[Owasp-leaders] Fwd: Stepping down as Board Member

Bhatt, Deven Deven_Bhatt at WrightExpress.com
Mon Feb 14 13:29:53 EST 2011

I am a newbie here, trying to start a chapter in the state of Maine. My 2 cents' worth: I agree that if C-level management support is not there, these efforts will not succeed. It took commitment from Bill Gates, and only then did Microsoft SDL and Trustworthy Computing take off, and people paid attention to it and it was funded. I am a C-level VP CISO but need buy-in from others to make secure development a priority. PCI DSS says provide such training to developers, but how many seriously get the training?

Deven Bhatt
Wright Express

----- Original Message -----
From: owasp-leaders-bounces at lists.owasp.org <owasp-leaders-bounces at lists.owasp.org>
To: John Wilander <john.wilander at owasp.org>
Cc: owasp-leaders at lists.owasp.org Leaders <owasp-leaders at lists.owasp.org>
Sent: Mon Feb 14 12:57:41 2011
Subject: Re: [Owasp-leaders] Fwd: Stepping down as Board Member

John and all,

I don't want to state the obvious: we have plenty of technical knowledge in OWASP, and I'd love to see every role represented on the board, like James suggested. But what I think is severely unrepresented now is the C-level. No security effort can succeed without management support and commitment. That's why I'd love to have both Bill Gates AND Steve Jobs on the board. :-)


On Feb 14, 2011, at 12:47 PM, John Wilander wrote:

> Andre, I said I wanted two board members to write production code weekly. Not all board members.
> Regarding production code and its definition ... Can you do the work of the developers we try to reach out to? The guys who implement and maintain Twitter, Facebook, GMail, PayPal, Amazon, and YouTube – could you join their team and take on tasks from the backlog? At least at 80% speed? Are you performing such tasks on a weekly basis? Then you fit my frame.
> OWASP has no shortage of pentesters (proven by raised hands at the summit) so I have full confidence that we'll find one or two pentesters who can run for the board too. Since pentesters build up a large part of our community I would be happy to have one or two on the board.
> The main reason I'm stressing the importance of coders on the board is developer outreach. Right now we're failing in one of our core missions. I believe hands-on coding among the board members will help solve this.
> (If there's a silent majority out there either thinking I'm totally wrong or right – please speak up. Don't let the talkative, myself included, decide for you.)
>    /John
> 2011/2/14 Andre Gironda <andreg at gmail.com>
> On Mon, Feb 14, 2011 at 10:06 AM, John Wilander <john.wilander at owasp.org> wrote:
> > Eoin, if you write production code weekly you're on my list of coders for
> > sure. Did not know that. Cred.
> >> So you are of the opinion that writing code is of paramount importance
> >> regardless of if it's done right?
> >
> > The "done right" add-on can be applied to guidelines and policies too =>
> > redundant rhetoric. I also believe I wrote "production code" which in my
> > view says something about quality.
> It says nothing about quality. You seem obsessed with this "production
> code" thing, but you don't define it. So if I'm a dev-test coder, and
> only write code that works in integration, then somehow I'm not
> qualified to be an OWASP board member? What if I write 7 kloc a day
> and the production coders I work with only change tens of loc's per
> day? What if all of their success in refactorings are based on my test
> automation? What if the production coders are constantly making
> mistakes and a quality-oriented person is covering for them --
> correcting mistakes and making that shipped code actually work from a
> user perspective?
> > I don't believe in non-coders teaching coders how to code better. Many OWASP
> > outreach attempts fail because we're not on the right level. Web 1.5 code
> > snippets on a Powerpoint slide won't cut it. "Demo or die".
> I disagree with this point. Customers and users always teach coders
> how to code better. Quality engineers even more so.
> > As I said above, as long as you're writing production code weekly you
> > understand coders and can take on that role on the board. Good!
> I think there is room on the board for more than one type of person.
> This seems to over-favor a certain type of application developer.
> -Andre
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee