[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Colin Watson colin.watson at owasp.org
Thu Nov 14 14:38:11 UTC 2013


Tobias

You did call it a 'proposal'. In the past when we had an Industry
Committee, we would create discussion/draft wiki pages for responses
to particular standards, consultations, etc., such as those linked from:

   https://www.owasp.org/index.php/Global_Industry_Committee/Completed_Initiatives

I believe the current approach is to use the Global Initiatives to
gather support:

   https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus

We did not do these discussions through the leaders mailing list, but
did invite participants from there on more significant submissions. In
those Industry Committee responses, we tried to draw on existing OWASP
resources and guidance, and didn't create proactive statements of
position. However, maybe OWASP should, but it must be aligned with its
principles, objectives and of course within the legal constraints of
its constitution/status. Is this proposal from Tobias exactly correct?
Probably not, but it was pitched as a first strawman (and has well and
truly been burnt at the stake!).

The wider issue would appear to be, how can OWASP as a group develop,
document and issue public statements. With such a diverse global group
of participants it is probably difficult to create a consensus, which
isn't simply a wishy-washy bland statement. That discussion could be
on the governance list.

Colin



On 14 November 2013 13:02, Ludovic Petit <ludovic.petit at owasp.org> wrote:
> +1.
>
> The intent is good, I think most of us agree. However, and I agree both with
> Jim about aspects to consider (but also with Dinis and others), is it really
> the role of OWASP to make such a statement?
>
> I mean, things evolve over time, technologies, models, business(es), and so does the
> digital world in which we are living. And as such, OWASP can't remain too
> "monolithic" in the approach. The key is to adapt.
>
> The question is, does the Foundation have to change/modify/enhance/etc its
> model so that it could -also- encompass topics such as the -really good- one
> mentioned by Tobias?
>
> To be clear, we are talking about Strategy, isn't it? Huge debate in perspective,
> both for the Community... and the Board.
>
> Wise words Jim, I think the Foundation should officially state and decide a
> clear strategy about this  before any official statement, because if you
> make a statement once, the perspective to make other ones will follow as
> well don't you think?
>
> My 2 cents.
> Ludovic
>
> On 14 Nov 2013 03:33, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>> Just a polite note to consider, as a 501c3 tax exempt organization, we
>> have a *very* strict obligation to keep away from political campaigning.
>>
>>
>> http://www.nolo.com/legal-encyclopedia/limits-political-campaigning-501c3-nonprofits-29982.html
>> is a good resource that discusses what this means.
>>
>> Per my understanding, we are allowed to take positions on potential laws
>> or policy, but we need to keep away from endorsing or supporting individual
>> candidates in any way.
>>
>> We have not done this, but I wanted to put this out there as we wade into
>> political waters.
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Nov 13, 2013, at 9:20 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>> Jason,
>>
>> as you saw, I removed the proposal text from the wiki within minutes and
>> moved it into a Google doc. This is not because I would agree with Martin on
>> his assumption that any page somewhere on our wiki with the title "Proposal"
>> would imply it would be sanctioned by the whole OWASP organisation - but
>> because I want us to be able to focus on the content and not be distracted
>> by where it is posted.
>>
>> So I like to encourage discussion of the proposal itself and not where it
>> is stored.
>>
>> And equally I am sure Martin was not intentionally trying to discourage
>> any new ideas before reading them, but just voicing his view and concerns.
>> Which is totally fine by me. If I couldn't take a little rough feedback with
>> exclamation marks here and there, I probably would not have survived long in
>> most open communities. ;-)
>>
>> Regarding Martin's argument that we as OWASP "should not make any
>> statements because we are a non-political institution", I would like to
>> point out a few things:
>> 1. personally, I would rather prefer to see us as "neutral" and
>> "non-partisan" (we don't take sides), but even if we take "non-political",
>> this should not mean we shall keep quiet when it comes to some parties
>> working actively against our mission and best practices. (And in fact, some
>> people may think that even our most basic notion of "secure software" could
>> be seen as "political" to some degree.)
>> 2. a number of other global "non-political" organizations (as mentioned
>> before) were obviously able to make such statements with good conscience. So
>> I would invite Martin to take a closer look at this proposal, the other
>> organizations and whether this is really so political?
>> 3. And last but not least, Dinis is right "this is one of those situations
>> that 'not having an opinion' is actually 'having an opinion' (which is to
>> support the status quo)"
>>
>> Just my 5 cents.
>>
>> Cheers, Tobias
>>
>>
>> PS: Of course, we could also have more discussion on what posting on an
>> open community wiki means later on (then please use a different subject).
>> Just for completion: I do not agree with Martin's notion that anything and
>> everything posted on the OWASP wiki would constitute or imply an "official"
>> OWASP statement. Especially not if it is clearly marked by the title
>> "proposal". We work on the wiki all the time with drafts and content, and it
>> would surely be surprising to assume that all these raw discussions and
>> documents have full community consensus. Furthermore, one of the things I
>> wanted to work on in the board is more transparency, community involvement
>> and openness and I believe an important step is that we can continue to work
>> on content in the wiki openly and in public.
>>
>>
>>
>>
>> On 14/11/13 01:11, Jason Li wrote:
>>
>> Josh,
>>
>> I agree that OWASP should be encouraging community activity - but that
>> doesn't negate Martin's point about the Wiki exposure.
>>
>> Whether we realize it, people outside of OWASP refer to the OWASP web site
>> as an authoritative source for all things OWASP. With the way we have things
>> set up now, outsiders are not going to have the understanding and
>> institutional knowledge to differentiate between scratch-space material and
>> official information. Case in point, there's a recent thread on the
>> security101 list where a user asks about conflicting advice on two of
>> OWASP's wiki pages. People are taking whatever is on the wiki - vetted or
>> not - as OWASP gospel.
>>
>> Given Martin's long time support and contributions to OWASP, I doubt that
>> his intention was to quash Tobias' effort. He's merely observing that
>> everything on the wiki represents the voice of OWASP. And we need to protect
>> that voice to some degree.
>>
>> The Board recently adopted a Social Media Policy to protect the official
>> "voice" of OWASP on Twitter, blogs, etc. I think the next natural evolution
>> of that policy is to eventually establish some templates, standards, or
>> markers of some sort - or perhaps somehow partition the wiki to
>> differentiate between "official" OWASP communications and the wiki
>> infrastructure we provide to enable and foster community ideas.
>>
>> Just my humble opinion.
>>
>> -Jason
>>
>>
>> On Wed, Nov 13, 2013 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>> Martin,
>>>
>>> I am extremely disappointed in your efforts to stifle Tobias' efforts
>>> before he even got started.  Everyone at OWASP should be encouraged to come
>>> up with innovative ideas and ways to drive our mission forward without fear
>>> of being bullied into submission.  And by immediately telling Tobias that
>>> the wiki is not the right place for this discussion you are actually
>>> violating the "openness" part of OWASP's core mission.  In my opinion,
>>> discussion of topics like this should be done in full visibility of the
>>> world at large.  This is not a political statement, but rather, one that is
>>> tandem to OWASP's core mission of making application security more visible.
>>> Subversion of this process by any party, government or otherwise, should not
>>> be tolerated.  I agree fully with Tobias that guidance on this subject is in
>>> line with our mission and is worth our time and efforts.  Did you even read
>>> what he wrote before you dismissed it?
>>>
>>> ~josh
>>>
>>>
>>> On Wed, Nov 13, 2013 at 3:47 PM, <netherlands at owasp.org> wrote:
>>>>
>>>> Hi Tobias,
>>>>
>>>> Before the question of whether OWASP should make a statement or not, by putting
>>>> it on the OWASP Wiki, you already did. In my opinion this is very
>>>> unfortunate!
>>>>
>>>> Second, I do not think OWASP as a non-political institution should make
>>>> a statement in this matter. Even more so as the subject itself is off OWASP
>>>> topics and area.
>>>>
>>>> My 2 cents,
>>>>
>>>> Cheers,
>>>> -martin
>>>>
>>>> Sent from my BlackBerry® smartphone
>>>>
>>>> -----Original Message-----
>>>> From: Tobias <tobias.gondrom at owasp.org>
>>>> Sender: owasp-leaders-bounces at lists.owasp.org
>>>> Date: Wed, 13 Nov 2013 21:28:18
>>>> To: <owasp-leaders at lists.owasp.org>
>>>> Subject: [Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>
>>
>>
>>
>
