[Owasp-leaders] OWASP Core Values

Michael Coates michael.coates at owasp.org
Sun Jan 16 15:05:58 EST 2011


I think we are going down a rabbit hole based on a misunderstanding.

Yiannis mentioned NDA as an example in his discussion about the "Open" principle.  This was made for discussion purposes only. As far as I know, OWASP has no plans and is not considering NDAs for anything (plus it would be counter to these very principles that we are discussing).

The purpose of my original email was to encourage people to review the proposed principles that will be guiding our growing community and provide feedback via the URL:


http://www.owasp.org/index.php/Core_Values_and_Definitions


Michael Coates
OWASP
@_mwc

On Jan 16, 2011, at 11:51 AM, Jeff Williams wrote:

> Thanks for the blunt feedback Mike.  I think I know why there's no "Mike Application Security Project" now.
> 
> We all want the stuff that's usable out of the box.  But you can't just yell at people and magically get good results.  We are building a supportive ecosystem for anyone who cares about appsec.  If that's too touchy feely for you, well I guess this isn't the right place for you.
> 
> Personally I've been almost universally challenged, supported, and encouraged by others at OWASP, with a minimum of the negative behaviors that plague other communities. I think if you really deeply consider what actually gets the useful standards, tools, and docs you are seeking created, you'll understand our path better.
> 
> --Jeff
> 
> 
> 
> On Jan 16, 2011, at 2:01 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
> 
>> Ick. That's what I have to say to this and many recent threads, the past year or so. 
>> 
>> Give me freaking STANDARDS and READY TO USE tools that I can use to make fixes and point others to as THE basis for instructing others to put controls into place. Where is a freaking Agile-focused SAMM, to use a different example than ASVS or ESAPI? I don't care about anything else as far as OWASP or any industry organization is concerned. I'm not here to make friends; I am nonplussed with the comparatively recent disproportionate emphasis on building echo chambers (to borrow a phrase from a recent thread) of ever-larger size, which doesn't help me do my job.
>> 
>> I don't give a fudge about whether or not there exists a committee for this or that. No freaking way I'm signing NDAs; just go ahead and delete me from this list and others already if that's where you're going. My stars. It's not rocket science why the vast majority of developers and application owners don't care about OWASP. Stop. Focus. What is the end result from a developer's perspective that you're trying to achieve with something? Execute. If you're not helping Joe Developer achieve a specific result to make a fix or to hold onto a painfully-achieved security posture, you're wasting your and their time.
>> 
>> Mike
>> 
>> 
>> On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org> wrote:
>> Personally I am not interested in signing any documentation (Non-Disclosure Agreement(s)) for any OWASP Foundation efforts, projects etc.  If people need and want help we're here to do that publicly with meetings, meeting mins., topics etc., mailing lists and collaborate as such. You will see this first hand at the summit, Yiannis - it's NOT the loudest voice in the room; it is by consensus when the facts have been presented by both sides, but very much governed by the Code of Ethics and Principles http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics
>> 
>> Commercial ventures are very different - as an example, if I need to sign 1000 NDAs for my work with Trustwave, Spiderlabs related to customer projects, no problem; that is part of mutual trust in a confidential business matter with the customers and partners. At OWASP I like that we don't have this issue personally.
>> 
>> Loose lips do sink ships, however.   The reality and personal integrity of its members and as a group is how we arrived at the below statement:
>> 
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>> 
>> Look forward to the reading of the feedback form(s) provided above at the Summit to start the discussion and with rough consensus.
>> 
>> -Brennan
>> 
>> 
>> 
>> 
>> On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:
>> 
>>> Hi all,
>>> 
>>> I would like to discuss this idea of "open" a bit more; maybe this
>>> list is not the right forum and perhaps we can talk about it in the
>>> summit.
>>> 
>>> Here is a simple example: Does "open" justify my address and how many
>>> kids I have being out on a media wiki, because I am part of owasp?
>>> 
>>> Now there isn't anything to hide in my inbox or voicemails or skype
>>> conversations; quite sadly, industry reach-out information is mostly what
>>> you will find.
>>> 
>>> But at the same time we have a strong requirement (in industry at
>>> least) to work with not so open organisations. Consequently the case
>>> of signing an NDA as an individual comes up every so often. Now under
>>> this facade of "openness", I have no way of sharing that with even
>>> other industry members.
>>> 
>>> Ergo, we are pushing for an NDA in industry to have the ability to
>>> communicate openly among ourselves. Not to mention an NDA is pretty
>>> much standard practice in information security.
>>> 
>>> Just to clarify, this is not an attempt to make owasp "closed"; all
>>> source code I have ever written is under GPL and all outputs in
>>> industry are available to all. Still, if you call me for, say, Tobias'
>>> number from the IETF, I will check with them before passing that
>>> information out.
>>> 
>>> Thus the request becomes, can we please be open about what we deliver
>>> in web application security. Not minutes and meeting mp3s of catch-up
>>> calls and itinerary information. Might even assist in raising quality
>>> of output as well!
>>> 
>>> Is that too much to ask for?
>>> 
>>> Thank you,
>>> 
>>> Yiannis
>>> 
>>> On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org> wrote:
>>>> If you haven't already done so I would really encourage everyone to take a
>>>> look and submit feedback.
>>>> 
>>>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>>>> 
>>>> We are at a point where we really need to define our core values and decide
>>>> on the direction of OWASP.  This is a major step in that direction. Let's
>>>> make sure we capture the right values and are heading the right way.
>>>> From the link (which has a feedback submission form you should use):
>>>> 
>>>> OPEN
>>>> 
>>>> Everything OWASP is radically transparent from finances to code.
>>>> 
>>>> EXPERIMENTATION
>>>> 
>>>> OWASP encourages and supports experiments for solutions to software security
>>>> challenges.
>>>> 
>>>> GLOBAL
>>>> 
>>>> Anyone around the world can participate in the OWASP community.
>>>> 
>>>> INTEGRITY
>>>> 
>>>> OWASP is an honest and truthful, vendor agnostic, global community.
>>>> 
>>>> Michael Coates
>>>> OWASP
>>>> 
>>>> 
>>>> On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:
>>>> 
>>>> Just one of the many internal OWASP Foundation projects underway has been to
>>>> work with a 3rd party management company to unify the update mission of
>>>> OWASP 4.0.
>>>> Details of the project:
>>>> http://www.owasp.org/index.php/Tesauro_Management_Counselors
>>>> As a result of PHASE I, I share a milestone; pay close attention to the
>>>> wording.
>>>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>>>> This is now in RFC to the owasp-leaders with ratification at the OWASP
>>>> Summit at the kick off session. If you have comments or suggestions, please use
>>>> the feedback form provided on the wiki page.
>>>> Thank you in advance for your valuable time.
>>>> ** If you have not looked recently at the working sessions, take the time to
>>>> review; hundreds of volunteer man hours have been invested in the summit so
>>>> far for YOU the community  http://www.owasp.org/index.php/Summit_2011 It's
>>>> going to be amazing!
>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Dr. Yiannis Pavlosoglou
>>> OWASP Global Industry Committee
>>> http://www.owasp.org/index.php/Global_Industry_Committee
>> 
