[Owasp-leaders] Mark on 'Models for Better Security Communities'

Christian Heinrich christian.heinrich at owasp.org
Thu Nov 10 23:17:54 EST 2011


Dinis,

On Mon, Nov 7, 2011 at 8:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> I think Mark raises a lot of good points in his latest
> blog: http://www.curphey.com/2011/11/models-for-better-security-communities/
> I don't agree with all of its analysis, but I share some of his concerns
> about OWASP.

While you can disagree with Mark the fundamental flaw that OWASP
continues to make is that some members of the Board dismiss issues
raised by people who contribute signficantly to OWASP e.g.
https://lists.owasp.org/pipermail/owasp-board/2011-January/004292.html
even in light of the fact that this begins to snow ball with other
contributors who are unrelated and therefore not involved in colusion
e.g. https://lists.owasp.org/pipermail/owasp-board/2011-January/004311.html

Issues which are considered minor, such as the poor selection of
SourceForge i.e.
https://lists.owasp.org/pipermail/owasp-leaders/2011-November/006380.html
are systematic of other previous grievances that were unresolved.

When I presented at OWASP Asia Pacific 2008 Mark believed that OWASP
would fail within 12 months and this sentiment was shared with a
number of other people who had contirbuted to OWASP also.  Some
background, Justin Derry and I met each other at
http://www.auscert.org.au/render.html?it=8172 and this was also the
first time I had heard of OWASP.

On Mon, Nov 7, 2011 at 8:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Ironically what he wants is to get a group of focused people working
> together on a common project/initiative/ecosystem that produces high quality
> results, which is exactly what I want to do too :).

>From my brief discussion with Mark at HITB Amsterdam 2010 I am under
the impression that his definition of "group" is "developers" i.e. a
subset of the wider application security community which you are
referring too.

On Mon, Nov 7, 2011 at 8:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> I still believe that OWASP is the best place to create such group, but if it
> is created outside OWASP, we should embrace it and collaborate (since the
> end goal is to help the Application Security world)

I am against yet another web/appsec group forming and the path of
least resistance and win win for everybody is to simply make a
reasonable attempt to address what Mark has raised (and is yet to
raise).

-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh


More information about the OWASP-Leaders mailing list