[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Ludovic Petit ludovic.petit at owasp.org
Thu Nov 14 13:02:41 UTC 2013


+1.

The intent is good, I think most of us agree. However, and I agree both
with Jim about aspects to consider (but also with Dinis and others), is it
really the role of OWASP to make such a statement?

I mean, things evolve over time, technologies, models, business(es), so the
digital world in which we are living. And as such, OWASP can't remain too
"monolithic" in the approach. The key is to adapt.

The question is, does the Foundation have to change/modify/enhance/etc its
model so that it could -also- encompass topics such as the -really good-
one mentioned by Tobias?

In clear, we are talking about Strategy, isn't it? Huge debate in perspective,
both for the Community... and the Board.

Wise words Jim, I think the Foundation should officially state and decide a
clear strategy about this before any official statement, because if you
make a statement once, the perspective to make other ones will follow as
well, don't you think?

My 2 cents.
Ludovic
On 14 Nov 2013 03:33, "Jim Manico" <jim.manico at owasp.org> wrote:

> Just a polite note to consider, as a 501c3 tax exempt organization, we
> have a *very* strict obligation to keep away from political campaigning.
>
>
> http://www.nolo.com/legal-encyclopedia/limits-political-campaigning-501c3-nonprofits-29982.html is a good resource that discusses what this means.
>
> Per my understanding, we are allowed to take positions on potential laws
> or policy, but we need to keep away from endorsing or supporting individual
> candidates in any way.
>
> We have not done this, but I wanted to put this out there as we wade into
> political waters.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Nov 13, 2013, at 9:20 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>
> Jason,
>
> as you saw, I removed the proposal text from the wiki within minutes and
> moved it into a Google doc. This is not because I would agree with Martin
> on his assumption that any page somewhere on our wiki with the title
> "Proposal" would imply it would be sanctioned by the whole OWASP
> organisation - but because I want us to be able to focus on the content and
> not be distracted by where it is posted.
>
> *So I like to encourage discussion of the proposal itself and not where it
> is stored.*
>
> And equally I am sure Martin was not intentionally trying to discourage
> any new ideas before reading them, but just voicing his view and concerns.
> Which is totally fine by me. If I couldn't take a little rough feedback
> with exclamation marks here and there, I probably would not have survived
> long in most open communities. ;-)
>
> Regarding Martin's argument that we as OWASP "should not make any
> statements because we are a non-political institution", I would like to
> point out a few things:
> 1. personally, I would rather prefer to see us as "neutral" and
> "non-partisan" (we don't take sides), but even if we take "non-political",
> this should not mean, we shall keep quiet when it comes to some parties
> working actively against our mission and best practices. (And in fact, some
> people may think that even our most basic notion of "secure software" could
> be seen as "political" to some degree.)
> 2. a number of other global "non-political" organizations (as mentioned
> before) were obviously able to make such statements with good conscience.
> So I would invite Martin to take a closer look at this proposal, the other
> organizations and whether this is really so political?
> 3. And last but not least, Dinis is right "this is one of those situations
> that 'not having an opinion' is actually 'having an opinion' (which is to
> support the status quo)"
>
> Just my 5 cents.
>
> Cheers, Tobias
>
>
> Ps.: Of course, we could also have more discussion on what posting on an
> open community wiki means later on. (then please using a different
> subject): Just for completion: I do not agree with Martin's notion that
> anything and everything posted on the OWASP wiki would constitute or imply
> an "official" OWASP statement. Especially not if it is clearly marked by
> the title "proposal". We work on the wiki all the time with drafts and
> content, and it would surely be surprising to assume that all these raw
> discussions and documents have full community consensus. Furthermore, one
> of the things I wanted to work on in the board is more transparency,
> community involvement and openness and I believe an important step is that
> we can continue to work on content in the wiki openly and in public.
>
>
>
>
> On 14/11/13 01:11, Jason Li wrote:
>
> Josh,
>
>  I agree that OWASP should be encouraging community activity - but that
> doesn't negate Martin's point about the Wiki exposure.
>
>  Whether we realize it, people outside of OWASP refer to the OWASP web
> site as an authoritative source for all things OWASP. With the way we have
> things set up now, outsiders are not going to have the understanding and
> institutional knowledge to differentiate between scratch-space material and
> official information. Case in point, there's a recent thread on the
> security101 list where a user asks about conflicting advice on two of
> OWASP's wiki pages. People are taking whatever is on the wiki - vetted or
> not - as OWASP gospel.
>
>  Given Martin's long time support and contributions to OWASP, I doubt
> that his intention was to quash Tobias' effort. He's merely observing that
> everything on the wiki represents the voice of OWASP. And we need to
> protect that voice to some degree.
>
>  The Board recently adopted a Social Media Policy to protect the official
> "voice" of OWASP on Twitter, blogs, etc. I think the next natural evolution
> of that policy is to eventually establish some templates, standards, or
> markers of some sort - or perhaps somehow partition the wiki to
> differentiate between "official" OWASP communications and the wiki
> infrastructure we provide to enable and foster community ideas.
>
>  Just my humble opinion.
>
>  -Jason
>
>
> On Wed, Nov 13, 2013 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>>  Martin,
>>
>>  I am extremely disappointed in your efforts to stifle Tobias' efforts
>> before he even got started.  Everyone at OWASP should be encouraged to come
>> up with innovative ideas and ways to drive our mission forward without fear
>> of being bullied into submission.  And by immediately telling Tobias that
>> the wiki is not the right place for this discussion you are actually
>> violating the "openness" part of OWASP's core mission.  In my opinion,
>> discussion of topics like this should be done in full visibility of the
>> world at large.  This is not a political statement, but rather, one that is
>> tandem to OWASP's core mission of making application security more
>> visible.  Subversion of this process by any party, government or otherwise,
>> should not be tolerated.  I agree fully with Tobias that guidance on this
>> subject is in line with our mission and is worth our time and efforts.  Did
>> you even read what he wrote before you dismissed it?
>>
>>  ~josh
>>
>>
>> On Wed, Nov 13, 2013 at 3:47 PM, <netherlands at owasp.org> wrote:
>>
>>> Hi Tobias,
>>>
>>> Before the question if OWASP should make a statement or not, by putting
>>> it on the OWASP Wiki, you already did. In my opinion this is very
>>> unfortunate!
>>>
>>> Second, I do not think OWASP as a non-political institution should make
>>> a statement in this matter. Even more as the subject itself is off OWASP
>>> topics and area.
>>>
>>> My 2 cents,
>>>
>>> Cheers,
>>> -martin
>>>
>>>
>>> -----Original Message-----
>>> From: Tobias <tobias.gondrom at owasp.org>
>>> Sender: owasp-leaders-bounces at lists.owasp.org
>>> Date: Wed, 13 Nov 2013 21:28:18
>>> To: <owasp-leaders at lists.owasp.org>
>>> Subject: [Owasp-leaders] Should OWASP make a statement on the Security of
>>>  the Internet and Pervasive Monitoring?
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders