[Owasp-leaders] OWASP Board decision that I don't agree with

Dinis Cruz dinis.cruz at owasp.org
Sun Jan 5 22:43:42 UTC 2014

I think a vote would be good, but the key is making sure the question(s)
are neutral and balanced (i.e. the outcome of the vote is very dependent on
how the question(s) are asked).

And as I said many times before, the center of gravity for OWASP should be
with its leaders (and community) and not with the board, so a vote is a
good way to make sure the leaders' voice is heard (on a related topic I also
think that votes should be 'on the record' and public). Note: if we are
going to have a thread about voting, it's better to change the email thread.
On 5 Jan 2014 22:36, "L. Gustavo C. Barbato" <lgbarbato at owasp.org> wrote:

> Have you ever heard about plebiscite?
> This discussion is one example: we have given power to board members to
> take decisions on behalf of our community. So if they want to present, in
> your belief, they can go ahead without this useless thread discussion.
> However, I don't believe this is useless, but a very strategic decision
> with several points of view already presented here.
> That's why I am advocating that we vote as a plebiscite process where
> board members have the same power as everybody else here.
> Gustavo.
> On 05/01/2014, at 15:59, Konstantinos Papapanagiotou <
> konstantinos at owasp.org> wrote:
> This kind of democracy might have worked in ancient Athens (with pros and
> cons) but nowadays we have a BoD and a CEO for such kind of decisions.
> Kostas
> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>> If we keep discussing philosophy and high ideals, we will never reach a
>> consensus in the time frame we need, so let's let democracy win the debate.
>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>> A key differentiator when we did this free training at AppSecUSA in
>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>> conference pass was required to participate.  Since that is not the case
>> here, and since the training is only open to RSA attendees, then I think
>> this demonstrates a much closer tie between OWASP and RSA than I would like
>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>> would be interested in hosting this training for free for the community at
>> large.  If we can do that, then I think it's the true win here as we get the
>> visibility to satisfy our mission and we remove the negative stigma of
>> being associated with RSA.
>> I would disagree, however, that visibility is only a means to an end.
>> Since it's in our mission statement, all of our activities and
>> prioritizations are required, by law, to follow that.  And if we ever reach
>> the point where everyone, everywhere, knows about application security,
>> then we can close up shop and move on.  There is no compromising the end
>> goal here because, per the mission statement, visibility is the end goal.
>> I'm sorry if that compromises your principles Sastry but it's the truth
>> about OWASP as a non-profit.
>> ~josh
>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>> wrote:
>> 1. The immediate focus on RSAC:
>> No matter how we rationalize, the fact is that we (OWASP) have
>> options. This, at worst, is one missed opportunity. So let us not, in
>> our relentless pursuit of VISIBILITY, compromise on principles.
>> VISIBILITY is a means to an end (better security, more secure software
>> -- which in itself is likely a never-ending activity). Let us not
>> compromise on the end-goal while chasing the means.
>> Short term gains (of reaching some developers) will easily be lost if
>> we take the low road. Even 300 more "aware" developers are for naught
>> if, based on RSAC acceptance, just one more company feels that the
>> risks of trucking with NSA/GCHQ and compromising underlying
>> foundations are acceptable.
>> Is it our job/charter to "convey such a message"? I believe so.
>> Conversely, can we say "we merely advocate tech principles and
>> educate... this is not for us"? If we want to be treated as a
>> responsible member of the ecosystem, we can't duck like that.
>> Related, but a slightly different perspective: Robert Graham's blog
>> post on this:
>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>> 2. The tough world of principles, ethics, etc:
>> Jim Manico raised a very pertinent point regarding sending mixed
>> messages (=> recognition-of and consistency-in-applying our
>> principles). It isn't easy.
>> Funding goes to the very heart of neutrality and ethics. So it is not
>> so tangential, after all. I know we shouldn't accept funds or even
>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>> brush, I don't know (depends on internal structure, etc.). Let the
>> more knowledgeable people decide on this.
>> Chasing "quick results at any cost" and then splitting hairs on
>> legality and rationalizations will not paint us black; but will surely
>> park us firmly in the gray areas of ethics. Is that what we want?
>> Cheers,
>> ==Sas3==
>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> > My apologies for the delay in responding to this.  I've been on the road
>> > all day today and will be slow to respond tomorrow as well.
>> >
>> > First off, let me admit that while my term hadn't officially begun yet,
>> > I am one of the Board members who encouraged Jim and Eoin to move forward
>> > with the training.  My rationale for this was simple; OWASP's mission is
>> > to make software security visible, so that individuals and organizations
>> > worldwide can make informed decisions about true software security risks.
>> > The core of this statement being VISIBILITY.  We need to find and take
>> > advantage of as many ways as possible to raise the visibility of security
>> > risks.  Our mission says nothing about making political statements.  It
>> > says nothing about ethical business practices.  Our mission can certainly
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders