[Owasp-leaders] Regular OWASP polls

psiinon psiinon at gmail.com
Tue Jan 7 11:55:11 UTC 2014

I've started to get requests to share this poll with people without OWASP

My initial feeling is that I shouldn't - whoever creates an OWASP poll
shouldn't be responsible for working out who is part of the OWASP
community, and if people want to take part in an OWASP poll then they need
to get an OWASP email address.

Is that a reasonable position?


On Tue, Jan 7, 2014 at 10:34 AM, psiinon <psiinon at gmail.com> wrote:

> As per my comment on the RSA training thread I've created an OWASP Polls
> page on the wiki: https://www.owasp.org/index.php/Polls and added the
> first poll.
> Anyone who can update the wiki can edit that page, but I think we should
> have some control over it, eg to make sure we have a regular drip feed of
> polls.
> Right now I'm happy to act as the gatekeeper for this but I'm also happy
> for anyone else to help out with this - any volunteers?
> Note that I'm not planning on creating all the polls, but they're easy to
> create via Google forms and I can help out with any questions.
> Simon
> On Mon, Jan 6, 2014 at 10:32 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> On the implementation side - google forms may work well here. The
>> owasp.org accounts are provided to members and we can limit votes and
>> also track results.
>> --
>> Michael Coates
>> @_mwc
>> On Mon, Jan 6, 2014 at 2:08 PM, Konstantinos Papapanagiotou <
>> konstantinos at owasp.org> wrote:
>>> This sounds good Simon, ie having polls in order to get the pulse rather
>>> than decide.
>>> For the record I strongly believe that threads like the previous one are
>>> extremely useful for OWASP and the community. My disagreement was on having
>>> what is practically a referendum for such issues. There are many issues
>>> that need to be taken in consideration if we go down that way (e.g. How
>>> many leaders will actually participate, how many votes do we need to have a
>>> binding decision, what if the outcome is close to 50-50, what constitutes a
>>> seriously enough issue to ask for the leaders' opinion, etc.). If we work
>>> on such issues, maybe direct democracy turns out to be a good idea, but
>>> meanwhile what Simon says sounds more realistic, even though in practice
>>> the above issues remain.
>>> I also support Dinis' idea for open, public votes for such issues.
>>> Kostas
>>> On 6 Jan 2014, at 11:07, psiinon <psiinon at gmail.com> wrote:
>>> OK, this is in reply to Kostas' comment, but I've changed the title as I
>>> think it deserves a separate thread.
>>> I agree that we have a CEO and BoD for these decisions, but clearly this
>>> is something people feel very strongly about.
>>> Conversely we also often complain that it seems to be difficult to get
>>> OWASP volunteers engaged :)
>>> So how about having regular polls for such questions?
>>> (Note that this is not proposed as an alternative to the email threads,
>>> which are a great way of exploring the arguments and alternatives).
>>> The polls should be restricted, eg to people with OWASP email addresses
>>> to prevent easy abuse.
>>> They would not be 'binding' - they would be a way of getting the 'pulse'
>>> rather than the way we arrive at decisions.
>>> The board (or whoever makes the final decision) should take into account
>>> the results, but 100% against a proposal isn't very definitive if only 5
>>> people vote ;)
>>> And they wouldn't have to be just for the 'big' questions, they could be
>>> for anything OWASP related.
>>> e.g. "What is the most important feature missing from ZAP: A) ..."
>>> It might take a bit of effort setting up the right infrastructure, but
>>> if that was in place then it would be much easier to find out how the OWASP
>>> community feels about things like participation in RSAC.
>>> Simon
>>> On Sun, Jan 5, 2014 at 5:59 PM, Konstantinos Papapanagiotou <
>>> konstantinos at owasp.org> wrote:
>>>> This kind of democracy might have worked in ancient Athens (with pros
>>>> and cons) but nowadays we have a BoD and a CEO for such kind of decisions.
>>>> Kostas
>>>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>>>> Keeping discussing philosophy and high ideals, we will never reach a
>>>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>> A key differentiator when we did this free training at AppSecUSA in
>>>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>>>> conference pass was required to participate.  Since that is not the case
>>>>> here, and since the training is only open to RSA attendees, then I think
>>>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>>>> would be interested in hosting this training for free for the community at
>>>>> large.  If we can do that, then I think it's the true win here as we get the
>>>>> visibility to satisfy our mission and we remove the negative stigma of
>>>>> being associated with RSA.
>>>>> I would disagree, however, that visibility is only a means to an end.
>>>>> Since it's in our mission statement, all of our activities and
>>>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>>>> the point where everyone, everywhere, knows about application security,
>>>>> then we can close up shop and move on.  There is no compromising the end
>>>>> goal here because, per the mission statement, visibility is the end goal.
>>>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>>>> about OWASP as a non-profit.
>>>>> ~josh
>>>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>>>>> wrote:
>>>>> 1. The immediate focus on RSAC:
>>>>> No matter how we rationalize, the fact is that we (OWASP) have
>>>>> options. This, at worst, is one missed opportunity. So let us not, in
>>>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>>> VISIBILITY is a means to an end (better security, more secure software
>>>>> -- which in itself is likely a never-ending activity). Let us not
>>>>> compromise on the end-goal while chasing the means.
>>>>> Short term gains (of reaching some developers) will easily be lost if
>>>>> we take the low road. Even 300 more "aware" developers are for naught
>>>>> if, based on RSAC acceptance, just one more company feels that the
>>>>> risks of trucking with NSA/GCHQ and compromising underlying
>>>>> foundations are acceptable.
>>>>> Is it our job/charter to "convey such a message"? I believe so.
>>>>> Conversely, can we say "we merely advocate tech principles and
>>>>> educate... this is not for us"? If we want to be treated as a
>>>>> responsible member of the ecosystem, we can't duck like that.
>>>>> Related, but a slightly different perspective: Robert Graham's blog
>>>>> post on this:
>>>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>>> 2. The tough world of principles, ethics, etc:
>>>>> Jim Manico raised a very pertinent point regarding sending mixed
>>>>> messages (=> recognition-of and consistency-in-applying our
>>>>> principles). It isn't easy.
>>>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>>>> so tangential, after all. I know we shouldn't accept funds or even
>>>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>>>> brush, I don't know (depends on internal structure, etc.). Let the
>>>>> more knowledgeable people decide on this.
>>>>> Chasing "quick results at any cost" and then splitting hairs on
>>>>> legality and rationalizations will not paint us black; but will surely
>>>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>>> Cheers,
>>>>> ==Sas3==
>>>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>> > My apologies in the delay in responding to this.  I've been on the road all
>>>>> > day today and will be slow to respond tomorrow as well.
>>>>> >
>>>>> > First off, let me admit that while my term hadn't officially begun yet, I am
>>>>> > one of the Board members who encouraged Jim and Eoin to move forward with
>>>>> > the training.  My rationale for this was simple; OWASP's mission is to make
>>>>> > software security visible, so that individuals and organizations worldwide
>>>>> > can make informed decisions about true software security risks.  The core of
>>>>> > this statement being VISIBILITY.  We need to find and take advantage of as
>>>>> > many ways as possible to raise the visibility of security risks.  Our
>>>>> > mission says nothing about making political statements.  It says nothing
>>>>> > about ethical business practices.  Our mission can certainly
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader