No subject


Wed Nov 1 13:33:20 EST 2006


code published under Owasp HAS the FREEDOM to be used by anybody and can be shared and distributed by anybody. The fact that this material is FREE (as in beer, i.e. no cost) is a nice side effect and a good inevitable practicality (since if this material had to be paid for, its FREEDOM would not exist). <br>
<br>
Starting to <b>complain that 1) most Owasp members are 'takers' instead of 'givers' and 2) they are only interested in getting from Owasp things for FREE (as in beer, i.e. no cost), is in my view: </b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>offensive </b>to those Owasp members (among whom I include myself) since they are being called: thieves, opportunistic and selfish<br>
&nbsp;&nbsp;&nbsp; - <b>short-sighted</b>, since there is much more than meets the eye (things are never black or white)<br>
&nbsp;&nbsp;&nbsp; - <b>counter-productive</b>, since it is creating unnecessary frictions and bad feelings amongst the community, and <br>
&nbsp;&nbsp;&nbsp; - <b>Missing the point</b>, since the main discussion point should always be about FREEDOM and not about COST<br>
<br>
Going further, from my point of view, <b>blaming the current lack of participation in Owasp projects on the 'quality' of the current Owasp community</b> (which is being labeled as 'takers' and not 'givers')<b> is merely a scapegoat exercise which fails to address the core problems and doesn't allow the real issue to be dealt with.</b><br>
<br>
In my view, <b>it is not the responsibility and duty of the current Owasp members</b> (for example the persons subscribed to the current mailing lists) <b>to be active participants and to dedicate enormous amounts of time to those projects.</b><br>
<br>
In my view, <b>IT IS THE SPECIFIC OWASP PROJECT LEADER THAT HAS THE RESPONSIBILITY AND DUTY TO CREATE AN ENVIRONMENT where those project's members </b>(and the other Owasp leaders)<b> feel motivated to participate and become active members</b>. This is not easy and takes quite a lot of work, dedication and patience by those project leaders. <br>
<br>
This means that it is the OWASP PROJECT LEADER THAT HAS TO: <br>
<br>
&nbsp;&nbsp;&nbsp; - make everybody aware of what is going on<br>
&nbsp;&nbsp;&nbsp; - create simple, relevant and usable mini-tasks which can be executed by the community (it should be possible for somebody that wants to contribute to be able to go to a web page and be given a task which will not take him/her more than 30m to 2h to execute (compare that to the current situation))<br>
&nbsp;&nbsp;&nbsp; - actively market the Owasp project and encourage participation<br>
&nbsp;&nbsp;&nbsp; - manage expectations and ensure that the project's members are motivated and happy<br>
&nbsp;&nbsp;&nbsp; - ensure that all contributions are respectively credited and that people are rewarded for their time and commitment<br>
&nbsp;&nbsp;&nbsp; - create products based on that Project's deliverables (white papers, tools, security templates, etc....) which can be sold by Owasp<br>
<br>
Due to my past contributions to Owasp and my professional Project manager experience, I believe that I have earned the right to make these grand statements, especially since <b>I consider that I</b> (Dinis Cruz, current Owasp leader of the Owasp-dotNet projects) <b>am a very BAD LEADER because I was not able to make the current 130 Owasp-DotNet subscribers participate in the current Owasp-dotNet projects</b> (I am including myself in the guilty-list). I have also been very bad at replying to contributors (sorry especially to Michael Silk (article) and Kerem Kusmezer (http module)) and should have done much more to help those subscribers to understand how the tools that I have developed and published work and how they can contribute.<br>
<br>
One of my objectives for 2005 is to make this community participate and 'come to life' (and <b>I don't blame them for not participating, I blame myself</b>)<br>
<br>
<b>What Owasp needs now are strong, creative and active leaders who will have to continuously prove </b>(i.e. every week, every month, every year) <b>that they deserve to be Owasp Leaders and that they can be responsible for their projects.</b><br>
<br>
In fact, one of the main reasons why the 'OWASP Foundation' must guarantee and fight for <br>
<br>
&nbsp;&nbsp;&nbsp; 1) the FREEDOM of all material produced and <br>
&nbsp;&nbsp;&nbsp; 2) the OPENNESS of its doors (i.e. anybody can join and be (if desired) a non-contributor member)<br>
<br>
, is because <b>when Leaders stop behaving according to their responsibilities</b> (for personal or professional reasons) <b>their replacement </b>(amicably or not) <b>must be a relatively easy and straightforward process </b>(following the wishes of that project's community). <br>
<br>
As in the Hacker or Open Source community, an <b>Owasp Leader can only be an Owasp Leader if the Owasp community accepts and recognizes their leadership</b> (see the Linus example). <br>
<br>
In my view, this model creates a positive and healthy environment where the focus is always on productivity and never (or at least as little as possible) on political games and 'who is the boss' types of argument.<br>
<br>
<b>B) My comments on .... Jeff as an OWASP leader</b><br>
<br>
Before I go any further let me just say that:<br>
<br>
&nbsp;&nbsp;&nbsp; - I don't question Jeff's commitment and belief in Owasp<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff has done a great job with the creation of the Owasp Foundation<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff was very brave and courageous when he accepted (from Mark) the role as the main Owasp Leader<br>
&nbsp;&nbsp;&nbsp; - I think that Jeff should continue to have some management roles in Owasp <br>
<br>
But <b>I DON'T THINK THAT JEFF SHOULD CONTINUE TO BE THE MAIN Owasp Leader,</b> since I don't think that Jeff has (based on his actions so far) what I would consider to be the right profile to be the main leader that Owasp needs today<br>
<br>
Although <b>Jeff is beyond doubt a very active and productive Owasp member </b>(whose technical competence and professionalism is of the highest caliber)<b> I don't think that Jeff</b> (to whom I sincerely apologize for such a public criticism)<b> has the energy, vision and 'craziness' required to lead a project like Owasp (as it is today)</b>. Maybe it is Jeff's training as a Lawyer that makes him risk-averse, maybe it is just his personality, and maybe it is just the current phase that Owasp is currently in (<b>there is no reason why Jeff's profile is not the most indicated to lead Owasp in one, two or ten years' time</b>).<br>
<br>
<b>What Owasp needs now is to have an energetic, dynamic, thought-provoking and inspiring leader who can lead Owasp into being a major player in the Web Application Security World,</b> and help it to make the world a 'safer' (and better) place.<br>
<br>
From my point of view, <b>unless Mark retakes the Job</b> (which is not an option at the current moment in time), <b>I think that Owasp should </b>(in the short term) <b>NOT HAVE A MAIN LEADER! </b><br>
<br>
In the short term, <b>Owasp should only have operational-leaders</b> (or whatever they would be called) <b>responsible for specific operational tasks </b>(for example dealing with any issues related to: the Owasp Foundation, the Owasp servers, the Owasp PR, the main Owasp website, the Owasp new business development exercises, etc...).<br>
<br>
Hopefully the <b>crisis created by Mark's departure will create an environment where the new future Owasp Leader will appear, </b>and his/her promotion to Owasp leadership is accepted/proposed by the majority of Owasp Leaders and Members.<br>
<br>
<b><br>
C) My comments on ... the industry's current COLD reaction to OWASP<br>
<br>
</b>Another factor which in my view is not helping the development of Owasp is the fact that <b>Owasp is trying to do something that the security industry doesn't want to happen</b>. For example: <br>
<br>
&nbsp;&nbsp;&nbsp; - the development of clear standards to evaluate Web Application Security,<br>
&nbsp;&nbsp;&nbsp; - the Development of Open Source security tools, <br>
&nbsp;&nbsp;&nbsp; - and ultimately addressing the real problems that are creating the current 'insecure Web Application Landscape'<br>
<br>
Most Security Companies (not everybody is like this) are making too much money with Security Vulnerabilities to make REAL and ACTIVE efforts in actually solving the problems (since in most cases this would kill their markets). <br>
<br>
<b>The reality is that the ones that have most to benefit from Owasp are the current 'Security products/services buyers' </b>because these are the ones that are currently buying overpriced and incomplete products/solutions. <b>The problem is that these 'entities'</b> (Companies, Government Organizations, NGOs, persons) <b>need to have something to buy</b> (which OWASP currently doesn't have) <b>and are used to</b> (and demand/expect) <b>a credible, professional and reliable service</b>.<br>
<br>
In my view, Owasp should stop trying to please (and not offend) the Security Industry players and the Software Companies (from Microsoft downwards) and should focus on these entities (companies, governments, persons, etc...) which have most to benefit from Owasp's work.<br>
<br>
<b>The current Owasp successes</b> (like the widespread usage of the Top 10) <b>must be built upon and nurtured, since current Owasp Market credibility and perceived independence is one of Owasp's biggest assets</b><br>
<br>
<b><br>
D) My comments on ... 'the Microsoft response'</b><br>
<br>
I also find fascinating the fact that <b>the current Owasp-dotNet leader</b> (i.e. me)<b> has not been contacted by anybody from the Microsoft Asp.Net team regarding the Owasp-DotNet tools currently published</b>:<br>
<br>
&nbsp;&nbsp;&nbsp; - Asp.Net Security Analyzer (ANSA)<br>
&nbsp;&nbsp;&nbsp; - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)<br>
&nbsp;&nbsp;&nbsp; - Asp.Net Reflector<br>
&nbsp;&nbsp;&nbsp; - Online Metabase explorer<br>
<br>
<b>The only logical explanation </b>that I have for this situation (since these tools DO actually work and have helped hundreds of companies to improve their Asp.Net hosting environments) <b>is that Microsoft doesn't want to 'endorse' these tools because all of them show how insecure and dangerous the current Full Trust Asp.Net environment is</b>.<br>
<br>
Microsoft's position speaks volumes about the current state of the industry, since they (and their clients) would benefit tremendously from a vibrant development community continuously developing and improving these tools. The reason why Microsoft's (lack of) response is important is because Microsoft is currently one of the most active and responsive companies to security issues, and this shows how low the current level is :-(. <br>
<br>
For as much as I (Dinis Cruz): <br>
<br>
&nbsp;&nbsp;&nbsp; 1) criticize Microsoft (publicly and privately), <br>
&nbsp;&nbsp;&nbsp; 2) think that they are not doing enough, and <br>
&nbsp;&nbsp;&nbsp; 3) say that they are making a massive mistake with their current lack of acknowledgment (and focus) of the Full Trust Asp.Net Vulnerabilities;<br>
<br>
, based on my professional experience, I still think that <b>Microsoft DOES TAKE Security much more Seriously than most other Software companies out there</b> (which again shows how we are still very far away from starting to tackle the real security problems and vulnerabilities that exist in today's Web Applications).<br>
<b><br>
E) My comments on ... making Money with Owasp<br>
<br>
</b>Before I get accused of being an idealist or a crazy-open-source-guy who lives on 'planet fantasy', I would like to state that I fully understand that Money and Financial reward is a major element in our current society and way of life. I am not anti-corporations, anti-capitalism or anti-making money.<br>
<br>
We all need money to live, and the best model in life is when you manage to get paid to do something that you would do for free (i.e. not charge for it)<br>
<br>
I have to say that lately I have been very privileged to be in that position where most projects that I worked on were projects that I would gladly do for free (if I could financially afford it). And what is very relevant to Owasp is the fact that a <b>substantial percentage of my income for the past 6 months originated in projects directly related to my participation and contributions to Owasp</b>.<br>
<br>
Which means that I have to personally thank Owasp for the exposure that I received as the leader of the Owasp-DotNet projects. So here it is: <b>Thank you Owasp</b><br>
<br>
In some ways I am a good success-story of how <b>Owasp can directly and indirectly provide a good financial and professional reward to active and participative members.</b><br>
<br>
I also would like to point out that given the current skill shortage in certain areas of Web Security (for example Asp.Net Security), <b>Owasp has the opportunity to become a 'recruitment center' for high-skilled, reliable and effective developers</b> (since all that the employers would need to do is to look at the prospective employee's participation and contribution record)<br>
<br>
<b>F) My comments on ... the fact that most Owasp projects have no participation from the community<br>
<br>
</b>In my view there are several <b>reasons why most Owasp Projects don't have more than 2 to 5 active participants</b>:<br>
<br>
&nbsp;&nbsp;&nbsp; 1) <b>lack of time: </b>Most good and knowledgeable members are currently very busy and have very little time to dedicate to personal projects<br>
<br>
&nbsp;&nbsp;&nbsp; 2) <b>the current '2h to start being productive' paradigm</b>: which means that if I (for example) want to participate in a project, I will need to dedicate at least 2 hours to the project in order to start being productive (sometimes even for simple things like adding content to the new website!). <b>What we need is the</b> <b>'30m to start being productive' paradigm </b>or even better the '10m to start being productive' paradigm (which, when functional, actually creates an environment where participants regularly spend 2 hours or more on the project). Let me give a musical analogy (for the ones that don't know, I am also a part-time professional drummer): If you want to practice a music instrument on a regular basis (for example every day), you must create an environment where there is almost no effort required to start practicing (i.e. there should be no set-up time and one should be able to start practicing 5m after deciding one wants to practice a little bit). This means that your musical instrument and practice environment must always be set-up (e.g. drums) or plugged-in (e.g. guitar) since that will allow for spontaneous practice sessions (which usually are the most productive) when the musician thinks 'I am just going to play for 10m - 15m' (which usually gets 'extended' into 1h to 2h sessions :) ). This creates an environment where it is easy to practice and in the musician's mind, practicing is not associated with spending 30m to set-up the practice environment.<br>
<br>
&nbsp;&nbsp;&nbsp; 3) <b>Most Owasp projects don't have clear 'this is what you can do to participate' instructions</b> and require quite a lot of work and effort by the would-be contributors and participants<br>
<br>
&nbsp;&nbsp;&nbsp; 4) <b>Owasp membership is not big enough </b>for there to be enough people with an 'itch' (i.e. problem or requirement) similar to the project leader's 'itch', which will make them go one step further and spend the time, effort and dedication required to become an active participant and member<br>
<br>
&nbsp;&nbsp;&nbsp; 5) <b>Most projects are very dependent on the availability and energy-level of the project leader</b> (which usually is also its author / creator). Hopefully we will soon reach a critical mass point (the 10,000 member mark?) where the community surrounding a project is vibrant enough to compensate for the regular MIA (Missing in Action) periods<br>
<br>
&nbsp;&nbsp;&nbsp; 6) and probably the most important one. <b>Collaborating in an Open Source project is VERY HARD</b>. Sometimes I feel an urge to hit persons who make FUD claims such as 'Open Source projects are created by a network of Kids and clueless programmers' (note that I am a non-violent person and very rarely get angry). Sending a comment like &quot;humm, i clicked on this button and the application crashed&quot; is very easy and anybody can do it; sending a comment like &quot;I installed the application and I had a problem with XYZ function which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it which solved the problem&quot; or &quot;I've read this 50 page document and here are my comments&quot; is:<br>
<br>
&nbsp;&nbsp;&nbsp; - VERY HARD TO DO (since one is reading others' code or words)<br>
&nbsp;&nbsp;&nbsp; - REQUIRES A DEEP UNDERSTANDING OF THAT PARTICULAR TECHNOLOGY OR SUBJECT MATTER<br>
&nbsp;&nbsp;&nbsp; - TAKES A LOT OF TIME, <br>
&nbsp;&nbsp;&nbsp; - REQUIRES A LOT OF CONFIDENCE (since you are in effect sending a criticism of someone else's work)<br>
&nbsp;&nbsp;&nbsp; - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. &quot;...I think that this is a better way to do it...&quot;) which is always a hard thing to do<br>
&nbsp;&nbsp;&nbsp; - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that project's leader) PAST BEHAVIOR IN DEALING WITH CONTRIBUTIONS <br>
<br>
So, don't tell me that it is kids that make up the main body of contributions of successful Open Source projects. Most successful Open Source projects have as their main contributors highly intelligent, competent, dedicated and creative IT Professionals. <br>
<br>
<b><br>
G) My comments on ... Why I haven't participated in other Owasp Projects<br>
<br>
</b>Following my previous points, I can now speak in the first person and say that<b> I am as guilty as anybody else for not participating in other Owasp projects. <br>
</b><br>
I am particularly ashamed of not having contributed to the WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test guide, since I have used them professionally.<br>
<br>
And the <b>reasons that I have for not participating are:</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>I didn't have</b> the required <b>time </b>to put myself in a position where I was able to send meaningful contributions <br>
&nbsp;&nbsp;&nbsp; - Those<b> project leaders didn't put any pressure on me to participate and didn't actively encourage it</b> (when one is working on several projects at the same time, unfortunately the projects that don't make any noise and are not critical tend to live permanently on the 'to-do-list-when-I-have-2-free-hours' pile)<br>
&nbsp;&nbsp;&nbsp; - There is almost <b>no documentation to help</b> (although I do admit that I didn't make a huge effort to find it)<br>
&nbsp;&nbsp;&nbsp; - I <b>didn't need professionally an improved version of those tools/documents</b> (i.e. I didn't have the 'itch' that those projects are scratching)<br>
<br>
<b>To start contributing to these projects I needed to be given simple, quick and meaningful</b> (i.e. could be used in the actual project) <b>tasks </b>(the '30m task' paradigm) and I have to be 'sold' on the idea of why I should participate. <br>
<br>
I must be in a position where I am proud to participate and must subconsciously feel that my efforts will be appreciated.<br>
<br>
I am assuming that if motivated and focused I would produce material of high quality that the project leader would find valuable (although anybody should be able to join an Owasp project, the Owasp leader has no duty to spend any time motivating and nurturing people who don't have the appropriate skills, knowledge, attitude or commitment)<br>
<br>
And this is the bottom line:<b> it is the leaders of these projects </b>(WebGoat, WebScarab, Owasp Top 10, Testing Guide and the Penetration Test list)<b> that have the responsibility and duty to motivate me to participate</b>, and if they don't want to do it (since that is hard and takes time), then they should <br>
&nbsp;&nbsp;&nbsp; 1) step down (from leaders), <br>
&nbsp;&nbsp;&nbsp; 2) become 'normal' project members, <br>
&nbsp;&nbsp;&nbsp; 3) continue to submit their contributions and <br>
&nbsp;&nbsp;&nbsp; 4) give (i.e. assign) the leadership to another Owasp member that is willing to do it.<br>
<br>
Now, <b>does my lack of participation in these projects make me a 'taker'? </b>Somebody that is 'exploiting' the work of the talented and dedicated persons who worked on these projects? <b>Do I deserve</b> (due to my lack of participation) <b>to be kicked out of the current mailing lists and not be a member of those projects?<br>
<br>
H) My comments on ... Mark's influence on Owasp<br>
<br>
</b>I can honestly say that Mark is the main reason why I am in OWASP today. <br>
<br>
It was his energy, principles and commitment to Openness (i.e. Open Source) that made me join this community, donate my Asp.Net work and lead the Owasp-dotNet efforts.<br>
<br>
Mark has also been a very good influence on me since we share the same ideals and it is always very refreshing when one meets other like-minded individuals.<br>
<br>
Mark's departure also makes me think that I should have done more to help Owasp in 2004 and puts me in a position where I am guilty and partly responsible for his decision. <b>The main reason I am writing this 'Open Letter to Owasp' is so that Mark's departure is not in vain and Owasp is able to learn from its mistakes and change the current environment which caused one of Owasp's most important members to quit.</b><br>
<br>
Knowing how much Mark loves Owasp I can't even imagine how hard it must have been for him to take this decision. <br>
<br>
<b>I hope that this 'Open Letter to Owasp' kick-starts a healthy discussion and is well received by the other Owasp Leaders and Members. </b><br>
<br>
Do send me your comments and criticisms, and if you think that I am out of order, or what I am saying is stupid and doesn't make sense, please do let me know. <br>
<br>
I also need to be happy in this community and if my ideas and ideals are not welcomed at Owasp, then I will have to (with a heavy heart) also quit and find (or create) another Community<br>
<br>
<b>I) My comments on ... how Owasp can make money:<br>
<br>
</b>Just before I get into practical solutions (because one cannot only talk, one must also present solutions), here are some ideas of where Owasp can make money:<br>
<br>
&nbsp;- Owasp Project sponsorships or Research Grants <br>
&nbsp;- Owasp Consultancy <br>
&nbsp;- Owasp Accreditations <br>
&nbsp;- Owasp Official Curriculum<br>
&nbsp;- Owasp Books and White papers<br>
&nbsp;- Owasp Products (based on the developed tools)<br>
&nbsp;- Owasp Fund raising Events (Dinners, Presentations)<br>
&nbsp;- Owasp Conferences<br>
<b><br>
And what could this money be used for? <br>
<br>
In my view it should be used to pay for:</b><br>
<br>
&nbsp;&nbsp;&nbsp; - Owasp Administrative services <br>
&nbsp;&nbsp;&nbsp; - Developers' time spent on specific (or sponsored) Owasp Projects<br>
&nbsp;&nbsp;&nbsp; - Creation of Documentation<br>
&nbsp;&nbsp;&nbsp; - Packaging of Owasp Products <br>
&nbsp;&nbsp;&nbsp; - Marketing and PR<br>
&nbsp;&nbsp;&nbsp; - Sales<br>
&nbsp;&nbsp;&nbsp; - Support for Owasp's products or services <br>
<br>
<br>
<b>J) Ideas for the Future:<br>
<br>
</b>Finally, here are some ideas which hopefully will point Owasp in the right direction:<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>In the short-term, there should be no main OWASP Leader</b>, since this position (which in my eyes currently still belongs to Mark) must be earned not given. This means that the next Owasp leader should be chosen by Owasp's Leaders with full support by Owasp's community<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>Jeff should continue to have several responsibilities within Owasp management</b>, but current Owasp leaders should be able to say &quot;I would like to take responsibility for 'XYZ' task&quot; <br>
<br>
&nbsp;&nbsp;&nbsp; - <b>The current Owasp leaders should do what I recommended earlier and actively encourage their communities to participate in their project.</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>The current Owasp leaders should also make an effort to participate in each other's projects.</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A series of 30m tasks should be defined for each project, which will allow the Owasp members to easily contribute and participate</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>In the short term, Owasp must have a CMS </b>(Content Management System) <b>solution which allows authorized members to QUICKLY (in minutes) and EASILY (not too many clicks) add content to the LIVE SERVER Hosting the main Owasp and individual project's websites.</b> I don't care if this is done with the current Magnolia solution, with b-sec's CMS (support.binaryvision.com.au), a very Expensive donated CMS (<a href="http://www.tomoye.com">www.tomoye.com</a>), with FrontPage, with Dreamweaver or with NOTEPAD!!!! <b>What I want is something that doesn't get in the way, and I can get my content uploaded and published to the Owasp website in 10m</b>. And (please don't kill me for this), in the beginning I don't really care about how secure this system is. The first objective is to create a dynamic, vibrant and very active community. If we get maliciously hacked, then so be it!!! Note that I am not saying that Owasp should not have (and be able to provide as a template) a secure hosting environment. Just to avoid confusion let me say it again: <b>&quot;I do think that Owasp should host its online content in a locked-down environment which is as secure as possible&quot;.</b> What I am trying to say is that the current priority should be in creating vibrant communities (which could, as one of their projects, build a tool to create and configure secure hosting environments)<br>
<br>
&nbsp;&nbsp;&nbsp; <b>- There must be total clarity of Owasp finances and financial operations</b>. The current lack of transparency is not healthy and doesn't promote contributions. I know that there are some short-term credibility issues with the current low-turnover but I strongly believe that the advantages of full openness are far bigger than the disadvantages.<br>
<br>
&nbsp;&nbsp;&nbsp; - Once the current Owasp finances are published, <b>a short term investment plan should be created which defines what Owasp wants to do, how much money it requires, and where that money is going to come from</b> (for example I can (through my UK company) make some financial contributions to OWASP)<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A series of 'Owasp Products' should be created</b> (based on the current Owasp projects)<b> and sold online</b><br>
<br>
&nbsp;&nbsp;&nbsp; - <b>Owasp should take a much more aggressive position in the Industry and start making its Voice heard. </b>And if this creates controversy, then so be it (the open letter sent last month was a good start). From my point of view, the moment Owasp starts to be attacked by 'respected' security companies and organizations is the moment that Owasp is starting to do its job right and is starting to change the world<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A formal Owasp Leader recognition process should be created which publicly recognizes current Owasp Leaders</b> <b>and most active Project contributors</b> (since this will help those persons' careers and will encourage others to become leaders themselves)<br>
<br>
&nbsp;&nbsp;&nbsp; - <b>A formal 'Thank you' letter should be sent to Mark</b> (signed by as many members as possible) as a gesture of gratitude for what he has done for Owasp<br>
<br>
<b>&nbsp;&nbsp;&nbsp; - A meeting should take place to discuss this (and other) ideas</b><br>
<b><br>
</b>I hope that this made sense and if you made it this far, thanks for your patience in reading this long, rambling (and entirely my own responsibility) 'Open Letter to Owasp'<br>
<br>
I'm looking forward to your comments<br>
<br>
Best regards<br>
<br>
Dinis Cruz<br>
<br>
PS: My apologies in advance for my spelling and grammatical errors, I am not a Native-English speaker and I currently live in the UK (which might make some of my analogies and words sound a bit weird to the US readers)<br>
<br>
<br>
</p>

</div>

</body>

</html>
_______________________________________________
Owasp-chapters mailing list
Owasp-chapters at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-chapters




