<div dir="ltr"><div><div>Dennis,<br><br></div>I'm not sure that I understand the message that you are trying to convey here.  Could you please clarify?<br><br></div>~josh<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, Jul 1, 2014 at 4:12 AM, Dennis Groves <span dir="ltr"><<a href="mailto:dennis.groves@owasp.org" target="_blank">dennis.groves@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div>ignore Dave, do what we want...<br><br></div>(ignore the man behind the curtain - owasp top 10, app-sensor, the many projects etc....) <br><br></div><div>seems more like Alice in wonderland than reality,<br>


<br><br></div>Dennis<br></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Thu, Jun 19, 2014 at 11:35 AM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>In addition, I started a discussion on what Flagship should mean for documentation projects on the Leaders list.  Feedback was low so if you have stuff to add to it, now's the time to do it!<br>


<br>
<a href="http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html" target="_blank">http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html</a><span><font color="#888888"><br><br></font></span></div>


<span><font color="#888888">~josh<br></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jun 19, 2014 at 9:58 AM, johanna curiel curiel <span dir="ltr"><<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div dir="ltr">Hi Tobias<div><br></div><div>I did mention something regarding approach for reviewing projects:</div><div><a href="https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Approach_for_Reviewing_Document_projects" target="_blank">https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Approach_for_Reviewing_Document_projects</a><br>





</div><div><h3 style="color:rgb(0,0,0);margin:0px 0px 0.3em;overflow:hidden;padding-top:0.5em;padding-bottom:0.17em;border-bottom-style:none;font-size:17px;font-family:sans-serif;line-height:19.200000762939453px;background-image:none;background-repeat:initial">





<span>Approach for Reviewing Document projects</span></h3><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">
It is difficult to quantify how well written and accurate or not a document is, unless the reviewer has a broad body of knowledge on the subject. Finding the right reviewer is more challenging. This one will have to spend time reading and creating a report. An alternative might be to hire a freelance technical editor/writer that can provide his input from the documentation and editing point of view and how well written and consistent the document is. This is more subjective and that's why I think that we had better leave documentation to the Rating system. Hiring a technical writer and editor to provide his opinion could be an option; however, it is subjective.</p>





<p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">----</p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">




That being said, reviewing and setting a process for reviewing documentation is hard.</p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">
The project review technical advisory board created some criteria, but who has time to review documents in an unbiased way? I think a flagship document should at least:</p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">




-Have no grammar errors</p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">-Have a way to receive feedback from readers </p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">




<span style="font-family:arial,sans-serif;line-height:normal">- take into account user feedback to improve the project</span><br></p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">




<span style="font-family:arial,sans-serif;line-height:normal">-Be reviewed by experts in the matter </span></p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">





Not a simple answer.</p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px"><br></p><p style="margin:0.4em 0px 0.5em;line-height:19.200000762939453px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px">




<br></p><p style="margin:0.4em 0px 0.5em"><font color="#000000" face="sans-serif"><span style="line-height:19.200000762939453px"><a href="https://docs.google.com/a/owasp.org/forms/d/130ScNZPrqrQTkWUmDz2mt2X94LXfrOurNz-46tjGbEg/edit" target="_blank">https://docs.google.com/a/owasp.org/forms/d/130ScNZPrqrQTkWUmDz2mt2X94LXfrOurNz-46tjGbEg/edit</a></span></font><br>




</p><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><h2 style="margin:0px;padding:0px">
OWASP Project Quality Assessment: Documentation Projects</h2><div style="white-space:pre-wrap;word-wrap:break-word;margin-top:0.5em">Please grade each question using the points system. A reviewer can reward points between (0 - 10) (Enter 10 if Not Applicable). Projects 75 or higher are high quality, 50 - 70 medium/beta quality, and less than 50 low or alpha quality. Start awarding points once you pass the project relationship question. </div>




</div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Project Version<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em"></span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Release Status<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em"></span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Does the material help inform consumers about a security topic?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Does the project help inform a reader/viewer about a security concern?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Can a user download the project artifacts from the OWASP Project wiki page?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Can a user easily determine how to download the project resources from the wiki page, whether it is from a link on the project page or a link on the project page that redirects the user to another web site where the artifacts are hosted?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Is the grammar correct, understandable, and the content flows well?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Is the document well written/spoken and easy to follow and understand?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Do the project leaders/contributors interact with readers and receive and reply to feedback on the project?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Can users ask questions and receive helpful answers?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Does the project leader adapt the documentation based on the priorities, importance, and feedback gathered by reliable sources?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Do project leaders take into account user feedback to improve the project?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Is the documentation translated into at least two different languages?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Has the original project been translated into another language?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">If this document is a candidate to publish as an OWASP book, is the document in a format which can be converted to an OWASP book?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">If the project is a candidate for an OWASP book, is it in the OWASP format?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Does the project sufficiently cover material with respect to the topic or process it is intended to cover?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Does this project provide adequate coverage of the security concern it covers?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Would you recommend this project to educate them about a security concern?<span style="color:rgb(196,59,29)">*</span><span style="font-size:0px">Required</span></span><span style="display:block;margin:0.1em 0px 0.25em">Overall would you promote this project to others who want to learn about the security issue this project attempts to cover?</span><div>




<div>




 </div></div></div></div><div style="overflow:hidden;zoom:1;color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><div style="margin:0px;outline:none;padding:1.5em 2em;zoom:1"><span style="display:block;font-weight:bold">Total:<span style="color:rgb(196,59,29)">*</span></span></div>




</div></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 19, 2014 at 10:27 AM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br>




<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hi all, <br>
      <br>
      my answer is simple: status today is that <i>all</i> Flagship
      projects had been reset to Labs status. So the question is not
      whether Top10 "keeps" Flagship status, but for Top10 to regain the
      Flagship status. <br>
      <br>
      Considering that Top10 is still IMO very high quality, I would
      think it very likely for Top-10 to regain Flagship status
      relatively quickly. <br>
      <br>
      Maybe Johanna could advise on the process for a documentation
      project to achieve Flagship status? <br>
      <br>
      Best wishes, Tobias<div><div><br>
      <br>
      <br>
      On 19/06/14 06:53, Josh Sokol wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <p dir="ltr">I'd like to suggest a compromise here in that we keep
        Top 10 2013 as Flagship status and make sure that the 2016
        release is done based on the new document quality metrics once
        they are flushed out and fully approved.  I think those
        requirements should handle Jim's concerns.  We can't change the
        past, but we can certainly influence the future.</p>
      <p dir="ltr">~josh</p>
      <div class="gmail_quote">On Jun 19, 2014 12:39 AM, "Jim Manico"
        <<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>>
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> Dave,<br>
            <br>
            I have mixed feelings here. I worry about past issues of how
            you came to conclusions for the top ten final items, issues
            with partnerships that led to the A9, and issues around how
            statistics were collected and used. I also worry about
            a top ten list in general being very lacking in terms of
            helping people build a full application security program.
            (Heck, I'm working on a defense top ten as well).<br>
            <br>
            Now that aside, the work you and others have done in the Top
            Ten is very polished and is indeed useful for initial
            awareness. As it stands today, I am still a fan of the
            document and endorse it.<br>
            <br>
            I am not the decision maker here, but I personally support
            lifting the primary Top Ten to flagship status. But I
            implore you to make the next version much more transparent,
            community built, vendor neutral and be only OWASP branded.
            There is still work we can do in this area in my opinion.<br>
            <br>
            Aloha,<br>
            Jim<br>
            <br>
            <br>
            <br>
            <br>
            <div>On 6/8/14, 10:30 PM, Dave Wichers wrote:<br>
            </div>
            <blockquote type="cite">
              <div>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’m

                    wondering what this means to the OWASP Top 10
                    project. This is an active project that is currently
                    on its normal schedule. All top 10 products are
                    done, up to date, release quality. It's been
                    translated into many different languages and more
                    are actively being worked on now.</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Many

                    people look at the Top 10 as a de facto standard, so
                    having it demoted to non-flagship (even temporarily)
                    is concerning to some people. (I have received
                    several direct inquiries about what this means for
                    the Top 10)  Like should they stop recommending people
                    use it?? Or should they recommend the SANS Top 25
                    instead, etc.)</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Given

                    the high visibility of this particular documentation
                    project, I want to know what I have to do, if
                    anything, to either retain flagship status (It’s
                    still marked that way as far as I know), or quickly
                    get it back to that status?</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This

                    is certainly confusing and potentially harmful to my
                    project.</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Dave</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">p.s.

                    By the way, I support this initiative, so I’m not
                    blasting anyone. Just trying to figure out what to
                    do for my particular project.</span></p>
                <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
                <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                    <a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">owasp-leaders-bounces@lists.owasp.org</a>
                    [<a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">mailto:owasp-leaders-bounces@lists.owasp.org</a>]
                    <b>On Behalf Of </b>Josh Sokol<br>
                    <b>Sent:</b> Saturday, June 07, 2014 4:10 AM<br>
                    <b>To:</b> Yvan Boily<br>
                    <b>Cc:</b> Christian Heinrich; OWASP Leaders; <a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a><br>
                    <b>Subject:</b> Re: [Owasp-leaders] [Owasp-testing]
                    Flagship Project Status</span></p>
                <p class="MsoNormal"> </p>
                <div>
                  <div>
                    <div>
                      <div>
                        <p class="MsoNormal" style="margin-bottom:12.0pt">Thanks for
                          bringing this discussion to the leaders list. 
                          I can certainly see how someone, especially
                          those running projects, would see this
                          Flagship status demotion as a hassle at best
                          and perhaps even "catastrophic" as Christian
                          put it.  I was, admittedly, a bit skeptical of
                          the value of such an action when the idea was
                          first brought to me, but upon further
                          consideration, I changed my mind.  People
                          around the world have come to respect the
                          OWASP name as a trusted source for tools and
                          documentation, but when they come to our
                          website, their experience can vary based on
                          where they land.  Think about how you'd feel
                          if you downloaded an OWASP "Flagship" document
                          with outdated information or a "Flagship" tool
                          that actually created security vulnerabilities
                          when you used it.  It becomes a situation
                          where the proverbial one rotten apple can
                          spoil the entire bunch.  Sure, you could make
                          the argument that we could evaluate each
                          current Flagship project and then demote on a
                          case-by-case basis, and you'd probably be
                          right, but as hard as the evaluator would try
                          to be objective, in the end someone is
                          probably going to get upset and cry foul. 
                          With this action, we have leveled the playing
                          field (so to speak) and the projects that
                          advance back to Flagship can do so under the
                          full support of the community.</p>
                      </div>
                      <p class="MsoNormal" style="margin-bottom:12.0pt">I
                        don't think that it's in anybody's best interest
                        to be in this limbo state for long and in the
                        interests of expediting the process, I just
                        threw out some ideas on what "Flagship" means to
                        me here:<br>
                        <br>
                        <a href="http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html" target="_blank">http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html</a></p>
                    </div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt">These
                      are just suggestions, nothing set in stone, and
                      I'm hoping that you guys will follow up with your
                      feedback and perhaps even your own suggestions. 
                      In a nutshell, how do we define a process that
                      ensures that when a person goes to OWASP and
                      downloads a Flagship document, we know, without
                      hesitation, that it will be a high quality product
                      that they can rely on?  I'd say let's take the
                      next week or so to solicit feedback from the
                      community, and then maybe you guys would be
                      interested in helping to assemble the pieces that
                      make up the final process?  Johanna is already
                      working on putting the pieces in place for the
                      code projects and I'm happy to try to get the ball
                      rolling on the documentation projects as well. 
                      All things considered, I bet we can have a process
                      in place in the next 2-4 weeks.</p>
                  </div>
                  <p class="MsoNormal">~josh</p>
                </div>
                <div>
                  <p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
                  <div>
                    <p class="MsoNormal">On Fri, Jun 6, 2014 at 10:17
                      PM, Yvan Boily <<a href="mailto:yvanboily@gmail.com" target="_blank">yvanboily@gmail.com</a>>
                      wrote:</p>
                    <div>
                      <div>
                        <div>
                          <p class="MsoNormal">On Fri, Jun 6, 2014 at
                            6:34 PM, Christian Heinrich <<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>>

                            wrote:</p>
                          <p class="MsoNormal">Yvan,</p>
                          <div>
                            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                              On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily
                              <<a href="mailto:yvanboily@gmail.com" target="_blank">yvanboily@gmail.com</a>>

                              wrote:<br>
                              > I am going to be pretty blunt about
                              this.  Those examples were from 3 or<br>
                              > more years ago.  I have been involved
                              with OWASP for 10 years (at my<br>
                              > earliest recollection, 2004, when I
                              launched the Winnipeg chapter), and I<br>
                              > have seen (on and off mailing lists)
                              that left a bad taste in my mouth; that<br>
                              > hasn't changed my desire to help my
                              chapter be better, and to find ways to<br>
                              > contribute.  There are always going
                              to be people who use organizations like<br>
                              > OWASP for self-aggrandizement, and
                              there may even be corruption by some<br>
                              > bad actors (I don't know the
                              specifics).  If you are aware of ongoing<br>
                              > corruption, then collect the
                              evidence, and put a proposal forward to
                              the<br>
                              > group for a 3rd party audit of the
                              organization and let the OWASP members<br>
                              > voice their opinions.  Otherwise
                              don't make claims that you can't back.</p>
                          </div>
                          <p class="MsoNormal">You haven't disputed the
                            evidence that I have put forth?</p>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">If *you* are aware of
                              ongoing corruption, then *you* collect the
                              evidence, and put forward a proposal for a
                              review.  I am not going to.  I have a
                              career, run a separate non-profit,
                              contribute to owasp, organize several
                              local groups, and have a family; I don't
                              (and most of the other OWASP leaders
                              probably don't) have time to investigate
                              it for you.  I am happy with the direction
                              that OWASP is going, and support the
                              direction that the current board is moving
                              in.  I am not going to do your work for
                              you.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <div>
                              <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                                On Sat, Jun 7, 2014 at 1:05 AM, Yvan
                                Boily <<a href="mailto:yvanboily@gmail.com" target="_blank">yvanboily@gmail.com</a>>

                                wrote:<br>
                                > I don't know Dinis personally, but
                                I have looked at O2 on several occasions<br>
                                > since its release, and while it
                                never took a huge place in my tool box I<br>
                                > certainly see its value and
                                appeal; OWASP should be supporting
                                projects<br>
                                > that are innovative and try new
                                things.  It is unfortunate if money
                                spent<br>
                                > didn't have the desired outcome,
                                but those are the breaks of funding<br>
                                > research and development.  If OWASP
                                didn't back new and experimental<br>
                                > projects then it is entirely
                                possible that Simon may not have brought
                                ZAP to<br>
                                > the table when figuring out where
                                it should live.</p>
                            </div>
                            <p class="MsoNormal">No, no and no.<br>
                              <br>
                              Dinis Cruz, as an OWASP Board Member,
                              should *not* be allowed to<br>
                              manage or lead his own OWASP Projects.</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">Wait what? The people
                              who are most invested in the success of
                              their projects that are contributed to
                              OWASP shouldn't be allowed to take on a
                              position of greater responsibility to
                              ensure the success of the community in
                              addition to their own project?  I don't
                              know if you have leadership or management
                              experience, but in general, you want to
                              promote and/or recruit people that show
                              initiative.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal"> Neither should he be
                              allowed<br>
                              to direct "charity" funds to the
                              development of a commercial product<br>
                              owned by Security Innovation.</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">I tend to agree (where
                              "Security Innovation" is replaced with "a
                              for-profit business").  So, take the
                              initiative, collect the evidence, and
                              build a case.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal"><br>
                              Reread <a href="http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html</a><br>
                              that supports the above.<br>
                              <br>
                              Furthermore, OWASP should not hire the
                              wife of Dinis Cruz's personal<br>
                              friend, Paulo Coimbra i.e.<br>
                              <a href="https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html" target="_blank">https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html</a><br>
                              to assist with Security Innovation's
                              commercial exploitation of OWASP<br>
                              when <a href="http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html" target="_blank">http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html</a><br>
                              has considerably more experience with
                              OWASP.<br>
                              <br>
                              ... and who could forget Jeff Williams' own
                              opinion of Security<br>
                              Innovation i.e.<br>
                              <a href="https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html" target="_blank">https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html</a><br>
                              <br>
                              Sonatype was founded by former employees
                              of 02 and Josh Corman worked<br>
                              for Rugged Software.<br>
                              <br>
                              <a href="https://www.owasp.org/index.php/Rugged_Software" target="_blank">https://www.owasp.org/index.php/Rugged_Software</a>
                              <- WTF is this doing<br>
                              on the OWASP Wiki? 0WASP "02 With Aspect
                              Security Promotion"  :-)<br>
                              <br>
                              BTW No one except for Dinis Cruz has any
                              idea what 02 does and Dinis<br>
                              doesn't help it when he references other
                              well known projects, such as<br>
                              HacmeBank.  Mark Curphey refers to this as
                              [Dinis Cruz] "lost in 02<br>
                              world".</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">So this is a stream of
                              consciousness style write-up that doesn't
                              really make clear sense to me without
                              reading the supporting docs.  </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal"><br>
                              I don't have an issue with Simon but the
                              fact is Michael Coates, him<br>
                              and you have all worked for Mozilla and
                              yet OWASP invested in WebScarab<br>
                              in the past.  </p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">Yeah, you might want to
                              educate yourself on the history of ZAP
                              before you put your foot in your mouth. 
                              Simon implemented ZAP before he was
                              involved with OWASP, and made a strong
                              positive contribution to OWASP out of the
                              gate.<br>
                              <br>
                              I don't know why you want to drag my
                              employer into this; all three of the
                              people named were OWASP contributors
                              before joining Mozilla, and actually
                              ramped up their involvement after joining
                              Mozilla.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal">In Simon's defence he
                              probably didn't know about<br>
                              WebScarab because OWASP didn't help with
                              the promotion of known<br>
                              projects since Dinis Cruz hired
                              personal friends to promote his<br>
                              own projects.</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">Sorry to break it to
                              you, but no amount of promotion would have
                              saved WebScarab.  It was a powerful and
                              flexible tool, but it had a painful UI, a
                              terrible learning curve.  ZAP is
                              successful because it was a natural
                              progression of an effectively abandoned
                              (but still popular) tool, a generous
                              helping of new features, and a lot of UI
                              love.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <div>
                              <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                                On Sat, Jun 7, 2014 at 1:05 AM, Yvan
                                Boily <<a href="mailto:yvanboily@gmail.com" target="_blank">yvanboily@gmail.com</a>>

                                wrote:<br>
                                > I won't speak for the past, but the
                                current efforts to update and refresh<br>
                                > OWASP practices and policies have
                                been sorely needed, and comes at a time<br>
                                > when people are seriously
                                questioning whether or not OWASP brings
                                value to<br>
                                > the industry.  OWASP needs to put a
                                better foot forward, and part of that is<br>
                                > recognizing projects that should
                                bear the benefit of the OWASP brand,
                                *and*<br>
                                > keeping those products (whether
                                they are tool, library, or doc projects)<br>
                                > accountable to maintain their
                                status as a 'gold-star' tool.<br>
                                  </p>
                            </div>
                          </blockquote>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal">Yeah, so in essence
                              what Jim is now doing is what Dinis Cruz
                              should<br>
                              have completed three years ago but didn't.</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">Again, what?  You are
                              complaining that a current board member is
                              doing something you felt was long needed? 
                              I am not sure what your point is.  Dinis
                              isn't on the board.  Focusing your
                              aggression and frustration on a single (or
                              a small group) of individuals really
                              detracts from any significant point you
                              are trying to make.  I have yet to see a
                              single constructive point come out of
                              anything you have said in this thread. 
                              That deficiency, by the way, coupled with
                              your accusations and tone are the main
                              reasons I felt the need to respond.  You
                              aren't contributing in a constructive
                              fashion, you are actively undermining
                              folks (Jim, Johanna) that are, and you are
                              wasting people's time.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal"><br>
                              The OWASP Testing Guide is a documentation
                              project and as far as I am<br>
                              aware is out of being demoted now?</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">If so, it is my opinion
                              that it is a mistake; once the clearly
                              defined criteria for being a flagship
                              project are available, the projects should
                              be made to apply, with no grandfathering. 
                              This forces projects to meet a quality
                              assurance guideline that means something.</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <div>
                              <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                                On Sat, Jun 7, 2014 at 1:05 AM, Yvan
                                Boily <<a href="mailto:yvanboily@gmail.com" target="_blank">yvanboily@gmail.com</a>>

                                wrote:<br>
                                > If you think putting in some basic
                                effort to preserve the OWASP brand is an<br>
                                > unnecessary burden, then I question
                                your commitment to protecting OWASP,<br>
                                > not the team working on the QA
                                project.</p>
                            </div>
                            <p class="MsoNormal"><a href="http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html</a><br>
                              <- Yeah, Dinis Cruz just wants to see
                              the world burn.</p>
                          </blockquote>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <p class="MsoNormal"><br>
                              BTW I don't see how your reply is relevant
                              to the OWASP Testing Guide.</p>
                          </blockquote>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <div>
                            <p class="MsoNormal">I reference the testing
                              guide a fair bit.  I have designed several
                              training courses that reference them; I am
                              interested in seeing the Guide remain a
                              flagship project, but not at the expense
                              of seeing a process implemented that says
                              the 'Flagship' stamp actually means
                              something.</p>
                          </div>
                          <div>
                            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                              You are correct.  Pushing to the leaders
                              list since this makes more sense there.  I
                              don't care much about the issues you have
                              with past board members, unless you are
                              going to position them in a way that focuses
                              on being constructive (learning from
                              mistakes made in the past is constructive,
                              dwelling on them isn't).</p>
                          </div>
                          <div>
                            <p class="MsoNormal">Cheers,</p>
                          </div>
                          <div>
                            <p class="MsoNormal">Yvan</p>
                          </div>
                          <div>
                            <p class="MsoNormal"> </p>
                          </div>
                          <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                            <div>
                              <div>
                                <p class="MsoNormal"><br>
                                  <span style="color:#888888"><br>
                                    <span>--</span><br>
                                    <span>Regards,</span><br>
                                    <span>Christian Heinrich</span><br>
                                    <br>
                                    <span><a href="http://cmlh.id.au/contact" target="_blank">http://cmlh.id.au/contact</a></span></span></p>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <p class="MsoNormal"> </p>
                      </div>
                    </div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                      _______________________________________________<br>
                      OWASP-Leaders mailing list<br>
                      <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                      <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></p>
                  </div>
                  <p class="MsoNormal"> </p>
                </div>
              </div>
            </blockquote>
            <br>
          </div>
          <br>
          <br>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><span style="font-family:verdana,sans-serif"><font size="1"><span style="border-collapse:collapse"><a href="http://about.me/dennis.groves" target="_blank">Dennis Groves</a>, MSc</span></font></span></span><div>


<span style="background-color:rgb(255,255,255)"><span style="font-family:verdana,sans-serif"><font size="1"><span style="border-collapse:collapse"><a href="mailto:dennis.groves@owasp.org" target="_blank">Email me,</a> or <a href="http://goo.gl/8sPIy" target="_blank">schedule a meeting</a>.<br>


</span></font></span></span></div><div><div style="text-align:left"><i><span style="background-color:rgb(255,255,255)"><span style="font-family:verdana,sans-serif"><font size="1">This email is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB" target="_blank">CC BY-ND 3.0</a> <font size="1">license</font>.</font></span></span></i></div>


<div style="text-align:left"><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><span style="color:rgb(0,0,0)"><span style="background-color:rgb(255,255,0)"><a href="http://www.fsf.org/campaigns/secure-boot/statement" target="_blank">Stand up for your freedom to install free software.</a></span></span><br>


</span></font></font></span><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><span style="color:rgb(102,102,102)">Please do not send me Microsoft Office/Apple iWork documents. <br>


Send <a href="http://fsf.org/campaigns/opendocument/" target="_blank">OpenDocument</a> instead!</span><br><br></span></font></font></span><div style="text-align:left"><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><a href="http://www.owasp.org/" target="_blank"><img src="http://www.owasp.org/skins/monobook/ologo.png" height="92" width="96"></a></span></font></font></span><br>


</div><span style="font-family:verdana,sans-serif"></span></div></div></div>
</font></span></div>
</blockquote></div><br></div>