No subject

Wed Nov 1 13:33:20 EST 2006

published under Owasp HAS the FREEDOM to be used by anybody and can be
shared and distributed by anybody. The fact that this material is FREE (as
in beer, i.e. no cost) is a nice side effect and a good inevitable
practicality (since if this material had to be paid for, its FREEDOM would
not exist). 

Starting to complain that 1) most Owasp members are 'takers' instead of
'givers' and 2) they are only interested in getting from Owasp things for
FREE (as in beer, i.e. no cost), is in my view: 

    - offensive to those Owasp members (among whom I include myself) since they
are being called thieves, opportunistic and selfish
    - short-sighted, since there is much more than meets the eye (things are
never black or white)
    - counter-productive, since it is creating unnecessary friction and bad
feelings amongst the community, and 
    - Missing the point, since the main discussion point should be always
about FREEDOM and not about COST

Going further, from my point of view, blaming the current lack of
participation in Owasp projects on the 'quality' of the current Owasp
community (who are being labeled as 'takers' and not 'givers') is merely a
scapegoat exercise which fails to address the core problems and doesn't
allow the real issue to be dealt with.

In my view, it is not the responsibility and duty of the current Owasp
members (for example the persons subscribed to the current mailing lists) to
be active participants and to dedicate an enormous amount of time to those

members (and the other Owasp leaders) feel motivated to participate and
become active members. This is not easy and takes quite a lot of work,
dedication and patience by those project leaders. 

This means that it is the OWASP PROJECT LEADER THAT HAS TO: 

    - make everybody aware of what is going on
    - create simple, relevant and usable mini-tasks which can be executed by
the community (it should be possible for somebody that wants to contribute
to be able to go to a web page and be given a task which will not take
him/her more than 30m to 2h to execute (compare that to the current
    - actively market the Owasp project and encourage participation
    - manage expectations and ensure that the project's members are
motivated and happy
    - ensure that all contributions are properly credited and that
people are rewarded for their time and commitment
    - create products based on that Project's deliverables (white papers,
tools, security templates, etc....) which can be sold by Owasp

Due to my past contributions to Owasp and my professional Project Manager
experience, I believe that I have earned the right to make these grand
statements, especially since I consider that I (Dinis Cruz, current Owasp
leader of the Owasp-dotNet projects) am a very BAD LEADER because I was not
able to make the current 130 Owasp-DotNet subscribers participate in the
current Owasp-dotNet projects (I am including myself in the guilty list). I
have also been very bad at replying to contributors (sorry especially to
Michael Silk (article) and Kerem Kusmezer (http module)) and should have
done much more to help those subscribers to understand how the tools that I
have developed and published work and how they can contribute.

One of my objectives for 2005 is to make this community participate and
'come to life' (and I don't blame them for not participating, I blame

What Owasp needs now are strong, creative and active leaders who will have
to continuously prove (i.e. every week, every month, every year) that they
deserve to be Owasp Leaders and that they can be responsible for his/her

In fact, one of the main reasons why the 'OWASP Foundation' must guarantee
and fight for 

    1) the FREEDOM of all material produced and 
    2) the OPENNESS of its doors (i.e. anybody can join and be (if desired)
a non-contributor member)

, is because when Leaders stop behaving according to their
responsibilities (for personal or professional reasons) their replacement
(amicably or not) must be a relatively easy and straightforward process
(following the wishes of that project's community). 

As in the Hacker or Open Source community, an Owasp Leader can only be an
Owasp Leader if the Owasp community accepts and recognizes his/her
leadership (see the Linus example). 

In my view, this model creates a positive and healthy environment where the
focus is always on productivity and never (or at least as little as
possible) on political games and 'who is the boss' type arguments.

B) My comments on .... Jeff as an OWASP leader

Before I go any further let me just say that:

    - I don't question Jeff's commitment and belief in Owasp
    - I think that Jeff has done a great job with the creation of the Owasp
    - I think that Jeff was very brave and courageous when he accepted (from
Mark) the role as the main Owasp Leader
    - I think that Jeff should continue to have some management roles in

since I don't think that Jeff has (based on his actions so far) what I would
consider to be the right profile to be the main leader that Owasp needs

Although Jeff is beyond doubt a very active and productive Owasp member
(whose technical competence and professionalism is of the highest caliber) I
don't think that Jeff (to whom I sincerely apologize for such a public
criticism) has the energy, vision and 'craziness' required to lead a project
like Owasp (as it is today). Maybe it is Jeff's training as a Lawyer that
makes him risk-averse, maybe it is just his personality, and maybe it is
just the current phase that Owasp is in (there is no reason why
Jeff's profile is not the most indicated to lead Owasp in one, two or ten
years' time).

What Owasp needs now is an energetic, dynamic, thought-provoking and
inspiring leader who can lead Owasp into being a major player in the Web
Application Security World, and help it to make the world a 'safer' (and
better) place.
