<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
    <title></title>
  </head>
  <body text="#000000" bgcolor="#ffffff">
    I respectfully disagree.<br>
    <br>
    I think Mike is right in one respect: "What is the end result from a
    developer's perspective that you're trying to achieve with
    something. "  This is very true, and it's also why working security
    in through grassroots and bottom-up approaches has failed time and
    time again - and will continue to fail.<br>
    <br>
    Tools like ESAPI and other developer-oriented projects are necessary
    and valuable components to our mission.  They clearly make it easier
    for the developer to incorporate security into their application. 
    But what happens when the developers simply don't care?  As Mike
    said, unless it's a functional requirement, it's likely not going to
    get their attention.<br>
    <br>
    The real driver for the widespread recognition of the need for
    security is a top-down approach.  Working with the application
    owners, standards bodies, and auditing organizations is absolutely
    key to realizing our mission.  Those who dismiss such efforts are
    missing the bigger picture and clearly don't understand the IT
    ecosystem outside of the technical lifecycle.<br>
    <br>
    Is there room for improvement?  Absolutely.  But let's be respectful
    of the wide variety of activities required by OWASP in order for us
    to effectively pursue our mission - both technical and
    non-technical.<br>
    <br>
    Rex<br>
    <br>
    <br>
    On 1/16/2011 6:04 PM, Jim Manico wrote:
    <blockquote
      cite="mid:2E12240F-44CC-40A6-817C-A628C6060B63@owasp.org"
      type="cite">
      <div>Look at what Mike is saying, not how he is saying it.</div>
      <div><br>
      </div>
      <div>We are missing the ball here. We have tons of assessment
        projects. We thwap developers for being insecure, but do little
        to empower them. The developer's guide is not prescriptive enough
        - it's more of an architectural-level guide, not a developer's
        guide. ESAPI is a bloody mess of alpha code with little
        documentation that is usable. </div>
      <div><br>
      </div>
      <div>If we as OWASP focused more on ASVS type-standards and put a
        real professional team on ESAPI full time, including
        prescriptive documentation, OWASP would matter more.</div>
      <div><br>
      </div>
      <div>Sure we have an "ecosystem" but it's an old boys' club of
        AppSec consultants and pros, and it's wagging the dog way too
        much. </div>
      <div><br>
      </div>
      <div>We rest on our beta-quality laurels, slap our company's name
        on it for marketing purposes, sing kumbaya to feel good, but
        do little to help developers in a prescriptive way to really
        write secure code and solutions.</div>
      <div><br>
      </div>
      <div>Mike, you are right. I don't like your tone, but the message
        behind that tone is bullseye right. And Mike, I'm partially to
        blame here for not fully supporting your documentation efforts
        enough.</div>
      <div><br>
      </div>
      <div>Hopefully, we can all discuss this more at the summit in a
        constructive way.</div>
      <div><br>
        -Jim Manico
        <div><a moz-do-not-send="true" href="http://manico.net">http://manico.net</a></div>
      </div>
      <div><br>
        On Jan 16, 2011, at 11:51 AM, Jeff Williams &lt;<a
          moz-do-not-send="true" href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <div>Thanks for the blunt feedback, Mike.  I think I know why
            there's no "Mike Application Security Project" now.</div>
          <div><br>
          </div>
          <div>We all want the stuff that's usable out of the box.  But
            you can't just yell at people and magically get good
            results.  We are building a supportive ecosystem for anyone
            who cares about appsec.  If that's too touchy-feely for you,
            well I guess this isn't the right place for you.</div>
          <div><br>
          </div>
          <div>Personally I've been almost universally challenged,
            supported, and encouraged by others at OWASP, with a minimum
            of the negative behaviors that plague other communities. I
            think if you really deeply consider what actually gets the
            useful standards, tools, and docs you are seeking created,
            you'll understand our path better.</div>
          <div><br>
          </div>
          <div>--Jeff
            <div><br>
            </div>
            <div><br>
            </div>
          </div>
          <div><br>
            On Jan 16, 2011, at 2:01 PM, Mike Boberski &lt;<a
              moz-do-not-send="true"
              href="mailto:mike.boberski@gmail.com">mike.boberski@gmail.com</a>&gt;
            wrote:<br>
            <br>
          </div>
          <blockquote type="cite">
            <div>Ick. That's what I have to say to this and many recent
              threads, the past year or so. 
              <div><br>
              </div>
              <div>Give me freaking STANDARDS and READY TO USE tools
                that I can use to make fixes and point others to as THE
                basis for instructing others to put controls into place.
                Where is a freaking Agile-focused SAMM, to use a
                different example than ASVS or ESAPI? I don't care about
                anything else as far as OWASP or any industry
                organization is concerned. I'm not here to make friends;
                I am nonplussed with the comparatively recent
                disproportionate emphasis on building echo chambers (to
                borrow a phrase from a recent thread) of ever-larger
                size, which doesn't help me do my job.</div>
              <div><br>
              </div>
              <div>I don't give a fudge about whether or not there
                exists a committee for this or that. No freaking way I'm
                signing NDAs, just go ahead and delete me from this list
                and others already if that's where you're going. My
                stars. It's not rocket science why the vast majority of
                developers and application owners don't care about
                OWASP. Stop. Focus. What is the end result from a
                developer's perspective that you're trying to achieve
                with something. Execute. If you're not helping Joe
                Developer achieve a specific result to make a fix or to
                hold onto a painfully-achieved security posture you're
                wasting your and their time.</div>
              <div><br>
              </div>
              <div>Mike</div>
              <div>
                <div>
                  <br>
                  <br>
                  <div class="gmail_quote">On Sun, Jan 16, 2011 at 9:32
                    AM, Thomas Brennan <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:tomb@owasp.org">tomb@owasp.org</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin: 0pt
                      0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
                      204, 204); padding-left: 1ex;">
                      <div style="word-wrap: break-word;">Personally I
                        am not interested in signing any documentation
                        (Non-Disclosure Agreement(s)) for any OWASP
                        Foundation efforts, projects, etc.  If people
                        need and want help we're here to do that
                        publicly with meetings, meeting mins., topics
                        etc., mailing lists, and collaborate as such. You
                        will see this first hand at the summit, Yiannis -
                        it's NOT the loudest voice in the room; it is by
                        <span><em>consensus when the facts have been
                            presented by both sides, but very much
                            governed by the Code of Ethics and
                            Principles </em></span><a
                          moz-do-not-send="true"
                          href="http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics">http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics</a>
                        <div>
                          <div><br>
                          </div>
                          <div>Commercial ventures are very different -
                            as an example, if I need to sign 1000 NDAs
                            for my work with Trustwave, SpiderLabs
                            related to customer projects, no problem;
                            that is part of mutual trust in a
                            confidential business matter with the
                            customers and partners. At OWASP I like that
                            we don't have this issue, personally.</div>
                          <div><br>
                          </div>
                          <div><b>Loose lips do, too, sink ships, however.</b>
                            The reality and personal integrity of its
                            members and as a group is how we arrived at
                            the below statement:</div>
                          <div>
                            <div><br>
                            </div>
                            <div><a moz-do-not-send="true"
                                href="http://www.owasp.org/index.php/Core_Values_and_Definitions">http://www.owasp.org/index.php/Core_Values_and_Definitions</a></div>
                            <div><br>
                            </div>
                          </div>
                          <div>Look forward to the reading of the
                            feedback form(s) provided above at the
                            Summit to start the discussion and with <span
                              style="font-family: sans-serif; font-size:
                              13px; line-height: 19px;">rough consensus.</span></div>
                          <div><span style="font-family: sans-serif;
                              font-size: 13px; line-height: 19px;"><br>
                            </span></div>
                          <font color="#888888">
                            <div><span style="font-family: sans-serif;
                                font-size: 13px; line-height: 19px;">-Brennan</span></div>
                          </font>
                          <div>
                            <div>
                            </div>
                            <div>
                              <div><span style="font-family: sans-serif;
                                  font-size: 13px; line-height: 19px;"><br>
                                </span></div>
                              <div><br>
                                <div><br>
                                </div>
                                <div><br>
                                  <div>
                                    <div>On Jan 15, 2011, at 10:14 PM,
                                      Yiannis Pavlosoglou wrote:</div>
                                    <br>
                                    <blockquote type="cite">
                                      <div>Hi all,<br>
                                        <br>
                                        I would like to discuss this
                                        idea of "open" a bit more; maybe
                                        this<br>
                                        list is not the right forum and
                                        perhaps we can talk about it in
                                        the<br>
                                        summit.<br>
                                        <br>
                                        Here is a simple example: Does
                                        "open" justify my address and
                                        how many<br>
                                        kids I have being out on a media
                                        wiki, because I am part of
                                        owasp?<br>
                                        <br>
                                        Now there isn't anything to hide
                                        in my inbox or voicemails or
                                        skype<br>
                                        conversations; quite sad
                                        industry reach out information
                                        is mostly what<br>
                                        you will find.<br>
                                        <br>
                                        But at the same time we have a
                                        strong requirement (in industry
                                        at<br>
                                        least) to work with not so open
                                        organisations. Consequently the
                                        case<br>
                                        of signing an NDA as an
                                        individual comes up every so
                                        often. Now under<br>
                                        this facade of "openness", I
                                        have no way of sharing that with
                                        even<br>
                                        other industry members.<br>
                                        <br>
                                        Ergo, we are pushing for an NDA
                                        in industry to have the ability
                                        to<br>
                                        communicate openly among
                                        ourselves. Not to mention an NDA
                                        is pretty<br>
                                        much standard practice in
                                        information security.<br>
                                        <br>
                                        Just to clarify, this is not an
                                        attempt to make owasp "closed";
                                        all<br>
                                        source code I have ever written
                                        is under GPL and all outputs in<br>
                                        industry are available to all.
                                         Still, if you call me for, say,
                                         Tobias's<br>
                                         number from the IETF, I will
                                        check with them before passing
                                        that<br>
                                        information out.<br>
                                        <br>
                                        Thus the request becomes, can we
                                        please be open about what we
                                        deliver<br>
                                        in web application security. Not
                                        minutes and meeting mp3s of
                                        catch-up<br>
                                        calls and itinerary information.
                                        Might even assist in raising
                                        quality<br>
                                        of output as well!<br>
                                        <br>
                                        Is that too much to ask for?<br>
                                        <br>
                                        Thank you,<br>
                                        <br>
                                        Yiannis<br>
                                        <br>
                                        On 15 January 2011 19:19,
                                        Michael Coates &lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:michael.coates@owasp.org">michael.coates@owasp.org</a>&gt;
                                        wrote:<br>
                                        <blockquote type="cite">If you
                                          haven't already done so I
                                          would really encourage
                                          everyone to take a<br>
                                        </blockquote>
                                        <blockquote type="cite">look and
                                          submit feedback.<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite"><a
                                            moz-do-not-send="true"
                                            href="http://www.owasp.org/index.php/Core_Values_and_Definitions">http://www.owasp.org/index.php/Core_Values_and_Definitions</a><br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">We are
                                          at a point where we really
                                          need to define our core values
                                          and decide<br>
                                        </blockquote>
                                        <blockquote type="cite">on the
                                          direction of OWASP.  This is a
                                          major step in that direction.
                                          Let's<br>
                                        </blockquote>
                                        <blockquote type="cite">make
                                          sure we capture the right
                                          values and are heading the
                                          right way.<br>
                                        </blockquote>
                                        <blockquote type="cite">&gt;From
                                          the link (which has a feedback
                                          submission form you should
                                          use)<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">OPEN<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">Everything
                                          OWASP is radically transparent
                                          from finances to code.<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">EXPERIMENTATION<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">OWASP
                                          encourages and supports
                                          experiments for solutions to
                                          software security<br>
                                        </blockquote>
                                        <blockquote type="cite">challenges.<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">GLOBAL<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">Anyone
                                          around the world can
                                          participate in the OWASP
                                          community.<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">INTEGRITY<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">OWASP is
                                          an honest and truthful, vendor
                                          agnostic, global community.<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">Michael
                                          Coates<br>
                                        </blockquote>
                                        <blockquote type="cite">OWASP<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">
                                          <br>
                                        </blockquote>
                                        <blockquote type="cite">On Jan
                                          14, 2011, at 9:53 AM, Thomas
                                          Brennan wrote:<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">Just one
                                          of the many internal OWASP
                                          Foundation projects underway
                                          has been to<br>
                                        </blockquote>
                                        <blockquote type="cite">work
                                          with a 3rd party management
                                          company to unify the update
                                          mission of<br>
                                        </blockquote>
                                        <blockquote type="cite">OWASP
                                          4.0<br>
                                        </blockquote>
                                        <blockquote type="cite">Details
                                          of the project:<br>
                                        </blockquote>
                                        <blockquote type="cite"><a
                                            moz-do-not-send="true"
                                            href="http://www.owasp.org/index.php/Tesauro_Management_Counselors">http://www.owasp.org/index.php/Tesauro_Management_Counselors</a><br>
                                        </blockquote>
                                        <blockquote type="cite">
                                          As a result of PHASE I, I
                                          share a milestone, pay close
                                          attention to the<br>
                                        </blockquote>
                                        <blockquote type="cite">wording.<br>
                                        </blockquote>
                                        <blockquote type="cite"><a
                                            moz-do-not-send="true"
                                            href="http://www.owasp.org/index.php/Core_Values_and_Definitions">http://www.owasp.org/index.php/Core_Values_and_Definitions</a><br>
                                        </blockquote>
                                        <blockquote type="cite">This is
                                          now in RFC to the
                                          owasp-leaders with
                                          ratification at the OWASP<br>
                                        </blockquote>
                                         <blockquote type="cite">Summit
                                           at the kick-off session. If
                                           you have comments or
                                           suggestions, please use<br>
                                         </blockquote>
                                        <blockquote type="cite">the
                                          feedback provided on the wiki
                                          page.<br>
                                        </blockquote>
                                        <blockquote type="cite">Thank
                                          you in advance for your
                                          valuable time.<br>
                                        </blockquote>
                                        <blockquote type="cite">** If
                                          you have not looked recently
                                          at the working sessions take
                                          the time to<br>
                                        </blockquote>
                                         <blockquote type="cite">review;
                                           hundreds of volunteer man
                                           hours have been invested in
                                           the summit so<br>
                                         </blockquote>
                                        <blockquote type="cite">far for
                                          YOU the community  <a
                                            moz-do-not-send="true"
                                             href="http://www.owasp.org/index.php/Summit_2011">http://www.owasp.org/index.php/Summit_2011</a> it's<br>
                                        </blockquote>
                                        <blockquote type="cite">going to
                                          be amazing!<br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite">_______________________________________________<br>
                                        </blockquote>
                                        <blockquote type="cite">
                                          OWASP-Leaders mailing list<br>
                                        </blockquote>
                                        <blockquote type="cite"><a
                                            moz-do-not-send="true"
                                            href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
                                        </blockquote>
                                        <blockquote type="cite"><a
                                            moz-do-not-send="true"
                                            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <blockquote type="cite"><br>
                                        </blockquote>
                                        <br>
                                        <br>
                                        <br>
                                        -- <br>
                                        Dr. Yiannis Pavlosoglou<br>
                                        OWASP Global Industry Committee<br>
                                        <a moz-do-not-send="true"
                                          href="http://www.owasp.org/index.php/Global_Industry_Committee">http://www.owasp.org/index.php/Global_Industry_Committee</a><br>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>