[Owasp-leaders] OWASP Core Values

Michael Menefee mmenefee at gmail.com
Sun Jan 16 18:36:22 EST 2011


Someone please remove me from this list...my repeated attempts at
interacting with the list server have been unsuccessful

Also, I resign as North Carolina chapter leader...please remove the chapter
page



On Sun, Jan 16, 2011 at 6:04 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Look at what Mike is saying, not how he is saying it.
>
> We are missing the ball here. We have tons of assessment projects. We thwap
> developers for being insecure, but do little to empower them. The developers
> guide is not prescriptive enough - it's more of an architectural level
> guide, not a developers guide. ESAPI is a bloody mess of alpha code with
> little documentation that is usable.
>
> If we as OWASP focused more on ASVS type-standards and put a real
> professional team on ESAPI full time, including prescriptive documentation,
> OWASP would matter more.
>
> Sure we have an "ecosystem" but it's an old boys club of AppSec consultants
> and pros and it's wagging the dog way too much.
>
> We rest on our beta-quality laurels, slap our company's name on it for
> marketing purposes, sing kumbaya to feel good, but do little to help
> developers in a prescriptive way to really write secure code and solutions.
>
> Mike, you are right. I don't like your tone, but the message behind that
> tone is bullseye right. And Mike, I'm partially to blame here for not fully
> supporting your documentation efforts enough.
>
> Hopefully, we can all discuss this more at the summit in a constructive
> way.
>
> -Jim Manico
> http://manico.net
>
> On Jan 16, 2011, at 11:51 AM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
> Thanks for the blunt feedback Mike.  I think I know why there's no "Mike
> Application Security Project" now.
>
> We all want the stuff that's usable out of the box.  But you can't just
> yell at people and magically get good results.  We are building a supportive
> ecosystem for anyone who cares about appsec.  If that's too touchy feely for
> you, well I guess this isn't the right place for you.
>
> Personally I've been almost universally challenged, supported, and
> encouraged by others at OWASP, with a minimum of the negative behaviors that
> plague other communities. I think if you really deeply consider what
> actually gets the useful standards, tools, and docs you are seeking created,
> you'll understand our path better.
>
> --Jeff
>
>
>
> On Jan 16, 2011, at 2:01 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
>
> Ick. That's what I have to say to this and many recent threads, the past
> year or so.
>
> Give me freaking STANDARDS and READY TO USE tools that I can use to make
> fixes and point others to as THE basis for instructing others to put
> controls into place. Where is a freaking Agile-focused SAMM, to use a
> different example than ASVS or ESAPI. I don't care about anything else as
> far as OWASP or any industry organization is concerned. I'm not here to make
> friends, and I am nonplussed with the comparatively recent disproportionate
> emphasis on building echo chambers (to borrow a phrase from a recent thread)
> of ever-larger size; it doesn't help me do my job.
>
> I don't give a fudge about whether or not there exists a committee for this
> or that. No freaking way I'm signing NDAs, just go ahead and delete me from
> this list and others already if that's where you're going. My stars. It's
> not rocket science why the vast majority of developers and application
> owners don't care about OWASP. Stop. Focus. What is the end result from a
> developer's perspective that you're trying to achieve with something?
> Execute. If you're not helping Joe Developer achieve a specific result to
> make a fix or to hold onto a painfully-achieved security posture you're
> wasting your and their time.
>
> Mike
>
>
> On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org> wrote:
>
>> Personally I am not interested in signing any documentation
>> (Non-Disclosure Agreement(s)) for any OWASP Foundation efforts, projects
>> etc. If people need and want help we're here to do that publicly with
>> meetings, meeting mins., topics etc., mailing lists and collaborate as
>> such. You will see this first hand at the summit Yiannis - it's NOT the
>> loudest voice in the room, it is by consensus when the facts have been
>> presented by both sides, but very much governed by the Code of Ethics and
>> Principles: http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics
>>
>> Commercial ventures are very different - as an example if I need to sign
>> 1000 NDA's for my work with Trustwave, Spiderlabs related to customer
>> projects no problem, that is part of mutual trust in a confidential business
>> matter with the customers and partners. At OWASP I like that we don't have
>> this issue personally.
>>
>> Loose lips do, too, sink ships however. The reality and personal
>> integrity of its members and as a group is how we arrived at the below
>> statement:
>>
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>>
>> Look forward to the reading of the feedback form(s) provided above at the
>> Summit to start the discussion and with rough consensus.
>>
>> -Brennan
>>
>>
>>
>>
>> On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:
>>
>> Hi all,
>>
>> I would like to discuss this idea of "open" a bit more; maybe this
>> list is not the right forum and perhaps we can talk about it in the
>> summit.
>>
>> Here is a simple example: Does "open" justify my address and how many
>> kids I have being out on a MediaWiki, because I am part of OWASP?
>>
>> Now there isn't anything to hide in my inbox or voicemails or skype
>> conversations; quite sad industry reach out information is mostly what
>> you will find.
>>
>> But at the same time we have a strong requirement (in industry at
>> least) to work with not so open organisations. Consequently the case
>> of signing an NDA as an individual comes up every so often. Now under
>> this facade of "openness", I have no way of sharing that with even
>> other industry members.
>>
>> Ergo, we are pushing for an NDA in industry to have the ability to
>> communicate openly among ourselves. Not to mention an NDA is pretty
>> much standard practice in information security.
>>
>> Just to clarify, this is not an attempt to make OWASP "closed"; all
>> source code I have ever written is under GPL and all outputs in
>> industry are available to all. Still, if you call me for, say, Tobias
>> number from the IETF, I will check with them before passing that
>> information out.
>>
>> Thus the request becomes: can we please be open about what we deliver
>> in web application security? Not minutes and meeting mp3s of catch-up
>> calls and itinerary information. Might even assist in raising quality
>> of output as well!
>>
>> Is that too much to ask for?
>>
>> Thank you,
>>
>> Yiannis
>>
>> On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org> wrote:
>>
>> If you haven't already done so I would really encourage everyone to take a
>> look and submit feedback.
>>
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>>
>> We are at a point where we really need to define our core values and decide
>> on the direction of OWASP. This is a major step in that direction. Let's
>> make sure we capture the right values and are heading the right way.
>>
>> From the link (which has a feedback submission form you should use)
>>
>>
>> OPEN
>>
>> Everything OWASP is radically transparent from finances to code.
>>
>> EXPERIMENTATION
>>
>> OWASP encourages and supports experiments for solutions to software security
>> challenges.
>>
>> GLOBAL
>>
>> Anyone around the world can participate in the OWASP community.
>>
>> INTEGRITY
>>
>> OWASP is an honest and truthful, vendor agnostic, global community.
>>
>>
>> Michael Coates
>>
>> OWASP
>>
>>
>>
>> On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:
>>
>>
>> Just one of the many internal OWASP Foundation projects underway has been to
>> work with a 3rd party management company to unify the update mission of
>> OWASP 4.0
>>
>> Details of the project:
>>
>> http://www.owasp.org/index.php/Tesauro_Management_Counselors
>>
>> As a result of PHASE I, I share a milestone, pay close attention to the
>> wording.
>>
>> http://www.owasp.org/index.php/Core_Values_and_Definitions
>>
>> This is now in RFC to the owasp-leaders with ratification at the OWASP
>> Summit at the kick off session. If you have comments or suggestions please use
>> the feedback provided on the wiki page.
>>
>> Thank you in advance for your valuable time.
>>
>> ** If you have not looked recently at the working sessions take the time to
>> review. Hundreds of volunteer man hours have been invested in the summit so
>> far for YOU the community: http://www.owasp.org/index.php/Summit_2011 It's
>> going to be amazing!
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>> --
>> Dr. Yiannis Pavlosoglou
>> OWASP Global Industry Committee
>> http://www.owasp.org/index.php/Global_Industry_Committee