[Owasp-leaders] Regular OWASP polls

Michael Coates michael.coates at owasp.org
Mon Jan 6 22:32:58 UTC 2014

On the implementation side - Google Forms may work well here. The
owasp.org accounts are provided to members and we can limit votes and
also track

Michael Coates

On Mon, Jan 6, 2014 at 2:08 PM, Konstantinos Papapanagiotou <konstantinos at owasp.org> wrote:

> This sounds good Simon, i.e. having polls in order to get the pulse rather
> than decide.
> For the record I strongly believe that threads like the previous one are
> extremely useful for OWASP and the community. My disagreement was on having
> what is practically a referendum for such issues. There are many issues
> that need to be taken in consideration if we go down that way (e.g. How
> many leaders will actually participate, how many votes do we need to have a
> binding decision, what if the outcome is close to 50-50, what constitutes a
> seriously enough issue to ask for the leaders' opinion, etc.). If we work
> on such issues, maybe direct democracy turns out to be a good idea, but
> meanwhile what Simon says sounds more realistic, even though in practice
> the above issues remain.
> I also support Dinis' idea for open, public votes for such issues.
> Kostas
> On 6 Jan 2014, at 11:07, psiinon <psiinon at gmail.com> wrote:
> OK, this is in reply to Kostas' comment, but I've changed the title as I
> think it deserves a separate thread.
> I agree that we have a CEO and BoD for these decisions, but clearly this
> is something people feel very strongly about.
> Conversely we also often complain that it seems to be difficult to get
> OWASP volunteers engaged :)
> So how about having regular polls for such questions?
> (Note that this is not proposed as an alternative to the email threads,
> which are a great way of exploring the arguments and alternatives).
> The polls should be restricted, eg to people with OWASP email addresses to
> prevent easy abuse.
> They would not be 'binding' - they would be a way of getting the 'pulse'
> rather than the way we arrive at decisions.
> The board (or whoever makes the final decision) should take into account
> the results, but 100% against a proposal isn't very definitive if only 5
> people vote ;)
> And they wouldn't have to be just for the 'big' questions, they could be
> for anything OWASP related.
> e.g. "What is the most important feature missing from ZAP: A) ..."
> It might take a bit of effort setting up the right infrastructure, but if
> that was in place then it would be much easier to find out how the OWASP
> community feels about things like participation in RSAC.
> Simon
> On Sun, Jan 5, 2014 at 5:59 PM, Konstantinos Papapanagiotou <konstantinos at owasp.org> wrote:
>> This kind of democracy might have worked in ancient Athens (with pros and
>> cons) but nowadays we have a BoD and a CEO for such kind of decisions.
>> Kostas
>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>> If we keep discussing philosophy and high ideals, we will never reach a
>>> consensus in the time frame we need, so let's let democracy win the debate.
>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> A key differentiator when we did this free training at AppSecUSA in
>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>> conference pass was required to participate.  Since that is not the case
>>> here, and since the training is only open to RSA attendees, then I think
>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>> would be interested in hosting this training for free for the community at
>>> large.  If we can do that, then I think it's the true win here as we get the
>>> visibility to satisfy our mission and we remove the negative stigma of
>>> being associated with RSA.
>>> I would disagree, however, that visibility is only a means to an end.
>>> Since it's in our mission statement, all of our activities and
>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>> the point where everyone, everywhere, knows about application security,
>>> then we can close up shop and move on.  There is no compromising the end
>>> goal here because, per the mission statement, visibility is the end goal.
>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>> about OWASP as a non-profit.
>>> ~josh
>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org> wrote:
>>> 1. The immediate focus on RSAC:
>>> No matter how we rationalize, the fact is that we (OWASP) have
>>> options. This, at worst, is one missed opportunity. So let us not, in
>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>> VISIBILITY is a means to an end (better security, more secure software
>>> -- which in itself is likely a never-ending activity). Let us not
>>> compromise on the end-goal while chasing the means.
>>> Short term gains (of reaching some developers) will easily be lost if
>>> we take the low road. Even 300 more "aware" developers are for naught
>>> if, based on RSAC acceptance, just one more company feels that the
>>> risks of trucking with NSA/GCHQ and compromising underlying
>>> foundations are acceptable.
>>> Is it our job/charter to "convey such a message"? I believe so.
>>> Conversely, can we say "we merely advocate tech principles and
>>> educate... this is not for us"? If we want to be treated as a
>>> responsible member of the ecosystem, we can't duck like that.
>>> Related, but a slightly different perspective: Robert Graham's blog
>>> post on this:
>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>> 2. The tough world of principles, ethics, etc:
>>> Jim Manico raised a very pertinent point regarding sending mixed
>>> messages (=> recognition-of and consistency-in-applying our
>>> principles). It isn't easy.
>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>> so tangential, after all. I know we shouldn't accept funds or even
>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>> brush, I don't know (depends on internal structure, etc.). Let the
>>> more knowledgeable people decide on this.
>>> Chasing "quick results at any cost" and then splitting hairs on
>>> legality and rationalizations will not paint us black; but will surely
>>> park us firmly in the gray areas of ethics. Is that what we want?
>>> Cheers,
>>> ==Sas3==
>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> > My apologies for the delay in responding to this.  I've been on the road all
>>> > day today and will be slow to respond tomorrow as well.
>>> >
>>> > First off, let me admit that while my term hadn't officially begun yet, I am
>>> > one of the Board members who encouraged Jim and Eoin to move forward with
>>> > the training.  My rationale for this was simple; OWASP's mission is to make
>>> > software security visible, so that individuals and organizations worldwide
>>> > can make informed decisions about true software security risks.  The core of
>>> > this statement being VISIBILITY.  We need to find and take advantage of as
>>> > many ways as possible to raise the visibility of security risks.  Our
>>> > mission says nothing about making political statements.  It says nothing
>>> > about ethical business practices.  Our mission can certainly
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader