[Owasp-leaders] Good bye OWASP leaders - time to leave the hornet

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Tue Dec 1 00:13:17 UTC 2015

Just to clarify, because I received a horrible off-list comment from
someone that will remain anonymous:

*I am NOT attacking Mr. Josh Sokol.*

I made a comment about a specific statement about 'the Board' and about my
perception of human relationships in a big organization.

If I were attacking someone, I would do it off list, and in a clear,
respectful way, as human beings deserve, and it would be called a

Or better yet in person, with a beer. Some of you know what kind of person
I am.

I write this as Arturo Busleiman, aka Buanzo, former OWASP project leader,
who, in spite of everything and some-ones, still reads what goes on here,
because he does not forget OWASP. And frackin' cares about it.

Should I?

Oh, the drama :)
On 30 Nov 2015 8:14 pm, "Arturo 'Buanzo' Busleiman" <buanzo at buanzo.com.ar> wrote:

> Is the strategic vision failing? Stop focusing on Johanna, and focus on
> what she and others are saying. And feeling.
> Maybe that will help OWASP remember its driving force, its motivation:
> open web application security.
> On 30 Nov 2015 8:06 pm, "Josh Sokol" <josh.sokol at owasp.org> wrote:
>> Johanna,
>> I'm sorry if you feel that I have been "stinging" you.  Certainly not my
>> intent.  My intent was only to show that the Board has been analyzing the
>> situation and is in the process of taking action, even if it isn't as rapid
>> as some people in our community would like, or the exact actions that they
>> desire.  As a Board, we have entrusted our ED, staff, and volunteers with
>> the daily operations of the OWASP Foundation.  Sometimes people forget that
>> we are volunteers as well who spend hundreds, if not thousands, of hours
>> trying to make OWASP a better place for everyone involved.  Technically, I
>> have just as much power in OWASP as you or any other volunteer.  I can
>> state my opinion, I can bring my ideas to the Board, and they can be voted
>> on.  The "bureaucracy" that you talk about in your document can also be
>> viewed as "governance" depending on the lens you are looking through.  Yes,
>> it can make things move slowly, I've been frustrated by it too, but it
>> ensures that everyone at OWASP has a seat at the table if they want it and
>> they will be treated fairly.  It's actually quite the opposite of
>> discrimination.
>> Our job as Board members is to help with strategic vision, not to wade
>> into operational issues.  We have an Executive Director and Staff for
>> that.  In this particular situation, the Board has stepped in to help
>> provide the guidance on how to resolve not only this situation, but future
>> situations like it.  The determination was made that we lack the policies
>> and procedures today to do so and we have asked Paul and Noreen to provide
>> those based on the Board's recommendations.  Considering that the rest of
>> us have full time jobs, and these individuals are paid by OWASP for these
>> types of activities, this seems like a reasonable action to me.  Once the
>> new policies are in place, then we can work on enforcing them.  I
>> understand that this process is not as quick as you would like, but again,
>> it isn't meant to be quick, it is meant to be fair.
>> In terms of taking the time to speak with you, I have done so many times
>> on many topics.  I made it a point to find you at the BlackHat Arsenal a
>> couple years ago and introduce myself.  I thanked you for everything that
>> you have done for OWASP.  If you are questioning why nobody talked to you
>> for this one issue, I don't know.  That said, I think we've heard your
>> opinion on the issue loud and clear.  You have every right to be upset.
>> You have every right to leave OWASP.  I don't think any of us want those
>> things, but you are a grown woman who can do what you'd like.  My last
>> e-mail was only meant to show that there are processes in place that would
>> allow our leaders to act in ways that they see fit, irrespective of the
>> Board.  I was aware that you had resigned your post, but you also said that
>> you were leaving OWASP then, and then came back, so I was unsure of your
>> status.  I made some suggestions on how to use the "bureaucracy" that you
>> hate so much in order to get what you want.  Is that really me "stinging"
>> you?
>> Regarding LASCON, I understand that you are trying to imply that I am
>> somehow "bought" by Contrast.  The fact is that my only communication with
>> Contrast, outside of the meeting the Board asked me to have with Jeff, was
>> in asking their marketing to remove me from their list...twice.  My
>> involvement with LASCON this year was in creating the badge game, providing
>> a free one-day training to ~100 people, and as an attendee.  Honestly, I
>> haven't been very involved in LASCON planning since Co-Chairing OWASP
>> AppSec 2012 in Austin.  I can honestly say that I have never had any
>> business dealings with Dave, Jeff, Aspect, or Contrast.  Frankly, I feel as
>> though I'm about as unbiased as you can get in this situation.  But, again,
>> I'm only one voice and my original intention was only to let Simon and
>> others know that the Board and our Executive Director have been actively
>> working on this issue behind the scenes.  I sincerely apologize for any
>> heartache that this situation has caused you.  We are all nothing if not
>> passionate, but that doesn't make one view more right than another.  You
>> may not see it, but we are working as best we can given the resources
>> available to us.  In any case, I wish you the best of luck going forward.
>> ~josh
>> On Mon, Nov 30, 2015 at 3:52 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> >>We also are too sensitive to offending offenders.
>>> But very insensitive with volunteers.
>>> I have to say that I feel quite offended by how I have been treated with
>>> all this questioning, even at the last moment when I'm leaving this
>>> hornet. Literally a HORNET, and I keep on being stung by board members.
>>> In the first place Simon made a complaint.
>>> I provided feedback and made recommendations to the board including the
>>> review. The entire community reacted on Twitter, including SWAMP and other
>>> vendors.
>>> Then what happens? Josh & Matt 'take the time' to talk to Jeff, who has
>>> basically demeaned the entire DAST/SAST industry...no actions are taken.
>>> 2 MONTHS LATER questions are raised AGAIN by Simon and then we stir
>>> up the hornet again.
>>> That is how you wanted to keep volunteers?
>>> To me this feels and reads as DISCRIMINATION.
>>> Yes, I'm not Jeff Williams, owner of Contrast and sponsor of LASCON, just
>>> a third world woman living on a Caribbean island.
>>> Josh, when did you and Matt take the time to speak with me, not even using
>>> Skype?
>>> http://lascon.org
>>> Check the big Contrast logo!
>>> On Mon, Nov 30, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org>
>>> wrote:
>>>> Much of our decisions must be based on "doing what feels right" and
>>>> "wisdom of crowds". We need to call foul when we see it and deal with it
>>>> decisively.
>>>> We currently do neither. Gut feeling is normally right.
>>>> We also are too sensitive to offending offenders. Many many times since
>>>> 2013 bad, unethical stuff has occurred and little was done, even ignoring
>>>> our compliance officer, who I guess has not been asked to look at the
>>>> benchmark project?
>>>> This is crucial for OWASP to hold together, never mind survive.
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>> On 30 Nov 2015, at 8:59 p.m., Jim Manico <jim.manico at owasp.org> wrote:
>>>> > If you need to write rules for everything you won't have volunteers
>>>> doing anything.
>>>> I think this is a super important point. We cannot set policy to cover
>>>> every situation. Our community is full of hackers who exploit weakness in
>>>> policy for a living. Sometimes policy will fail, at OWASP more often than
>>>> not.
>>>> The board and other members of leadership need to step in and be
>>>> sensible during times of crisis.
>>>> If you look at social media, various OWASP email lists, the history of
>>>> the participants and many other facts around this disaster, I think the
>>>> best choice for the foundation is:
>>>> 1) Demote or remove this project from the OWASP project inventory
>>>> 2) Make a clear public statement of our disapproval of this obvious
>>>> brand abuse
>>>> 3) As best we can, try to adjust OWASP brand use guidelines and project
>>>> review criteria
>>>> But please note, I am not king and I never was. I am just one volunteer
>>>> speaking for myself. The board is still discussing this issue and is
>>>> weighing the pros and cons between supporting innovation and protecting the
>>>> brand.
>>>> Whatever happens, there is no winner here. I think this is yet another
>>>> poisonous episode that will diminish the OWASP brand, discourage innovation
>>>> and harm collaboration in our industry. It's a very sad situation and I
>>>> wish I could do more to help.
>>>> I also think the board members who I disagree with are trying their
>>>> best to make good decisions. This is just a very tough one to handle. No
>>>> one wants to set a precedent where the board steps in and demotes or
>>>> removes projects. There will be no winners here.
>>>> - Jim
>>>> On 11/30/15 10:43 PM, johanna curiel curiel wrote:
>>>> >>If you are no longer involved with the Project Task Force, then
>>>> perhaps you could pass that note along to whoever is still involved with
>>>> it, if anyone.
>>>> I'm not your employee, I'm a volunteer. I already took the time to pass
>>>> over the info to Claudia. I explained to her what I used to do, even what an
>>>> ex-employee like Kait-Disney used to do to maintain and support the
>>>> Project Task Review.
>>>> >>Just thought that as the one who initiated the Committee 2.0
>>>> framework, it might help to answer that "who" question you had.
>>>> Josh. You make this more complicated than it needs to be. The committee
>>>> I formed was just to do reviews:
>>>> https://groups.google.com/a/owasp.org/forum/?hl=en#!searchin/projects-task-force/committee$20project$20review/projects-task-force/-UB_wQmtNO8/qlVnAQbMsjkJ
>>>> If you need to write rules for everything you won't have volunteers
>>>> doing anything.
>>>> Keep it simple. When we think overcomplicated we end up thinking just
>>>> like Monty Python Football...😁
>>>> All you need to do is kick the ball...
>>>> For me it is obvious. I just have the feeling that the board hardly
>>>> reads and pays attention to what I have been saying, writing etc.
>>>> Have you thought how exhausting it is to keep repeating the same story over
>>>> again? Explaining myself every time with all your questioning? Providing
>>>> links, proofs, writing these emails...exhausting and a waste of time.
>>>> https://www.youtube.com/watch?v=ur5fGSBsfq8
>>>> People have fun watching; this video is really funny.
>>>> Have a nice week.
>>>> regards
>>>> Johanna
>>>> On Mon, Nov 30, 2015 at 4:12 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>> If you are no longer involved with the Project Task Force, then
>>>>> perhaps you could pass that note along to whoever is still involved with
>>>>> it, if anyone.  The option is there to revise the guidelines which I would
>>>>> consider to be in scope for this committee.  But, to your point, the
>>>>> marketing with respect to Contrast around the project appears to be outside
>>>>> the stated scope of the committee.  Thus, it is the domain of the Board and
>>>>> we are working on it.  I just thought that as the one who initiated the
>>>>> Committee 2.0 framework, it might help to answer that "who" question you
>>>>> had.
>>>>> ~josh
>>>>> On Nov 30, 2015 1:41 PM, "johanna curiel curiel" <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>> Josh
>>>>>> I stepped down from the Project Review task force on 2nd September 2015
>>>>>> http://lists.owasp.org/pipermail/owasp-board/2015-September/016044.html
>>>>>> >>The Board will still need to provide action on the abuse of the
>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>> concerns
>>>>>> I handled these concerns very clearly when I sent to you and the
>>>>>> entire community the project review done. I even reacted to Jeff Williams
>>>>>> on the DarkReading website.
>>>>>> BTW that was my last review done with Abbas. We both concluded the
>>>>>> same things and all of these reviews are publicly available on the Project
>>>>>> Task Force email list.
>>>>>> The problem with all the bureaucracy, guidelines and Committees
>>>>>> is that it is very unclear *who* should take action when brand
>>>>>> abuses occur. That was never the responsibility of the PROJECT REVIEW team,
>>>>>> which was just to make reviews and advise.
>>>>>> I requested the board to take action; a statement is what I
>>>>>> recommended, to make clear that OWASP does not endorse the opinions of the
>>>>>> vendor (Contrast) with regard to the claims made using OWASP Benchmark.
>>>>>>    - My issue here is that Contrast has misused OWASP Benchmark
>>>>>>    using false claims.
>>>>>>    - Dave Wichers is in a position of Conflict of Interest
>>>>>> And these false claims are also demeaning against SAST/DAST tools, as
>>>>>> if IAST is superior. The arguments are false; nothing can be concluded
>>>>>> from this project as it is in Beta stage, as experts such as Kevin Wall
>>>>>> have also made clear.
>>>>>> BTW Contrast just slightly changed its website by taking down the
>>>>>> demeaning false statements against DAST/SAST:
>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>>    - "Contrast Dominates SAST & DAST in Speed and Accuracy "
>>>>>>    - "SAST & DAST Leave Businesses Vulnerable"
>>>>>>    - "As *clearly demonstrated by the OWASP Benchmark*, this
>>>>>>    approach is not only many times more accurate, but is faster and easier to
>>>>>>    deploy as well."
>>>>>> All this is FALSE FALSE FALSE. Contrast needs to take down all these
>>>>>> statements that use Benchmark as if it is true.
>>>>>> Do you need more brand guidelines to take action?
>>>>>> Regards
>>>>>> Johanna
>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>> On Mon, Nov 30, 2015 at 2:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>> I am sad to see you go, Johanna.  Your efforts with respect to OWASP
>>>>>>> projects have been an inspiration to many, including myself.  Thank you for
>>>>>>> all your hard work and dedication.
>>>>>>> Before you go (assuming you haven't abandoned yet), I would like to
>>>>>>> make a suggestion here.  You are currently leading the Project Task Force,
>>>>>>> which is empowered to act under the OWASP Committees 2.0 framework (
>>>>>>> https://owasp.org/index.php/Committees_2.0).  And as I look to the
>>>>>>> Guidelines for OWASP Projects (
>>>>>>> https://owasp.org/index.php/Guidelines_for_OWASP_Projects) I note
>>>>>>> that these guidelines are maintained under the scope of that committee.
>>>>>>>> This page is maintained by the OWASP Project Task Force to help
>>>>>>>> assist Project Leaders with information about successfully running an OWASP
>>>>>>>> Project. It will be updated from time to time, and changes will be
>>>>>>>> discussed and announced on the OWASP-Leaders list.
>>>>>>> The Committees 2.0 framework had the goal of empowering our
>>>>>>> community to effectively delegate power away from the Board and to
>>>>>>> themselves within a pre-defined scope.  The only question in my mind, at
>>>>>>> this point, is whether this committee still has the 5 people necessary in
>>>>>>> order to hold a vote.  If so, I would like to make a few recommendations to
>>>>>>> the committee:
>>>>>>>    1. Amend this guideline to include verbiage stating that a
>>>>>>>    project leader must not have a bias that would prevent them from being
>>>>>>>    objective with respect to their project.  If such a bias were to occur, the
>>>>>>>    project leader would be removed and a new leader would need to be found in
>>>>>>>    order for the project to continue as an OWASP project.
>>>>>>>    2. Amend the guidelines around project levels (Incubator, Lab,
>>>>>>>    Flagship) stating that a mandatory requirement for Lab and Flagship
>>>>>>>    projects is that they have a diverse enough set of contributors to support
>>>>>>>    objective efforts.
>>>>>>>    3. Perform a blanket review of projects against these new
>>>>>>>    criteria and adjust accordingly for all projects failing to meet these new
>>>>>>>    requirements.
>>>>>>> I believe that these actions are wholly within the stated scope of
>>>>>>> the committee and are not in violation of our Bylaws, Code of Ethics,
>>>>>>> Mission, etc., and are therefore appropriate for the committee to make.
>>>>>>> Committee decisions are considered official once a record has been
>>>>>>> published to the community.
>>>>>>> The Board will still need to provide action on the abuse of the
>>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>>> concerns, but the power to act on the project level is there should you
>>>>>>> choose to use it.  Just a thought since the Board is trying to manage to
>>>>>>> policy and you have the ability to change that.
>>>>>>> ~josh
>>>>>>> On Sun, Nov 29, 2015 at 4:24 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>> Hi Leaders
>>>>>>>> I have decided that I stop participating at OWASP as a community
>>>>>>>> member, especially being involved in any new activities regarding direct
>>>>>>>> volunteer efforts. If I ever considered running for the board, I have
>>>>>>>> definitely desisted.
>>>>>>>> Anyone who would like to know my perspective, my point of view,
>>>>>>>> can take the time to read this article:
>>>>>>>> https://docs.google.com/document/d/1iNeG2lOBTAo8qsMiNZDARLKm4X727OME50CamzY3vn8/edit?usp=sharing
>>>>>>>> I will keep supporting certain projects as I have direct contact
>>>>>>>> with these project leaders, but I think OWASP is in a process of decay as
>>>>>>>> an organisation.
>>>>>>>> I stop the Curacao Chapter; I guess there will be no Caribbean region
>>>>>>>> at OWASP as none of these countries are active. This one is stopping right
>>>>>>>> now. Research initiative too.
>>>>>>>> I'll keep my OWASP mail and I'll be an official member as many are
>>>>>>>> 'on paper'. So yes, if you want to contact me and I can help you directly,
>>>>>>>> you are always welcome.
>>>>>>>> Good luck to all of you.
>>>>>>>> Regards
>>>>>>>> Johanna
>>>>>>>> _______________________________________________
>>>>>>>> OWASP-Leaders mailing list
>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders