[Owasp-leaders] Fwd: Stepping down as Board Member

Rex Booth rex.booth at owasp.org
Mon Feb 14 13:31:53 EST 2011


Agreed 100%.

On 2/14/2011 1:30 PM, Brad Causey wrote:
> Well said Chris.
>
> Personally, I don't care what "technical skills" a given board member 
> has, as long as he's a solid leader, and understands how to run the 
> business and provide guidance and direction.
>
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --
>
>
> On Mon, Feb 14, 2011 at 10:23 AM, Chris Schmidt
> <chris.schmidt at owasp.org> wrote:
>
>     All – I have fought the urge to jump on this thread all morning,
>     but I want to point out one *really* important thing here.
>
>     There needs to be a *clear* and *distinct* understanding of what
>     the responsibilities of board members are. I think that it is the
>     job of the Projects Committee to address a lot of John's specific
>     complaints here (and I am in the process of joining said committee
>     in an effort to bolster momentum to address a lot of these issues)
>
>     My personal opinion is that the board should be a panel of
>     *experienced* businessmen who know how to make an organization
>     grow and understand the business needs of organizations. OWASP is
>     not meant to be a Top-Down Org, and I don’t think that model works
>     *at all* for the majority of people that contribute to OWASP in
>     any fashion. We should be encouraging the inventors, researchers,
>     developers, technical writers, analysts, and chapter leaders to
>     all keep bringing everything they can to the organization and in
>     no way limit their ability to function as individuals or small
>     groups – however, we also need standards and policies that are
>     designed for the betterment of the organization as a whole. I
>     don’t think it matters if the people who sit on the board are
>     coders or if they are highly advanced evangelist aliens – the
>     point is that it is the board's responsibility to further the
>     organization as a whole and the responsibilities of the committees
>     and project leaders to direct the content of the organization.  It
>     is also a primary responsibility of the committees to present the
>     details of matters being brought to the board in a manner that
>     outlines the details of the matter in a way that is not biased and
>     also is understandable by not only the board but the entire OWASP
>     community. The Board should not have to dive deep into a matter to
>     make a decision – the committees need to be providing the board
>     with the information they need to make those decisions.
>
>     Basically I equate it to this – Having worked in software
>     development for the last 6 years and hardware maintenance prior to
>     that – given the choice, I would much rather have my boss manage
>     the people and let my best developers write the code.
>
>     I think that the existing board members (and Dinis) have
>     absolutely demonstrated that ability both within and without OWASP
>     – and I think that the same should be expected of any *new* board
>     members. Generally speaking, I think it is a *bad* idea for board
>     members to become so involved in the inner workings of particular
>     projects that it distracts them from their duties as board members.
>
>     I will have a long and detailed blog posting about my greater
>     feelings about this, as well as detailed examples and thoughts
>     sometime this week.
>
>
>
>
>     On 2/14/11 1:05 PM, "Martin Knobloch" <martin.knobloch at owasp.org> wrote:
>
>         Hi all,
>
>         I can definitely see where John is coming from and where he is
>         hitting with his wish. Myself, I have been a developer for quite
>         some time, before I left that area (not without many times
>         wishing to be back) and went full time into security consultancy.
>
>         Nevertheless, I have my doubts if we should demand any
>         specific profession a board member has to come from.
>         Of course, all members can and will for sure vote by their
>         best opinion. But in my opinion, the board has more
>         responsibility than representing the OWASP community.
>         You see the same differentiation in the chapters. We have more
>         and less technical chapters. Some with more focus on process,
>         the other more to implementation. Builders and breakers.
>         Developers, tester, auditors. You name it, we got it.  Is the
>         one more OWASP than the other?
>         I can't see how to implement this in a fair manner into the
>         election (or we need quite a big board).
>
>         Being a board member, as I see this, brings the obligation to
>         the whole community. All board members, no matter where they
>         come from, have to be able to talk and understand all cultures
>         inside and outside OWASP.
>
>         To be honest, I have my doubts email is the best way of
>         communication in matters like this.
>         Maybe it's time we enable a forum on the OWASP site?
>
>         We had great thoughts and results in creating an (to be shared
>         and agreed on via the whole OWASP community) what we expect of
>         the board. Hope we can continue that process via the web!
>
>         Cheers,
>         ~Martin
>
>         On Mon, Feb 14, 2011 at 6:47 PM, John Wilander
>         <john.wilander at owasp.org> wrote:
>
>             Andre, I said I wanted /two/ board members to write
>             production code weekly. Not all board members.
>
>             Regarding production code and its definition ... Can you
>             do the work of the developers we try to reach out to? The
>             guys who implement and maintain Twitter, Facebook, GMail,
>             PayPal, Amazon, and YouTube – could you join their team
>             and take on tasks from the backlog? At least at 80% speed?
>             Are you performing such tasks on a weekly basis? Then you
>             fit my frame.
>
>             OWASP has no shortage of pentesters (proven by raised
>             hands at the summit) so I have full confidence in that
>             we'll find one or two pentesters who can run for the board
>             too. Since pentesters build up a large part of our
>             community I would be happy to have one or two on the board.
>
>             The main reason I'm stressing the importance of coders on
>             the board is developer outreach. Right now we're failing
>             in one of our core missions. I believe hands-on coding
>             among the board members will help solve this.
>
>             (If there's a silent majority out there either thinking
>             I'm totally wrong or right – please speak up. Don't let
>             the talkative, myself included, decide for you.)
>
>                /John
>
>             2011/2/14 Andre Gironda <andreg at gmail.com>
>
>                 On Mon, Feb 14, 2011 at 10:06 AM, John Wilander
>                 <john.wilander at owasp.org> wrote:
>                 > Eoin, if you write production code weekly you're on my list of coders for
>                 > sure. Did not know that. Cred.
>                 >> So you are of the opinion that writing code is of paramount importance
>                 >> regardless of if it's done right?
>                 >
>                 > The "done right" addon can be applied to guidelines and policies too =>
>                 > redundant rhetorics. I also believe I wrote "production code" which in my
>                 > view says something about quality.
>
>                 It says nothing about quality. You seem obsessed with this "production
>                 code" thing, but you don't define it. So if I'm a dev-test coder, and
>                 only write code that works in integration, then somehow I'm not
>                 qualified to be an OWASP board member? What if I write 7 kloc a day
>                 and the production coders I work with only change tens of loc's per
>                 day? What if all of their success in refactorings are based on my test
>                 automation? What if the production coders are constantly making
>                 mistakes and a quality-oriented person is covering for them --
>                 correcting mistakes and making that shipped code actually work from a
>                 user perspective?
>
>                 > I don't believe in non-coders teaching coders how to code better. Many OWASP
>                 > outreach attempts fail because we're not on the right level. Web 1.5 code
>                 > snippets on a Powerpoint slide won't cut it. "Demo or die".
>
>                 I disagree with this point. Customers and users always teach coders
>                 how to code better. Quality engineers even more so.
>
>                 > As I said above, as long as you're writing production code weekly you
>                 > understand coders and can take on that role on the board. Good!
>
>                 I think there is room on the board for more than one type of person.
>                 This seems to over-favor a certain type of application developer.
>
>                 -Andre
>                 _______________________________________________
>                 OWASP-Leaders mailing list
>                 OWASP-Leaders at lists.owasp.org
>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>     Chris Schmidt
>     ESAPI Project Manager (http://www.esapi.org)
>     ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>     Blog: http://yet-another-dev.blogspot.com
>
>
