[Owasp-leaders] Would the real OWASP please stand up!

Brad Causey bradcausey at owasp.org
Thu Sep 17 14:22:36 EDT 2009


Well, when you put it that way, yes, I do see your point.

Tell you what, Yiannis....

I'd like to take your points, and discuss them on the next Global Projects
Committee meeting. Most of these changes you mention are part of changes we
are making as a Committee. Assuming there are no objections from the rest of
the GPC, maybe we could devote a single meeting to this? Would it be OK to
include Yiannis on the call?

If everyone is strapped for time, I'll personally take Yiannis's
suggestions, formalize them, and bring them to the next call. Is this
acceptable to you Yiannis? (as a first step obviously)


-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--


On Thu, Sep 17, 2009 at 1:14 PM, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:

> I like your stand Brad, forgive me, you are missing the point; comments
> in-line:
>
> 2009/9/17 Brad Causey <bradcausey at owasp.org>:
> > This is more directed toward Yiannis,
> >
> > I do realize that the extra work you are being asked to do seems a bit of a
> > pain in the ass. You are a coder, and therefore you just want to make great
> > code and it should be enough that you are offering your code to OWASP. How
> > dare us ask you for anything. I get that.
>
> Coder? No; from getting DVDs burned to sending out the first member
> packs (with the help of Dinis, Eion and others) there are a lot of
> people in this coder category: actually the code that we write is
> pretty terrible: OWASP doesn't know what to do with us and classifies
> folks with the coder or equivalent tag.
>
> This is a wake up call, regardless of labels and tags, in the process
> of one of the coders trying to see why things are not getting done, he
> picked up a ton of feedback on the same issues not been addressed over
> and over again.
>
> >
> > One of the reasons you are seeing more 'fluff' as of late is that we as an
> > organization have identified a few weak points in our delivery of said
> > 'great code' or 'great documentation'.
>
> So you create a layer above the projects to push for better
> documentation. How about the fedora model of "people to do the
> documentation are needed?" Typically, great documentation is achieved
> by bringing in a layer below that of the software project in question;
> look at apache as well as ubuntu and many others.
>
> >
> > As part of the mission of OWASP, we are trying to further grow the awareness
> > of application security. Part of that, is helping those folks out there be
> > aware of these projects and why they are important. JbroFuzz will get used
> > much more if people know it exists, have a reasonable expectation of its
> > current quality, and have some idea of what it does. Without these things,
> > what differentiates us from the 'security' section of sourceforge?
>
> I would argue searching for 'fuzzer' on sourceforge is far better than
> browsing the owasp site under projects. Who cares if you classify it as
> alpha, beta, or release within OWASP? I can sort by downloads,
> popularity, there are some metrics which actually relate to what
> people like to use, instead of self-made checklists.
>
> So we develop a tutorial section for a tool, to raise its publicity,
> spend some money in putting videos together on how to ethically hack
> using OWASP tools, but how can I do any of that when I am wasting my
> time trying to get through information for documents?
>
> And here you have it, a tool constantly ranked within the first 10000
> on sourceforge with 16000 downloads in its lifespan, still alpha
> within owasp. Forget JBroFuzz, I do not care about its ranking, but
> can you see the problem?
>
> >
> > I guess what I am saying is that you are confused about what we expect from
> > 'project leaders', we expect someone to lead a project, from every aspect.
> > If we wanted coders, you'd be called a coder, and you wouldn't be posting to
> > the leader's mailing list.
>
> You want me to lead? Fine, give me something to lead and get out of the
> way; instead of increasing the pressure and walking away by providing
> templates, assign a couple of folks on the doc side, giving them OWASP
> exposure and the pamphlets will be done and dusted in a week.
>
> But doing so, while worrying about the commits, updating the payloads,
> checking for cross platform issues, really the stuff that matters
> takes priority.
>
> >
> > I'm not attacking you, because I do agree to some extent with some of your
> > statements. We do need some checks and balances on a lot of things. But let's
> > be real, you've been asked for 3 slides and some 'fluff' work about your
> > project so we can HELP YOU promote your great code.
>
> I don't take this as an attack; would like to be part of something
> that is respected in info-sec, maybe we are wasting a lot of time away
> here and there.
>
> 3 slides and fluff:
>
> Last year it was getting the code scanned through Fortify (try getting
> that one done while working for Ounce) and having help embedded in the
> tool
>
> Then we have the self-assessment being required to be filled in under
> the threat that your project is being suspended (still have that email
> somewhere)
>
> Now in recent months, don't know why, we have 2 different roadmaps,
> plus Paulo having to go away and update 'fluff' in every release.
>
> How come and sourceforge just picks it up from the subversion commits?
>
> Keep it alpha, remove it (I am flirting with the idea) from the
> website, pick one of the decks that I have previously used for
> presentations, but please, no more requests on fluff!
>
> There is always one more step; whenever someone offers anything
> healthy within OWASP, other folk try to bolt on top anything they can
> get away with. So what's going to be the requirement next
> month/year/version_2.1?
>
> >
> > If I missed something, please let me know.
> >
> >
> >
> >
> > -Brad Causey
> > CISSP, MCSE, C|EH, CIFI, CGSP
> >
> > http://www.owasp.org
> > --
> > Never underestimate the time, expense, and effort an opponent will expend to
> > break a code. (Robert Morris)
> > --
> >
> >
> > On Thu, Sep 17, 2009 at 11:00 AM, McGovern, James F (HTSC, IT)
> > <James.McGovern at thehartford.com> wrote:
> >>
> >>  My thoughts inline
> >>
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org
> >> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
> >> Pavlosoglou
> >> Sent: Thursday, September 17, 2009 11:41 AM
> >> To: owasp-leaders at lists.owasp.org
> >> Subject: [Owasp-leaders] Would the real OWASP please stand up!
> >>
> >> * You turn up to any other security meeting, you don't even mention the
> >> acronym without getting looked badly upon
> >>
> >> [JFM] OWASP takes the high road and has lots of integrity in its
> >> approach. This has the side effect of torquing those who have less
> >> values.
> >>
> >> * People actually tell me that they avoid going to particular chapter
> >> meetings, because they are sick and tired of presenters implicitly
> >> trying to sell their own company/service/tool
> >>
> >> [JFM] This says that OWASP needs to figure out a method of
> >> diversifying its chapter leaders. I can say that I have never attempted
> >> to sell annuities at the Hartford chapter meeting :-)
> >>
> >> * Chapter leaders do not want to go their own folks and ask for
> >> donations; people that they have been together with from the beginning
> >> of their security careers
> >>
> >> [JFM] I think many of us feel that way. I only have enough courage to
> >> ask for donations of those who hit me up for the same. Think Girl Scout
> >> cookies, Lance Armstrong bracelets, etc
> >>
> >> * You want a marketing department? Go hire one! The time that it takes
> >> me to add double encoding payloads for sharepoint into JBroFuzz is the
> >> time wasted on self assessment criteria. Project leader's ego aside,
> >> which one is better?
> >>
> >> [JFM] Expecting a bunch of techies to do marketing at best will result
> >> in mediocrity. We should revive the notion of a separate OWASP PR
> >> project :-)
> >>
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> >
>