[Owasp-leaders] Fwd: Stepping down as Board Member
michael.coates at owasp.org
Mon Feb 14 12:29:29 EST 2011
I think James's comments are right on the mark.
For OWASP to succeed we need representation from all of these individuals and we need to create the materials that they need - in their terms. John's comments on developer involvement/representation are a great argument for one piece of the larger issue. Let's reach out to developers more and also to the rest of the players in software creation - from end to end.
On Feb 14, 2011, at 9:14 AM, James McGovern wrote:
> There are people who don’t write code on a daily or even weekly basis but can still provide immense value. I would propose that the OWASP board in some ways mirror the typical IT organization at large as a way of attracting interest through multiple lenses. When I started in IT in 1983 (High School working for Cigna), 95% of all IT professionals knew how to code. Nowadays, if you get 25% then you are in a world-class organization that I would love to work for.
> If OWASP, for example, had an IT auditor on board, could they provide guidance as to how the audit community could embrace OWASP principles and practices? If OWASP had someone from the PMP community on board, could they help find better ways of planning for security as part of the project lifecycle instead of watching it be continually shortcutted by developers? If OWASP had a famous CIO on board, could they explain to other CIOs how to build security in using their vocabulary instead of that of developers?
> Code or no coding is a fascinating lens to see things through. I tend to think in terms of what does it take to secure an ecosystem from conception to retirement, which requires more than just code.
> James McGovern
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Wilander
> Sent: Monday, February 14, 2011 11:20 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Fwd: Stepping down as Board Member
> 2011/2/14 Eoin <eoin.keary at owasp.org>
> Code orientated?
> Board members have been involved in or led projects such as the testing guide, code review guide, ASVS, ESAPI, Top 10 (and cheat sheets), Live CD Project, WebGoat
> .....so from the above the majority of the board are coders, app testers, inventors so not sure what ur point is....?
> The projects you list are well-known, successful, and important. I hail their project leaders. But you and I apparently have different views on what code and coding is. I'll try to explain.
> Let me start by citing Scott Adams: "The Dilbert Principle":
> If you’re writing code for a new software release, that’s fundamental, because you’re improving the product. But if you’re creating a policy about writing software then you’re one level removed.
> The term "code-oriented" is fuzzy. So to be concrete – I'd like at least two board members to write production code weekly. With that in mind, let's review the project list:
> • Testing guide – not code
> • Code review guide – not code
> • ASVS – not code
> • ESAPI – code!
> • Top 10 – not code
> • Cheat sheets – code snippets
> • Live CD Project – not code
> • WebGoat – code, but last release nine months ago
> I really appreciate all the projects above and all the work that has gone into them. Credit to their contributors! But we still need production code writers on the board.
> Why? Because coders and non-coders typically don't understand each other. So many business cases have never been pursued and so many software projects have been derailed because of this. Developers having to explain their "black magic" daily, estimates turning into negotiations, business requirements totally misunderstood, simple solutions missed, security/maintainability/testing not prioritized etc.
> Coders and non-coders need to be on the board for OWASP to be successful. Otherwise we'll end up exactly like the dead software companies in the beehive metaphor. And if we make OWASP more formal and structured the coders will not run for the board.
> Dan Kaminsky put it this way:
> Generally, the bright line is "did you ship production software". Static HTML doesn't count.
> This is not a war between coders and non-coders. It's just me saying we lost one of the board's coders in Dinis and I want a new one for the sake of OWASP.
> Regards, John
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee