[Owasp-leaders] Fwd: Stepping down as Board Member

James McGovern JMcGovern at virtusa.com
Mon Feb 14 12:14:52 EST 2011

There are people who don't write code on a daily or even weekly basis
but can still provide immense value. I would propose that the OWASP
board in some ways mirror the typical IT organization at large as a way
of attracting interest through multiple lenses. When I started in IT in
1983 (High School working for Cigna), 95% of all IT professionals knew
how to code. Nowadays, if you get 25% then you are in a world-class
organization that I would love to work for.


If OWASP for example, had an IT auditor on board, could they provide
guidance as to how the audit community could embrace OWASP principles
and practices? If OWASP had someone from the PMP community on board,
could they help find better ways of planning for security as part of the
project lifecycle instead of watching it be continually shortcutted
by developers? If OWASP had a famous CIO on board, could they explain to
other CIOs how to build security in using their vocabulary instead of
that of developers?


Code or no coding is a fascinating lens to see things through. I tend to
think in terms of what does it take to secure an ecosystem from
conception to retirement which requires more than just code.


James McGovern


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John
Sent: Monday, February 14, 2011 11:20 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Fwd: Stepping down as Board Member


2011/2/14 Eoin <eoin.keary at owasp.org>

	Code orientated? 

	Board members have been involved or lead projects such as
testing guide, code review guide, ASVS, ESAPI, Top 10 (and cheat
sheets), Live CD Project, WebGoat 

	.....so from the above the majority of the board are coders, app
testers, inventors so not sure what ur point is....?

The projects you list are well-known, successful, and important. I hail
their project leaders. But you and I apparently have different views on
what code and coding is. I'll try to explain.

Let me start by citing Scott Adams: "The Dilbert Principle":

If you're writing code for a new software release, that's fundamental,
because you're improving the product. But if you're creating a policy
about writing software then you're one level removed.

The term "code-oriented" is fuzzy. So to be concrete - I'd like at least
two board members to write production code weekly. With that in mind,
let's review the project list:

*	Testing guide - not code
*	Code review guide - not code
*	ASVS - not code
*	ESAPI - code!
*	Top 10 - not code
*	Cheat sheets - code snippets
*	Live CD Project - not code
*	WebGoat - code, but last release nine months ago

I really appreciate all the projects above and all the work that has
gone into them. Credit to their contributors! But we still need
production code writers on the board.

Why? Because coders and non-coders typically don't understand each
other. So many business cases have never been pursued and so many
software projects have been derailed because of this. Developers having
to explain their "black magic" daily, estimates turning into
negotiations, business requirements totally misunderstood, simple
solutions missed, security/maintainability/testing not prioritized etc.

Coders and non-coders need to be on the board for OWASP to be
successful. Otherwise we'll end up exactly like the dead software
companies in the beehive metaphor. And if we make OWASP more formal and
structured the coders will not run for the board.

Dan Kaminsky put it this way:
Generally, the bright line is "did you ship production software". Static
HTML doesn't count.

This is not a war between coders and non-coders. It's just me saying we
lost one of the board's coders in Dinis and I want a new one for the
sake of OWASP.

   Regards, John

John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com

Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011

Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee

