[Owasp-leaders] The Gap Between OWASP and Developers

Eoin eoin.keary at owasp.org
Wed Feb 23 10:58:09 EST 2011


To add to the industry committee points, we have now established and
agreed (at the summit) that the board does not really have much power but is
rather a supporting function. Power is with the committees in terms of
getting things done - This clarification of empowerment and autonomy
(within the OWASP values and purpose) should give the committee verticals
the ability to achieve meaningful objectives.

On 23 February 2011 14:23, John Steven <John.Steven at owasp.org> wrote:

> Comment in line.
>
> On Wed, Feb 23, 2011 at 2:56 PM, Eoin <eoin.keary at owasp.org> wrote:
> > Hi John,
> > may I humbly respond to your observations below?
>
> It would appear so, and effectively.
>
> >> ----
> >> There is no formal conduit through which the participation of
> >> commercial entities and their employees feel comfortable contributing
> >> while protecting their organization's privacy, intellectual property,
> >> and employment.
> >> ----
> >>
> > EK - this is where the industry committee comes in in some ways. It needs to
> > start bridging the gap between OWASP and "the world".
> > We have elected an industry committee chair (Joe Bernik) who is not a vendor
> > which is a great start and something I support and have been preaching into
> > an echo chamber for the past year. This should (I hope) start to get the
> > ball moving and give OWASP a chance to connect with the non
> > vendor/consultant community. Joe's insight into such issues should help
> > understand the challenge better and even get some stuff done rather than
> > talking about it!
>
> This is where the Industry committee _should_ come in. You and I
> discussed this during your board run (as you mentioned), at least
> obliquely. I think we're of similar mind on the issue. However, I
> think we can safely say that, to date, the industry committee has not
> successfully alleviated the problem.  This doesn't mean that the
> committee won't change course or increase speed or otherwise become
> effective and I think Joe may be a good guy to operate the helm.
>
> > EK - I am happy to volunteer or at least help but I'm from the "evil" board,
> > I don't know if this is an issue or not?
> > The reason I went for the board elections 14 months ago was to try and fix
> > the industry link issue you, Jeremiah and I are talking about. I am so glad
> > we are getting to this point and clever guys like you and J see this problem.
> > I don't know about you but I am tired of talking security with security folk,
> > preaching to the choir when the real problem continues to grow.
>
> I think this is one issue on which we have to "talk amongst
> ourselves": we've got an existing barrier to involving more
> non-security folk. Though, that isn't to say that industry and dev
> can't help us overcome this issue. But, unless we agree as a community
> that a framework for safe participation is necessary and actually
> build/socialize it, we won't get the leverage and bi-directional
> involvement we're all craving in our "Developers vs. Security"
> discussions. This issue _is_ important for us security guys to agree
> on because any functioning framework must have compulsory elements to
> it, to protect privacy/IP/etc. of participants. That represents a
> culture shift for some aspects of OWASP (though I don't think the
> whole culture need be affected -- this list's NDA thread was
> particularly illuminating as a misstep, IMO). And, frankly, from what
> I heard of Dinis and Jeff's "open radically transparent platform"
> commentary during the governance discussions, this _is_ a stretch for
> OWASP. As in athletics, stretching has benefits but can cause injury
> itself if underestimated.
>
> -jOHN
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary