[Owasp-leaders] Mark on 'Models for Better Security Communities'

dinis cruz dinis.cruz at owasp.org
Fri Nov 11 06:15:12 EST 2011

Stephen, you absolutely shouldn't feel guilty of 'only' contributing to
OWASP through your regular bursts of energy (I put 'only' in quotes, since
you are one of my favorite OWASP stories, and a talent that I'm very proud
to have helped to attract to OWASP). This type of contribution is one of
the things that have built OWASP and it is one of its most
amazing characteristics.

In fact, in my view, the job of OWASP 'the organization' is to make sure that
when you do focus and want to commit some energy, there is an environment
(or ecosystem) that will make that process as productive, enjoyable and
efficient as possible.

In that light, OWASP 'the organization' should be much more like an event
organizer (think 'music production company') than a big 'we have the vision
and know it all' type of org.

Please don't be too hard on Mark since his heart is absolutely in the right
place (and let's not really judge Microsoft's ethics since most large
companies these days won't get a clean bill of health :)  ).

One thing I learned from playing music is that you have to listen to the
audience's comments, and most of the time they say (from your point of
view of course) the right thing the wrong way (or not the same way you
would articulate it).

*Mark wants a more professional and focused approach to OWASP, where there
is energy and commitment in the creation of very professional,
high-quality, well presented, easy to use/adopt and community-friendly
deliveries (tools, books, guides, dev outreach, etc...). *

*Which is exactly what I also want.*

   - That doesn't mean that we stop supporting the grassroots movements and
   activities that allowed OWASP to be what it is today (and empower its
   contributors to 'just get on with it and try to find a solution'). It
   means instead that we need to put a lot more investment and effort into
   creating an operational machine that will support it (we have the
   talent at OWASP, what we don't have is the operational machine (which
   OWASP's leaders are not really good at, or have time to dedicate to it)).

Part of the problem is that there is still this view at OWASP that we need:

   - a strong mission, vision, etc...
   - high level commitments/endorsements and
   - centrally controlled activities

.... as if, had we those, anything would happen because of it :)

Part of the problem with this type of thinking is that it creates an
environment where Mark (correctly, under that thinking) was expecting a
level of support and endorsement for his ideas that is just not possible at

The irony is that there are lots of really great leaders inside OWASP that
share Mark's wish for a more professional and dev-community-friendly OWASP.
Unfortunately we (OWASP) still have not come up with an operational model
that allows those groups to aggregate and flourish (I don't think the
current Committees structure is the right structure, but maybe the
https://www.owasp.org/index.php/Security_Ecosystem_Project is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe
two) words: *Web Application Security* or maybe just Application Security

So please embrace Mark's ideas and comments, you might not like his style
(like many don't like mine), but he is carrying an important message.

Think about this, we are lucky that Mark cared enough about OWASP that he
spent his time documenting and talking about his issues and problems. We
would be much worse off if he had just ignored OWASP. In fact, I wish he
blogged more about his ideas for OWASP since there is some great stuff in
there :). He also talks to a lot of people about OWASP, especially
people who would like to be involved at OWASP but have not found their
sweet spot. We need to hear those voices and find ways to connect to them.

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

On 11 November 2011 07:23, Stephen Craig Evans <stephencraig.evans at gmail.com
> wrote:

> Sorry, Mark, your recent emails always sound too much like LeBron
> James' "I'm taking my talents to South Beach" :-)
> Back to our regularly scheduled programming...
> Dinis,
> OWASP is what it is.
> Except for you and many other titans - whom I won't name for fear of
> leaving somebody off the list - OWASP is a great place for people like
> me to come in and put in a burst of energy when we have time to do it.
> That's why it's rather loosely structured and stuff is scattered and a
> bit haphazard. I don't feel guilty about it. If somebody wants to come
> in, put in the effort and take over the reins on projects, then go for
> it. All contribution is always welcome.
> Yeah, it's not perfect. There should be more "polish" on projects,
> more interaction between infosec pros and developers, more this and
> that, blah, blah blah.
> But you look at OWASP at ground level, and what's better? ISACA? ISC2?
> PCI SSC? ... Give me a f*cking break. All of the bluster and flailing
> of arms at how much OWASP is broke and something has to be changed - I
> am waiting for somebody to put out something better... I am still
> waiting... I am still waiting...
> As usual, my 2 cents worth,
> Stephen
> P.S. And, if anybody is wondering, I pay my annual dues to the KC
> chapter. That's the least I can do.
> On Fri, Nov 11, 2011 at 12:12 AM, Chris Schmidt <chris.schmidt at owasp.org>
> wrote:
> > It would be Mark, the one not trolling on a professional organization
> > leaders list - thanks.
> >
> > On 11/10/2011 10:35 PM, Stephen Craig Evans wrote:
> >> One question first, Dinis...
> >>
> >> Is this Mark Curphey from Microsoft? The company that extorts money
> >> from companies over Linux patents?
> >>
> >> I wanna get this straight before I respond to your question.
> >>
> >> Thanks,
> >> Stephen
> >>
> >> On Mon, Nov 7, 2011 at 3:41 AM, dinis cruz<dinis.cruz at owasp.org>
>  wrote:
> >>> I think Mark raises a lot of good points in his latest
> >>> blog:
> http://www.curphey.com/2011/11/models-for-better-security-communities/
> >>> I don't agree with all of its analysis, but I share some of his
> concerns
> >>> about OWASP.
> >>> Ironically what he wants is to get a group of focused people working
> >>> together on a common project/initiative/ecosystem that produces high
> quality
> >>> results, which is exactly what I want to do too :).
> >>> I still believe that OWASP is the best place to create such group, but
> if it
> >>> is created outside OWASP, we should embrace it and collaborate (since
> the
> >>> end goal is to help the Application Security world)
> >>> What do you think?
> >>> Dinis Cruz
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>
> >>>
> >>
> >>
> >
> --
> http://www.linkedin.com/in/stephencraigevans