[Owasp-leaders] Good bye OWASP leaders - time to leave the hornet

Jim Manico jim.manico at owasp.org
Mon Nov 30 20:59:58 UTC 2015

 > If you need to write rules for everything you won't have volunteers 
doing anything.

I think this is a super important point. We cannot set policy to cover 
every situation. Our community is full of hackers who exploit weakness 
in policy for a living. Sometimes policy will fail, at OWASP more often 
than not.

The board and other members of leadership need to step in and be 
sensible during times of crisis.

If you look at social media, various OWASP email lists, the history of 
the participants and many other facts around this disaster, I think the 
best choice for the foundation is:

1) Demote or remove this project from the OWASP project inventory
2) Make a clear public statement of our disapproval of this obvious 
brand abuse
3) As best we can, try to adjust OWASP brand use guidelines and project 
review criteria

But please note, I am not king and I never was. I am just one volunteer 
speaking for myself. The board is still discussing this issue and is 
weighing the pros and cons between supporting innovation and protecting 
the brand.

Whatever happens, there is no winner here. I think this is yet another 
poisonous episode that will diminish the OWASP brand, discourage 
innovation and harm collaboration in our industry. It's a very sad 
situation and I wish I could do more to help.

I also think the board members who I disagree with are trying their best 
to make good decisions. This is just a very tough one to handle. No one 
wants to set a precedent where the board steps in and demotes or removes 
projects. There will be no winners here.

- Jim

On 11/30/15 10:43 PM, johanna curiel curiel wrote:
> >>If you are no longer involved with the Project Task Force, then perhaps you could pass 
> that note along to whoever is still involved with it, if anyone.
> I'm not your employee, I'm a volunteer. I already took the time to 
> pass over the info to Claudia. I explained to her what I used to do, 
> even what an ex-employee like Kait-Disney used to do to maintain and 
> support the Project Task Review.
> >>Just thought that as the one who initiated the Committee 2.0 
> framework, it might help to answer that "who" question you had.
> Josh. You make this more complicated than it needs to be. The 
> committee I formed was just to do reviews:
> https://groups.google.com/a/owasp.org/forum/?hl=en#!searchin/projects-task-force/committee$20project$20review/projects-task-force/-UB_wQmtNO8/qlVnAQbMsjkJ 
> If you need to write rules for everything you won't have volunteers 
> doing anything.
> Keep it simple. When we think overcomplicated we end up thinking just 
> like Monty Python Football...😁
> All you need to do is kick the ball...
> For me it is obvious. I just have the feeling that the board hardly 
> reads and pays attention to what I have been saying, writing etc.
> Have you thought how exhausting it is to keep repeating the same story 
> over again? Explaining myself every time with all your questioning? 
> Providing links, proofs, writing these emails... exhausting and a waste 
> of time.
> https://www.youtube.com/watch?v=ur5fGSBsfq8
> People have fun watching, this video is really funny.
> Have a nice week.
> regards
> Johanna
> On Mon, Nov 30, 2015 at 4:12 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>     If you are no longer involved with the Project Task Force, then
>     perhaps you could pass that note along to whoever is still
>     involved with it, if anyone.  The option is there to revise the
>     guidelines which I would consider to be in scope for this
>     committee.  But, to your point, the marketing with respect to
>     Contrast around the project appears to be outside the stated scope
>     of the committee. Thus, it is the domain of the Board and we are
>     working on it.  I just thought that as the one who initiated the
>     Committee 2.0 framework, it might help to answer that "who"
>     question you had.
>     ~josh
>     On Nov 30, 2015 1:41 PM, "johanna curiel curiel"
>     <johanna.curiel at owasp.org> wrote:
>         Josh
>         I stepped down from the Project Review task force on 2nd
>         September 2015
>         http://lists.owasp.org/pipermail/owasp-board/2015-September/016044.html
>         >>The Board will still need to provide action on the abuse of the
>         OWASP brand as there is no committee in place currently to
>         handle these concerns
>         I handled these concerns very clearly when I sent to you and
>         the entire community the project review done. I even reacted
>         to Jeff Williams on the DarkReading website.
>         BTW that was my last review done with Abbas. We both concluded
>         the same things and all of these reviews are publicly
>         available on the Project Task Force email list.
>         The problem with all the bureaucracy and guidelines and
>         Committees is that it is very unclear *who* should take
>         action when brand abuses occur. That was never the responsibility
>         of the PROJECT REVIEW team. Just to make reviews and advise.
>         I requested the board to take action; a statement is what
>         I recommended, to make clear that OWASP does not endorse the
>         opinions of the vendor (Contrast) with regard to the claims made
>         using OWASP Benchmark.
>           * My issue here is that Contrast has misused OWASP Benchmark
>             using false claims.
>           * Dave Wichers is in a position of Conflict of Interest
>         And these false claims are also demeaning against SAST/DAST
>         tools, as if IAST is superior. The arguments are false;
>         nothing can be concluded from this project as it is in Beta
>         stage, as experts such as Kevin Wall have also made clear.
>         BTW Contrast just slightly changed its website by taking down
>         the demeaning false statements against DAST/SAST:
>         https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>           * "Contrast Dominates SAST & DAST in Speed and Accuracy "
>           * "SAST & DAST Leave Businesses Vulnerable"
>           * "As /clearly demonstrated by the OWASP Benchmark/, this
>             approach is not only many times more accurate, but is
>             faster and easier to deploy as well."
>         All this is FALSE FALSE FALSE. Contrast needs to take down all
>         these statements that use Benchmark as if it were true.
>         Do you need more brand guidelines to take action?
>         Regards
>         Johanna
>         https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>         On Mon, Nov 30, 2015 at 2:46 PM, Josh Sokol
>         <josh.sokol at owasp.org> wrote:
>             I am sad to see you go, Johanna.  Your efforts with
>             respect to OWASP projects have been an inspiration to many,
>             including myself.  Thank you for all your hard work and
>             dedication.
>             Before you go (assuming you haven't abandoned yet), I
>             would like to make a suggestion here.  You are currently
>             leading the Project Task Force, which is empowered to act
>             under the OWASP Committees 2.0 framework
>             (https://owasp.org/index.php/Committees_2.0). And as I
>             look to the Guidelines for OWASP Projects
>             (https://owasp.org/index.php/Guidelines_for_OWASP_Projects) I
>             note that these guidelines are maintained under the scope
>             of that committee.
>                 This page is maintained by the OWASP Project Task
>                 Force to help assist Project Leaders with information
>                 about successfully running an OWASP Project. It will
>                 be updated from time to time, and changes will be
>                 discussed and announced on the OWASP-Leaders list.
>             The Committees 2.0 framework had the goal of empowering
>             our community to effectively delegate power away from the
>             Board and to themselves within a pre-defined scope.  The
>             only question in my mind, at this point, is whether this
>             committee still has the 5 people necessary in order to
>             hold a vote.  If so, I would like to make a few
>             recommendations to the committee:
>              1.  Amend this guideline to include verbiage stating that
>                 a project leader must not have a bias that would
>                 prevent them from being objective with respect to
>                 their project.  If such a bias were to occur, the
>                 project leader would be removed and a new leader would
>                 need to be found in order for the project to continue
>                 as an OWASP project.
>              2. Amend the guidelines around project levels (Incubator,
>                 Lab, Flagship) stating that a mandatory requirement
>                 for Lab and Flagship projects is that they have a
>                 diverse enough set of contributors to support
>                 objective efforts.
>              3. Perform a blanket review of projects against these new
>                 criteria and adjust accordingly for all projects
>                 failing to meet these new requirements.
>             I believe that these actions are wholly within the stated
>             scope of the committee and are not in violation of our
>             Bylaws, Code of Ethics, Mission, etc., and therefore
>             appropriate for the committee to make.  Committee
>             decisions are considered official once a record has been
>             published to the community.
>             The Board will still need to provide action on the abuse
>             of the OWASP brand as there is no committee in place
>             currently to handle these concerns, but the power to act
>             on the project level is there should you choose to use
>             it.  Just a thought since the Board is trying to manage to
>             policy and you have the ability to change that.
>             ~josh
>             On Sun, Nov 29, 2015 at 4:24 PM, johanna curiel curiel
>             <johanna.curiel at owasp.org> wrote:
>                 Hi Leaders
>                 I have decided that I will stop participating at OWASP as
>                 a community member, especially being involved in any
>                 new activities regarding direct volunteer efforts. If
>                 I ever considered running for the board, I have
>                 definitely desisted.
>                 Anyone who would like to know my perspective and my
>                 point of view can take the time to read this article:
>                 https://docs.google.com/document/d/1iNeG2lOBTAo8qsMiNZDARLKm4X727OME50CamzY3vn8/edit?usp=sharing
>                 I will keep supporting certain projects as I have
>                 direct contact with these project leaders, but I think
>                 OWASP is in a process of decay as an organisation.
>                 I stop the Curacao Chapter; I guess there will be no
>                 Caribbean region at OWASP as none of these countries
>                 are active. This one is stopping right now. The research
>                 initiative too.
>                 I'll keep my OWASP mail and I'll be an official member
>                 as many are 'on paper'. So yes, if you want to contact me
>                 and I can help you directly, you are always welcome.
>                 Good luck to all of you.
>                 Regards
>                 Johanna
>                 _______________________________________________
>                 OWASP-Leaders mailing list
>                 OWASP-Leaders at lists.owasp.org
>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
