No subject

Wed Nov 1 13:33:20 EST 2006

at the current moment in time), I think that Owasp should (in the short

In the short term, Owasp should only have operational-leaders (or whatever
they would be called) responsible for specific operational tasks (for
example dealing with any issues related to: the Owasp Foundation, the Owasp
servers, the Owasp PR, the main Owasp website, the Owasp new business
development exercises, etc...).

Hopefully the crisis created by Mark's departure will create an environment
where the new future Owasp Leader will appear, and his/her promotion to
Owasp leadership is accepted/proposed by the majority of Owasp Leaders and

C) My comments on ... the industry's current COLD reaction to OWASP

Another factor which in my view is not helping the development of Owasp is
the fact that Owasp is trying to do something that the security industry
doesn't want to happen. For example: 

    - the development of clear standards to evaluate Web Application
    - the development of Open Source security tools,
    - and ultimately addressing the real problems that are creating the
current 'insecure Web Application Landscape'

Most Security Companies (not everybody is like this) are making too much
money with Security Vulnerabilities to make REAL and ACTIVE efforts in
actually solving the problems (since in most cases this would kill their

The reality is that the ones that have most to benefit from Owasp are the
current 'Security products/services buyers', because these are the ones that
are currently buying overpriced and incomplete products/solutions. The
problem is that these 'entities' (Companies, Government Organizations, NGOs,
persons) need to have something to buy (which OWASP currently doesn't have)
and are used to (and demand/expect) a credible, professional and reliable

In my view, Owasp should stop trying to please (and not offend) the Security
Industry players and the Software Companies (from Microsoft downwards) and
should focus on these entities (companies, governments, persons, etc...)
which have most to benefit from Owasp work.

The current Owasp successes (like the widespread usage of the Top 10) must
be built upon and nurtured, since Owasp's current market credibility and
perceived independence is one of Owasp's biggest assets.

D) My comments on ... 'the Microsoft response'

I also find it fascinating that the current Owasp-dotNet leader (i.e. me) has
not been contacted by anybody from the Microsoft Asp.Net team regarding the
Owasp-DotNet tools currently published:

    - Asp.Net Security Analyzer (ANSA)
    - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
    - Asp.Net Reflector
    - Online Metabase explorer

The only logical explanation that I have for this situation (since these tools
DO actually work and have helped hundreds of companies to improve their
Asp.Net hosting environments) is that Microsoft doesn't want to 'endorse'
these tools because all of them show how insecure and dangerous the current
Full Trust Asp.Net environment is.

Microsoft's position speaks volumes about the current state of the industry,
since they (and their clients) would benefit tremendously from a vibrant
development community continuously developing and improving these tools. The
reason why Microsoft's (lack of) response is important is that Microsoft is
currently one of the most active and responsive companies when it comes to
security issues, which shows how low the current level is :-(.

For as much as I (Dinis Cruz):

    1) criticize Microsoft (publicly and privately),
    2) think that they are not doing enough, and
    3) say that they are making a massive mistake with their current lack of
acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities,

based on my professional experience, I still think that Microsoft DOES
TAKE Security much more Seriously than most other Software companies out
there (which again shows how we are still very far away from starting to
tackle the real security problems and vulnerabilities that exist in today's
Web Applications).

E) My comments on ... making Money with Owasp

Before I get accused of being an idealist or a crazy-open-source-guy who
lives on 'planet fantasy', I would like to state that I fully understand
that Money and Financial reward are a major element in our current society
and way of life. I am not anti-corporations, anti-capitalism or anti-making

We all need money to live, and the best model in life is when you manage to
get paid to do something that you would do for free (i.e. not charge for

I have to say that lately I have been very privileged to be in that position
where most projects that I worked on were projects that I would gladly do for
free (if I could financially afford it). And what is very relevant to Owasp
is the fact that a substantial percentage of my income for the past 6 months
originated in projects directly related to my participation and
contributions to Owasp.

Which means that I have to personally thank Owasp for the exposure that I
received as the leader of the Owasp-DotNet projects. So here it is: Thank
you Owasp.

In some ways I am a good success-story of how Owasp can directly and
indirectly provide a good financial and professional reward to active and
participative members.

I would also like to point out that, given the current skill shortage in
certain areas of Web Security (for example Asp.Net Security), Owasp has the
opportunity to become a 'recruitment center' for high-skilled, reliable and
effective developers (since all that the employers would need to do is to
look at the prospective employee's participation and contribution record).

F) My comments on ... the fact that most Owasp projects have no
participation from the community

In my view there are several reasons why most Owasp Projects don't have more
than 2 to 5 active participants:

    1) lack of time: Most good and knowledgeable members are currently very
busy and have very little time to dedicate to personal projects

    2) the current '2h to start being productive' paradigm: which means that
if I (for example) want to participate in a project, I will need to dedicate
at least 2 hours to the project in order to start being productive
(sometimes even for simple things like adding content to the new website!).
What we need is the '30m to start being productive' paradigm or even better
the '10m to start being productive' paradigm (which, when functional,
actually creates an environment where participants regularly spend 2 hours or
more on the project). Let me give a musical analogy (for the ones that don't
know, I am also a part-time professional drummer): if you want to practice a
musical instrument on a regular basis (for example every day), you must create
an environment where there is almost no effort required to start
practicing (i.e. there should be no set-up time and one should be able to
start practicing 5m after deciding one wants to practice a little bit). This
means that your musical instrument and practice environment must always be
set up (e.g. drums) or plugged in (e.g. guitar), since that will allow for
spontaneous practice sessions (which usually are the most productive) when
the musician thinks 'I am just going to play for 10m - 15m' (which usually
gets 'extended' into 1h to 2h sessions :) ). This creates an environment
where it is easy to practice and, in the musician's mind, practicing is not
associated with spending 30m setting up the practice environment.

    3) Most Owasp projects don't have clear 'this is what you can do to
participate' instructions and require quite a lot of work and effort by the
would-be contributors and participants

    4) Owasp membership is not big enough for there to be enough people
with an 'itch' (i.e. problem or requirement) similar to the project leader's
'itch', which would make them go one step further and spend the time, effort
and dedication required to become an active participant and member

    5) Most projects are very dependent on the availability and energy-level
of the project leader (which usually is also its author / creator).
Hopefully we will soon reach a critical mass point (the 10,000 member mark?)
where the community surrounding a project is vibrant enough to compensate
for the regular MIA (Missing in Action) periods

    6) and probably the most important one: collaborating in an Open Source
project is VERY HARD. Sometimes I feel an urge to hit persons who make FUD
claims such as 'Open Source projects are created by a network of Kids and
clueless programmers' (note that I am a non-violent person and very rarely
get angry). Sending a comment like "humm, I clicked on this button and the
application crashed" is very easy and anybody can do it; sending a comment
like "I installed the application and I had a problem with XYZ function
which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it
which solved the problem" or "I've read this 50 page document and here are
my comments" is:

    - VERY HARD TO DO (since one is reading others' code or words)
    - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a
criticism of someone else's work)
    - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. "...I think that this
is a better way to do it...") which is always a hard thing to do
    - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST

So, don't tell me that it is kids that make up the main body of
contributions of successful Open Source projects. Most successful Open
Source projects have as their main contributors highly intelligent,
competent, dedicated and creative IT Professionals.

G) My comments on ... Why I haven't participated in other Owasp Projects

Following my previous points, I can now speak in the first person and say
that I am as guilty as anybody else for not participating in other Owasp

I am particularly ashamed of not having contributed to the WebGoat,
WebScarab, Owasp Top 10, Testing Guide and the Penetration Test guide, since
I have used them professionally.

And the reasons that I have for not participating are:

    - I didn't have the required time to put myself in a position where I
was able to send meaningful contributions
    - Those project leaders didn't put any pressure on me to participate and
didn't actively encourage it (when one is working on several projects at the
same time, unfortunately the projects that don't make any noise and are not
critical tend to live permanently on the
'to-do-list-when-I-have-2-free-hours' pile)
    - There is almost no documentation to help (although I do admit that I
didn't make a huge effort to find it)
    - I didn't professionally need an improved version of those
tools/documents (i.e. I didn't have the 'itch' that those projects are

To start contributing in these projects I needed to be given simple, quick
and meaningful (i.e. could be used in the actual project) tasks (the '30m
task' paradigm) and I had to be 'sold' on the idea of why I should

I must be in a position where I am proud to participate and must
subconsciously feel that my efforts will be appreciated.

I am assuming that if motivated and focused I would produce material of
high quality that the project leader would find valuable (although
anybody should be able to join an Owasp project, the Owasp leader has no
duty to spend any time motivating and nurturing people who don't have the
appropriate skills, knowledge, attitude or commitment).

And this is the bottom line: it is the leaders of these projects (WebGoat,
WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list) that
have the responsibility and duty to motivate me to participate, and if they
don't want to do it (since that is hard and takes time), then they should 
    1) step down (from leaders), 
    2) become 'normal' project members, 
    3) continue to submit their contributions  and 
    4) give (i.e. assign) the leadership to another Owasp member that is
willing to do it.

Now, does my lack of participation in these projects make me a 'taker'?
Somebody that is 'exploiting' the work of the talented and dedicated persons
who worked on these projects? Do I deserve (due to my lack of participation)
to be kicked out of the current mailing lists and not be a member of those

H) My comments on ... Mark's influence on Owasp

I can honestly say that Mark is the main reason why I am in OWASP today. 

It was his energy, principles and commitment to Openness (i.e. Open Source)
that made me join this community, donate my Asp.Net work and lead the
Owasp-dotNet efforts.

Mark has also been a very good influence on me since we share the same
ideals and it is always very refreshing when one meets other like-minded

Mark's departure also makes me think that I should have done more to help
Owasp in 2004 and puts me in a position where I am guilty and partly
responsible for his decision. The main reason I am writing this 'Open Letter
to Owasp' is so that Mark's departure is not in vain and Owasp is able to
learn from its mistakes and change the current environment which caused one
of Owasp's most important members to quit.

Knowing how much Mark loves Owasp, I can't even imagine how hard it must have
been for him to take this decision.

I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and
is well received by the other Owasp Leaders and Members. 

Do send me your comments and criticisms, and if you think that I am out of
order, or what I am saying is stupid and doesn't make sense, please do let
me know. 

I also need to be happy in this community and if my ideas and ideals are not
welcomed at Owasp, then I will have to (with a heavy heart) also quit and
find (or create) another Community.

I) My comments on ... how Owasp can make money:

Just before I get into practical solutions (because one cannot only talk,
one must also present solutions), here are some ideas of where Owasp can
make money:

 - Owasp Project sponsorships or Research Grants 
 - Owasp Consultancy 
 - Owasp Accreditations 
 - Owasp Official Curriculum
 - Owasp Books and White papers
 - Owasp Products (based on the developed tools)
 - Owasp Fund raising Events (Dinners, Presentations)
 - Owasp Conferences

And what could this money be used for? 

In my view it should be used to pay for:

    - Owasp Administrative services 
    - Developers' time spent on specific (or sponsored) Owasp Projects
    - Creation of Documentation
    - Packaging of Owasp Products 
    - Marketing and PR
    - Sales
    - Support to Owasp's product or services 

J) Ideas for the Future:

Finally, here are some ideas which hopefully will point Owasp in the right

     - In the short-term, there should be no main OWASP Leader, since this
position (which in my eyes currently still belongs to Mark) must be earned
not given. This means that the next Owasp's leader should be chosen by
Owasp's Leaders with full support by Owasp's community

    - Jeff should continue to have several responsibilities within Owasp
management, but current Owasp leaders should be able to say "I would like to
take responsibility for 'XYZ' task" 

     - The current Owasp leaders should do what I recommended earlier and
actively encourage their communities to participate in their project.

     - The current Owasp leaders should also make an effort to participate
in each other's projects.

    - A series of 30m tasks should be defined for each project, which will
allow the Owasp members to easily contribute and participate

    - In the short term, Owasp must have a CMS (Content Management System)
solution which allows authorized members to QUICKLY (in minutes) and EASILY
(not too many clicks) add content to the LIVE SERVER hosting the main Owasp
and individual projects' websites. I don't care if this is done with the
current Magnolia solution, with b-sec's CMS, with a very Expensive donated
CMS, with FrontPage, with Dreamweaver or with NOTEPAD!!!! What I want is
something that doesn't get in the way, so that I can get my content uploaded
and published to the Owasp website in 10m. And (please don't kill me for
this), in the beginning I don't really care about how secure this system is.
The first objective is to create a dynamic, vibrant and very active
community. If we get maliciously hacked, then so be it!!! Note that I am not
saying that Owasp should not have (and be able to provide as a template) a
secure hosting environment. Just to avoid confusion let me say it again: "I
do think that Owasp should host its online content in a locked-down
environment which is as secure as possible". What I am trying to say is that
the current priority should be creating vibrant communities (which could, as
one of their projects, build a tool to create and configure secure hosting
environments).

    - There must be total clarity of Owasp finances and financial
operations. The current lack of transparency is not healthy and doesn't
promote contributions. I know that there are some short-term credibility
issues with the current low-turnover but I strongly believe that the
advantages of full openness are far bigger than the disadvantages.

    - Once the current Owasp finances are published, a short term investment
plan should be created which defines what Owasp wants to do, how much money
it requires, and where is that money going to come from (for example I can
(through my UK company) make some financial contributions to OWASP)

    - A series of 'Owasp Products' should be created (based on the current
Owasp projects) and sold online

    - Owasp should take a much more aggressive position in the Industry and
start making its Voice heard. And if this creates controversy, then so be it
(the open letter sent last month was a good start). From my point of view,
the moment Owasp starts to be attacked by 'respected' security companies and
organizations is the moment that Owasp is starting to do its job right and
is starting to change the world.

    - A formal Owasp Leader recognition process should be created which
publicly recognizes current Owasp Leaders and the most active Project
contributors (since this will help those persons' careers and will encourage
others to become leaders themselves)

    - A formal 'Thank you' letter should be sent to Mark (signed by as many
members as possible) as a gesture of gratitude for what he has done for

    - A meeting should take place to discuss this (and other) ideas

I hope that this made sense and, if you made it this far, thanks for your
patience in reading this long, rambling 'Open Letter to Owasp', for which I
take full responsibility.

I'm looking forward to your comments

Best regards

Dinis Cruz

PS: My apologies in advance for my spelling and grammatical errors, I am not
a Native-English speaker and I currently live in the UK (which might make
some of my analogies and words sound a bit weird to the US readers)


Because I work with the Microsoft community [...] sometimes has to represent
them, you should really read their papers and security step by step regarding
ASP.NET. I understand that there is a [...] with the ASP.NET Full Trust (that's
why they recommend to develop partially trusted), but all that is
configurable using the CAS tool. In fact, in .NET 2.0, the CAS tool [...] be
turned off.

You should contact them, why not, you can find them at (Scott Guthrie). Maybe
they haven't heard of you [...] so that's why they haven't contacted you.

> I also find it fascinating that the current Owasp-dotNet leader (i.e. me)
> has not been contacted by anybody from the Microsoft Asp.Net team regarding
> the Owasp-DotNet tools currently published:
>     - Asp.Net Security Analyzer (ANSA)
>     - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
>     - Asp.Net Reflector
>     - Online Metabase explorer
> The only logical explanation that I have for this situation (since these
> tools DO actually work and have helped hundreds of companies to improve their
> Asp.Net hosting environments) is that Microsoft doesn't want to 'endorse'
> these tools because all of them show how insecure and dangerous the current
> Full Trust Asp.Net environment is.

And about the contribution, I offered some time ago some ideas and a code
project. But the group never responded back, so I posted it on my web site
([...]).

Regarding the future of OWASP, Mark made the [...] decision in my mind. The
open source idea is good, but there is a market [...] in everything.

Best Regards,

Rogelio Morrell [...]

-----------------------------------------------------------

From: owasp-chapters-admin at [mailto:owasp-chapters-admin at] On Behalf Of Dinis Cruz
Sent: Monday, 27 December 2004 10:09 a.m.
To: owasp-leaders at
Cc: Mark Curphey; owasp-dotnet at; owasp-guide at; owasp-testing at;
owasp-chapters at; owasp-advisors at; owasp-metrics-request at; ingo at;
alex at; dendler at; jermey at; admin at; david.raphael at; stanguzik at;
jeff.williams at
Subject: [Owasp-chapters] An Open Letter to Owasp


Owasp is in a Crisis!

Mark's departure (who was one of the original Owasp members and one of the most
active and energetic participants) must make us all reflect hard on his [...]
for departure. Hopefully, this crisis will also create an environment where the
necessary changes are made to Owasp's world which:
    a) prevents the departure of other key players and [...]
    b) substantially change Owasp's behavior so that Mark [...] others) will
want to (re)join, participate and collaborate.

As an Owasp member myself, and knowing (hoping?) that Owasp continues to be a
big part of my professional life, I would like to propose a series of [...]
and suggestions for its future. These ideas are included at the end of [...]
'Open Letter to Owasp', but firstly I would like to give my personal opinion on
several issues which I think are very relevant to the current Owasp

A) My comments on .... "Owasp's [...] vs Open [...]"

Sorry if I am offending somebody, but I think that at the moment, in the Owasp
community, there are some expectations of what Open Source [...] deliver which
are not based on WHAT CAN happen but on what people WOULD [...]

I feel that several Owasp members (including Mark) are misinterpreting [...]
concepts of FREEDOM and FREE (as in beer, i.e. no cost).
