[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Jim Manico jim.manico at owasp.org
Thu Nov 14 02:31:43 UTC 2013

Just a polite note to consider, as a 501c3 tax exempt organization, we have
a •very• strict obligation to keep away from political campaigning.

a good resource that discusses what this means.

Per my understanding, we are allowed to take positions on potential laws or
policy, but we need to keep away from endorsing or supporting individual
candidates in any way.

We have not done this, but I wanted to put this out there as we wade into
political waters.

Jim Manico
(808) 652-3805

On Nov 13, 2013, at 9:20 PM, Tobias <tobias.gondrom at owasp.org> wrote:


as you saw, I removed the proposal text from the wiki within minutes and
moved it into a Google doc. This is not because I would agree with Martin
on his assumption that any page somewhere on our wiki with the title
"Proposal" would imply it would be sanctioned by the whole OWASP
organisation - but because I want us to be able to focus on the content and
not be distracted by where it is posted.

*So I like to encourage discussion of the proposal itself and not where it
is stored.*

And equally I am sure Martin was not intentionally trying to discourage any
new ideas before reading them, but just voicing his view and concerns.
Which is totally fine by me. If I couldn't take a little rough feedback
with exclamation marks here and there, I probably would not have survived
long in most open communities. ;-)

Regarding Martin's argument that we as OWASP "should not make any
statements because we are a non-political institution", I would like to
point out a few things:
1. personally, I would rather prefer to see us as "neutral" and
"non-partisan" (we don't take sides), but even if we take "non-political",
this should not mean, we shall keep quiet when it comes to some parties
working actively against our mission and best practices. (And in fact, some
people may think that even our most basic notion of "secure software" could
be seen as "political" to some degree.)
2. a number of other global "non-political" organizations (as mentioned
before) were obviously able to make such statements with good conscience.
So I would invite Martin to take a closer look at this proposal, the other
organizations and whether this is really so political?
3. And last but not least, Dinis is right "this is one of those situations
that 'not having an opinion' is actually 'having an opinion' (which is to
support the status quo)"

Just my 5 cents.

Cheers, Tobias

Ps.: Of course, we could also have more discussion on what posting on an
open community wiki means later on. (then please use a different
subject): Just for completion: I do not agree with Martin's notion that
anything and everything posted on the OWASP wiki would constitute or imply
an "official" OWASP statement. Especially not if it is clearly marked by
the title "proposal". We work on the wiki all the time with drafts and
content, and it would surely be surprising to assume that all these raw
discussions and documents have full community consensus. Furthermore, one
of the things I wanted to work on in the board is more transparency,
community involvement and openness and I believe an important step is that
we can continue to work on content in the wiki openly and in public.

On 14/11/13 01:11, Jason Li wrote:


 I agree that OWASP should be encouraging community activity - but that
doesn't negate Martin's point about the Wiki exposure.

 Whether we realize it, people outside of OWASP refer to the OWASP web site
as an authoritative source for all things OWASP. With the way we have
things set up now, outsiders are not going to have the understanding and
institutional knowledge to differentiate between scratch-space material and
official information. Case in point, there's a recent thread on the
security101 list where a user asks about conflicting advice on two of
OWASP's wiki pages. People are taking whatever is on the wiki - vetted or
not - as OWASP gospel.

 Given Martin's long time support and contributions to OWASP, I doubt that
his intention was to quash Tobias' effort. He's merely observing that
everything on the wiki represents the voice of OWASP. And we need to
protect that voice to some degree.

 The Board recently adopted a Social Media Policy to protect the official
"voice" of OWASP on Twitter, blogs, etc. I think the next natural evolution
of that policy is to eventually establish some templates, standards, or
markers of some sort - or perhaps somehow partition the wiki to
differentiate between "official" OWASP communications and the wiki
infrastructure we provide to enable and foster community ideas.

 Just my humble opinion.


On Wed, Nov 13, 2013 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

>  Martin,
>  I am extremely disappointed in your efforts to stifle Tobias' efforts
> before he even got started.  Everyone at OWASP should be encouraged to come
> up with innovative ideas and ways to drive our mission forward without fear
> of being bullied into submission.  And by immediately telling Tobias that
> the wiki is not the right place for this discussion you are actually
> violating the "openness" part of OWASP's core mission.  In my opinion,
> discussion of topics like this should be done in full visibility of the
> world at large.  This is not a political statement, but rather, one that is
> tandem to OWASP's core mission of making application security more
> visible.  Subversion of this process by any party, government or otherwise,
> should not be tolerated.  I agree fully with Tobias that guidance on this
> subject is in line with our mission and is worth our time and efforts.  Did
> you even read what he wrote before you dismissed it?
>  ~josh
> On Wed, Nov 13, 2013 at 3:47 PM, <netherlands at owasp.org> wrote:
>> Hi Tobias,
>> Before the question if OWASP should make a statement or not, by putting
>> it on the OWASP Wiki, you already did. In my opinion this is very
>> unfortunate!
>> Second, I do not think OWASP as a non-political institution should make
>> a statement in this matter. Even more as the subject itself is off OWASP
>> topics and area.
>> My 2 cents,
>> Cheers,
>> -martin
>> Sent from my BlackBerry® smartphone
>> -----Original Message-----
>> From: Tobias <tobias.gondrom at owasp.org>
>> Sender: owasp-leaders-bounces at lists.owasp.org
>> Date: Wed, 13 Nov 2013 21:28:18
>> To: <owasp-leaders at lists.owasp.org>
>> Subject: [Owasp-leaders] Should OWASP make a statement on the Security of
>>  the Internet and Pervasive Monitoring?
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders