[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Tobias tobias.gondrom at owasp.org
Thu Nov 14 02:19:16 UTC 2013


Jason,

as you saw, I removed the proposal text from the wiki within minutes and
moved it into a Google doc. This is not because I would agree with
Martin on his assumption that any page somewhere on our wiki with the
title "Proposal" would imply it would be sanctioned by the whole OWASP
organisation - but because I want us to be able to focus on the content
and not be distracted by where it is posted.
*So I'd like to encourage discussion of the proposal itself and not where
it is stored.*

And equally I am sure Martin was not intentionally trying to discourage
any new ideas before reading them, but just voicing his view and
concerns. Which is totally fine by me. If I couldn't take a little rough
feedback with exclamation marks here and there, I probably would not
have survived long in most open communities. ;-)

Regarding Martin's argument that we as OWASP "should not make any
statements because we are a non-political institution", I would like to
point out a few things:
1. Personally, I would rather prefer to see us as "neutral" and
"non-partisan" (we don't take sides), but even if we take
"non-political", this should not mean we shall keep quiet when it comes
to some parties working actively against our mission and best practices.
(And in fact, some people may think that even our most basic notion of
"secure software" could be seen as "political" to some degree.)
2. a number of other global "non-political" organizations (as mentioned
before) were obviously able to make such statements with good
conscience. So I would invite Martin to take a closer look at this
proposal, the other organizations and whether this is really so political?
3. And last but not least, Dinis is right "this is one of those
situations that 'not having an opinion' is actually 'having an opinion'
(which is to support the status quo)"

Just my 5 cents.

Cheers, Tobias


P.S.: Of course, we could also have more discussion on what posting on an
open community wiki means later on (then please use a different
subject). Just for completion: I do not agree with Martin's notion that
anything and everything posted on the OWASP wiki would constitute or
imply an "official" OWASP statement. Especially not if it is clearly
marked by the title "proposal". We work on the wiki all the time with
drafts and content, and it would surely be surprising to assume that all
these raw discussions and documents have full community consensus.
Furthermore, one of the things I wanted to work on in the board is more
transparency, community involvement and openness and I believe an
important step is that we can continue to work on content in the wiki
openly and in public.




On 14/11/13 01:11, Jason Li wrote:
> Josh,
>
> I agree that OWASP should be encouraging community activity - but that
> doesn't negate Martin's point about the Wiki exposure.
>
> Whether we realize it, people outside of OWASP refer to the OWASP web
> site as an authoritative source for all things OWASP. With the way we
> have things set up now, outsiders are not going to have the
> understanding and institutional knowledge to differentiate between
> scratch-space material and official information. Case in point,
> there's a recent thread on the security101 list where a user asks
> about conflicting advice on two of OWASP's wiki pages. People are
> taking whatever is on the wiki - vetted or not - as OWASP gospel.
>
> Given Martin's long time support and contributions to OWASP, I doubt
> that his intention was to quash Tobias' effort. He's merely observing
> that everything on the wiki represents the voice of OWASP. And we need
> to protect that voice to some degree.
>
> The Board recently adopted a Social Media Policy to protect the
> official "voice" of OWASP on Twitter, blogs, etc. I think the next
> natural evolution of that policy is to eventually establish some
> templates, standards, or markers of some sort - or perhaps somehow
> partition the wiki to differentiate between "official" OWASP
> communications and the wiki infrastructure we provide to enable and
> foster community ideas.
>
> Just my humble opinion.
>
> -Jason
>
>
> On Wed, Nov 13, 2013 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>     Martin,
>
>     I am extremely disappointed in your efforts to stifle Tobias'
>     efforts before he even got started.  Everyone at OWASP should be
>     encouraged to come up with innovative ideas and ways to drive our
>     mission forward without fear of being bullied into submission. 
>     And by immediately telling Tobias that the wiki is not the right
>     place for this discussion you are actually violating the
>     "openness" part of OWASP's core mission.  In my opinion,
>     discussion of topics like this should be done in full visibility
>     of the world at large.  This is not a political statement, but
>     rather, one that is tandem to OWASP's core mission of making
>     application security more visible.  Subversion of this process by
>     any party, government or otherwise, should not be tolerated.  I
>     agree fully with Tobias that guidance on this subject is in line
>     with our mission and is worth our time and efforts.  Did you even
>     read what he wrote before you dismissed it?
>
>     ~josh
>
>
>     On Wed, Nov 13, 2013 at 3:47 PM, <netherlands at owasp.org> wrote:
>
>         Hi Tobias,
>
>         Before the question if OWASP should make a statement or not,
>         by putting it on the OWASP Wiki, you already did. In my
>         opinion this is very unfortunate!
>
>         Second, I do not think OWASP as a non-political institution
>         should make a statement in this matter. Even more as the
>         subject itself is off OWASP topics and area.
>
>         My 2 cents,
>
>         Cheers,
>         -martin
>
>         Sent from my BlackBerry® smartphone
>
>         -----Original Message-----
>         From: Tobias <tobias.gondrom at owasp.org>
>         Sender: owasp-leaders-bounces at lists.owasp.org
>         Date: Wed, 13 Nov 2013 21:28:18
>         To: <owasp-leaders at lists.owasp.org>
>         Subject: [Owasp-leaders] Should OWASP make a statement on the
>         Security of the Internet and Pervasive Monitoring?
>
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org
>         <mailto:OWASP-Leaders at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
