No subject

Wed Nov 1 13:33:20 EST 2006

published under Owasp HAS the FREEDOM to be used by anybody and can be and distributed by anybody. The fact that this material is FREE (as in i.e. no cost) is a nice side effect and a good inevitable practicality if this material had to be paid for, its FREEDOM would not exist).

Starting to complain that 1) most members are 'takers' instead of 'givers' and 2) they are only interested in getting from Owasp things for FREE (as in beer, i.e. no cost), is in my view:
    - offensive those Owasp members (who I include myself in) since they are being thieves, opportunistic and selfish
    - since there is much more than meets the eye (things are never black or
    - since it is creating unnecessary frictions and bad feelings amongst the community, and
    - Missing the since the main discussion point should be always about FREEDOM and not

Going further, from my point of view, the current lack of participation in Owasp projects on the 'quality' of current Owasp community (which are being labeled as 'takers' and not 'givers') is merely a scapegoat which fails to address the core problems and doesn't allow for the real issue to be dealt with.

In my view, it is not the responsibility and duty of the current Owasp members (for example the persons subscribed to the current mailing lists) be active participants and to dedicate enormous amounts of time to those

In my view, IT IS THE SPECIFIC those project's members (and the other Owasp feel motivated to participate and become members. This is not easy and takes quite a lot of work, and patience by those project leaders.

This means that it is the OWASP PROJECT LEADER THAT HAS TO:
    - make everybody aware of what is going on
    - create simple, relevant and usable mini-tasks which can be executed by the community (it should be possible for somebody that wants to contribute to be able to go to a web page and be given a task which will not take him/her more than 30m to 2h to execute (compare that to the
    - actively market the Owasp project and encourage
    - manage expectations and ensure that the project's are motivated and happy
    - ensure that all contributions are respectively and that people are rewarded for their time and commitment
    - create products based on that Project's (white papers, tools, security templates, etc....) which can be sold by

Due to my past contributions to Owasp and my professional Project experience, I believe that I have earned the right to make these grand statements, especially since I that I (Dinis Cruz, current Owasp leader of the Owasp-dotNet projects) am a very BAD LEADER because I was not able to make the current 130 Owasp-DotNet subscribers participate in the current Owasp-dotNet projects (I am including myself in the guilty-list). I have also been very bad at replying to contributors especially to Michael Silk (article) and Kerem Kusmezer (http module)) should have done much more to help those subscribers to understand how tools that I have developed and published work and how they can

One of my objectives for 2005 is to make this community participate and to life' (and I don't blame them for not participating, I blame myself)

What Owasp needs now are strong, creative and active leaders who will have to continuously prove (i.e. every week, every month, every year) that they deserve to be Owasp Leaders and that they can be responsible for his/hers

In fact, one of the main reasons why the 'OWASP Foundation' must guarantee and fight for
    1) the FREEDOM of all material produced and
    2) the OPENNESS of its doors (i.e. anybody can join and be (if desired) a non-contributor member)
, is because when Leaders stop according to his/hers responsibilities (for personal or professional reasons) his/hers replacement (amicably or not) must be a relatively easy and straightforward process (following the wishes of that community).

As in the Hacker or Open Source community, an Leader can only be an Owasp Leader if the Owasp community accepts and recognizes his/hers leadership (see the Linus example).

In my view, this model creates a positive and healthy environment where focus is always on productivity and never (or at least as little as in political games and 'who is the boss' type of argument.
B) My comments on .... Jeff as an OWASP leader

Before I go any further let me just say that:
    - I don't question Jeff's commitment and belief in
    - I think that Jeff has done a great job with the of the Owasp Foundation
    - I think that Jeff was very brave and courageous when he accepted (from Mark) the role as the main Owasp Leader
    - I think that Jeff should continue to have some roles in Owasp

But I DON'T THINK THAT JEFF SHOULD TO BE THE MAIN Owasp Leader, since I don't think that Jeff (based on his actions so far) what I would consider to be the right profile to be the main leader that Owasp needs today.

Although Jeff is beyond doubt a very active and productive Owasp member (whose technical competence and professionalism is of the highest caliber) I don't think that Jeff (to whom I sincerely apologize for such a public criticism) has the energy, vision and 'craziness' required to lead a project like Owasp (as it is

Maybe it is Jeff's training as a Lawyer that makes him risk-averse, maybe it is just his personality, and maybe it is just the current phase that Owasp is currently in (there is no reason why Jeff's profile is not the most indicated to lead Owasp in one, two or ten years time).

What Owasp needs now is to have a dynamic, thought provoking and inspiring leader who can lead Owasp into being a major player in the Web Application Security World, and help it to make the world a 'safer' (and better) place.

From my point of view, Mark retakes the Job (which is not an option at the current in time), I think that Owasp should in the short term) NOT HAVE A MAIN LEADER!

In the short term, Owasp should only have operational-leaders (or whatever they would be called) responsible for specific operational tasks example dealing with any issues related to: the Owasp Foundation, the servers, the Owasp PR, the main Owasp website, the Owasp new business development exercises, etc...).

Hopefully the crisis created by departure will create an environment where the new future Owasp Leader appear, and his/her promotion to Owasp leadership is accepted/proposed by the majority of Owasp Leaders and Members.
C) My comments on ... the industry's current COLD reaction to OWASP

Another factor which in my view is not helping the development of Owasp is the fact that Owasp is trying to do something that the security industry doesn't want to happen. example:
    - the development of clear standards to evaluate Web Application Security,
    - the Development of Open Source security tools,
    - and ultimately addressing the real problems that creating the current 'insecure Web Application Landscape'

Most Security Companies (not everybody is like this) are making too much money with Security Vulnerabilities to make REAL and ACTIVE efforts in solving the problems (since in most cases this would kill their markets).

The reality is that the ones that have most to benefit from Owasp are the current 'Security products/services buyers' because these are the ones that are currently buying overpriced and incomplete products/solutions. The problem is that these 'entities' (Companies, Government Organizations, NGOs, persons) need to have something to buy (which OWASP currently doesn't have) and are used to (and demand/expect) a credible, and reliable service.

In my view, Owasp should stop trying to please (and not offend) the Industry players and the Software Companies (from Microsoft downwards) should focus on these entities (companies, governments, persons, etc...) which have most to benefit from Owasp work.

The current Owasp successes (like the widespread usage of the Top 10) must be built upon and nurtured, since current Owasp Market credibility and independence is one of Owasp's biggest assets
D) My comments on ... 'the Microsoft response'

I also find fascinating the fact that current Owasp-dotNet leader (i.e. me) has not been contacted by anybody from the Microsoft Asp.Net team regarding the Owasp-DotNet tools currently published:
    - Asp.Net Security Analyzer (ANSA)
    - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
    - Asp.Net Reflector
    - Online Metabase explorer

The only logical explanation that I have for this situation (since these tools DO actually work and have hundreds of companies to improve their Asp.Net hosting environments) is that Microsoft doesn't want to 'endorse' tools because all of them show how insecure and dangerous the current Trust Asp.Net environment is.

Microsoft's position speaks volumes about the current state of the since they (and their clients) would benefit tremendously from a development community continuously developing and improving these tools. The reason why Microsoft's (lack of) response is important, is Microsoft is currently one of the most active and responsive companies security issues and shows how low the current level is :-(.

For as much as I (Dinis Cruz):
    1) criticize Microsoft (publicly and privately),
    2) think that they are not doing enough, and
    3) say that they are making a massive mistake with current lack of acknowledgment (and focus) of the Full Trust Asp.Net
, based on my professional experience, I still think that Microsoft DOES TAKE Security much more Seriously than most other Software companies out there (which again shows how we are still very far away from starting to tackle the real security problems and vulnerabilities that exist in today's Web Applications).
E) My comments on ... making Money with Owasp

Before I get accused of being an idealist or a crazy-open-source-guy who lives on 'planet fantasy', I would like to that I fully understand that Money and Financial reward is a major element in our current society and way of life. I am not anti-corporations, or anti-making money.

We all need money to live, and the best model in life is when you manage to get paid to do something that you would do for free (i.e. not charge for

I have to say that lately I have been very privileged to be in that where most projects that I worked on were projects that I would gladly do free (if I could financially afford it). And what is very relevant to Owasp, is the fact that a substantial percentage of my income for the past 6 months originated in projects directly related to participation and contributions to Owasp.

Which means that I have to personally thank Owasp for the exposure that received as the leader of the Owasp-DotNet projects. So here it is: Thank you Owasp

In some ways I am a good success-story of how can directly and indirectly provide a good financial and professional reward to active and participative members.

I also would like to point out that given the current skill shortage in areas of Web Security (for example Asp.Net Security), Owasp has the opportunity to become a center' for high-skilled, reliable and effective developers all that the employers would need to do is to look at the prospective participation and contribution record)
F) My comments on ... the fact that Owasp projects have no participation from the community

In my view there are several why most Owasp Projects don't have more than 2 to 5 active
    1) lack of time: good and knowledgeable members are currently very busy and have very time to dedicate to personal projects
    2) the current '2h to start being productive' paradigm: which means that if I (for example) want to participate in a project, I will need to dedicate at least 2 hours to the project in order to start being productive (sometimes even simple things like adding content to the new website!). What we need is the '30m to start being productive' paradigm even better the '10m to start being productive paradigm' (which when functional, actually creates an environment where participants regularly spend 2 hours or more on the project). Let me give a musical analogy (for the ones that don't know, I am also a part-time professional drummer): If you want to practice a music instrument on a regular basis (for example every day), must create an environment where there is almost no effort required to start practicing (i.e. there should be no set-up time and one should be able to start practicing 5m after deciding one wants to practice a little bit). means that your musical instrument and practice environment must always set-up (e.g. drums) or plugged-in (e.g. guitar) since that will allow spontaneous practice sessions (which usually are the most productive) when the musician thinks 'I am just going to play for 10m - 15m' (which usually 'extended' into 1h to 2h sessions :) ). This creates an environment where it is easy to practice and in the musician's mind, practicing is not associated with spending 30m to set-up the practice environment.
    3) Most Owasp don't have clear 'this is what you can do to participate' and require quite a lot of work and effort by the would-be contributors
    4) Owasp membership is not big enough where there are enough people with an 'itch' problem or requirement) similar to the project leader's 'itch', which will make them go one step further and spend the time, effort and dedication required to become an active participant and member
    5) Most projects are very dependent on the availability and energy-level of the project (which usually is also its author / creator). Hopefully we will soon reach a critical mass point (the 10,000 member mark?) where the community surrounding a project is vibrant enough to compensate for the regular MIA (Missing in
    6) and probably the most important one. Collaborating in an Open Source project is VERY HARD. Sometimes I feel an urge to hit persons who make FUD claims such as 'Open Source projects are created by a network of Kids and clueless programmers' (note that I am a non-violent person and very rarely get angry). Sending a comment "humm, i clicked on this button and the application crashed" is very easy and anybody can do it; sending a comment like "I installed application and I had a problem with XYZ function which I traced back to the method AAA.BBB.CCC, and I wrote a patch for it which solved the or "I've read this 50 page document and here are my comments" is:
        - VERY HARD TO DO (since one is reading others' code
        - TAKES A LOT OF TIME,
        - REQUIRES A LOT OF CONFIDENCE (since you are in sending a criticism of someone else's work)
        - FORCES THE CONTRIBUTOR TO TAKE A POSITION (i.e. think that this is a better way to do it...") which is always a hard thing to do
        - IS VERY DEPENDENT ON THE RECEIVER'S (i.e. that

So, don't tell me that it is kids that make up the main body of of successful Open Source projects. Most successful Open Source projects have as their main contributors highly intelligent, competent, dedicated and creative IT Professionals.
G) My comments on ... Why I haven't participated in other Owasp

Following my previous points, I can now speak on the first and say that I am as guilty as anybody else for not participating in other Owasp projects.

I am particularly ashamed by not having contributed to the WebGoat, Owasp Top 10, Testing Guide and the Penetration Test guide, since I have used them professionally.

And the reasons that I have for not participating are:
    - I didn't the required time to put myself in a position where I was able to send meaningful contributions
    - Those project didn't put any pressure on me to participate and didn't actively encourage it (when one is working on several projects at the same time, unfortunately the projects that don't make any noise and are not critical tend to live permanently on the 'to-do-list-when-I-have-2-free-hours' pile)
    - There is almost documentation to help (although I do admit that I didn't make a huge effort to find it)
    - I didn't need professionally an improved version of those tools/documents (i.e. I didn't have the 'itch' that those projects are scratching)

To start contributing in these projects I needed to be given simple, quick and meaningful (i.e. could be used in the actual project) tasks '30m task' paradigm) and I have to be 'sold' on the idea of why I participate.

I must be in a position where I am proud to participate and must feel that my efforts will be appreciated.

I am assuming that if motivated and focused I would produce material of high quality and that the project leader would find valuable (although should be able to join an Owasp project, the Owasp leader has no duty to spend any time motivating and nurturing people who don't have the appropriate knowledge, attitude or commitment)

And this is the bottom line: it is leaders of these projects (WebGoat, WebScarab, Owasp Top 10, Guide and the Penetration Test list) that have the responsibility and duty to motivate me to participate, and if they don't want to do it (since that is hard and takes time), then should
    1) step down (from leaders),
    2) become 'normal' project members,
    3) continue to submit their contributions and
    4) give (i.e. assign) the leadership to another Owasp member that is willing to do it.

Now, does my lack of participation on these projects make me a 'taker'? Somebody that is 'exploiting' the work of the talented and dedicated persons who worked on these projects? Do I deserve (due to my lack of participation) to be kicked out of current mailing lists and not be a member of those projects?
H) My comments on ... Mark's influence on Owasp

I can honestly say that Mark is the main reason why I am in today.

It was his energy, principles and commitment to Openness (i.e. Open that made me join this community, donate my Asp.Net work and lead the Owasp-dotNet efforts.

Mark has also been a very good influence on me since we share the same ideals and it is always very refreshing when one meets other like-minded

Mark's departure also makes me think that I should have done more to help Owasp in 2004 and puts me in a position where I am guilty and partly responsible for his decision. The main reason I am this 'Open Letter to Owasp' is so that Mark's departure is not in vain Owasp is able to learn from its mistakes and change the current which caused one of Owasp's most important members to

Knowing how much Mark loves Owasp I can't even imagine how hard it must have been for him to take this decision.

I hope that this 'Open Letter to kick-starts a healthy discussion and is well received by the other Leaders and Members.

Do send me your comments and criticisms, and if you think that I am out of order, or what I am saying is stupid and doesn't make sense, please do let me know.

I also need to be happy in this community and if my ideas and ideals are not welcomed at Owasp, then I will have to (with a heavy heart) also quit and find (or create) another Community
I) My comments on Owasp can

Just before I get into practical solutions (because one cannot only talk, one must also present solutions), here are some ideas of where Owasp can make money:
    - Owasp Project sponsorships or Research Grants
    - Owasp Consultancy
    - Owasp Accreditations
    - Owasp Official Curriculum
    - Owasp Books and White papers
    - Owasp Products (based on the developed tools)
    - Owasp Fund raising Events (Dinners, Presentations)
    - Owasp Conferences

And what could this money be used for?
In my view it should be used to pay for:
    - Owasp Administrative services
    - Developer's time spent on specific (or sponsored)
    - Creation of Documentation
    - Packaging of Owasp Products
    - Marketing and PR
    - Sales
    - Support to Owasp's product or services
J) Ideas for the Future:

Finally, here are some ideas which hopefully will point Owasp in the right direction:
    - In the short-term, there should be no main OWASP Leader, since this position (which in my eyes currently still belongs to Mark) must be earned not given. This means that the next Owasp leader should be chosen by Leaders with full support by Owasp's community
    - Jeff should continue to have several responsibilities within Owasp management, but Owasp leaders should be able to say "I would like to take for 'XYZ' task"
    - The current Owasp leaders should do what I recommended earlier and actively encourage communities to participate in their project.
    - The current Owasp leaders should also make an effort to participate in each other's
    - A series of 30m tasks should be defined for each project, which will allow the Owasp members easily contribute and participate
    - In the short term, Owasp must have a CMS (Content Management System) solution which allows authorized members to (in minutes) and EASILY (not too many clicks) add content to the LIVE Hosting the main Owasp and individual project's websites. I don't care if this is done with the current Magnolia solution, with b-sec's (, a very Expensive donated CMS, with FrontPage, Dreamweaver or with NOTEPAD!!!! What I want is something that doesn't get in the way, and I can get my content uploaded and published to Owasp website in 10m. And (please don't kill me this), in the beginning I don't really care about how secure this system is. The first objective is to create a dynamic, vibrant and very active If we get maliciously hacked, then so be it!!! Note that I am not that Owasp should not have (and be able to provide as a template) a hosting environment. Just to avoid confusions let me say it again: "I do think that Owasp should host its content in a locked down environment which is as secure as What I am trying to say is that the current priority should be in creating communities (which could, as one of its projects build a tool to create configure secure hosting environments)
    - There must be clarity of Owasp finances and financial operations. The current lack of transparency is not healthy and doesn't promote contributions. I know that there are some short-term credibility issues with the current low-turnover but I strongly believe that the advantages of full openness are far bigger than the
    - Once the current Owasp finances are published, a short term investment plan should be created which defines what Owasp wants to do, how much money it requires, and where is that money going to come from (for example I can (through my UK make some financial contributions to OWASP)
    - A series of Products' should be created (based on the current Owasp and sold online
    - Owasp should take a much more aggressive position in the Industry and start making its Voice heard. And if this creates controversy, then so be it (the open letter sent last month was a good start). From my point of view, the moment Owasp starts to be attacked by 'respected' security companies and organizations, is the moment that Owasp is starting to do its job right and is starting to change the world
    - A formal Owasp recognition process should be created which publicly recognizes current Leaders and most active contributors (since this will help those persons' careers and will encourage others to become leaders themselves)
    - A formal 'Thank you' letter should be sent to Mark (signed by as many members as possible) as a gesture of gratitude for what he has done for Owasp
    - A meeting should take place to discuss these (and other) ideas

I hope that this made sense and if you made it this far, thanks for your patience for reading this long, rambling and of my entire 'Open Letter to Owasp'

I'm looking forward to your comments

Best regards

Dinis Cruz
PS: My apologies in advance for my spelling and grammatical errors, I am not a Native-English speaker and I currently live in the UK (which might make some of my analogies and words sound a bit weird to the
More information about the Owasp-guide mailing list