[Owasp-leaders] Would the real OWASP please stand up!

Yiannis Pavlosoglou yiannis at owasp.org
Thu Sep 17 14:14:05 EDT 2009

I like your stand, Brad, but forgive me, you are missing the point; comments in-line:

2009/9/17 Brad Causey <bradcausey at owasp.org>:
> This is more directed toward Yiannis,
> I do realize that the extra work you are being asked to do seems a bit of a
> pain in the ass. You are a coder, and therefore you just want to make great
> code and it should be enough that you are offering your code to OWASP. How
> dare we ask you for anything. I get that.

Coder? No; from getting DVDs burned to sending out the first member
packs (with the help of Dinis, Eion and others), there are a lot of
people in this "coder" category. Actually, the code that we write is
pretty terrible: OWASP doesn't know what to do with us and classifies
folks with the coder or equivalent tag.

This is a wake-up call. Regardless of labels and tags, in the process
of one of the coders trying to see why things are not getting done, he
picked up a ton of feedback on the same issues not being addressed over
and over again.

> One of the reasons you are seeing more 'fluff' as of late is that we as an
> organization have identified a few weak points in our delivery of said
> 'great code' or 'great documentation'.

So you create a layer above the projects to push for better
documentation. How about the Fedora model of "people to do the
documentation are needed"? Typically, great documentation is achieved
by bringing in a layer below that of the software project in question;
look at Apache as well as Ubuntu and many others.

> As part of the mission of OWASP, we are trying to further grow the awareness
> of application security. Part of that, is helping those folks out there be
> aware of these projects and why they are important. JbroFuzz will get used
> much more if people know it exists, have a reasonable expectation of its
> current quality, and have some idea of what it does. Without these things,
> what differentiates us from the 'security' section of sourceforge?

I would argue searching for 'fuzzer' on SourceForge is far better than
browsing the OWASP site under projects. Who cares if you classify it as
alpha, beta, or release within OWASP? I can sort by downloads or
popularity; there are some metrics which actually relate to what
people like to use, instead of self-made checklists.

So we develop a tutorial section for a tool, to raise its publicity,
spend some money in putting videos together on how to ethically hack
using OWASP tools, but how can I do any of that when I am wasting my
time trying to get through information for documents?

And here you have it: a tool constantly ranked within the first 10000
on SourceForge, with 16000 downloads in its lifespan, still alpha
within OWASP. Forget JBroFuzz, I do not care about its ranking, but
can you see the problem?

> I guess what I am saying is that you are confused about what we expect from
> 'project leaders', we expect someone to lead a project, from every aspect.
> If we wanted coders, you'd be called a coder, and you wouldn't be posting to
> the leader's mailing list.

You want me to lead? Fine, give me something to lead and get out of the
way; instead of increasing the pressure and walking away by providing
templates, assign a couple of folks on the doc side, giving them OWASP
exposure, and the pamphlets will be done and dusted in a week.

But doing so, while worrying about the commits, updating the payloads,
checking for cross-platform issues... really, the stuff that matters
takes priority.

> I'm not attacking you, because I do agree to some extent with some of your
> statements. We do need some checks and balances on a lot of things. But lets
> be real, you've been asked for 3 slides and some 'fluff' work about your
> project so we can HELP YOU promote your great code.

I don't take this as an attack; I would like to be part of something
that is respected in info-sec, maybe we are wasting a lot of time away
here and there.

3 slides and fluff:

Last year it was getting the code scanned through Fortify (try getting
that one done while working for Ounce) and having help embedded in the

Then we have the self-assessment being required to be filled in under
the threat that your project is being suspended (still have that email

Now in recent months, don't know why, we have 2 different roadmaps,
plus Paulo having to go away and update 'fluff' in every release.

How come SourceForge just picks it up from the Subversion commits?

Keep it alpha, remove it (I am flirting with the idea) from the
website, pick one of the decks that I have previously used for
presentations, but please, no more requests on fluff!

There is always one more step; whenever someone offers anything
healthy within OWASP, other folk try to bolt on top anything they can
get away with. So what's going to be the requirement next?

> If I missed something, please let me know.
> -Brad Causey
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend to
> break a code. (Robert Morris)
> --
> On Thu, Sep 17, 2009 at 11:00 AM, McGovern, James F (HTSC, IT)
> <James.McGovern at thehartford.com> wrote:
>>  My thoughts inline
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>> Pavlosoglou
>> Sent: Thursday, September 17, 2009 11:41 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: [Owasp-leaders] Would the real OWASP please stand up!
>> * You turn up to any other security meeting, you don't even mention the
>> acronym without getting looked badly upon
>> [JFM] OWASP takes the high road and has lots of integrity in its
>> approach. This has the side effect of torquing those who have less
>> values.
>> * People actually tell me that they avoid going to particular chapter
>> meetings, because they are sick and tired of presenters implicitly
>> trying to sell their own company/service/tool
>> [JFM] This says that OWASP needs to figure out a method of
>> diversifying its chapter leaders. I can say that I have never attempted
>> to sell annuities at the Hartford chapter meeting :-)
>> * Chapter leaders do not want to go their own folks and ask for
>> donations; people that they have been together with from the beginning
>> of their security careers
>> [JFM] I think many of us feel that way. I only have enough courage to
>> ask for donations of those who hit me up for the same. Think Girl Scout
>> cookies, Lance Armstrong bracelets, etc
>> * You want a marketing department? Go hire one! The time that it takes
>> me to add double encoding payloads for SharePoint into JBroFuzz is the
>> time wasted on self-assessment criteria. Project leader's ego aside,
>> which one is better?
>> [JFM] Expecting a bunch of techies to do marketing at best will result
>> in mediocrity. We should revive the notion of a separate OWASP PR
>> project :-)
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
