No subject


Wed Nov 1 13:33:20 EST 2006


at the current moment in time), I think that Owasp should (in the short
term) NOT HAVE A MAIN LEADER!

In the short term, Owasp should only have operational-leaders (or whatever
they would be called) responsible for specific operational tasks (for
example dealing with any issues related to: the Owasp Foundation, the Owasp
servers, the Owasp PR, the main Owasp website, the Owasp new business
development exercises, etc...).

Hopefully the crisis created by Mark's departure will create an environment
where the new future Owasp Leader will appear, and his/her promotion to
Owasp leadership is accepted/proposed by the majority of Owasp Leaders and
Members.


C) My comments on ... the industry current COLD reaction to OWASP

Another factor which in my view is not helping the development of Owasp is
the fact that Owasp is trying to do something that the security industry
doesn't want to happen. For example: 

    - the development of clear standards to evaluate Web Application
Security,
    - the Development of Open Source security tools, 
    - and ultimately addressing the real problems that are creating the
current 'insecure Web Application Landscape'

Most Security Companies (not everybody is like this) are making too much
money with Security Vulnerabilities to make REAL and ACTIVE efforts in
actually solving the problems (since in most cases this would kill their
markets). 

The reality is that the ones that have most to benefit from Owasp are the
current 'Security products/services buyers', because these are the ones that
are currently buying overpriced and incomplete products/solutions. The
problem is that these 'entities' (Companies, Government Organizations, NGOs,
persons) need to have something to buy (which OWASP currently doesn't have)
and are used to (and demand/expect) a credible, professional and reliable
service.

In my view, Owasp should stop trying to please (and not offend) the Security
Industry players and the Software Companies (from Microsoft downwards) and
should focus on these entities (companies, governments, persons, etc...)
which have most to benefit from Owasp work.

The current Owasp successes (like the widespread usage of the Top 10) must
be built upon and nurtured, since current Owasp market credibility and
perceived independence is one of Owasp's biggest assets.


D) My comments on ... 'the Microsoft response'

I also find fascinating the fact that the current Owasp-dotNet leader (i.e.
me) has not been contacted by anybody from the Microsoft Asp.Net team
regarding the Owasp-DotNet tools currently published:

    - Asp.Net Security Analyzer (ANSA)
    - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
    - Asp.Net Reflector
    - Online Metabase explorer

The only logical explanation that I have for this situation (since these tools
DO actually work and have helped hundreds of companies to improve their
Asp.Net hosting environments) is that Microsoft doesn't want to 'endorse'
these tools because all of them show how insecure and dangerous the current
Full Trust Asp.Net environment is.

Microsoft's position speaks volumes about the current state of the industry,
since they (and their clients) would benefit tremendously from a vibrant
development community continuously developing and improving these tools. The
reason why Microsoft's (lack of) response is important is because
Microsoft is currently one of the most active and responsive companies to
security issues, and this shows how low the current level is :-(.

For as much as I (Dinis Cruz):

    1) criticize Microsoft (publicly and privately),
    2) think that they are not doing enough, and
    3) say that they are making a massive mistake with their current lack of
acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities,

based on my professional experience I still think that Microsoft DOES
TAKE Security much more Seriously than most other Software companies out
there (which again shows how we are still very far away from starting to
tackle the real security problems and vulnerabilities that exist in today's
Web Applications).

E) My comments on ... making Money with Owasp

Before I get accused of being an idealist or a crazy open-source guy who
lives on 'planet fantasy', I would like to state that I fully understand
that money and financial reward are a major element in our current society
and way of life. I am not anti-corporations, anti-capitalism or anti-making
money.

We all need money to live, and the best model in life is when you manage to
get paid to do something that you would do for free (i.e. not charge for
it).

I have to say that lately I have been very privileged to be in that position,
where most projects that I worked on were projects that I would gladly do for
free (if I could financially afford it). And what is very relevant to Owasp
is the fact that a substantial percentage of my income for the past 6 months
originated in projects directly related to my participation and
contributions to Owasp.

Which means that I have to personally thank Owasp for the exposure that I
received as the leader of the Owasp-DotNet projects. So here it is: Thank
you Owasp.

In some ways I am a good success-story of how Owasp can directly and
indirectly provide a good financial and professional reward to active and
participative members.

I also would like to point out that, given the current skill shortage in certain
areas of Web Security (for example Asp.Net Security), Owasp has the
opportunity to become a 'recruitment center' for high-skilled, reliable and
effective developers (since all that the employers would need to do is to
look at the prospective employee's participation and contribution record).

F) My comments on ... the fact that most Owasp projects have no
participation from the community

In my view there are several reasons why most Owasp Projects don't have more
than 2 to 5 active participants:

    1) lack of time: Most good and knowledgeable members are currently very
busy and have very little time to dedicate to personal projects

    2) the current '2h to start being productive' paradigm: which means that
if I (for example) want to participate in a project, I will need to dedicate
at least 2 hours to the project in order to start being productive
(sometimes even for simple things like adding content to the new website!).
What we need is the '30m to start being productive' paradigm or even better
the '10m to start being productive' paradigm (which, when functional,
actually creates an environment where participants regularly spend 2 hours or
more on the project). Let me give a musical analogy (for the ones that don't
know, I am also a part-time professional drummer): If you want to practice a
musical instrument on a regular basis (for example every day), you must create
an environment where there is almost no effort required to start
practicing (i.e. there should be no set-up time and one should be able to
start practicing 5m after deciding one wants to practice a little bit). This
means that your musical instrument and practice environment must always be
set up (e.g. drums) or plugged in (e.g. guitar), since that will allow for
spontaneous practice sessions (which usually are the most productive) when
the musician thinks 'I am just going to play for 10m - 15m' (which usually
gets 'extended' into 1h to 2h sessions :) ). This creates an environment
where it is easy to practice and, in the musician's mind, practicing is not
associated with spending 30m to set up the practice environment.

    3) Most Owasp projects don't have clear 'this is what you can do to
participate' instructions and require quite a lot of work and effort by the
would-be contributors and participants.

    4) Owasp's membership is not big enough for there to be enough people
with an 'itch' (i.e. problem or requirement) similar to the project leader's
'itch', which would make them go one step further and spend the time, effort
and dedication required to become an active participant and member.

    5) Most projects are very dependent on the availability and energy level
of the project leader (who usually is also its author / creator).
Hopefully we will soon reach a critical mass point (the 10,000 member mark?)
where the community surrounding a project is vibrant enough to compensate
for the regular MIA (Missing in Action) periods.

    6) and probably the most important one: Collaborating in an Open Source
project is VERY HARD. Sometimes I feel an urge to hit persons who make FUD
claims such as 'Open Source projects are created by a network of Kids and
clueless programmers' (note that I am a non-violent person and very rarely
get angry). Sending a comment like "humm, I clicked on this button and the
application crashed" is very easy and anybody can do it; sending a comment
like "I installed the application and I had a problem with XYZ function
which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it
which solved the problem" or "I've read this 50 page document and here are
my comments" is:

    - VERY HARD TO DO (since one is reading other's code or words)
    - REQUIRES A DEEP UNDERSTANDING OF THAT PARTICULAR TECHNOLOGY OR SUBJECT
MATTER
    - TAKES A LOT OF TIME, 
    - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a
criticism of someone else's work)
    - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. "...I think that this
is a better way to do it...") which is always a hard thing to do
    - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST
BEHAVIOR IN DEALING WITH CONTRIBUTIONS

So, don't tell me that it is kids that make up the main body of
contributions of successful Open Source projects. Most successful Open
Source projects have as their main contributors highly intelligent,
competent, dedicated and creative IT Professionals.


G) My comments on ... Why I haven't participated in other Owasp Projects

Following my previous points, I can now speak in the first person and say
that I am as guilty as anybody else for not participating in other Owasp
projects.

I am particularly ashamed of not having contributed to the WebGoat,
WebScarab, Owasp Top 10, Testing Guide and the Penetration Test guide, since
I have used them professionally.

And the reasons that I have for not participating are:

    - I didn't have the required time to put myself in a position where I
was able to send meaningful contributions
    - Those project leaders didn't put any pressure on me to participate and
didn't actively encourage it (when one is working on several projects at the
same time, unfortunately the projects that don't make any noise and are not
critical tend to live permanently on the
'to-do-list-when-I-have-2-free-hours' pile)
    - There is almost no documentation to help (although I do admit that I
didn't make a huge effort to find it)
    - I didn't professionally need an improved version of those
tools/documents (i.e. I didn't have the 'itch' that those projects are
scratching)

To start contributing to these projects I needed to be given simple, quick
and meaningful (i.e. could be used in the actual project) tasks (the '30m
task' paradigm) and I had to be 'sold' on the idea of why I should
participate.

I must be in a position where I am proud to participate and must
subconsciously feel that my efforts will be appreciated.

I am assuming that, if motivated and focused, I would produce material of
high quality that the project leader would find valuable (although
anybody should be able to join an Owasp project, the Owasp leader has no
duty to spend any time motivating and nurturing people who don't have the
appropriate skills, knowledge, attitude or commitment).

And this is the bottom line: it is the leaders of these projects (WebGoat,
WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list) that
have the responsibility and duty to motivate me to participate, and if they
don't want to do it (since that is hard and takes time), then they should:
    1) step down (as leaders),
    2) become 'normal' project members,
    3) continue to submit their contributions, and
    4) give (i.e. assign) the leadership to another Owasp member that is
willing to do it.

Now, does my lack of participation in these projects make me a 'taker'?
Somebody that is 'exploiting' the work of the talented and dedicated persons
who worked on these projects? Do I deserve (due to my lack of participation)
to be kicked out of the current mailing lists and not be a member of those
projects?

H) My comments on ... Mark's influence on Owasp

I can honestly say that Mark is the main reason why I am in OWASP today. 

It was his energy, principles and commitment to Openness (i.e. Open Source)
that made me join this community, donate my Asp.Net work and lead the
Owasp-dotNet efforts.

Mark has also been a very good influence on me, since we share the same
ideals and it is always very refreshing when one meets other like-minded
individuals.

Mark's departure also makes me think that I should have done more to help
Owasp in 2004 and puts me in a position where I am guilty and partly
responsible for his decision. The main reason I am writing this 'Open Letter
to Owasp' is so that Mark's departure is not in vain and Owasp is able to
learn from its mistakes and change the current environment which caused one
of Owasp's most important members to quit.

Knowing how much Mark loves Owasp, I can't even imagine how hard it must have
been for him to take this decision.

I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and
is well received by the other Owasp Leaders and Members. 

Do send me your comments and criticisms, and if you think that I am out of
order, or what I am saying is stupid and doesn't make sense, please do let
me know. 

I also need to be happy in this community, and if my ideas and ideals are not
welcomed at Owasp, then I will have to (with a heavy heart) also quit and
find (or create) another Community.

I) My comments on ... how Owasp can make money:

Just before I get into practical solutions (because one cannot only talk,
one must also present solutions), here are some ideas of where Owasp can
make money:

 - Owasp Project sponsorships or Research Grants 
 - Owasp Consultancy 
 - Owasp Accreditations 
 - Owasp Official Curriculum
 - Owasp Books and White papers
 - Owasp Products (based on the developed tools)
 - Owasp Fund raising Events (Dinners, Presentations)
 - Owasp Conferences

And what could this money be used for? 

In my view it should be used to pay for:

    - Owasp Administrative services 
    - Developer's time spent on specific (or sponsored) Owasp Projects
    - Creation of Documentation
    - Packaging of Owasp Products 
    - Marketing and PR
    - Sales
    - Support to Owasp's product or services 


J) Ideas for the Future:

Finally, here are some ideas which hopefully will point Owasp in the right
direction:

     - In the short term, there should be no main OWASP Leader, since this
position (which in my eyes currently still belongs to Mark) must be earned,
not given. This means that the next Owasp leader should be chosen by
Owasp's Leaders with full support from Owasp's community.

    - Jeff should continue to have several responsibilities within Owasp
management, but current Owasp leaders should be able to say "I would like to
take responsibility for 'XYZ' task" 

     - The current Owasp leaders should do what I recommended earlier and
actively encourage their communities to participate in their project.

     - The current Owasp leaders should also make an effort to participate
in each other's projects.

    - A series of 30m tasks should be defined for each project, which will
allow the Owasp members to easily contribute and participate.

    - In the short term, Owasp must have a CMS (Content Management System)
solution which allows authorized members to QUICKLY (in minutes) and EASILY
(not too many clicks) add content to the LIVE SERVER hosting the main Owasp
and individual project's websites. I don't care if this is done with the
current Magnolia solution, with b-sec's CMS (support.binaryvision.com.au), a
very Expensive donated CMS (www.tomoye.com), with
FrontPage, with Dreamweaver or with NOTEPAD!!!! What I want is something
that doesn't get in the way, so that I can get my content uploaded and published
to the Owasp website in 10m. And (please don't kill me for this), in the
beginning I don't really care about how secure this system is. The first
objective is to create a dynamic, vibrant and very active community. If we
get maliciously hacked, then so be it!!! Note that I am not saying that
Owasp should not have (and be able to provide as a template) a secure
hosting environment. Just to avoid confusion let me say it again: "I do
think that Owasp should host its online content in a locked-down
environment which is as secure as possible". What I am trying to say is that
the current priority should be creating vibrant communities (which could,
as one of their projects, build a tool to create and configure secure hosting
environments).

    - There must be total clarity of Owasp finances and financial
operations. The current lack of transparency is not healthy and doesn't
promote contributions. I know that there are some short-term credibility
issues with the current low-turnover but I strongly believe that the
advantages of full openness are far bigger than the disadvantages.

    - Once the current Owasp finances are published, a short term investment
plan should be created which defines what Owasp wants to do, how much money
it requires, and where that money is going to come from (for example I can
(through my UK company) make some financial contributions to OWASP).

    - A series of 'Owasp Products' should be created (based on the current
Owasp projects) and sold online

    - Owasp should take a much more aggressive position in the Industry and
start making its Voice heard. And if this creates controversy, then so be it
(the open letter sent last month was a good start). From my point of view,
the moment Owasp starts to be attacked by 'respected' security companies and
organizations is the moment that Owasp is starting to do its job right and
is starting to change the world.
   
    - A formal Owasp Leader recognition process should be created which
publicly recognizes current Owasp Leaders and the most active Project
contributors (since this will help those persons' careers and will encourage
others to become leaders themselves).

    - A formal 'Thank you' letter should be sent to Mark (signed by as many
members as possible) as a gesture of gratitude for what he has done for
Owasp

    - A meeting should take place to discuss this (and other) ideas.

I hope that this made sense and, if you made it this far, thanks for your
patience in reading this long, rambling 'Open Letter to Owasp', for which I
take full responsibility.

I'm looking forward to your comments.

Best regards

Dinis Cruz

PS: My apologies in advance for my spelling and grammatical errors. I am not
a native English speaker and I currently live in the UK (which might make
some of my analogies and words sound a bit weird to the US readers).





Dinis,

Your impassioned open letter is much needed and, hopefully, not too late. I support at least a large part of your thoughts on this subject and am keen to see progress made in much the way you advocate. However, a few observations from my personal POV:

1. I would suggest that the success of Open Source projects is directly related to the nature and motivation of the community they serve. Linux succeeded in large part due to the fact that such a "product" was immensely useful to its participants, who in large part were geeks who wanted to roll their own "better" *NIX system. More than intellectually challenging, it provided a product that many individuals could use. However, looking at the OWASP community, I would suggest that the population is more oriented to Enterprises (like my company) and Software Shops. This immediately places a different slant on participants' motivations.

