say is that the current priority should be on creating vibrant communities (which could, as one of their projects, build a tool to create and configure secure hosting environments).

    - There must be total clarity of Owasp finances and financial operations. The current lack of transparency is not healthy and doesn't promote contributions. I know that there are some short-term credibility issues with the current low turnover, but I strongly believe that the advantages of full openness are far bigger than the disadvantages.

    - Once the current Owasp finances are published, a short-term investment plan should be created which defines what Owasp wants to do, how much money it requires, and where that money is going to come from (for example I can (through my UK company) make some financial contributions to OWASP).

    - A series of 'Owasp Products' should be created (based on the current Owasp projects) and sold online.

    - Owasp should take a much more aggressive position in the Industry and start making its Voice heard. And if this creates controversy, then so be it (the open letter sent last month was a good start). From my point of view, the moment Owasp starts to be attacked by 'respected' security companies and organizations is the moment that Owasp is starting to do its job right and is starting to change the world.

    - A formal Owasp Leader recognition process should be created which publicly recognizes current Owasp Leaders and the most active Project contributors (since this will help those persons' careers and will encourage others to become leaders themselves).

    - A formal 'Thank you' letter should be sent to Mark (signed by as many members as possible) as a gesture of gratitude for what he has done for Owasp.

    - A meeting should take place to discuss these (and other) ideas.

I hope that this made sense and if you made it this far, thanks for your patience in reading this long, rambling 'Open Letter to Owasp', which is entirely my own responsibility.

I'm looking forward to your comments.

Best regards

Dinis Cruz

PS: My apologies in advance for my spelling and grammatical errors; I am not a native English speaker and I currently live in the UK (which might make some of my analogies and words sound a bit weird to the US readers).
</P></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV>




More information about the Owasp-guide mailing list