[Owasp-leaders] Would the real OWASP please stand up!
yiannis at owasp.org
Mon Sep 21 04:00:46 EDT 2009
I would be more than happy to partake on the call and assist in
formalising any suggestions that might come out from this thread.
2009/9/17 Brad Causey <bradcausey at owasp.org>:
> Well, when you put it that way, yes, I do see your point.
> Tell you what, Yiannis....
> I'd like to take your points, and discuss them on the next Global Projects
> Committee meeting. Most of these changes you mention are part of changes we
> are making as a Committee. Assuming there are no objections from the rest of
> the GPC, maybe we could devote a single meeting to this? Would it be OK to
> include Yiannis on the call?
> If everyone is strapped for time, I'll personally take Yiannis's
> suggestions, formalize them, and bring them to the next call. Is this
> acceptable to you Yiannis? (as a first step obviously)
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
> Never underestimate the time, expense, and effort an opponent will expend to
> break a code. (Robert Morris)
> On Thu, Sep 17, 2009 at 1:14 PM, Yiannis Pavlosoglou <yiannis at owasp.org>
>> I like your stand Brad, forgive me, you are missing the point; comments
>> 2009/9/17 Brad Causey <bradcausey at owasp.org>:
>> > This is more directed toward Yiannis,
>> > I do realize that the extra work you are being asked to do seems a bit
>> > of a
>> > pain in the ass. You are coder, and therefore you just want to make
>> > great
>> > code and it should be enough that you are offering your code to OWASP.
>> > How
>> > dare us ask you for anything. I get that.
>> Coder? No; from getting DVDs burned to sending out the first member
>> packs (with the help of Dinis, Eion and others) there are a lot of
>> people in this coder category: actually the code that we write is
>> pretty terrible: OWASP doesn't know what to do with us and classifies
>> folks with the coder or equivalent tag.
>> This is a wake up call, regardless of labels and tags, in the process
>> of one of the coders trying to see why things are not getting done, he
>> picked up a ton of feedback on the same issues not been addressed over
>> and over again.
>> > One of the reasons you are seeing more 'fluff' as of late is that we as
>> > an
>> > organization have identified a few weak points in our delivery of said
>> > 'great code' or 'great documentation'.
>> So you create a layer above the projects to push for better
>> documentation. How about the fedora model of "people to do the
>> documentation are needed?" Typically, great documentation is achieved
>> by bringing in a layer below that of the software project in question;
>> look at apache as well as ubuntu and many others.
>> > As part of the mission of OWASP, we are trying to further grow the
>> > awareness
>> > of application security. Part of that, is helping those folks out there
>> > be
>> > aware of these projects and why they are important. JbroFuzz will get
>> > used
>> > much more if people know it exists, have a reasonable expectation of its
>> > current quality, and have some idea of what it does. Without these
>> > things,
>> > what differentiates us from the 'security' section of sourceforge?
>> I would argue searching for 'fuzzer' on sourceforge is far better than
>> browsing the owasp site under projects. Who cares if you clasify it as
>> alpha, beta, or release within OWASP? I can sort by downloads,
>> popularity, there are some metrics which actually relate to what
>> people like to use, instead of self-made checklists.
>> So we develop a tutorial section for a tool, to raise its publicity,
>> spend some money in putting videos together on how to ethically hack
>> using OWASP tools, but how can I do any of that when I am wasting my
>> time trying to get through information for documents?
>> And here you have it, a tool constantly ranked within the first 10000
>> on sourceforge with 16000 downloads in its lifespan, still alpha
>> within owasp. Forget JBroFuzz, I do not care about its ranking, but
>> can you see the problem?
>> > I guess what I am saying is that you are confused about what we expect
>> > from
>> > 'project leaders', we expect someone to lead a project, from every
>> > aspect.
>> > If we wanted coders, you'd be called a coder, and you wouldn't be
>> > posting to
>> > the leader's mailing list.
>> You want me to lead? Fine, give me something to lead and get out the
>> way; instead of increasing the pressure and walking away by providing
>> templates, assign a couple of folks on the doc side, giving them OWASP
>> exposure and the pamphlets will be done and dusted in a week.
>> But doing so, while worrying about the commits, updating the payloads,
>> checking for cross platform issues, really the stuff that matters
>> takes priority.
>> > I'm not attacking you, because I do agree to some extent with some of
>> > your
>> > statements. We do need some checks and balances on a lot of things. But
>> > lets
>> > be real, you've been asked for 3 slides and some 'fluff' work about your
>> > project so we can HELP YOU promote your great code.
>> I don't take this as an attack; would like to be part of something
>> that is respected in info-sec, maybe we are wasting a lot of time away
>> here and there.
>> 3 slides and fluff:
>> Last year it was getting the code scanned through Fortify (try getting
>> that one done while working for Ounce) and having help embedded in the
>> Then we have the self-assessment being required to be filled in under
>> the threat that your project is being suspended (still have that email
>> Now in recent months, don't know why, we have 2 different roadmaps,
>> plus Paulo having to go away and update 'fluff' in every release.
>> How come and sourceforge just picks it up from the subversion commits?
>> Keep it alpha, remove it (I am flirting with the idea) from the
>> website, pick one of the decks that I have previously used for
>> presentations, but please, no more requests on fluff!
>> There is always one more step; whenever someone offers anything
>> healthy within OWASP, other folk try to bolt on top anything they can
>> get away with. So what's going to be the requirement next
>> > If I missed something, please let me know.
>> > -Brad Causey
>> > CISSP, MCSE, C|EH, CIFI, CGSP
>> > http://www.owasp.org
>> > --
>> > Never underestimate the time, expense, and effort an opponent will
>> > expend to
>> > break a code. (Robert Morris)
>> > --
>> > On Thu, Sep 17, 2009 at 11:00 AM, McGovern, James F (HTSC, IT)
>> > <James.McGovern at thehartford.com> wrote:
>> >> My thoughts inline
>> >> -----Original Message-----
>> >> From: owasp-leaders-bounces at lists.owasp.org
>> >> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>> >> Pavlosoglou
>> >> Sent: Thursday, September 17, 2009 11:41 AM
>> >> To: owasp-leaders at lists.owasp.org
>> >> Subject: [Owasp-leaders] Would the real OWASP please stand up!
>> >> * You turn up to any other security meeting, you don't even mention the
>> >> acronym without getting looked badly upon
>> >> [JFM] OWASP takes the high road and has lots of integrity in its
>> >> approach. This has the side effect of torquing those who have less
>> >> values.
>> >> * People actually tell me that they avoid going to particular chapter
>> >> meetings, because they are sick and tired of presenters implicitly
>> >> trying to sell their own company/service/tool
>> >> [JFM] This says that OWASP needs needs to figure out a method of
>> >> diversifying its chapter leaders. I can say that I have never attempted
>> >> to sell annuities at the Hartford chapter meeting :-)
>> >> * Chapter leaders do not want to go their own folks and ask for
>> >> donations; people that they have been together with from the beginning
>> >> of their security careers
>> >> [JFM] I think many of us feel that way. I only have enough courage to
>> >> ask for donations of those who hit me up for the same. Think Girl Scout
>> >> cookies, Lance Armstrong bracelets, etc
>> >> * You want a marketing department? Go hire one! The time that it takes
>> >> me to add double encoding payloads for sharepoint into JBroFuzz is the
>> >> time wasted on self assessment criteria. Project leader's ego aside,
>> >> which one is better?
>> >> [JFM] Expecting a bunch of techies to do marketing at best will result
>> >> in mediocrity. We should revive the notion of a separate OWASP PR
>> >> project :-)
>> >> ************************************************************
>> >> This communication, including attachments, is for the exclusive use of
>> >> addressee and may contain proprietary, confidential and/or privileged
>> >> information. If you are not the intended recipient, any use, copying,
>> >> disclosure, dissemination or distribution is strictly prohibited. If
>> >> you
>> >> are not the intended recipient, please notify the sender immediately by
>> >> return e-mail, delete this communication and destroy all copies.
>> >> ************************************************************
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
More information about the OWASP-Leaders