[Owasp-leaders] Would the real OWASP please stand up!

Yiannis Pavlosoglou yiannis at owasp.org
Mon Sep 21 04:13:46 EDT 2009


Hi Paulo,

Email on the 10/05/2009 16:54 GMT entitled: "[GPC] Your project -
OWASP JBroFuzz - has been identified as INACTIVE - Action is required!"

This is in between the release of JBroFuzz 1.3 on Wed Mar 11 2009
23:40 and 1.4 on Mon Jun 15 2009 06:16 (sourceforge timestamps) and
while code was being committed regularly.

Hope this helps,

Yiannis

2009/9/17 Paulo Coimbra <paulo.coimbra at owasp.org>:
> Yiannis,
>
> “Then we have the self-assessment being required to be filled in under the
> threat that your project is being suspended (still have that email
> somewhere)”.
>
> Could you please give us more details?
>
> I am relatively new in OWASP but I have never seen the kind of behaviour you
> refer to. As far as I can understand, OWASP is an open organization in which
> threats have no place at all.
>
> Thanks,
>
> Paulo Coimbra,
> OWASP Project Manager
>
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
> Pavlosoglou
> Sent: Thursday, 17 September 2009 19:14
> To: bradcausey at owasp.org; owasp-leaders at lists.owasp.org
> Cc: GPC; OWASP Global Projects Committee
> Subject: Re: [Owasp-leaders] Would the real OWASP please stand up!
>
> I like your stand Brad, forgive me, you are missing the point; comments
> in-line:
>
> 2009/9/17 Brad Causey <bradcausey at owasp.org>:
>
>> This is more directed toward Yiannis,
>>
>> I do realize that the extra work you are being asked to do seems a bit
>> of a pain in the ass. You are a coder, and therefore you just want to
>> make great code and it should be enough that you are offering your
>> code to OWASP. How dare us ask you for anything. I get that.
>
> Coder? No; from getting DVDs burned to sending out the first member packs
> (with the help of Dinis, Eion and others) there are a lot of people in this
> coder category: actually the code that we write is pretty terrible: OWASP
> doesn't know what to do with us and classifies folks with the coder or
> equivalent tag.
>
> This is a wake up call, regardless of labels and tags, in the process of one
> of the coders trying to see why things are not getting done, he picked up a
> ton of feedback on the same issues not being addressed over and over again.
>
>>
>> One of the reasons you are seeing more 'fluff' as of late is that we
>> as an organization have identified a few weak points in our delivery
>> of said 'great code' or 'great documentation'.
>
> So you create a layer above the projects to push for better documentation.
> How about the fedora model of "people to do the documentation are needed?"
> Typically, great documentation is achieved by bringing in a layer below that
> of the software project in question; look at apache as well as ubuntu and
> many others.
>
>>
>> As part of the mission of OWASP, we are trying to further grow the
>> awareness of application security. Part of that, is helping those
>> folks out there be aware of these projects and why they are important.
>> JbroFuzz will get used much more if people know it exists, have a
>> reasonable expectation of its current quality, and have some idea of
>> what it does. Without these things, what differentiates us from the
>> 'security' section of sourceforge?
>
> I would argue searching for 'fuzzer' on sourceforge is far better than
> browsing the owasp site under projects. Who cares if you classify it as
> alpha, beta, or release within OWASP? I can sort by downloads, popularity,
> there are some metrics which actually relate to what people like to use,
> instead of self-made checklists.
>
> So we develop a tutorial section for a tool, to raise its publicity, spend
> some money in putting videos together on how to ethically hack using OWASP
> tools, but how can I do any of that when I am wasting my time trying to get
> through information for documents?
>
> And here you have it, a tool constantly ranked within the first 10000 on
> sourceforge with 16000 downloads in its lifespan, still alpha within owasp.
> Forget JBroFuzz, I do not care about its ranking, but can you see the
> problem?
>
>>
>> I guess what I am saying is that you are confused about what we expect
>> from 'project leaders', we expect someone to lead a project, from every
>> aspect.
>> If we wanted coders, you'd be called a coder, and you wouldn't be
>> posting to the leader's mailing list.
>
> You want me to lead? Fine, give me something to lead and get out the way;
> instead of increasing the pressure and walking away by providing templates,
> assign a couple of folks on the doc side, giving them OWASP exposure and the
> pamphlets will be done and dusted in a week.
>
> But doing so, while worrying about the commits, updating the payloads,
> checking for cross platform issues, really the stuff that matters takes
> priority.
>
>>
>> I'm not attacking you, because I do agree to some extent with some of
>> your statements. We do need some checks and balances on a lot of
>> things. But let's be real, you've been asked for 3 slides and some
>> 'fluff' work about your project so we can HELP YOU promote your great
>> code.
>
> I don't take this as an attack; would like to be part of something that is
> respected in info-sec, maybe we are wasting a lot of time away here and
> there.
>
> 3 slides and fluff:
>
> Last year it was getting the code scanned through Fortify (try getting that
> one done while working for Ounce) and having help embedded in the tool
>
> Then we have the self-assessment being required to be filled in under the
> threat that your project is being suspended (still have that email
> somewhere)
>
> Now in recent months, don't know why, we have 2 different roadmaps, plus
> Paulo having to go away and update 'fluff' in every release.
>
> How come sourceforge just picks it up from the subversion commits?
>
> Keep it alpha, remove it (I am flirting with the idea) from the website,
> pick one of the decks that I have previously used for presentations, but
> please, no more requests on fluff!
>
> There is always one more step; whenever someone offers anything healthy
> within OWASP, other folk try to bolt on top anything they can get away with.
> So what's going to be the requirement next month/year/version_2.1?
>
>>
>> If I missed something, please let me know.
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will
>> expend to break a code. (Robert Morris)
>> --
>>
>> On Thu, Sep 17, 2009 at 11:00 AM, McGovern, James F (HTSC, IT)
>> <James.McGovern at thehartford.com> wrote:
>>>
>>> My thoughts inline
>>>
>>> -----Original Message-----
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>>> Pavlosoglou
>>> Sent: Thursday, September 17, 2009 11:41 AM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: [Owasp-leaders] Would the real OWASP please stand up!
>>>
>>> * You turn up to any other security meeting, you don't even mention
>>> the acronym without getting looked badly upon
>>>
>>> [JFM] OWASP takes the high road and has lots of integrity in its
>>> approach. This has the side effect of torquing those who have less
>>> values.
>>>
>>> * People actually tell me that they avoid going to particular chapter
>>> meetings, because they are sick and tired of presenters implicitly
>>> trying to sell their own company/service/tool
>>>
>>> [JFM] This says that OWASP needs to figure out a method of
>>> diversifying its chapter leaders. I can say that I have never
>>> attempted to sell annuities at the Hartford chapter meeting :-)
>>>
>>> * Chapter leaders do not want to go to their own folks and ask for
>>> donations; people that they have been together with from the
>>> beginning of their security careers
>>>
>>> [JFM] I think many of us feel that way. I only have enough courage to
>>> ask for donations of those who hit me up for the same. Think Girl
>>> Scout cookies, Lance Armstrong bracelets, etc
>>>
>>> * You want a marketing department? Go hire one! The time that it
>>> takes me to add double encoding payloads for sharepoint into JBroFuzz
>>> is the time wasted on self assessment criteria. Project leader's ego
>>> aside, which one is better?
>>>
>>> [JFM] Expecting a bunch of techies to do marketing at best will
>>> result in mediocrity. We should revive the notion of a separate OWASP
>>> PR project :-)
>>>
>>> _______________________________________________
>
>>> OWASP-Leaders mailing list
>
>>> OWASP-Leaders at lists.owasp.org
>
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>

