[Owasp-leaders] Good bye OWASP leaders - time to leave the hornet

Paolo Perego thesp0nge at owasp.org
Tue Dec 1 13:57:48 UTC 2015

I share most of Johanna's complaints. My experience is that a lot of people
are starving putting "Owasp" as a keyword on LinkedIn... of course we're also
full of strong committers, but sometimes the overall feeling is so boring
and frustrating :-(

On Tue, Dec 1, 2015 at 12:39 PM, Abdullahi Arabo <abdullahi.arabo at owasp.org> wrote:

> Thanks for your contributions Johanna. I think some steps and measures
> should be taken to stop frustrating our volunteers
> On Tuesday, 1 December 2015, Arturo 'Buanzo' Busleiman <
> buanzo at buanzo.com.ar> wrote:
>> Just to clarify, because I received a horrible off-list comment from
>> someone that will remain anonymous:
>> *I am NOT attacking Mr. Josh Sokol.*
>> I made a comment about a specific statement about 'the Board' and about
>> my perception of human relationships in a big organization.
>> If I were attacking someone, I would do it off list, and in a clear,
>> respectful way, as human beings deserve, and it would be called a
>> discussion/argument.
>> Or better yet in person, with a beer. Some of you know what kind of
>> person I am.
>> I write this as Arturo Busleiman, aka Buanzo, former OWASP project
>> leader, that in spite of everything and some-ones, still reads what goes on
>> here, because he does not forget OWASP. And frackin' cares about it.
>> Should I?
>> Oh, the drama :)
>> On 30 Nov 2015 8:14 pm, "Arturo 'Buanzo' Busleiman" <buanzo at buanzo.com.ar>
>> wrote:
>>> Is the strategic vision failing? Stop focusing on Johanna, and focus on
>>> what she and others are saying. And feeling.
>>> Maybe that will help OWASP remember its driving force, its motivation:
>>> open web application security.
>>> On 30 Nov 2015 8:06 pm, "Josh Sokol" <josh.sokol at owasp.org> wrote:
>>>> Johanna,
>>>> I'm sorry if you feel that I have been "stinging" you.  Certainly not
>>>> my intent.  My intent was only to show that the Board has been analyzing
>>>> the situation and is in the process of taking action, even if it isn't as
>>>> rapid as some people in our community would like, or the exact actions that
>>>> they desire.  As a Board, we have entrusted our ED, staff, and volunteers
>>>> with the daily operations of the OWASP Foundation.  Sometimes people forget
>>>> that we are volunteers as well who spend hundreds, if not thousands, of
>>>> hours trying to make OWASP a better place for everyone involved.
>>>> Technically, I have just as much power in OWASP as you or any other
>>>> volunteer.  I can state my opinion, I can bring my ideas to the Board, and
>>>> they can be voted on.  The "bureaucracy" that you talk about in your
>>>> document can also be viewed as "governance" depending on the lens you are
>>>> looking through.  Yes, it can make things move slowly, I've been frustrated
>>>> by it too, but it ensures that everyone at OWASP has a seat at the table if
>>>> they want it and they will be treated fairly.  It's actually quite the
>>>> opposite of discrimination.
>>>> Our job as Board members is to help with strategic vision, not to wade
>>>> into operational issues.  We have an Executive Director and Staff for
>>>> that.  In this particular situation, the Board has stepped in to help
>>>> provide the guidance on how to resolve not only this situation, but future
>>>> situations like it.  The determination was made that we lack the policies
>>>> and procedures today to do so and we have asked Paul and Noreen to provide
>>>> those based on the Board's recommendations.  Considering that the rest of
>>>> us have full time jobs, and these individuals are paid by OWASP for these
>>>> types of activities, this seems like a reasonable action to me.  Once the
>>>> new policies are in place, then we can work on enforcing them.  I
>>>> understand that this process is not as quick as you would like, but again,
>>>> it isn't meant to be quick, it is meant to be fair.
>>>> In terms of taking the time to speak with you, I have done so many
>>>> times on many topics.  I made it a point to find you at the BlackHat
>>>> Arsenal a couple years ago and introduce myself.  I thanked you for
>>>> everything that you have done for OWASP.  If you are questioning why nobody
>>>> talked to you for this one issue, I don't know.  That said, I think we've
>>>> heard your opinion on the issue loud and clear.  You have every right to be
>>>> upset.  You have every right to leave OWASP.  I don't think any of us want
>>>> those things, but you are a grown woman who can do what you'd like.  My
>>>> last e-mail was only meant to show that there are processes in place that
>>>> would allow our leaders to act in ways that they see fit, irrespective of
>>>> the Board.  I was aware that you had resigned your post, but you also said
>>>> that you were leaving OWASP then, and then came back, so I was unsure of
>>>> your status.  I made some suggestions on how to use the "bureaucracy" that
>>>> you hate so much in order to get what you want.  Is that really me
>>>> "stinging" you?
>>>> Regarding LASCON, I understand that you are trying to imply that I am
>>>> somehow "bought" by Contrast.  The fact is that my only communication with
>>>> Contrast, outside of the meeting the Board asked me to have with Jeff, was
>>>> in asking their marketing to remove me from their list...twice.  My
>>>> involvement with LASCON this year was in creating the badge game, providing
>>>> a free one-day training to ~100 people, and as an attendee.  Honestly, I
>>>> haven't been very involved in LASCON planning since Co-Chairing OWASP
>>>> AppSec 2012 in Austin.  I can honestly say that I have never had any
>>>> business dealings with Dave, Jeff, Aspect, or Contrast.  Frankly, I feel as
>>>> though I'm about as unbiased as you can get in this situation.  But, again,
>>>> I'm only one voice and my original intention was only to let Simon and
>>>> others know that the Board and our Executive Director have been actively
>>>> working on this issue behind the scenes.  I sincerely apologize for any
>>>> heartache that this situation has caused you.  We are all nothing if not
>>>> passionate, but that doesn't make one view more right than another.  You
>>>> may not see it, but we are working as best we can given the resources
>>>> available to us.  In any case, I wish you the best of luck going forward.
>>>> ~josh
>>>> On Mon, Nov 30, 2015 at 3:52 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>> >>We also are too sensitive to offending offenders.
>>>>> But very insensitive with volunteers.
>>>>> I have to say that I feel quite offended by how I have been treated with
>>>>> all this questioning, and even at the last moment, when I'm leaving this
>>>>> hornet. Literally a HORNET, and I keep on being stung by board members.
>>>>> In the first place Simon has made a complaint.
>>>>> I provided feedback and made recommendations to the board including
>>>>> the review. The entire community reacts on twitter including SWAMP , and
>>>>> other vendors.
>>>>> Then what happens? Josh & Matt 'take the time' to talk to Jeff, who has
>>>>> basically demeaned the entire DAST/SAST industry...no actions are taken.
>>>>> 2 MONTHS LATER questions are raised AGAIN by Simon and then we
>>>>> stir up the hornet again.
>>>>> That is how you wanted to keep volunteers?
>>>>> To me this feels and reads like DISCRIMINATION.
>>>>> Yes, I'm not Jeff Williams, owner of Contrast and sponsor of LASCON,
>>>>> just a third world woman living on a Caribbean island.
>>>>> Josh, when did you and Matt take the time to speak with me, not even
>>>>> using Skype?
>>>>> http://lascon.org
>>>>> Check the big Contrast logo!
>>>>> On Mon, Nov 30, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org>
>>>>> wrote:
>>>>>> Much of our decisions must be based on "doing what feels right" and
>>>>>> "wisdom of crowds". We need to call foul when we see it and deal with it
>>>>>> decisively.
>>>>>> We currently do neither. Gut feeling is normally right.
>>>>>> We also are too sensitive to offending offenders. Many, many times
>>>>>> since 2013 bad, unethical stuff has occurred and little was done, even
>>>>>> ignoring our compliance officer, who I guess has not been asked to look at
>>>>>> the benchmark project?
>>>>>> This is crucial for OWASP to hold together, never mind survive.
>>>>>> Eoin Keary
>>>>>> OWASP Volunteer
>>>>>> @eoinkeary
>>>>>> On 30 Nov 2015, at 8:59 p.m., Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>> > If you need to write rules for everything you won't have volunteers
>>>>>> doing anything.
>>>>>> I think this is a super important point. We cannot set policy to
>>>>>> cover every situation. Our community is full of hackers who exploit
>>>>>> weakness in policy for a living. Sometimes policy will fail, at OWASP more
>>>>>> often than not.
>>>>>> The board and other members of leadership need to step in and be
>>>>>> sensible during times of crisis.
>>>>>> If you look at social media, various OWASP email lists, the history
>>>>>> of the participants and many other facts around this disaster, I think the
>>>>>> best choice for the foundation is:
>>>>>> 1) Demote or remove this project from the OWASP project inventory
>>>>>> 2) Make a clear public statement of our disapproval of this obvious
>>>>>> brand abuse
>>>>>> 3) As best we can, try to adjust OWASP brand use guidelines and
>>>>>> project review criteria
>>>>>> But please note, I am not king and I never was. I am just one
>>>>>> volunteer speaking for myself. The board is still discussing this issue and
>>>>>> is weighing the pros and cons between supporting innovation and protecting
>>>>>> the brand.
>>>>>> Whatever happens, there is no winner here. I think this is yet
>>>>>> another poisonous episode that will diminish the OWASP brand, discourage
>>>>>> innovation and harm collaboration in our industry. It's a very sad
>>>>>> situation and I wish I could do more to help.
>>>>>> I also think the board members who I disagree with are trying their
>>>>>> best to make good decisions. This is just a very tough one to handle. No
>>>>>> one wants to set a precedent where the board steps in and demotes or
>>>>>> removes projects. There will be no winners here.
>>>>>> - Jim
>>>>>> On 11/30/15 10:43 PM, johanna curiel curiel wrote:
>>>>>> >>If you are no longer involved with the Project Task Force, then
>>>>>> perhaps you could pass that note along to whoever is still involved with
>>>>>> it, if anyone.
>>>>>> I'm not your employee, I'm a volunteer. I already took the time to
>>>>>> pass over the info to Claudia. I explained to her what I used to do, even
>>>>>> what an ex-employee like Kait-Disney used to do to maintain and support
>>>>>> the Project Task Review.
>>>>>> >>Just thought that as the one who initiated the Committee 2.0
>>>>>> framework, it might help to answer that "who" question you had.
>>>>>> Josh, you make this more complicated than it needs to be. The
>>>>>> committee I formed was just to do reviews:
>>>>>> https://groups.google.com/a/owasp.org/forum/?hl=en#!searchin/projects-task-force/committee$20project$20review/projects-task-force/-UB_wQmtNO8/qlVnAQbMsjkJ
>>>>>> If you need to write rules for everything you won't have volunteers
>>>>>> doing anything.
>>>>>> Keep it simple. When we think overcomplicated we end up thinking just
>>>>>> like Monty Python Football...😁
>>>>>> All you need to do is kick the ball...
>>>>>> For me it is obvious. I just have the feeling that the board hardly
>>>>>> reads and pays attention to what I have been saying, writing, etc.
>>>>>> Have you thought how exhausting it is to keep repeating the same story
>>>>>> over again? Explaining myself every time with all your questioning?
>>>>>> Providing links, proofs, writing these emails...exhausting and a waste of time.
>>>>>> https://www.youtube.com/watch?v=ur5fGSBsfq8
>>>>>> People have fun watching, this video is really funny.
>>>>>> Have a nice week.
>>>>>> regards
>>>>>> Johanna
>>>>>> On Mon, Nov 30, 2015 at 4:12 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>> If you are no longer involved with the Project Task Force, then
>>>>>>> perhaps you could pass that note along to whoever is still involved with
>>>>>>> it, if anyone.  The option is there to revise the guidelines which I would
>>>>>>> consider to be in scope for this committee.  But, to your point, the
>>>>>>> marketing with respect to Contrast around the project appears to be outside
>>>>>>> the stated scope of the committee.  Thus, it is the domain of the Board and
>>>>>>> we are working on it.  I just thought that as the one who initiated the
>>>>>>> Committee 2.0 framework, it might help to answer that "who" question you
>>>>>>> had.
>>>>>>> ~josh
>>>>>>> On Nov 30, 2015 1:41 PM, "johanna curiel curiel" <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>> Josh
>>>>>>>> I stepped down from the Project Review task force on 2nd September
>>>>>>>> 2015
>>>>>>>> http://lists.owasp.org/pipermail/owasp-board/2015-September/016044.html
>>>>>>>> >>The Board will still need to provide action on the abuse of the
>>>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>>>> concerns
>>>>>>>> I handled these concerns very clearly when I sent to you and the
>>>>>>>> entire community the project review done. I even reacted to Jeff Williams
>>>>>>>> on the DarkReading website.
>>>>>>>> BTW that was my last review done with Abbas. We both concluded the
>>>>>>>> same things and all of these reviews are publicly available on the Project
>>>>>>>> Task Force email list.
>>>>>>>> The problem with all the bureaucracy and guidelines and Committees
>>>>>>>> is that it is very unclear *who* should take action when brand
>>>>>>>> abuses occur. That was never the responsibility of the PROJECT REVIEW team.
>>>>>>>> Just to make reviews and give advice.
>>>>>>>> I requested the board to take action; a statement is what I
>>>>>>>> recommended, to make clear that OWASP does not endorse the opinions of the
>>>>>>>> vendor (Contrast) with regard to the claims made using OWASP Benchmark.
>>>>>>>>    - My issue here is that Contrast has misused OWASP Benchmark
>>>>>>>>    using false claims.
>>>>>>>>    - Dave Wichers is in a position of Conflict of Interest
>>>>>>>> And these false claims are also demeaning against SAST/DAST tools,
>>>>>>>> as if IAST is superior. The arguments are false; nothing can be
>>>>>>>> concluded from this project as it is in Beta stage, as experts such as
>>>>>>>> Kevin Wall have also made clear.
>>>>>>>> BTW Contrast just changed its website slightly by taking down the
>>>>>>>> demeaning false statements against DAST/SAST:
>>>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>>>>    - "Contrast Dominates SAST & DAST in Speed and Accuracy "
>>>>>>>>    - "SAST & DAST Leave Businesses Vulnerable"
>>>>>>>>    - "As *clearly demonstrated by the OWASP Benchmark*, this
>>>>>>>>    approach is not only many times more accurate, but is faster and easier to
>>>>>>>>    deploy as well."
>>>>>>>> All this is FALSE FALSE FALSE. Contrast needs to take down all
>>>>>>>> these statements that use Benchmark as if it were true.
>>>>>>>> Do you need more brand guidelines to take action?
>>>>>>>> Regards
>>>>>>>> Johanna
>>>>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>>>> On Mon, Nov 30, 2015 at 2:46 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>> wrote:
>>>>>>>>> I am sad to see you go, Johanna.  Your efforts with respect to
>>>>>>>>> OWASP projects have been an inspiration to many, including myself.  Thank
>>>>>>>>> you for all your hard work and dedication.
>>>>>>>>> Before you go (assuming you haven't abandoned yet), I would like
>>>>>>>>> to make a suggestion here.  You are currently leading the Project Task
>>>>>>>>> Force, which is empowered to act under the OWASP Committees 2.0 framework (
>>>>>>>>> https://owasp.org/index.php/Committees_2.0).  And as I look to
>>>>>>>>> the Guidelines for OWASP Projects (
>>>>>>>>> https://owasp.org/index.php/Guidelines_for_OWASP_Projects) I note
>>>>>>>>> that these guidelines are maintained under the scope of that committee.
>>>>>>>>>> This page is maintained by the OWASP Project Task Force to help
>>>>>>>>>> assist Project Leaders with information about successfully running an OWASP
>>>>>>>>>> Project. It will be updated from time to time, and changes will be
>>>>>>>>>> discussed and announced on the OWASP-Leaders list.
>>>>>>>>> The Committees 2.0 framework had the goal of empowering our
>>>>>>>>> community to effectively delegate power away from the Board and to
>>>>>>>>> themselves within a pre-defined scope.  The only question in my mind, at
>>>>>>>>> this point, is whether this committee still has the 5 people necessary in
>>>>>>>>> order to hold a vote.  If so, I would like to make a few recommendations to
>>>>>>>>> the committee:
>>>>>>>>>    1.  Amend this guideline to include verbiage stating that a
>>>>>>>>>    project leader must not have a bias that would prevent them from being
>>>>>>>>>    objective with respect to their project.  If such a bias were to occur, the
>>>>>>>>>    project leader would be removed and a new leader would need to be found in
>>>>>>>>>    order for the project to continue as an OWASP project.
>>>>>>>>>    2. Amend the guidelines around project levels (Incubator, Lab,
>>>>>>>>>    Flagship) stating that a mandatory requirement for Lab and Flagship
>>>>>>>>>    projects is that they have a diverse enough set of contributors to support
>>>>>>>>>    objective efforts.
>>>>>>>>>    3. Perform a blanket review of projects against these new
>>>>>>>>>    criteria and adjust accordingly for all projects failing to meet these new
>>>>>>>>>    requirements.
>>>>>>>>> I believe that these actions are wholly within the stated scope of
>>>>>>>>> the committee and are not in violation of our Bylaws, Code of Ethics,
>>>>>>>>> Mission, etc., and therefore appropriate for the committee to make.
>>>>>>>>> Committee decisions are considered official once a record has been
>>>>>>>>> published to the community.
>>>>>>>>> The Board will still need to provide action on the abuse of the
>>>>>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>>>>>> concerns, but the power to act on the project level is there should you
>>>>>>>>> choose to use it.  Just a thought since the Board is trying to manage to
>>>>>>>>> policy and you have the ability to change that.
>>>>>>>>> ~josh
>>>>>>>>> On Sun, Nov 29, 2015 at 4:24 PM, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>> Hi Leaders
>>>>>>>>>> I have decided to stop participating at OWASP as a community
>>>>>>>>>> member, especially being involved in any new activities regarding direct
>>>>>>>>>> volunteer efforts. If I ever considered running for the board, I have
>>>>>>>>>> definitely desisted.
>>>>>>>>>> Anyone who would like to know my perspective and point of view
>>>>>>>>>> can take the time to read this article:
>>>>>>>>>> https://docs.google.com/document/d/1iNeG2lOBTAo8qsMiNZDARLKm4X727OME50CamzY3vn8/edit?usp=sharing
>>>>>>>>>> I will keep supporting certain projects as I have direct contact
>>>>>>>>>> with these project leaders, but I think OWASP is in a process of decay as
>>>>>>>>>> an organisation.
>>>>>>>>>> I am stopping the Curacao Chapter; I guess there will be no Caribbean
>>>>>>>>>> region at OWASP, as none of these countries are active. This one is
>>>>>>>>>> stopping right now. The research initiative too.
>>>>>>>>>> I'll keep my OWASP mail and I'll be an official member, as many
>>>>>>>>>> are 'on paper'. So yes, if you want to contact me and I can help you directly,
>>>>>>>>>> you are always welcome.
>>>>>>>>>> Good luck to all of you.
>>>>>>>>>> Regards
>>>>>>>>>> Johanna
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Dr A Arabo Jr.
> OWASP Nigerian Chapter

"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader,