<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 1:57 PM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div>Yvan,<br><br></div>Your post is actually about two separate things:<br><br></div>1) Action: The Board acknowledged the complaints from various members of the Foundation and had our Compliance Officer, Martin Knobloch, conduct an investigation into the matter.  Martin concluded his independent investigation into his actions and provided his report to the Board in September.  My mind is failing me as to whether it was the September or October Board Meeting (pretty sure it was at AppSecUSA on 9/16/2014), and the agenda and voting doesn't reflect it (a problem I've asked to get rectified), but the Board did vote to extend his membership ban and not give reconsideration for membership for a significant period of time.  I don't remember offhand the exact details in terms of timeframe as many different options were discussed.  Regardless, your suggestion that the Board has failed to take action on this issue is misinformed.<br></div></div></div></blockquote><div><br></div><div>Glad to hear it!  Can we get an amendment to the process that when action is taken a complainant is notified?  <br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><br></div>2) Enforcement: This is where things get tricky and is largely outside of the Board's hands.  It becomes an Operations Team issue to try and figure out how to enforce the fact that someone is not allowed to participate in OWASP.  
I think that there was supposed to be some discussion with Matt in terms of figuring out how to handle it technically, but, from the recent message, it doesn't appear that it was done.  Not sure where the ball was dropped there, but I'm sure Paul can look into it as ED.<span class=""><font color="#888888"><br></font></span></div></div></blockquote><div><br></div>The technical enforcement aspect is only one part of it.  Technical measures to curtail participation are a rathole, especially for security folks since many of us have "figure out how to bypass controls" as part of our professional repertoire.<br></div><div class="gmail_quote"><div><br></div><div>The second part is to notify the community that a person has been blocked from participation; without the knowledge that the ban is in place, we don't have the means to advise folks that their participation is unwelcome due to past behavior.  This is important to both increase awareness that OWASP will uphold its expectations for all community members, and to take the strain of enforcing the ban off of individual contributors or staff.  <br><br></div><div class="">Thanks for everyone's work on this, and sorry to have to stir the pot on this issue again.<br><br></div><div class="">Cheers,<br>Yvan<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><span class=""><font color="#888888"></font></span></div><span class=""><font color="#888888">~josh<br></font></span></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 3:12 PM, Steven van der Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    True<br>
    <br>
    I personally would have preferred it that, for now, the leaders list
    was not included as there is already too much bickering going on
    there. And as you say, if the board fails to make a decision or is
    unable to enforce the code of ethics, then it would have been just
    to include the leaders list in a 'call to action'. I agree that the
    community deserves more. I can only hope there will be an
    announcement soon to resolve it all.<br>
    <br>
    Kind regards,<br>
    Steven.<div><div><br>
    <br>
    <br>
    <div>On 06/11/14 20:57, Yvan Boily wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>It would have been out of line if I had posted this
              line of inquiry back to the individual project threads.  I
              changed the venue for these comments to the leaders list
              and the governance team.  I also added the board to this
              message.<br>
            </div>
            <div><br>
            </div>
            Bottom line, the board has not acted to protect the
            community from someone who has regularly posted abusive
            messages, and has persisted in doing so since the complaint
            was filed.  I don't really care whether his content is
            technically valid, I care about the harm that allowing known
            bad actors to continue to participate at the expense of
            others.<br>
            <br>
          </div>
          I don't know him either, and I am not personally invested in
          the outcome of the decision that the board makes regarding
          Christian; I am personally invested in knowing whether or not
          OWASP is willing to follow its own rules.  If the board is
          failing to enforce the code of ethics, then this is an issue
          for the leaders and the governance team.  OWASP contributors
          deserve better than this.<br>
          <br>
        </div>
        Regards,<br>
        Yvan Boily<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 6, 2014 at 12:25 PM, Steven
          van der Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Yvan,<br>
              <br>
              as far as I'm aware there has been no announcement that he
              should be blocked and to be honest I find this question
              out of place here. <br>
              No, I'm no friend of Mr Heinrich. No, I do not know him.
              Yes, I realise that he can be quite a handful, but I
              firmly believe that this type of question should not be
              expressed as openly and on multiple lists like you have
              done.<br>
              <br>
              Kind regards,<br>
              Steven van der Baan.
              <div>
                <div><br>
                  <br>
                  <div>On 06/11/14 18:11, Yvan Boily wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Regardless of the content, Christian is
                        supposed to have been blocked from participation
                        in OWASP.  Has there been a change here?<br>
                        <br>
                      </div>
                      Regards,<br>
                      Yvan<br>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Nov 6, 2014 at
                        7:20 AM, Bev Corwin <span dir="ltr"><<a href="mailto:bev.corwin@owasp.org" target="_blank">bev.corwin@owasp.org</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <div dir="ltr">Sharing FYI:
                            <div><br>
                            </div>
                            <div><clip><br>
                              <h3>Reliance on Hardening, Not Obfuscation</h3>
                              <p>Hiding code does not prevent
                                attacks—and it is foolish to assume that
                                it does. Open Source development
                                practices rely on actually hardening (or
                                improving the security of) code by
                                making it available for peers to test
                                and try to break, and then fixing the
                                problems found.</p>
                              <div></clip></div>
                              <div><br>
                              </div>
                              <div>From:</div>
                              <div><br>
                              </div>
                              <div><a href="http://mil-oss.org/learn-more/security-model-misconceptions" target="_blank">http://mil-oss.org/learn-more/security-model-misconceptions</a><br>
                              </div>
                            </div>
                            <div><br>
                            </div>
                            <div>Bev</div>
                            <div><br>
                            </div>
                          </div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Tue, Nov 4, 2014
                              at 8:29 PM, Christian Heinrich <span dir="ltr"><<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Andrew,<br>
                                <span><br>
                                  On Wed, Nov 5, 2014 at 10:22 AM,
                                  Andrew van der Stock<br>
                                  <<a href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>> wrote:<br>
                                  > I am ashamed to say when
                                  reviewing the ASVS 2.0, I totally
                                  missed the<br>
                                  > inclusion of V17.11, which is a
                                  Level 3 control for requiring<br>
                                  > obfuscation. Was this included
                                  because it was in the Mobile Top 10<br>
                                  > 2014?<br>
                                  <br>
                                </span>The benefit of obfuscation is
                                that the auditor has to be much higher<br>
                                skilled than the "middle of the bell
                                curve", who just copy and paste a<br>
                                report from their SAST product.<br>
                                <br>
                                This cost should be absorbed by the
                                client since the auditor is<br>
                                required to undertake additional work.<br>
                                <br>
                                In addition, obfuscation also minimises
                                the loss of Intellectual<br>
                                property if the auditor misplaces the
                                source code because the "[wo]man<br>
                                on the street" isn't going to be able to
                                understand it or know what it<br>
                                is without some investment.<br>
                                <br>
                                I vote not to have obfuscation removed
                                from ASVS, but reworded (in the<br>
                                next ASVS release) to include the
                                additional clarification from the<br>
                                next release of the Mobile Top 10.<br>
                                <span><font color="#888888"><br>
                                    <span><font color="#888888"> <br>
                                        --<br>
                                        Regards,<br>
                                        Christian Heinrich<br>
                                        <br>
                                        <a href="http://cmlh.id.au/contact" target="_blank">http://cmlh.id.au/contact</a><br>
                                      </font></span></font></span><span><font color="#888888">
                                    <div>
                                      <div>_______________________________________________<br>
                                        Owasp-application-security-verification-standard mailing list<br>
                                        <a href="mailto:Owasp-application-security-verification-standard@lists.owasp.org" target="_blank">Owasp-application-security-verification-standard@lists.owasp.org</a><br>
                                        <a href="https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard</a><br>
                                      </div>
                                    </div>
                                  </font></span></blockquote>
                            </div>
                            <br>
                          </div>
                          <br>
_______________________________________________<br>
                          OWASP-Leaders mailing list<br>
                          <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>