[Owasp-leaders] Regular OWASP polls

psiinon psiinon at gmail.com
Tue Jan 7 10:34:56 UTC 2014

As per my comment on the RSA training thread I've created an OWASP Polls
page on the wiki: https://www.owasp.org/index.php/Polls and added the first

Anyone who can update the wiki can edit that page, but I think we should
have some control over it, eg to make sure we have a regular drip feed of

Right now I'm happy to act as the gatekeeper for this but I'm also happy
for anyone else to help out with this - any volunteers?

Note that I'm not planning on creating all the polls, but they're easy to
create via Google forms and I can help out with any questions.


On Mon, Jan 6, 2014 at 10:32 PM, Michael Coates <michael.coates at owasp.org> wrote:

> On the implementation side - google forms may work well here. The
> owasp.org accounts are provided to members and we can limit votes and
> also track results.
> --
> Michael Coates
> @_mwc
> On Mon, Jan 6, 2014 at 2:08 PM, Konstantinos Papapanagiotou <konstantinos at owasp.org> wrote:
>> This sounds good Simon, i.e. having polls in order to get the pulse rather
>> than decide.
>> For the record I strongly believe that threads like the previous one are
>> extremely useful for OWASP and the community. My disagreement was on having
>> what is practically a referendum for such issues. There are many issues
>> that need to be taken in consideration if we go down that way (e.g. How
>> many leaders will actually participate, how many votes do we need to have a
>> binding decision, what if the outcome is close to 50-50, what constitutes a
>> seriously enough issue to ask for the leaders' opinion, etc.). If we work
>> on such issues, maybe direct democracy turns out to be a good idea, but
>> meanwhile what Simon says sounds more realistic, even though in practice
>> the above issues remain.
>> I also support Dinis' idea for open, public votes for such issues.
>> Kostas
>> On 6 Jan 2014, at 11:07, psiinon <psiinon at gmail.com> wrote:
>> OK, this is in reply to Kostas' comment, but I've changed the title as I
>> think it deserves a separate thread.
>> I agree that we have a CEO and BoD for these decisions, but clearly this
>> is something people feel very strongly about.
>> Conversely we also often complain that it seems to be difficult to get
>> OWASP volunteers engaged :)
>> So how about having regular polls for such questions?
>> (Note that this is not proposed as an alternative to the email threads,
>> which are a great way of exploring the arguments and alternatives).
>> The polls should be restricted, eg to people with OWASP email addresses
>> to prevent easy abuse.
>> They would not be 'binding' - they would be a way of getting the 'pulse'
>> rather than the way we arrive at decisions.
>> The board (or whoever makes the final decision) should take into account
>> the results, but 100% against a proposal isn't very definitive if only 5
>> people vote ;)
>> And they wouldn't have to be just for the 'big' questions, they could be
>> for anything OWASP related.
>> e.g. "What is the most important feature missing from ZAP: A) ..."
>> It might take a bit of effort setting up the right infrastructure, but if
>> that was in place then it would be much easier to find out how the OWASP
>> community feels about things like participation in RSAC.
>> Simon
>> On Sun, Jan 5, 2014 at 5:59 PM, Konstantinos Papapanagiotou <konstantinos at owasp.org> wrote:
>>> This kind of democracy might have worked in ancient Athens (with pros
>>> and cons) but nowadays we have a BoD and a CEO for such kind of decisions.
>>> Kostas
>>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>>> Keeping discussing philosophy and high ideals, we will never reach a
>>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> A key differentiator when we did this free training at AppSecUSA in
>>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>>> conference pass was required to participate.  Since that is not the case
>>>> here, and since the training is only open to RSA attendees, then I think
>>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>>> would be interested in hosting this training for free for the community at
>>>> large.  If we can do that, then I think it's the true win here as we get the
>>>> visibility to satisfy our mission and we remove the negative stigma of
>>>> being associated with RSA.
>>>> I would disagree, however, that visibility is only a means to an end.
>>>> Since it's in our mission statement, all of our activities and
>>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>>> the point where everyone, everywhere, knows about application security,
>>>> then we can close up shop and move on.  There is no compromising the end
>>>> goal here because, per the mission statement, visibility is the end goal.
>>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>>> about OWASP as a non-profit.
>>>> ~josh
>>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org> wrote:
>>>> 1. The immediate focus on RSAC:
>>>> No matter how we rationalize, the fact is that we (OWASP) have
>>>> options. This, at worst, is one missed opportunity. So let us not, in
>>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>> VISIBILITY is a means to an end (better security, more secure software
>>>> -- which in itself is likely a never-ending activity). Let us not
>>>> compromise on the end-goal while chasing the means.
>>>> Short term gains (of reaching some developers) will easily be lost if
>>>> we take the low road. Even 300 more "aware" developers are for naught
>>>> if, based on RSAC acceptance, just one more company feels that the
>>>> risks of trucking with NSA/GCHQ and compromising underlying
>>>> foundations are acceptable.
>>>> Is it our job/charter to "convey such a message"? I believe so.
>>>> Conversely, can we say "we merely advocate tech principles and
>>>> educate... this is not for us"? If we want to be treated as a
>>>> responsible member of the ecosystem, we can't duck like that.
>>>> Related, but a slightly different perspective: Robert Graham's blog
>>>> post on this:
>>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>> 2. The tough world of principles, ethics, etc:
>>>> Jim Manico raised a very pertinent point regarding sending mixed
>>>> messages (=> recognition-of and consistency-in-applying our
>>>> principles). It isn't easy.
>>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>>> so tangential, after all. I know we shouldn't accept funds or even
>>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>>> brush, I don't know (depends on internal structure, etc.). Let the
>>>> more knowledgeable people decide on this.
>>>> Chasing "quick results at any cost" and then splitting hairs on
>>>> legality and rationalizations will not paint us black; but will surely
>>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>> Cheers,
>>>> ==Sas3==
>>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> > My apologies in the delay in responding to this.  I've been on the road all
>>>> > day today and will be slow to respond tomorrow as well.
>>>> >
>>>> > First off, let me admit that while my term hadn't officially begun yet, I am
>>>> > one of the Board members who encouraged Jim and Eoin to move forward with
>>>> > the training.  My rationale for this was simple; OWASP's mission is to make
>>>> > software security visible, so that individuals and organizations worldwide
>>>> > can make informed decisions about true software security risks.  The core of
>>>> > this statement being VISIBILITY.  We need to find and take advantage of as
>>>> > many ways as possible to raise the visibility of security risks.  Our
>>>> > mission says nothing about making political statements.  It says nothing
>>>> > about ethical business practices.  Our mission can certainly
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader