[Owasp-leaders] Regular OWASP polls

Michael Coates michael.coates at owasp.org
Tue Jan 7 16:42:20 UTC 2014


Great work! Good idea and glad to see you dive in and make it happen.

Michael Coates

On Tue, Jan 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:

> As per my comment on the RSA training thread I've created an OWASP Polls
> page on the wiki: https://www.owasp.org/index.php/Polls and added the
> first poll.
> Anyone who can update the wiki can edit that page, but I think we should
> have some control over it, e.g. to make sure we have a regular drip feed of
> polls.
> Right now I'm happy to act as the gatekeeper for this but I'm also happy
> for anyone else to help out with this - any volunteers?
> Note that I'm not planning on creating all the polls, but they're easy to
> create via Google forms and I can help out with any questions.
> Simon
> On Mon, Jan 6, 2014 at 10:32 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> On the implementation side - google forms may work well here. The
>> owasp.org accounts are provided to members and we can limit votes and
>> also track results.
>> --
>> Michael Coates
>> @_mwc
>> On Mon, Jan 6, 2014 at 2:08 PM, Konstantinos Papapanagiotou <
>> konstantinos at owasp.org> wrote:
>>> This sounds good Simon, i.e. having polls in order to get the pulse rather
>>> than decide.
>>> For the record I strongly believe that threads like the previous one are
>>> extremely useful for OWASP and the community. My disagreement was on having
>>> what is practically a referendum for such issues. There are many issues
>>> that need to be taken into consideration if we go down that way (e.g. How
>>> many leaders will actually participate, how many votes do we need to have a
>>> binding decision, what if the outcome is close to 50-50, what constitutes a
>>> serious enough issue to ask for the leaders' opinion, etc.). If we work
>>> on such issues, maybe direct democracy turns out to be a good idea, but
>>> meanwhile what Simon says sounds more realistic, even though in practice
>>> the above issues remain.
>>> I also support Dinis' idea for open, public votes for such issues.
>>> Kostas
>>> On 6 Jan 2014, at 11:07, psiinon <psiinon at gmail.com> wrote:
>>> OK, this is in reply to Kostas' comment, but I've changed the title as I
>>> think it deserves a separate thread.
>>> I agree that we have a CEO and BoD for these decisions, but clearly this
>>> is something people feel very strongly about.
>>> Conversely we also often complain that it seems to be difficult to get
>>> OWASP volunteers engaged :)
>>> So how about having regular polls for such questions?
>>> (Note that this is not proposed as an alternative to the email threads,
>>> which are a great way of exploring the arguments and alternatives).
>>> The polls should be restricted, e.g. to people with OWASP email addresses
>>> to prevent easy abuse.
>>> They would not be 'binding' - they would be a way of getting the 'pulse'
>>> rather than the way we arrive at decisions.
>>> The board (or whoever makes the final decision) should take into account
>>> the results, but 100% against a proposal isn't very definitive if only 5
>>> people vote ;)
>>> And they wouldn't have to be just for the 'big' questions, they could be
>>> for anything OWASP related.
>>> e.g. "What is the most important feature missing from ZAP: A) ..."
>>> It might take a bit of effort setting up the right infrastructure, but
>>> if that was in place then it would be much easier to find out how the OWASP
>>> community feels about things like participation in RSAC.
>>> Simon
>>> On Sun, Jan 5, 2014 at 5:59 PM, Konstantinos Papapanagiotou <
>>> konstantinos at owasp.org> wrote:
>>>> This kind of democracy might have worked in ancient Athens (with pros
>>>> and cons) but nowadays we have a BoD and a CEO for such kind of decisions.
>>>> Kostas
>>>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>>>> If we keep discussing philosophy and high ideals, we will never reach a
>>>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>> A key differentiator when we did this free training at AppSecUSA in
>>>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>>>> conference pass was required to participate.  Since that is not the case
>>>>> here, and since the training is only open to RSA attendees, then I think
>>>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>>>> would be interested in hosting this training for free for the community at
>>>>> large.  If we can do that, then I think it's the true win here as we get the
>>>>> visibility to satisfy our mission and we remove the negative stigma of
>>>>> being associated with RSA.
>>>>> I would disagree, however, that visibility is only a means to an end.
>>>>> Since it's in our mission statement, all of our activities and
>>>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>>>> the point where everyone, everywhere, knows about application security,
>>>>> then we can close up shop and move on.  There is no compromising the end
>>>>> goal here because, per the mission statement, visibility is the end goal.
>>>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>>>> about OWASP as a non-profit.
>>>>> ~josh
>>>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>>>>> wrote:
>>>>> 1. The immediate focus on RSAC:
>>>>> No matter how we rationalize, the fact is that we (OWASP) have
>>>>> options. This, at worst, is one missed opportunity. So let us not, in
>>>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>>> VISIBILITY is a means to an end (better security, more secure software
>>>>> -- which in itself is likely a never-ending activity). Let us not
>>>>> compromise on the end-goal while chasing the means.
>>>>> Short term gains (of reaching some developers) will easily be lost if
>>>>> we take the low road. Even 300 more "aware" developers are for naught
>>>>> if, based on RSAC acceptance, just one more company feels that the
>>>>> risks of trucking with NSA/GCHQ and compromising underlying
>>>>> foundations are acceptable.
>>>>> Is it our job/charter to "convey such a message"? I believe so.
>>>>> Conversely, can we say "we merely advocate tech principles and
>>>>> educate... this is not for us"? If we want to be treated as a
>>>>> responsible member of the ecosystem, we can't duck like that.
>>>>> Related, but a slightly different perspective: Robert Graham's blog
>>>>> post on this:
>>>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>>> 2. The tough world of principles, ethics, etc:
>>>>> Jim Manico raised a very pertinent point regarding sending mixed
>>>>> messages (=> recognition-of and consistency-in-applying our
>>>>> principles). It isn't easy.
>>>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>>>> so tangential, after all. I know we shouldn't accept funds or even
>>>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>>>> brush, I don't know (depends on internal structure, etc.). Let the
>>>>> more knowledgeable people decide on this.
>>>>> Chasing "quick results at any cost" and then splitting hairs on
>>>>> legality and rationalizations will not paint us black; but will surely
>>>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>>> Cheers,
>>>>> ==Sas3==
>>>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>> > My apologies for the delay in responding to this.  I've been on the
>>>>> > road all day today and will be slow to respond tomorrow as well.
>>>>> >
>>>>> > First off, let me admit that while my term hadn't officially begun
>>>>> > yet, I am one of the Board members who encouraged Jim and Eoin to
>>>>> > move forward with the training.  My rationale for this was simple;
>>>>> > OWASP's mission is to make software security visible, so that
>>>>> > individuals and organizations worldwide can make informed decisions
>>>>> > about true software security risks.  The core of this statement being
>>>>> > VISIBILITY.  We need to find and take advantage of as many ways as
>>>>> > possible to raise the visibility of security risks.  Our mission says
>>>>> > nothing about making political statements.  It says nothing about
>>>>> > ethical business practices.  Our mission can certainly
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader