[Owasp-leaders] Fwd: Stepping down as Board Member
eoin.keary at owasp.org
Mon Feb 14 11:55:12 EST 2011
So you are of the opinion that writing code is of paramount importance
regardless of whether it's done right? Let's write millions of lines of code
that only a few care about (consultants), or assist developers to code
properly by using teaching aids, example-driven techniques etc. (e.g. the
"teach a man to fish..." principle fits nicely around the guides etc.).
Point is, just because you write a guide does not mutually exclude you from
being a coder. I have been writing code for over 10 years but I've also
assisted with SAMM, ASVS, CRG and TG. Does that make me a coder or a policy
writer? Can I be both?
I don't think you could call the Dev, TG or CRG policy documents?? I
believe we call them guides.
On Mon, Feb 14, 2011 at 4:20 PM, John Wilander <john.wilander at owasp.org> wrote:
> 2011/2/14 Eoin <eoin.keary at owasp.org>
>> Code orientated?
>> Board members have been involved or lead projects such as testing guide,
>> code review guide, ASVS, ESAPI, Top 10 (and cheat sheets), Live CD Project,
>> .....so from the above the majority of the board are coders, app testers,
>> inventors so not sure what your point is....?
> The projects you list are well-known, successful, and important. I hail
> their project leaders. But you and I apparently have different views on what
> code and coding is. I'll try to explain.
> Let me start by citing Scott Adams: "The Dilbert Principle":
> *If you’re writing code for a new software release, that’s fundamental,
> because you’re improving the product. But if you’re creating a policy about
> writing software then you’re one level removed.*
> The term "code-oriented" is fuzzy. So to be concrete – *I'd like at least
> two board members to write production code weekly*. With that in mind,
> let's review the project list:
> - Testing guide – not code
> - Code review guide – not code
> - ASVS – not code
> - ESAPI – code!
> - Top 10 – not code
> - Cheat sheets – code snippets
> - Live CD Project – not code
> - WebGoat – code, but last release nine months ago
> I really appreciate all the projects above and all the work that has gone
> into them. Credit to their contributors! But we still need production code
> writers on the board.
> Why? Because coders and non-coders typically don't understand each other.
> So many business cases have never been pursued and so many software projects
> have been derailed because of this. Developers having to explain their
> "black magic" daily, estimates turning into negotiations, business
> requirements totally misunderstood, simple solutions missed,
> security/maintainability/testing not prioritized etc.
> Coders and non-coders need to be on the board for OWASP to be successful.
> Otherwise we'll end up exactly like the dead software companies in the
> beehive metaphor. And if we make OWASP more formal and structured the coders
> will not run for the board.
> Dan Kaminsky put it this way:
> *Generally, the bright line is "did you ship production software". Static
> HTML doesn't count.*
> This is not a war between coders and non-coders. It's just me saying we
> lost one of the board's coders in Dinis and I want a new one for the sake of
> Regards, John
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> Conf Comm,