[Owasp-leaders] Fwd: Stepping down as Board Member

Chris Schmidt chris.schmidt at owasp.org
Mon Feb 14 11:23:26 EST 2011

All ­ I have fought the urge to jump on this thread all morning, but I want
to point out one really important thing here.

There needs to be a clear and distinct understanding of what the
responsibilities of board members are. I think that it is the job of the
Projects Committee to address a lot of Johns specific complaints here (and I
am in the process of joining said committee in an effort to bolster momentum
to address a lot of these issues)

My personal opinion is that the board should be a panel of experienced
businessmen who know how to make an organization grow and understand the
business needs of organizations. OWASP is not meant to be a Top-Down Org,
and I don¹t think that model works at all for the majority of people that
contribute to OWASP in any fashion. We should be encouraging the inventors,
researchers, developers, technical writers, analysts, and chapter leaders to
all keep bringing everything they can to the organization and in no way
limit their ability to function as individuals or small groups ­ however, we
also need standards and policies that are designed for the betterment of the
organization as a whole. I don¹t think it matters if the people who sit on
the board are coders or if they are highly advanced evangelist aliens ­ the
point is that it is the boards responsibility to further the organization as
whole and the responsibilities of the committees and project leaders to
direct the content of the organization.  It is also a primary responsibility
of the committees to present the details of matters being brought to the
board in a manner that outlines the details of the matter in a way that is
not biased and also is understandable by not only the board but the entire
OWASP community. The Board should not have to dive deep into a matter to
make a decision ­ the committees need to be providing the board with the
information they need to make those decisions.

Basically I equivicate it to this ­ Having worked in software development
for the last 6 years and hardware maintenance prior to that ­ given the
choice, I would much rather have my boss manage the people and let my best
developers write the code.

I think that the existing board members (and Dinis) have absolutely
demonstrated that ability both within and without OWASP ­ and I think that
the same should be expected of any new board members. Generally speaking, I
think it is a bad idea for board members to become so involved in the inner
workings of particular projects that it distracts them from their duties as
board members. 

I will have a long and detailed blog posting about my greater feelings about
this, as well as detailed examples and thoughts sometime this week.

On 2/14/11 1:05 PM, "Martin Knobloch" <martin.knobloch at owasp.org> wrote:

> Hi all,
> I can definitely see where John is coming from and where he is hitting with
> his wish. Myself, I have been developer quite for some time, before I left
> that area (not without many times wishing to be back) and went full time into
> security consultancy.
> Nevertheless, I have my doubts if we should demand any specific profession a
> board member has to come from.
> Of course, all members can and will for sure vote by their best opinion. But I
> my opinion, the board has more responsibility then representing the OWASP
> community. 
> You see the same differentiation in the chapters. We have more and less
> technical chapters. Some with more focus on process, the other more
> to implementation. Builders and breakers. Developers, tester, auditors. You
> name it, we got it.  Is the one more OWASP then the other?
> I can't see how to implement this on a fair manner into the election (or we
> need quite a big board).
> Being a board member, as I see this, bring the obligation to the whole
> community. All board members, no matter where they come from, have to be able
> to talk and understand all cultures inside and outside OWASP.
> To be honest, I have my doubts email is the best way of communication in
> matters like this.
> Maybe it's time we enable a forum on the OWASP site?
> We had great thoughts and results in creating an (to be shared and agreed on
> via the whole OWASP community) what we expect of the board. Hope we can
> continue that process via the web!
> Cheers,
> ~Martin
> On Mon, Feb 14, 2011 at 6:47 PM, John Wilander <john.wilander at owasp.org>
> wrote:
>> Andre, I said I wanted two board members to write production code weekly. Not
>> all board members.
>> Regarding production code and its definition ... Can you do the work of the
>> developers we try to reach out to? The guys who implement and maintain
>> Twitter, Facebook, GMail, PayPal, Amazon, and YouTube ­ could you join their
>> team and take on tasks from the backlog? At least at 80% speed? Are you
>> performing such tasks on a weekly basis? Then you fit my frame.
>> OWASP has no shortage on pentesters (proven by raised hands at the summit) so
>> I have full confidence in that we'll find one or two pentesters who can run
>> for the board too. Since pentesters build up a large part of our community I
>> would be happy to have one or two on the board.
>> The main reason I'm stressing the importance of coders on the board is
>> developer outreach. Right now we're failing in one of our core missions. I
>> believe hands-on coding among the board members will help solve this.
>> (If there's a silent majority out there either thinking I'm totally wrong or
>> right ­ please speak up. Don't let the talkative, myself included, decide for
>> you.)
>>    /John
>> 2011/2/14 Andre Gironda <andreg at gmail.com>
>>> On Mon, Feb 14, 2011 at 10:06 AM, John Wilander <john.wilander at owasp.org>
>>> wrote:
>>>> > Eoin, if you write production code weekly you're on my list of coders for
>>>> > sure. Did not know that. Cred.
>>>>> >> So you are of the opinion that writing code is of paramount importance
>>>>> >> regardless of if its done right?
>>>> >
>>>> > The "done right" addon can be applied to guidelines and policies too =>
>>>> > redundant rhetorics. I also believe I wrote "production code" which in my
>>>> > view says something about quality.
>>> It says nothing about quality. You seem obsessed with this "production
>>> code" thing, but you don't define it. So if I'm a dev-test coder, and
>>> only write code that works in integration, then somehow I'm not
>>> qualified to be an OWASP board member? What if I write 7 kloc a day
>>> and the production coders I work with only change tens of loc's per
>>> day? What if all of their success in refactorings are based on my test
>>> automation? What if the production coders are constantly making
>>> mistakes and a quality-oriented person is covering for them --
>>> correcting mistakes and making that shipped code actually work from a
>>> user perspective?
>>>> > I don't believe in non-coders teaching coders how to code better. Many
>>>> OWASP
>>>> > outreach attempts fail because we're not on the right level. Web 1.5 code
>>>> > snippets on a Powerpoint slide won't cut it. "Demo or die".
>>> I disagree with this point. Customers and users always teach coders
>>> how to code better. Quality engineers even moreso.
>>>> > As I said above, as long as you're writing production code weekly you
>>>> > understand coders and can take on that role on the board. Good!
>>> I think there is room on the board for more than one type of person.
>>> This seems to over-favor a certain type of application developer.
>>> -Andre
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110214/a4be1b2f/attachment-0001.html 

More information about the OWASP-Leaders mailing list