[Owasp-leaders] Good bye OWASP leaders - time to leave the hornet

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Mon Nov 30 23:14:19 UTC 2015

Is the strategic vision failing? Stop focusing on Johanna, and focus on
what she and others are saying. And feeling.

Maybe that will help OWASP remember its driving force, its motivation: open
web application security.
On 30 Nov 2015 8:06 pm, "Josh Sokol" <josh.sokol at owasp.org> wrote:

> Johanna,
> I'm sorry if you feel that I have been "stinging" you.  Certainly not my
> intent.  My intent was only to show that the Board has been analyzing the
> situation and is in the process of taking action, even if it isn't as rapid
> as some people in our community would like, or the exact actions that they
> desire.  As a Board, we have entrusted our ED, staff, and volunteers with
> the daily operations of the OWASP Foundation.  Sometimes people forget that
> we are volunteers as well who spend hundreds, if not thousands, of hours
> trying to make OWASP a better place for everyone involved.  Technically, I
> have just as much power in OWASP as you or any other volunteer.  I can
> state my opinion, I can bring my ideas to the Board, and they can be voted
> on.  The "bureaucracy" that you talk about in your document can also be
> viewed as "governance" depending on the lens you are looking through.  Yes,
> it can make things move slowly, I've been frustrated by it too, but it
> ensures that everyone at OWASP has a seat at the table if they want it and
> they will be treated fairly.  It's actually quite the opposite of
> discrimination.
> Our job as Board members is to help with strategic vision, not to wade
> into operational issues.  We have an Executive Director and Staff for
> that.  In this particular situation, the Board has stepped in to help
> provide the guidance on how to resolve not only this situation, but future
> situations like it.  The determination was made that we lack the policies
> and procedures today to do so and we have asked Paul and Noreen to provide
> those based on the Board's recommendations.  Considering that the rest of
> us have full-time jobs, and these individuals are paid by OWASP for these
> types of activities, this seems like a reasonable action to me.  Once the
> new policies are in place, then we can work on enforcing them.  I
> understand that this process is not as quick as you would like, but again,
> it isn't meant to be quick, it is meant to be fair.
> In terms of taking the time to speak with you, I have done so many times
> on many topics.  I made it a point to find you at the BlackHat Arsenal a
> couple years ago and introduce myself.  I thanked you for everything that
> you have done for OWASP.  If you are questioning why nobody talked to you
> for this one issue, I don't know.  That said, I think we've heard your
> opinion on the issue loud and clear.  You have every right to be upset.
> You have every right to leave OWASP.  I don't think any of us want those
> things, but you are a grown woman who can do what you'd like.  My last
> e-mail was only meant to show that there are processes in place that would
> allow our leaders to act in ways that they see fit, irrespective of the
> Board.  I was aware that you had resigned your post, but you also said that
> you were leaving OWASP then, and then came back, so I was unsure of your
> status.  I made some suggestions on how to use the "bureaucracy" that you
> hate so much in order to get what you want.  Is that really me "stinging"
> you?
> Regarding LASCON, I understand that you are trying to imply that I am
> somehow "bought" by Contrast.  The fact is that my only communication with
> Contrast, outside of the meeting the Board asked me to have with Jeff, was
> in asking their marketing to remove me from their list...twice.  My
> involvement with LASCON this year was in creating the badge game, providing
> a free one-day training to ~100 people, and as an attendee.  Honestly, I
> haven't been very involved in LASCON planning since Co-Chairing OWASP
> AppSec 2012 in Austin.  I can honestly say that I have never had any
> business dealings with Dave, Jeff, Aspect, or Contrast.  Frankly, I feel as
> though I'm about as unbiased as you can get in this situation.  But, again,
> I'm only one voice and my original intention was only to let Simon and
> others know that the Board and our Executive Director have been actively
> working on this issue behind the scenes.  I sincerely apologize for any
> heartache that this situation has caused you.  We are all nothing if not
> passionate, but that doesn't make one view more right than another.  You
> may not see it, but we are working as best we can given the resources
> available to us.  In any case, I wish you the best of luck going forward.
> ~josh
> On Mon, Nov 30, 2015 at 3:52 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> >>We also are too sensitive to offending offenders.
>> But very insensitive with volunteers.
>> I have to say that I feel quite offended by how I have been treated with all
>> this questioning, and even at the last moment, when I'm leaving this
>> hornet. Literally a HORNET, and I keep on being stung by board members.
>> In the first place, Simon has made a complaint.
>> I provided feedback and made recommendations to the board, including the
>> review. The entire community reacts on Twitter, including SWAMP and other
>> vendors.
>> Then what happens? Josh & Matt 'take the time' to talk to Jeff, who has
>> basically demeaned the entire DAST/SAST industry... no actions are taken.
>> After 2 MONTHS, questions are raised AGAIN by Simon, and then we stir
>> up the hornet again.
>> That is how you wanted to keep volunteers?
>> To me this feels and reads like DISCRIMINATION.
>> Yes, I'm not Jeff Williams, owner of Contrast and sponsor of LASCON, just a
>> third world woman living on a Caribbean island.
>> Josh, when did you and Matt take the time to speak with me, not even using
>> Skype?
>> http://lascon.org
>> Check the big Contrast logo!
>> On Mon, Nov 30, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> Many of our decisions must be based on "doing what feels right" and
>>> "wisdom of crowds". We need to call foul when we see it and deal with it
>>> decisively.
>>> We currently do neither. Gut feeling is normally right.
>>> We also are too sensitive to offending offenders. Many, many times since
>>> 2013 bad, unethical stuff has occurred and little was done, even ignoring
>>> our compliance officer, who I guess has not been asked to look at the
>>> benchmark project?
>>> This is crucial for OWASP to hold together, never mind survive.
>>> Eoin Keary
>>> OWASP Volunteer
>>> @eoinkeary
>>> On 30 Nov 2015, at 8:59 p.m., Jim Manico <jim.manico at owasp.org> wrote:
>>> > If you need to write rules for everything you won't have volunteers
>>> doing anything.
>>> I think this is a super important point. We cannot set policy to cover
>>> every situation. Our community is full of hackers who exploit weakness in
>>> policy for a living. Sometimes policy will fail, at OWASP more often than
>>> not.
>>> The board and other members of leadership need to step in and be
>>> sensible during times of crisis.
>>> If you look at social media, various OWASP email lists, the history of
>>> the participants and many other facts around this disaster, I think the
>>> best choice for the foundation is:
>>> 1) Demote or remove this project from the OWASP project inventory
>>> 2) Make a clear public statement of our disapproval of this obvious
>>> brand abuse
>>> 3) As best we can, try to adjust OWASP brand use guidelines and project
>>> review criteria
>>> But please note, I am not king and I never was. I am just one volunteer
>>> speaking for myself. The board is still discussing this issue and is
>>> weighing the pros and cons between supporting innovation and protecting the
>>> brand.
>>> Whatever happens, there is no winner here. I think this is yet another
>>> poisonous episode that will diminish the OWASP brand, discourage innovation
>>> and harm collaboration in our industry. It's a very sad situation and I
>>> wish I could do more to help.
>>> I also think the board members who I disagree with are trying their best
>>> to make good decisions. This is just a very tough one to handle. No one
>>> wants to set a precedent where the board steps in and demotes or removes
>>> projects. There will be no winners here.
>>> - Jim
>>> On 11/30/15 10:43 PM, johanna curiel curiel wrote:
>>> >>If you are no longer involved with the Project Task Force, then
>>> perhaps you could pass that note along to whoever is still involved with
>>> it, if anyone.
>>> I'm not your employee, I'm a volunteer. I already took the time to pass
>>> the info over to Claudia. I explained to her what I used to do, even what an
>>> ex-employee like Kait-Disney used to do to maintain and support the
>>> Project Task Review.
>>> >>Just thought that as the one who initiated the Committee 2.0
>>> framework, it might help to answer that "who" question you had.
>>> Josh, you make this more complicated than it needs to be. The committee
>>> I formed was just to do reviews:
>>> https://groups.google.com/a/owasp.org/forum/?hl=en#!searchin/projects-task-force/committee$20project$20review/projects-task-force/-UB_wQmtNO8/qlVnAQbMsjkJ
>>> If you need to write rules for everything you won't have volunteers
>>> doing anything.
>>> Keep it simple. When we think overcomplicated we end up thinking just
>>> like Monty Python Football... 😁
>>> All you need to do is kick the ball...
>>> For me it is obvious. I just have the feeling that the board hardly
>>> reads and pays attention to what I have been saying, writing, etc.
>>> Have you thought how exhausting it is to keep repeating the same story over
>>> again? Explaining myself every time with all your questioning? Providing
>>> links, proofs, writing these emails... exhausting and a waste of time.
>>> https://www.youtube.com/watch?v=ur5fGSBsfq8
>>> People have fun watching, this video is really funny.
>>> Have a nice week.
>>> regards
>>> Johanna
>>> On Mon, Nov 30, 2015 at 4:12 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>> If you are no longer involved with the Project Task Force, then perhaps
>>>> you could pass that note along to whoever is still involved with it, if
>>>> anyone.  The option is there to revise the guidelines which I would
>>>> consider to be in scope for this committee.  But, to your point, the
>>>> marketing with respect to Contrast around the project appears to be outside
>>>> the stated scope of the committee.  Thus, it is the domain of the Board and
>>>> we are working on it.  I just thought that as the one who initiated the
>>>> Committee 2.0 framework, it might help to answer that "who" question you
>>>> had.
>>>> ~josh
>>>> On Nov 30, 2015 1:41 PM, "johanna curiel curiel" <
>>>> johanna.curiel at owasp.org> wrote:
>>>>> Josh
>>>>> I stepped down from the Project Review task force on 2nd September 2015:
>>>>> http://lists.owasp.org/pipermail/owasp-board/2015-September/016044.html
>>>>> >>The Board will still need to provide action on the abuse of the
>>>>> OWASP brand as there is no committee in place currently to handle these
>>>>> concerns
>>>>> I handled these concerns very clearly when I sent you and the
>>>>> entire community the project review that was done. I even reacted to Jeff Williams
>>>>> on the DarkReading website.
>>>>> BTW that was my last review done with Abbas. We both concluded the same
>>>>> things, and all of these reviews are publicly available on the Project Task
>>>>> Force email list.
>>>>> The problem with all the bureaucracy and guidelines and Committees
>>>>> is that it is very unclear *who* should take action when brand
>>>>> abuses occur. That was never the responsibility of the PROJECT REVIEW team.
>>>>> Just to make reviews and give advice.
>>>>> I requested the board to take action, a statement, that's what I
>>>>> recommended, to make clear that OWASP does not endorse the opinions of the
>>>>> vendor (Contrast) with regard to the claims made using OWASP Benchmark.
>>>>>    - My issue here is that Contrast has misused OWASP Benchmark using
>>>>>    false claims.
>>>>>    - Dave Wichers is in a position of Conflict of Interest
>>>>> And these false claims are also demeaning against SAST/DAST tools, as
>>>>> if IAST is superior. The arguments are false; nothing can be concluded
>>>>> from this project as it is in Beta stage, as experts such as Kevin Wall
>>>>> have also made clear.
>>>>> BTW Contrast just changed its website slightly by taking down the
>>>>> demeaning false statements against DAST/SAST:
>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>>    - "Contrast Dominates SAST & DAST in Speed and Accuracy "
>>>>>    - "SAST & DAST Leave Businesses Vulnerable"
>>>>>    - "As *clearly demonstrated by the OWASP Benchmark*, this approach
>>>>>    is not only many times more accurate, but is faster and easier to deploy as
>>>>>    well."
>>>>> All this is FALSE FALSE FALSE. Contrast needs to take down all these
>>>>> statements that use Benchmark as if it is true.
>>>>> Do you need more brand guidelines to take action?
>>>>> Regards
>>>>> Johanna
>>>>> https://docs.google.com/document/d/1G3u34fxhgnbbYY8VsBmceLUjQPKax0Go1HwlphLK7lw/edit?usp=sharing
>>>>> On Mon, Nov 30, 2015 at 2:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>> I am sad to see you go, Johanna.  Your efforts with respect to OWASP
>>>>>> projects have been an inspiration to many, including myself.  Thank you for
>>>>>> all your hard work and dedication.
>>>>>> Before you go (assuming you haven't abandoned yet), I would like to
>>>>>> make a suggestion here.  You are currently leading the Project Task Force,
>>>>>> which is empowered to act under the OWASP Committees 2.0 framework (
>>>>>> https://owasp.org/index.php/Committees_2.0).  And as I look to the
>>>>>> Guidelines for OWASP Projects (
>>>>>> https://owasp.org/index.php/Guidelines_for_OWASP_Projects) I note
>>>>>> that these guidelines are maintained under the scope of that committee.
>>>>>>> This page is maintained by the OWASP Project Task Force to help
>>>>>>> assist Project Leaders with information about successfully running an OWASP
>>>>>>> Project. It will be updated from time to time, and changes will be
>>>>>>> discussed and announced on the OWASP-Leaders list.
>>>>>> The Committees 2.0 framework had the goal of empowering our community
>>>>>> to effectively delegate power away from the Board and to themselves within
>>>>>> a pre-defined scope.  The only question in my mind, at this point, is
>>>>>> whether this committee still has the 5 people necessary in order to hold a
>>>>>> vote.  If so, I would like to make a few recommendations to the committee:
>>>>>>    1.  Amend this guideline to include verbiage stating that a
>>>>>>    project leader must not have a bias that would prevent them from being
>>>>>>    objective with respect to their project.  If such a bias were to occur, the
>>>>>>    project leader would be removed and a new leader would need to be found in
>>>>>>    order for the project to continue as an OWASP project.
>>>>>>    2. Amend the guidelines around project levels (Incubator, Lab,
>>>>>>    Flagship) stating that a mandatory requirement for Lab and Flagship
>>>>>>    projects is that they have a diverse enough set of contributors to support
>>>>>>    objective efforts.
>>>>>>    3. Perform a blanket review of projects against these new
>>>>>>    criteria and adjust accordingly for all projects failing to meet these new
>>>>>>    requirements.
>>>>>> I believe that these actions are wholly within the stated scope of
>>>>>> the committee and are not in violation of our Bylaws, Code of Ethics,
>>>>>> Mission, etc., and therefore appropriate for the committee to make.
>>>>>> Committee decisions are considered official once a record has been
>>>>>> published to the community.
>>>>>> The Board will still need to provide action on the abuse of the OWASP
>>>>>> brand as there is no committee in place currently to handle these concerns,
>>>>>> but the power to act on the project level is there should you choose to use
>>>>>> it.  Just a thought since the Board is trying to manage to policy and you
>>>>>> have the ability to change that.
>>>>>> ~josh
>>>>>> On Sun, Nov 29, 2015 at 4:24 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>> Hi Leaders
>>>>>>> I have decided that I will stop participating at OWASP as a community
>>>>>>> member, especially being involved in any new activities regarding direct
>>>>>>> volunteer efforts. If I ever considered running for the board, I have
>>>>>>> definitely desisted.
>>>>>>> Anyone who would like to know my perspective and point of view can
>>>>>>> take the time to read this article:
>>>>>>> https://docs.google.com/document/d/1iNeG2lOBTAo8qsMiNZDARLKm4X727OME50CamzY3vn8/edit?usp=sharing
>>>>>>> I will keep supporting certain projects as I have direct contact
>>>>>>> with these project leaders, but I think OWASP is in a process of decay as
>>>>>>> an organisation.
>>>>>>> I am stopping the Curacao Chapter; I guess there will be no Caribbean region
>>>>>>> at OWASP as none of these countries are active. This one is stopping right
>>>>>>> now. Research initiative too.
>>>>>>> I'll keep my OWASP mail and I'll be an official member as many are
>>>>>>> 'on paper'. So yes, if you want to contact me and I can help you directly,
>>>>>>> you are always welcome.
>>>>>>> Good luck to all of you.
>>>>>>> Regards
>>>>>>> Johanna
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders