[Owasp-leaders] Good bye OWASP leaders - time to leave the hornet

Abdullahi Arabo abdullahi.arabo at owasp.org
Tue Dec 1 11:39:29 UTC 2015

Thanks for your contributions Johanna. I think some steps and measures
should be taken to stop frustrating our volunteers.

On Tuesday, 1 December 2015, Arturo 'Buanzo' Busleiman <buanzo at buanzo.com.ar> wrote:

> Just to clarify, because I received a horrible off-list comment from
> someone that will remain anonymous:
> *I am NOT attacking Mr. Josh Sokol.*
> I made a comment about a specific statement about 'the Board' and about my
> perception of human relationships in a big organization.
> If I were attacking someone, I would do it off list, and in a clear,
> respectful way, as human beings deserve, and it would be called a
> discussion/argument.
> Or better yet in person, with a beer. Some of you know what kind of person
> I am.
> I write this as Arturo Busleiman, aka Buanzo, former OWASP project leader,
> that in spite of everything and some-ones, still reads what goes on here,
> because he does not forget OWASP. And frackin' cares about it.
> Should I?
> Oh, the drama :)
> On 30 Nov 2015 8:14 pm, "Arturo 'Buanzo' Busleiman" <buanzo at buanzo.com.ar> wrote:
>> Is the strategic vision failing? Stop focusing on Johanna, and focus on
>> what she and others are saying. And feeling.
>> Maybe that will help OWASP remember its driving force, its motivation:
>> open web application security.
>> On 30 Nov 2015 8:06 pm, "Josh Sokol" <josh.sokol at owasp.org> wrote:
>>> Johanna,
>>> I'm sorry if you feel that I have been "stinging" you.  Certainly not my
>>> intent.  My intent was only to show that the Board has been analyzing the
>>> situation and is in the process of taking action, even if it isn't as rapid
>>> as some people in our community would like, or the exact actions that they
>>> desire.  As a Board, we have entrusted our ED, staff, and volunteers with
>>> the daily operations of the OWASP Foundation.  Sometimes people forget that
>>> we are volunteers as well who spend hundreds, if not thousands, of hours
>>> trying to make OWASP a better place for everyone involved.  Technically, I
>>> have just as much power in OWASP as you or any other volunteer.  I can
>>> state my opinion, I can bring my ideas to the Board, and they can be voted
>>> on.  The "bureaucracy" that you talk about in your document can also be
>>> viewed as "governance" depending on the lens you are looking through.  Yes,
>>> it can make things move slowly, I've been frustrated by it too, but it
>>> ensures that everyone at OWASP has a seat at the table if they want it and
>>> they will be treated fairly.  It's actually quite the opposite of
>>> discrimination.
>>> Our job as Board members is to help with strategic vision, not to wade
>>> into operational issues.  We have an Executive Director and Staff for
>>> that.  In this particular situation, the Board has stepped in to help
>>> provide the guidance on how to resolve not only this situation, but future
>>> situations like it.  The determination was made that we lack the policies
>>> and procedures today to do so and we have asked Paul and Noreen to provide
>>> those based on the Board's recommendations.  Considering that the rest of
>>> us have full time jobs, and these individuals are paid by OWASP for these
>>> types of activities, this seems like a reasonable action to me.  Once the
>>> new policies are in place, then we can work on enforcing them.  I
>>> understand that this process is not as quick as you would like, but again,
>>> it isn't meant to be quick, it is meant to be fair.
>>> In terms of taking the time to speak with you, I have done so many times
>>> on many topics.  I made it a point to find you at the BlackHat Arsenal a
>>> couple years ago and introduce myself.  I thanked you for everything that
>>> you have done for OWASP.  If you are questioning why nobody talked to you
>>> for this one issue, I don't know.  That said, I think we've heard your
>>> opinion on the issue loud and clear.  You have every right to be upset.
>>> You have every right to leave OWASP.  I don't think any of us want those
>>> things, but you are a grown woman who can do what you'd like.  My last
>>> e-mail was only meant to show that there are processes in place that would
>>> allow our leaders to act in ways that they see fit, irrespective of the
>>> Board.  I was aware that you had resigned your post, but you also said that
>>> you were leaving OWASP then, and then came back, so I was unsure of your
>>> status.  I made some suggestions on how to use the "bureaucracy" that you
>>> hate so much in order to get what you want.  Is that really me "stinging"
>>> you?
>>> Regarding LASCON, I understand that you are trying to imply that I am
>>> somehow "bought" by Contrast.  The fact is that my only communication with
>>> Contrast, outside of the meeting the Board asked me to have with Jeff, was
>>> in asking their marketing to remove me from their list...twice.  My
>>> involvement with LASCON this year was in creating the badge game, providing
>>> a free one-day training to ~100 people, and as an attendee.  Honestly, I
>>> haven't been very involved in LASCON planning since Co-Chairing OWASP
>>> AppSec 2012 in Austin.  I can honestly say that I have never had any
>>> business dealings with Dave, Jeff, Aspect, or Contrast.  Frankly, I feel as
>>> though I'm about as unbiased as you can get in this situation.  But, again,
>>> I'm only one voice and my original intention was only to let Simon and
>>> others know that the Board and our Executive Director have been actively
>>> working on this issue behind the scenes.  I sincerely apologize for any
>>> heartache that this situation has caused you.  We are all nothing if not
>>> passionate, but that doesn't make one view more right than another.  You
>>> may not see it, but we are working as best we can given the resources
>>> available to us.  In any case, I wish you the best of luck going forward.
>>> ~josh
>>> On Mon, Nov 30, 2015 at 3:52 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> >>We also are too sensitive to offending offenders.
>>>> But very insensitive with volunteers.
>>>> I have to say that I feel quite offended how I have been treated with
>>>> all this questioning, and even at the last moment when I'm leaving this
>>>> hornet. Literally HORNET, and keep on being stung by board members.
>>>> In the first place Simon has made a complaint.
>>>> I provided feedback and made recommendations to the board including the
>>>> review. The entire community reacts on twitter including SWAMP , and other
>>>> vendors.
>>>> Then what happens? Josh & Matt 'take the time' to talk to Jeff who has
>>>> basically demeaned the entire DAST/SAST industry...no actions are taken.
>>>> 2 MONTHS LATER questions are raised AGAIN by Simon and then we
>>>> stir up the hornet again.
>>>> That is how you wanted to keep volunteers?
>>>> To me this feels and writes DISCRIMINATION.
>>>> Yes I'm not Jeff Williams owner of Contrast and sponsor of LASCON, just
>>>> a third world woman living on a Caribbean island.
>>>> Josh when did you and Matt take the time to speak with me not even
>>>> using Skype?
>>>> http://lascon.org
>>>> Check the big Contrast logo!
>>>> On Mon, Nov 30, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>> Much of our decisions must be based on "doing what feels right" and
>>>>> "wisdom of crowds". We need to call foul when we see it and deal with it
>>>>> decisively.
>>>>> We currently do neither. Gut feeling is normally right.
>>>>> We also are too sensitive to offending offenders. Many many times
>>>>> since 2013 bad, unethical stuff has occurred and little was done even
>>>>> ignoring our compliance officer, whom I guess has not been asked to look at
>>>>> the benchmark project?
>>>>> This is crucial for OWASP to hold together, never mind survive.
>>>>> Eoin Keary
>>>>> OWASP Volunteer
>>>>> @eoinkeary
>>>>> On 30 Nov 2015, at 8:59 p.m., Jim Manico <jim.manico at owasp.org> wrote:
>>>>> > If you need to write rules for everything you won't have volunteers
>>>>> doing anything.
>>>>> I think this is a super important point. We cannot set policy to cover
>>>>> every situation. Our community is full of hackers who exploit weakness in
>>>>> policy for a living. Sometimes policy will fail, at OWASP more often than
>>>>> not.
>>>>> The board and other members of leadership need to step in and be
>>>>> sensible during times of crisis.
>>>>> If you look at social media, various OWASP email lists, the history of
>>>>> the participants and many other facts around this disaster, I think the
>>>>> best choice for the foundation is:
>>>>> 1) Demote or remove this project from the OWASP project inventory
>>>>> 2) Make a clear public statement of our disapproval of this obvious
>>>>> brand abuse
>>>>> 3) As best we can, try to adjust OWASP brand use guidelines and
>>>>> project review criteria
>>>>> But please note, I am not king and I never was. I am just one
>>>>> volunteer speaking for myself. The board is still discussing this issue and
>>>>> is weighing the pros and cons between supporting innovation and protecting
>>>>> the brand.
>>>>> Whatever happens, there is no winner here. I think this is yet another
>>>>> poisonous episode that will diminish the OWASP brand, discourage innovation
>>>>> and harm collaboration in our industry. It's a very sad situation and I
>>>>> wish I could do more to help.
>>>>> I also think the board members who I disagree with are trying their
>>>>> best to make good decisions. This is just a very tough one to handle. No
>>>>> one wants to set a precedent where the board steps in and demotes or
>>>>> removes projects. There will be no winners here.
>>>>> - Jim
>>>>> On 11/30/15 10:43 PM, johanna curiel curiel wrote:
>>>>> >>If you are no longer involved with the Project Task Force, then
>>>>> perhaps you could pass that note along to whoever is still involved with
>>>>> it, if anyone.
>>>>> I'm not your employee, I'm a volunteer. I already took the time to
>>>>> pass over the info to Claudia. I explained to her what I used to do, even
>>>>> what an ex-employee like Kait-Disney used to do and maintain and support
>>>>> the Project Task Review with.
>>>>> >>Just thought that as the one who initiated the Committee 2.0
>>>>> framework, it might help to answer that "who" question you had.
>>>>> Josh. You make this more complicated than it needs to be. The
>>>>> committee I formed was just to do reviews:
>>>>> https://groups.google.com/a/owasp.org/forum/?hl=en#!searchin/projects-task-force/committee$20project$20review/projects-task-force/-UB_wQmtNO8/qlVnAQbMsjkJ
>>>>> If you need to write rules for everything you won't have volunteers
>>>>> doing anything.
>>>>> Keep it simple. When we think overcomplicated we end up thinking just
>>>>> like Monty Python Football...😁
>>>>> All you need to do is kick the ball...
>>>>> For me it is obvious. I just have the feeling that the board hardly
>>>>> reads and pays attention to what I have been saying, writing etc.
>>>>> Have you thought how exhausting it is to keep repeating the same story
>>>>> over again? Explaining myself every time with all your questioning?
>>>>> Providing links, proofs, writing these emails...exhausting and a waste of time.
>>>>> https://www.youtube.com/watch?v=ur5fGSBsfq8
>>>>> People have fun watching, this video is really funny.
>>>>> Have a nice week.
>>>>> regards
>>>>> Johanna
>>>>> On Mon, Nov 30, 2015 at 4:12 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>> If you are no longer involved with the Project Task Force, then
>>>>>> perhaps you could pass that note along to whoever is still involved with
>>>>>> it, if anyone.  The option is there to revise the guidelines which I would
>>>>>> consider to be in scope for this committee.  But, to your point, the
>>>>>> marketing with respect to Contrast around the project appears to be outside
>>>>>> the stated scope of the committee.  Thus, it is the domain of the Board and
>>>>>> we are working on it.  I just thought that as the one who initiated the
>>>>>> Committee 2.0 framework, it might help to answer that "who" question you
>>>>>> had.
>>>>>> ~josh
>>>>>> On Nov 30, 2015 1:41 PM, "johanna curiel curiel" <johanna.curiel at owasp.org> wrote:
>>>>>>> Josh
>>>>>>> I stepped down from the Project Review task force on 2nd September 2015
>>>>>>> http://lists.owasp.org/pipermail/owasp-board/2015-September/016044.html
>>>>>>> >>The Board will still need to provide action on the abuse of the
>>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>>> concerns
>>>>>>> I handled these concerns very clearly when I sent to you and the
>>>>>>> entire community the project review done. I even reacted to Jeff Williams
>>>>>>> on the DarkReading website.
>>>>>>> BTW that was my last review done with Abbas. We both concluded the
>>>>>>> same things and all of these reviews are publicly available on the Project
>>>>>>> Task Force email list.
>>>>>>> The problem with all the bureaucracy and guidelines and Committees
>>>>>>> is that it is very unclear *who* should take action when brand
>>>>>>> abuses occur. That was never the responsibility of the PROJECT REVIEW team.
>>>>>>> Just to make reviews and advise.
>>>>>>> I requested the board to take action, a statement, that's what I
>>>>>>> recommended, to make clear that OWASP does not endorse the opinions of the
>>>>>>> vendor (Contrast) with regard to the claims made using OWASP Benchmark.
>>>>>>>    - My issue here is that Contrast has misused OWASP Benchmark
>>>>>>>    using false claims.
>>>>>>>    - Dave Wichers is in a position of Conflict of Interest
>>>>>>> And these false claims are also demeaning against SAST/DAST tools as
>>>>>>> if IAST is more superior. The arguments are false, nothing can be concluded
>>>>>>> for this project as it is in Beta stage, as also experts such as Kevin Wall
>>>>>>> have made clear.
>>>>>>> BTW Contrast just slightly changed its website by taking down the
>>>>>>> demeaning false statements against DAST/SAST:
>>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>>>    - "Contrast Dominates SAST & DAST in Speed and Accuracy "
>>>>>>>    - "SAST & DAST Leave Businesses Vulnerable"
>>>>>>>    - "As *clearly demonstrated by the OWASP Benchmark*, this
>>>>>>>    approach is not only many times more accurate, but is faster and easier to
>>>>>>>    deploy as well."
>>>>>>> All this is FALSE FALSE FALSE. Contrast needs to take down all these
>>>>>>> statements using Benchmark as if it is true.
>>>>>>> Do you need more brand guidelines to take action?
>>>>>>> Regards
>>>>>>> Johanna
>>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>>> On Mon, Nov 30, 2015 at 2:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>>> I am sad to see you go, Johanna.  Your efforts with respect to
>>>>>>>> OWASP projects have been an inspiration to many, including myself.  Thank
>>>>>>>> you for all your hard work and dedication.
>>>>>>>> Before you go (assuming you haven't abandoned yet), I would like to
>>>>>>>> make a suggestion here.  You are currently leading the Project Task Force,
>>>>>>>> which is empowered to act under the OWASP Committees 2.0 framework (
>>>>>>>> https://owasp.org/index.php/Committees_2.0).  And as I look to the
>>>>>>>> Guidelines for OWASP Projects (
>>>>>>>> https://owasp.org/index.php/Guidelines_for_OWASP_Projects) I note
>>>>>>>> that these guidelines are maintained under the scope of that committee.
>>>>>>>>> This page is maintained by the OWASP Project Task Force to help
>>>>>>>>> assist Project Leaders with information about successfully running an OWASP
>>>>>>>>> Project. It will be updated from time to time, and changes will be
>>>>>>>>> discussed and announced on the OWASP-Leaders list.
>>>>>>>> The Committees 2.0 framework had the goal of empowering our
>>>>>>>> community to effectively delegate power away from the Board and to
>>>>>>>> themselves within a pre-defined scope.  The only question in my mind, at
>>>>>>>> this point, is whether this committee still has the 5 people necessary in
>>>>>>>> order to hold a vote.  If so, I would like to make a few recommendations to
>>>>>>>> the committee:
>>>>>>>>    1.  Amend this guideline to include verbiage stating that a
>>>>>>>>    project leader must not have a bias that would prevent them from being
>>>>>>>>    objective with respect to their project.  If such a bias were to occur, the
>>>>>>>>    project leader would be removed and a new leader would need to be found in
>>>>>>>>    order for the project to continue as an OWASP project.
>>>>>>>>    2. Amend the guidelines around project levels (Incubator, Lab,
>>>>>>>>    Flagship) stating that a mandatory requirement for Lab and Flagship
>>>>>>>>    projects is that they have a diverse enough set of contributors to support
>>>>>>>>    objective efforts.
>>>>>>>>    3. Perform a blanket review of projects against these new
>>>>>>>>    criteria and adjust accordingly for all projects failing to meet these new
>>>>>>>>    requirements.
>>>>>>>> I believe that these actions are wholly within the stated scope of
>>>>>>>> the committee and are not in violation of our Bylaws, Code of Ethics,
>>>>>>>> Mission, etc, and therefore, appropriate for the committee to make.
>>>>>>>> Committee decisions are considered official once a record has been
>>>>>>>> published to the community.
>>>>>>>> The Board will still need to provide action on the abuse of the
>>>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>>>> concerns, but the power to act on the project level is there should you
>>>>>>>> choose to use it.  Just a thought since the Board is trying to manage to
>>>>>>>> policy and you have the ability to change that.
>>>>>>>> ~josh
>>>>>>>> On Sun, Nov 29, 2015 at 4:24 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>>>> Hi Leaders
>>>>>>>>> I have decided that I will stop participating at OWASP as a community
>>>>>>>>> member, especially being involved in any new activities regarding direct
>>>>>>>>> volunteer efforts. If I ever considered running for the board, I have
>>>>>>>>> definitely desisted.
>>>>>>>>> Anyone who would like to know my perspective about my point of view
>>>>>>>>> can take the time to read this article:
>>>>>>>>> https://docs.google.com/document/d/1iNeG2lOBTAo8qsMiNZDARLKm4X727OME50CamzY3vn8/edit?usp=sharing
>>>>>>>>> I will keep supporting certain projects as I have direct contact
>>>>>>>>> with these project leaders, but I think OWASP is in a process of decay as
>>>>>>>>> an organisation.
>>>>>>>>> I stop Curacao Chapter, I guess there will be no Caribbean region
>>>>>>>>> at OWASP as none of these countries are active. This one is stopping right
>>>>>>>>> now. Research initiative too.
>>>>>>>>> I'll keep my OWASP mail and I'll be an official member as many are
>>>>>>>>> 'on paper'. So yes, you want to contact me and I can help you directly,
>>>>>>>>> always welcome.
>>>>>>>>> Good luck all to you.
>>>>>>>>> Regards
>>>>>>>>> Johanna
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Dr A Arabo Jr.
OWASP Nigerian Chapter