[Owasp-testing] Flagship Project Status

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Jun 7 01:34:23 UTC 2014


On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> I am going to be pretty blunt about this.  Those examples were from 3 or
> more years ago.  I have been involved with OWASP for 10 years (at my
> earliest recollection, 2004, when I launched the Winnipeg chapter), and I
> have seen (on and off mailing lists) that left a bad taste in my mouth; that
> hasn't changed my desire to help my chapter be better, and to find ways to
> contribute.  There are always going to be people who use organizations like
> OWASP for self-aggrandizement, and there may even be corruption by some
> bad actors (I don't know the specifics).  If you are aware of ongoing
> corruption, then collect the evidence, and put a proposal forward to the
> group for a 3rd party audit of the organization and let the OWASP members
> voice their opinions.  Otherwise don't make claims that you can't back.

You haven't disputed the evidence that I have put forth?

On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> I don't know Dinis personally, but I have looked at O2 on several occasions
> since its release, and while it never took a huge place in my tool box I
> certainly see its value and appeal; OWASP should be supporting projects
> that are innovative and try new things.  It is unfortunate if money spent
> didn't have the desired outcome, but those are the breaks of funding
> research and development.  If OWASP didn't back new and experimental
> projects then it is entirely possible that Simon may not have brought ZAP to
> the table when figuring out where it should live.

No, no and no.

Dinis Cruz, as an OWASP Board Member, should *not* be allowed to
manage or lead his own OWASP Projects.  Neither should he be allowed
to direct "charity" funds to the development of a commercial product
owned by Security Innovation.

Reread http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
that supports the above.

Furthermore, OWASP should not hire the wife of Dinis Cruz's personal
friend, Paulo Coimbra, i.e.
to assist with Security Innovation's commercial exploitation of OWASP
when http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html
has considerably more experience with OWASP.

... and who could forget Jeff Williams' own opinion of Security
Innovation i.e.

Sonatype was founded by former employees of O2 and Josh Corman worked
for Rugged Software.

https://www.owasp.org/index.php/Rugged_Software <- WTF is this doing
on the OWASP Wiki? 0WASP "02 With Aspect Security Promotion"  :-)

BTW No one except Dinis Cruz has any idea what O2 does and Dinis
doesn't help it when he references other well known projects, such as
HacmeBank.  Mark Curphey refers to this as [Dinis Cruz] "lost in O2

I don't have an issue with Simon but the fact is Michael Coates, him
and you have all worked for Mozilla and yet OWASP invested in WebScarab
in the past.  In Simon's defence he probably didn't know about
WebScarab because OWASP didn't help with the promotion of known
projects since Dinis Cruz hired personal friends to promote his
own projects.

On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> I won't speak for the past, but the current efforts to update and refresh
> OWASP practices and policies have been sorely needed, and come at a time
> when people are seriously questioning whether or not OWASP brings value to
> the industry.  OWASP needs to put a better foot forward, and part of that is
> recognizing projects that should bear the benefit of the OWASP brand, *and*
> keeping those products (whether they are tool, library, or doc projects)
> accountable to maintain their status as a 'gold-star' tool.

Yeah, so in essence what Jim is now doing is what Dinis Cruz should
have completed three years ago but didn't.

The OWASP Testing Guide is a documentation project and as far as I am
aware is out of being demoted now?

On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> If you think putting in some basic effort to preserve the OWASP brand is an
> unnecessary burden, then I question your commitment to protecting OWASP,
> not the team working on the QA project.

<- Yeah, Dinis Cruz just wants to see the world burn.

BTW I don't see how your reply is relevant to the OWASP Testing Guide.

Christian Heinrich