[Owasp-leaders] Would the real OWASP please stand up!

Paulo Coimbra paulo.coimbra at owasp.org
Thu Sep 17 16:46:39 EDT 2009


Yiannis,

"Then we have the self-assessment being required to be filled in under the
threat that your project is being suspended (still have that email
somewhere)".

Could you please give us more details?

I am relatively new in OWASP but I have never seen the kind of behaviour you
refer to. As far as I can understand, OWASP is an open organization in which
threats have no place at all.

Thanks,

Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
Pavlosoglou
Sent: Thursday, 17 September 2009 19:14
To: bradcausey at owasp.org; owasp-leaders at lists.owasp.org
Cc: GPC; OWASP Global Projects Committee
Subject: Re: [Owasp-leaders] Would the real OWASP please stand up!

 

I like your stand Brad, forgive me, you are missing the point; comments
in-line:

2009/9/17 Brad Causey <bradcausey at owasp.org>:
> This is more directed toward Yiannis,
>
> I do realize that the extra work you are being asked to do seems a bit
> of a pain in the ass. You are a coder, and therefore you just want to
> make great code and it should be enough that you are offering your
> code to OWASP. How dare us ask you for anything. I get that.

Coder? No; from getting DVDs burned to sending out the first member packs
(with the help of Dinis, Eion and others) there are a lot of people in this
coder category: actually the code that we write is pretty terrible: OWASP
doesn't know what to do with us and classifies folks with the coder or
equivalent tag.

This is a wake-up call, regardless of labels and tags; in the process of one
of the coders trying to see why things are not getting done, he picked up a
ton of feedback on the same issues not being addressed over and over again.

> One of the reasons you are seeing more 'fluff' as of late is that we
> as an organization have identified a few weak points in our delivery
> of said 'great code' or 'great documentation'.

So you create a layer above the projects to push for better documentation.
How about the Fedora model of "people to do the documentation are needed"?
Typically, great documentation is achieved by bringing in a layer below that
of the software project in question; look at Apache as well as Ubuntu and
many others.

> As part of the mission of OWASP, we are trying to further grow the
> awareness of application security. Part of that is helping those
> folks out there be aware of these projects and why they are important.
> JbroFuzz will get used much more if people know it exists, have a
> reasonable expectation of its current quality, and have some idea of
> what it does. Without these things, what differentiates us from the
> 'security' section of sourceforge?

I would argue searching for 'fuzzer' on sourceforge is far better than
browsing the OWASP site under projects. Who cares if you classify it as
alpha, beta, or release within OWASP? I can sort by downloads, popularity;
there are some metrics which actually relate to what people like to use,
instead of self-made checklists.

So we develop a tutorial section for a tool, to raise its publicity, spend
some money in putting videos together on how to ethically hack using OWASP
tools, but how can I do any of that when I am wasting my time trying to get
through information for documents?

And here you have it, a tool constantly ranked within the first 10000 on
sourceforge with 16000 downloads in its lifespan, still alpha within OWASP.
Forget JBroFuzz, I do not care about its ranking, but can you see the
problem?

> I guess what I am saying is that you are confused about what we expect
> from 'project leaders', we expect someone to lead a project, from every
> aspect.
> If we wanted coders, you'd be called a coder, and you wouldn't be
> posting to the leader's mailing list.

You want me to lead? Fine, give me something to lead and get out of the way;
instead of increasing the pressure and walking away by providing templates,
assign a couple of folks on the doc side, giving them OWASP exposure, and the
pamphlets will be done and dusted in a week.

But doing so, while worrying about the commits, updating the payloads,
checking for cross-platform issues: really, the stuff that matters takes
priority.

> I'm not attacking you, because I do agree to some extent with some of
> your statements. We do need some checks and balances on a lot of
> things. But let's be real, you've been asked for 3 slides and some
> 'fluff' work about your project so we can HELP YOU promote your great
> code.

I don't take this as an attack; I would like to be part of something that is
respected in info-sec, maybe we are wasting a lot of time away here and
there.

3 slides and fluff:

Last year it was getting the code scanned through Fortify (try getting that
one done while working for Ounce) and having help embedded in the tool.

Then we have the self-assessment being required to be filled in under the
threat that your project is being suspended (still have that email
somewhere).

Now in recent months, don't know why, we have 2 different roadmaps, plus
Paulo having to go away and update 'fluff' in every release.

How come, and sourceforge just picks it up from the subversion commits?

Keep it alpha, remove it (I am flirting with the idea) from the website,
pick one of the decks that I have previously used for presentations, but
please, no more requests on fluff!

There is always one more step; whenever someone offers anything healthy
within OWASP, other folk try to bolt on top anything they can get away with.
So what's going to be the requirement next month/year/version_2.1?

> If I missed something, please let me know.
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will
> expend to break a code. (Robert Morris)
> --
>

> On Thu, Sep 17, 2009 at 11:00 AM, McGovern, James F (HTSC, IT)
> <James.McGovern at thehartford.com> wrote:
>>
>> My thoughts inline
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>> Pavlosoglou
>> Sent: Thursday, September 17, 2009 11:41 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: [Owasp-leaders] Would the real OWASP please stand up!
>>
>> * You turn up to any other security meeting, you don't even mention
>> the acronym without getting looked badly upon
>>
>> [JFM] OWASP takes the high road and has lots of integrity in its
>> approach. This has the side effect of torquing those who have less
>> values.
>>
>> * People actually tell me that they avoid going to particular chapter
>> meetings, because they are sick and tired of presenters implicitly
>> trying to sell their own company/service/tool
>>
>> [JFM] This says that OWASP needs to figure out a method of
>> diversifying its chapter leaders. I can say that I have never
>> attempted to sell annuities at the Hartford chapter meeting :-)
>>
>> * Chapter leaders do not want to go to their own folks and ask for
>> donations; people that they have been together with from the
>> beginning of their security careers
>>
>> [JFM] I think many of us feel that way. I only have enough courage to
>> ask for donations of those who hit me up for the same. Think Girl
>> Scout cookies, Lance Armstrong bracelets, etc.
>>
>> * You want a marketing department? Go hire one! The time that it
>> takes me to add double encoding payloads for SharePoint into JBroFuzz
>> is the time wasted on self assessment criteria. Project leader's ego
>> aside, which one is better?
>>
>> [JFM] Expecting a bunch of techies to do marketing at best will
>> result in mediocrity. We should revive the notion of a separate OWASP
>> PR project :-)
>>


>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