2. I don't profess to speak for anyone but myself here, but my openly selfish objectives are two-fold: (a) align my company's efforts with emerging de facto standards and (b) gain leverage for my seven-figure budget in application security. My preference is to do that with an "open" standard and not with a vendor, and if I can collaborate with my peers in other organizations, that's even better. However, by the same token, I do not want to squander my hard-won budget on projects that do not deliver within the timeframe I need. Right now, I find it difficult to contribute unless I know that the efforts will bear fruit within reasonable time and that is a basic project management issue: project sponsorship and commitment. I am willing to contribute cash, hosted CMS systems and active staff participation, but I owe it to my company and its shareholders that this contribution achieves results. In short, I need guarantees that OWASP will be a force multiplier to my efforts. If you want to take OWASP out of academia and a pure hobbyists' realm, my suggestion is that OWASP needs to recognize these commercial needs.

3. This appears to me a classic project management issue: most projects fail when there is limited "skin in the game" (read "money") and when project accountability is weak. My advocacy of a strong governance structure is targeted at exactly this issue. Membership funding focuses the mind.

4. Strong management, well funded, but who are held accountable for deliverables, is one way to approach this. This is the model the FS-ISAC uses and I suggest we need a similar model. That OWASP was born and survived so long is, in my mind, testimony to Mark's inspirational qualities, but it is not a scalable architecture. True governance is needed to deflect some of my dollars to the project.

5. I believe that the best part of the Open Source model – widespread contributions by motivated individuals and academia, as well as peer review – need not be lost, so long as there is recognition that the main audience for the products is large organizations. One approach may be a paid membership, with fellowship status being awarded to individuals that have made significant contributions.

I welcome your challenge, but as with so many undertakings like this, critical mass is needed. I will continue to fund my own projects in this area and will make good on my promise to contribute these artifacts when done, but this will be done unilaterally until such time that enough of my peers and colleagues in other organizations recognize the opportunity we have to work more effectively under a new, revitalized OWASP organization.

Denis Verdon, Senior Vice President & Head of CISG
FNF - Corporate Information Security Group
Email: denis.verdon at fnf.com
Web: http://www.fnf.com

-----------------------------------------------------------------------

From: Dinis Cruz [mailto:dinis at ddplus.net]
Sent: Monday, December 27, 2004 8:09 AM
To: owasp-leaders at lists.sourceforge.net
Cc: Mark Curphey; owasp-dotnet at lists.sourceforge.net; owasp-guide at lists.sourceforge.net; owasp-testing at lists.sourceforge.net; owasp-chapters at lists.sourceforge.net; owasp-advisors at lists.sourcforge.net; owasp-metrics-request at lists.sourceforge.net; ingo at ingostruck.de; alex at netwindows.org; dendler at tippingpoint.com; jermey at poteet.com; admin at mokshafaced.com; david.raphael at ceterum.net; stanguzik at yahoo.com; jeff.williams at owasp.org
Subject: An Open Letter to Owasp

Owasp is in a Crisis!

Mark's departure (who was one of the original Owasp members and one of the most active and energetic participants) must make us all reflect hard on his reasons for departure. Hopefully, this crisis will also create an environment where the necessary changes are made to Owasp's world which:
    a) prevents the departure of other key players and
    b) substantially change Owasp's behavior so that Mark (and others) will want to (re)join, participate and collaborate.

As an Owasp member myself, and knowing (hoping?) that Owasp continues to be a big part of my professional life, I would like to propose a series of measures and suggestions for its future. These ideas are included at the end of this 'Open Letter to Owasp', but firstly I would like to give my personal opinion on several issues which I think are very relevant to the current Owasp environment/situation.

A) My comments on .... "Owasp's vs Open Source"

Sorry if I am offending somebody, but I think that at the moment, in the Owasp community, there are some expectations of what Open Source should deliver which are not based on WHAT CAN happen but on what people WOULD LIKE to happen.

I feel that several Owasp members (including Mark) are misinterpreting the concepts of FREEDOM and FREE (as in beer, i.e. no cost).

More information about the Owasp-guide mailing list