[Owasp-leaders] Fwd: Stepping down as Board Member

Brad Causey bradcausey at owasp.org
Mon Feb 14 13:30:00 EST 2011

Well said Chris.

Personally, I don't care what "technical skills" a given board member has,
as long as he's a solid leader, and understands how to run the business and
provide guidance and direction.

-Brad Causey

"Si vis pacem, para bellum"

On Mon, Feb 14, 2011 at 10:23 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

>  All – I have fought the urge to jump on this thread all morning, but I
> want to point out one *really* important thing here.
> There needs to be a *clear* and *distinct* understanding of what the
> responsibilities of board members are. I think that it is the job of the
> Projects Committee to address a lot of John's specific complaints here (and I
> am in the process of joining said committee in an effort to bolster momentum
> to address a lot of these issues)
> My personal opinion is that the board should be a panel of *experienced*
> businessmen who know how to make an organization grow and understand the
> business needs of organizations. OWASP is not meant to be a Top-Down Org,
> and I don’t think that model works *at all* for the majority of people
> that contribute to OWASP in any fashion. We should be encouraging the
> inventors, researchers, developers, technical writers, analysts, and chapter
> leaders to all keep bringing everything they can to the organization and in
> no way limit their ability to function as individuals or small groups –
> however, we also need standards and policies that are designed for the
> betterment of the organization as a whole. I don’t think it matters if the
> people who sit on the board are coders or if they are highly advanced
> evangelist aliens – the point is that it is the board's responsibility to
> further the organization as a whole and the responsibilities of the committees
> and project leaders to direct the content of the organization.  It is also a
> primary responsibility of the committees to present the details of matters
> being brought to the board in a manner that outlines the details of the
> matter in a way that is not biased and also is understandable by not only
> the board but the entire OWASP community. The Board should not have to dive
> deep into a matter to make a decision – the committees need to be providing
> the board with the information they need to make those decisions.
> Basically I equate it to this – Having worked in software development
> for the last 6 years and hardware maintenance prior to that – given the
> choice, I would much rather have my boss manage the people and let my best
> developers write the code.
> I think that the existing board members (and Dinis) have absolutely
> demonstrated that ability both within and without OWASP – and I think that
> the same should be expected of any *new* board members. Generally
> speaking, I think it is a *bad* idea for board members to become so
> involved in the inner workings of particular projects that it distracts them
> from their duties as board members.
> I will have a long and detailed blog posting about my greater feelings
> about this, as well as detailed examples and thoughts sometime this week.
>
> On 2/14/11 1:05 PM, "Martin Knobloch" <martin.knobloch at owasp.org> wrote:
> Hi all,
> I can definitely see where John is coming from and where he is hitting with
> his wish. Myself, I have been a developer for quite some time, before I left
> that area (not without many times wishing to be back) and went full time
> into security consultancy.
> Nevertheless, I have my doubts if we should demand any specific profession
> a board member has to come from.
> Of course, all members can and will for sure vote by their best opinion.
> But in my opinion, the board has more responsibility than representing the
> OWASP community.
> You see the same differentiation in the chapters. We have more and less
> technical chapters. Some with more focus on process, the other more
> to implementation. Builders and breakers. Developers, testers, auditors. You
> name it, we got it.  Is the one more OWASP than the other?
> I can't see how to implement this in a fair manner into the election (or we
> need quite a big board).
> Being a board member, as I see this, brings the obligation to the whole
> community. All board members, no matter where they come from, have to be
> able to talk and understand all cultures inside and outside OWASP.
> To be honest, I have my doubts email is the best way of communication in
> matters like this.
> Maybe it's time we enable a forum on the OWASP site?
> We had great thoughts and results in creating an (to be shared and agreed
> on via the whole OWASP community) what we expect of the board. Hope we can
> continue that process via the web!
> Cheers,
> ~Martin
>
> On Mon, Feb 14, 2011 at 6:47 PM, John Wilander <john.wilander at owasp.org>
> wrote:
> Andre, I said I wanted *two* board members to write production code
> weekly. Not all board members.
> Regarding production code and its definition ... Can you do the work of the
> developers we try to reach out to? The guys who implement and maintain
> Twitter, Facebook, GMail, PayPal, Amazon, and YouTube – could you join their
> team and take on tasks from the backlog? At least at 80% speed? Are you
> performing such tasks on a weekly basis? Then you fit my frame.
> OWASP has no shortage of pentesters (proven by raised hands at the summit)
> so I have full confidence in that we'll find one or two pentesters who can
> run for the board too. Since pentesters build up a large part of our
> community I would be happy to have one or two on the board.
> The main reason I'm stressing the importance of coders on the board is
> developer outreach. Right now we're failing in one of our core missions. I
> believe hands-on coding among the board members will help solve this.
> (If there's a silent majority out there either thinking I'm totally wrong
> or right – please speak up. Don't let the talkative, myself included, decide
> for you.)
>    /John
>
> 2011/2/14 Andre Gironda <andreg at gmail.com>
> On Mon, Feb 14, 2011 at 10:06 AM, John Wilander <john.wilander at owasp.org>
> wrote:
> > Eoin, if you write production code weekly you're on my list of coders for
> > sure. Did not know that. Cred.
> >> So you are of the opinion that writing code is of paramount importance
> >> regardless of if it's done right?
> >
> > The "done right" addon can be applied to guidelines and policies too =>
> > redundant rhetorics. I also believe I wrote "production code" which in my
> > view says something about quality.
> It says nothing about quality. You seem obsessed with this "production
> code" thing, but you don't define it. So if I'm a dev-test coder, and
> only write code that works in integration, then somehow I'm not
> qualified to be an OWASP board member? What if I write 7 kloc a day
> and the production coders I work with only change tens of loc's per
> day? What if all of their success in refactorings are based on my test
> automation? What if the production coders are constantly making
> mistakes and a quality-oriented person is covering for them --
> correcting mistakes and making that shipped code actually work from a
> user perspective?
> > I don't believe in non-coders teaching coders how to code better. Many
> > outreach attempts fail because we're not on the right level. Web 1.5 code
> > snippets on a Powerpoint slide won't cut it. "Demo or die".
> I disagree with this point. Customers and users always teach coders
> how to code better. Quality engineers even more so.
> > As I said above, as long as you're writing production code weekly you
> > understand coders and can take on that role on the board. Good!
> I think there is room on the board for more than one type of person.
> This seems to over-favor a certain type of application developer.
> -Andre
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> Chris Schmidt
> ESAPI Project Manager (http://www.esapi.org)
> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
> Blog: http://yet-another-dev.blogspot.com