[Owasp-leaders] Regular OWASP polls

Samantha Groves samantha.groves at owasp.org
Mon Jan 6 16:57:18 UTC 2014

I agree. If we are to serve the community, then how are we to do that if we
don't know what you want?

On Mon, Jan 6, 2014 at 7:35 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Sounds perfect, and like Simon says, this could be useful in numerous
> situations
> And the 'measuring the pulse' concept is key, since it will simplify the
> 'question creation process'
> I would just add that all votes should be public since that would increase
> transparency and integrity (and prevent any kind of voting abuse :) )
> On 6 Jan 2014 09:10, "psiinon" <psiinon at gmail.com> wrote:
>> OK, this is in reply to Kostas' comment, but I've changed the title as I
>> think it deserves a separate thread.
>> I agree that we have a CEO and BoD for these decisions, but clearly this
>> is something people feel very strongly about.
>> Conversely we also often complain that it seems to be difficult to get
>> OWASP volunteers engaged :)
>> So how about having regular polls for such questions?
>> (Note that this is not proposed as an alternative to the email threads,
>> which are a great way of exploring the arguments and alternatives).
>> The polls should be restricted, eg to people with OWASP email addresses
>> to prevent easy abuse.
>> They would not be 'binding' - they would be a way of getting the 'pulse'
>> rather than the way we arrive at decisions.
>> The board (or whoever makes the final decision) should take into account
>> the results, but 100% against a proposal isn't very definitive if only 5
>> people vote ;)
>> And they wouldn't have to be just for the 'big' questions, they could be
>> for anything OWASP related.
>> e.g. "What is the most important feature missing from ZAP: A) ..."
>> It might take a bit of effort setting up the right infrastructure, but if
>> that was in place then it would be much easier to find out how the OWASP
>> community feels about things like participation in RSAC.
>> Simon
>> On Sun, Jan 5, 2014 at 5:59 PM, Konstantinos Papapanagiotou <
>> konstantinos at owasp.org> wrote:
>>> This kind of democracy might have worked in ancient Athens (with pros
>>> and cons) but nowadays we have a BoD and a CEO for such kind of decisions.
>>> Kostas
>>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>>> Keeping discussing philosophy and high ideals, we will never reach a
>>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> A key differentiator when we did this free training at AppSecUSA in
>>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>>> conference pass was required to participate.  Since that is not the case
>>>> here, and since the training is only open to RSA attendees, then I think
>>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>>> would be interested in hosting this training for free for the community at
>>>> large.  If we can do that, then I think it's the true win here as we get the
>>>> visibility to satisfy our mission and we remove the negative stigma of
>>>> being associated with RSA.
>>>> I would disagree, however, that visibility is only a means to an end.
>>>> Since it's in our mission statement, all of our activities and
>>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>>> the point where everyone, everywhere, knows about application security,
>>>> then we can close up shop and move on.  There is no compromising the end
>>>> goal here because, per the mission statement, visibility is the end goal.
>>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>>> about OWASP as a non-profit.
>>>> ~josh
>>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>>>> wrote:
>>>> 1. The immediate focus on RSAC:
>>>> No matter how we rationalize, the fact is that we (OWASP) have
>>>> options. This, at worst, is one missed opportunity. So let us not, in
>>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>> VISIBILITY is a means to an end (better security, more secure software
>>>> -- which in itself is likely a never-ending activity). Let us not
>>>> compromise on the end-goal while chasing the means.
>>>> Short term gains (of reaching some developers) will easily be lost if
>>>> we take the low road. Even 300 more "aware" developers are for naught
>>>> if, based on RSAC acceptance, just one more company feels that the
>>>> risks of trucking with NSA/GCHQ and compromising underlying
>>>> foundations are acceptable.
>>>> Is it our job/charter to "convey such a message"? I believe so.
>>>> Conversely, can we say "we merely advocate tech principles and
>>>> educate... this is not for us"? If we want to be treated as a
>>>> responsible member of the ecosystem, we can't duck like that.
>>>> Related, but a slightly different perspective: Robert Graham's blog
>>>> post on this:
>>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>> 2. The tough world of principles, ethics, etc:
>>>> Jim Manico raised a very pertinent point regarding sending mixed
>>>> messages (=> recognition-of and consistency-in-applying our
>>>> principles). It isn't easy.
>>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>>> so tangential, after all. I know we shouldn't accept funds or even
>>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>>> brush, I don't know (depends on internal structure, etc.). Let the
>>>> more knowledgeable people decide on this.
>>>> Chasing "quick results at any cost" and then splitting hairs on
>>>> legality and rationalizations will not paint us black; but will surely
>>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>> Cheers,
>>>> ==Sas3==
>>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>> > My apologies for the delay in responding to this.  I've been on the
>>>> > road all day today and will be slow to respond tomorrow as well.
>>>> >
>>>> > First off, let me admit that while my term hadn't officially begun
>>>> > yet, I am one of the Board members who encouraged Jim and Eoin to move
>>>> > forward with the training.  My rationale for this was simple; OWASP's
>>>> > mission is to make software security visible, so that individuals and
>>>> > organizations worldwide can make informed decisions about true software
>>>> > security risks.  The core of this statement being VISIBILITY.  We need
>>>> > to find and take advantage of as many ways as possible to raise the
>>>> > visibility of security risks.  Our mission says nothing about making
>>>> > political statements.  It says nothing about ethical business
>>>> > practices.  Our mission can certainly
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader


Samantha Groves, MBA

OWASP Projects Manager

The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz

OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>