[Owasp-leaders] OWASP Core Values

Mike Boberski mike.boberski at gmail.com
Sun Jan 16 14:01:45 EST 2011


Ick. That's what I have to say to this and many recent threads, the past
year or so.

Give me freaking STANDARDS and READY TO USE tools that I can use to make
fixes and point others to as THE basis for instructing others to put
controls into place. Where is a freaking Agile-focused SAMM, to use a
different example than ASVS or ESAPI? I don't care about anything else as
far as OWASP or any industry organization is concerned. I'm not here to make
friends; I am nonplussed with the comparatively recent
disproportionate emphasis on building echo chambers (to borrow a phrase from
a recent thread) of ever-larger size, which doesn't help me do my job.

I don't give a fudge about whether or not there exists a committee for this
or that. No freaking way I'm signing NDAs; just go ahead and delete me from
this list and others already if that's where you're going. My stars. It's
not rocket science why the vast majority of developers and application
owners don't care about OWASP. Stop. Focus. What is the end result from a
developer's perspective that you're trying to achieve with something?
Execute. If you're not helping Joe Developer achieve a specific result to
make a fix or to hold onto a painfully-achieved security posture, you're
wasting your and their time.

Mike


On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org> wrote:

> Personally I am not interested in signing any documentation (Non-Disclosure
> Agreement(s)) for any OWASP Foundation efforts, projects etc. If people
> need and want help we're here to do that publicly with meetings, meeting
> mins., topics etc., mailing lists and collaborate as such. You will see this
> first hand at the summit Yiannis - it's NOT the loudest voice in the room, it
> is by consensus when the facts have been presented by both sides but very
> much governed by the Code of Ethics and Principles
> http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics
>
> Commercial ventures are very different - as an example if I need to sign
> 1000 NDAs for my work with Trustwave, SpiderLabs related to customer
> projects no problem, that is part of mutual trust in a confidential business
> matter with the customers and partners. At OWASP I like that we don't have
> this issue personally.
>
> Loose Lips do, too, Sink Ships however. The reality and personal
> integrity of its members and as a group is how we arrived at the below
> statement:
>
> http://www.owasp.org/index.php/Core_Values_and_Definitions
>
> Look forward to the reading of the feedback form(s) provided above at the
> Summit to start the discussion and with rough consensus.
>
> -Brennan
>
>
>
>
> On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:
>
> Hi all,
>
> I would like to discuss this idea of "open" a bit more; maybe this
> list is not the right forum and perhaps we can talk about it in the
> summit.
>
> Here is a simple example: Does "open" justify my address and how many
> kids I have being out on a media wiki, because I am part of OWASP?
>
> Now there isn't anything to hide in my inbox or voicemails or Skype
> conversations; quite sad industry reach-out information is mostly what
> you will find.
>
> But at the same time we have a strong requirement (in industry at
> least) to work with not so open organisations. Consequently the case
> of signing an NDA as an individual comes up every so often. Now under
> this facade of "openness", I have no way of sharing that with even
> other industry members.
>
> Ergo, we are pushing for an NDA in industry to have the ability to
> communicate openly among ourselves. Not to mention an NDA is pretty
> much standard practice in information security.
>
> Just to clarify, this is not an attempt to make OWASP "closed"; all
> source code I have ever written is under GPL and all outputs in
> industry are available to all. Still, if you call me for, say, Tobias'
> number from the IETF, I will check with them before passing that
> information out.
>
> Thus the request becomes, can we please be open about what we deliver
> in web application security. Not minutes and meeting MP3s of catch-up
> calls and itinerary information. Might even assist in raising quality
> of output as well!
>
> Is that too much to ask for?
>
> Thank you,
>
> Yiannis
>
> On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org> wrote:
>
> If you haven't already done so I would really encourage everyone to take a
> look and submit feedback.
>
> http://www.owasp.org/index.php/Core_Values_and_Definitions
>
> We are at a point where we really need to define our core values and decide
> on the direction of OWASP. This is a major step in that direction. Let's
> make sure we capture the right values and are heading the right way.
>
> From the link (which has a feedback submission form you should use)
>
> OPEN
>
> Everything OWASP is radically transparent from finances to code.
>
> EXPERIMENTATION
>
> OWASP encourages and supports experiments for solutions to software
> security challenges.
>
> GLOBAL
>
> Anyone around the world can participate in the OWASP community.
>
> INTEGRITY
>
> OWASP is an honest and truthful, vendor agnostic, global community.
>
> Michael Coates
>
> OWASP
>
>
>
> On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:
>
>
> Just one of the many internal OWASP Foundation projects underway has been to
> work with a 3rd party management company to unify the update mission of
> OWASP 4.0
>
> Details of the project:
>
> http://www.owasp.org/index.php/Tesauro_Management_Counselors
>
> As a result of PHASE I, I share a milestone; pay close attention to the
> wording.
>
> http://www.owasp.org/index.php/Core_Values_and_Definitions
>
> This is now in RFC to the owasp-leaders with ratification at the OWASP
> Summit at the kick off session. If you have comments or suggestions please use
> the feedback provided on the wiki page.
>
> Thank you in advance for your valuable time.
>
> ** If you have not looked recently at the working sessions take the time to
> review: hundreds of volunteer man hours have been invested in the summit so
> far for YOU the community http://www.owasp.org/index.php/Summit_2011 - it's
> going to be amazing!
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> --
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee