[Owasp-leaders] OWASP Core Values

Thomas Brennan tomb at owasp.org
Sun Jan 16 09:32:08 EST 2011


Personally I am not interested in signing any documentation (Non-Disclosure Agreement(s)) for any OWASP Foundation efforts, projects etc.  If people need and want help we're here to do that publicly with meetings, meeting minutes, topics etc., mailing lists, and collaborate as such. You will see this first hand at the summit Yiannis - it's NOT the loudest voice in the room, it is by consensus when the facts have been presented by both sides, but very much governed by the Code of Ethics and Principles http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics

Commercial ventures are very different - as an example, if I need to sign 1000 NDAs for my work with Trustwave, SpiderLabs related to customer projects, no problem, that is part of mutual trust in a confidential business matter with the customers and partners. At OWASP I like that we don't have this issue personally.

Loose lips do, however, sink ships.   The reality and personal integrity of its members and as a group is how we arrived at the below statement:

http://www.owasp.org/index.php/Core_Values_and_Definitions

I look forward to reading the feedback form(s) provided above at the Summit to start the discussion and reach rough consensus.

-Brennan
On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:

> Hi all,
> 
> I would like to discuss this idea of "open" a bit more; maybe this
> list is not the right forum and perhaps we can talk about it in the
> summit.
> 
> Here is a simple example: Does "open" justify my address and how many
> kids I have being out on a media wiki, because I am part of owasp?
> 
> Now there isn't anything to hide in my inbox or voicemails or skype
> conversations; quite sadly, industry reach-out information is mostly what
> you will find.
> 
> But at the same time we have a strong requirement (in industry at
> least) to work with not so open organisations. Consequently the case
> of signing an NDA as an individual comes up every so often. Now under
> this facade of "openness", I have no way of sharing that with even
> other industry members.
> 
> Ergo, we are pushing for an NDA in industry to have the ability to
> communicate openly among ourselves. Not to mention an NDA is pretty
> much standard practice in information security.
> 
> Just to clarify, this is not an attempt to make owasp "closed"; all
> source code I have ever written is under GPL and all outputs in
> industry are available to all. Still, if you call me for, say, Tobias'
> number from the IETF, I will check with them before passing that
> information out.
> 
> Thus the request becomes, can we please be open about what we deliver
> in web application security. Not minutes and meeting mp3s of catch-up
> calls and itinerary information. Might even assist in raising quality
> of output as well!
> 
> Is that too much to ask for?
> 
> Thank you,
> 
> Yiannis
> 
> On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org> wrote:
>> If you haven't already done so I would really encourage everyone to take a
>> look and submit feedback.
>> 
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>> 
>> We are at a point where we really need to define our core values and decide
>> on the direction of OWASP.  This is a major step in that direction. Let's
>> make sure we capture the right values and are heading the right way.
>> From the link (which has a feedback submission form you should use)
>> 
>> OPEN
>> 
>> Everything OWASP is radically transparent from finances to code.
>> 
>> EXPERIMENTATION
>> 
>> OWASP encourages and supports experiments for solutions to software security
>> challenges.
>> 
>> GLOBAL
>> 
>> Anyone around the world can participate in the OWASP community.
>> 
>> INTEGRITY
>> 
>> OWASP is an honest and truthful, vendor agnostic, global community.
>> 
>> Michael Coates
>> OWASP
>> 
>> 
>> On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:
>> 
>> Just one of the many internal OWASP Foundation projects underway has been to
>> work with a 3rd party management company to unify the update mission of
>> OWASP 4.0
>> Details of the project:
>> http://www.owasp.org/index.php/Tesauro_Management_Counselors
>> As a result of PHASE I, I share a milestone, pay close attention to the
>> wording.
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>> This is now in RFC to the owasp-leaders with ratification at the OWASP
>> Summit at the kick off session. If you have comments or suggestions please use
>> the feedback form provided on the wiki page.
>> Thank you in advance for your valuable time.
>> ** If you have not looked recently at the working sessions, take the time to
>> review; hundreds of volunteer man hours have been invested in the summit so
>> far for YOU the community  http://www.owasp.org/index.php/Summit_2011 it's
>> going to be amazing!
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
> 
> 
> 
> -- 
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee
