[Owasp-testing] Flagship Project Status

Yvan Boily yvanboily at gmail.com
Sat Jun 7 03:17:34 UTC 2014

On Fri, Jun 6, 2014 at 6:34 PM, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Yvan,
> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> > I am going to be pretty blunt about this.  Those examples were from 3 or
> > more years ago.  I have been involved with OWASP for 10 years (at my
> > earliest recollection, 2004, when I launched the Winnipeg chapter), and I
> > have seen (on and off mailing lists) that left a bad taste in my mouth; that
> > hasn't changed my desire to help my chapter be better, and to find ways to
> > contribute.  There are always going to be people who use organizations like
> > OWASP for self-aggrandizement, and there may even be corruption by some
> > bad actors (I don't know the specifics).  If you are aware of ongoing
> > corruption, then collect the evidence, and put a proposal forward to the
> > group for a 3rd party audit of the organization and let the OWASP members
> > voice their opinions.  Otherwise don't make claims that you can't back.
> You haven't disputed the evidence that I have put forth?

If *you* are aware of ongoing corruption, then *you* collect the evidence,
and put forward a proposal for a review.  I am not going to.  I have a
career, run a separate non-profit, contribute to OWASP, organize several
local groups, and have a family; I don't (and most of the other OWASP
leaders probably don't) have time to investigate it for you.  I am happy
with the direction that OWASP is going, and support the direction that the
current board is moving in.  I am not going to do your work for you.

> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> > I don't know Dinis personally, but I have looked at O2 on several occasions
> > since its release, and while it never took a huge place in my tool box I
> > certainly see its value and appeal; OWASP should be supporting projects
> > that are innovative and try new things.  It is unfortunate if money spent
> > didn't have the desired outcome, but those are the breaks of funding
> > research and development.  If OWASP didn't back new and experimental
> > projects then it is entirely possible that Simon may not have brought ZAP to
> > the table when figuring out where it should live.
> No, no and no.
> Dinis Cruz, as an OWASP Board Member, should *not* be allowed to
> manage or lead his own OWASP Projects.

Wait what? The people who are most invested in the success of their
projects that are contributed to OWASP shouldn't be allowed to take on a
position of greater responsibility to ensure the success of the community
in addition to their own project?  I don't know if you have leadership or
management experience, but in general, you want to promote and/or recruit
people that show initiative.

>  Neither should he be allowed
> to direct "charity" funds to the development of a commercial product
> owned by Security Innovation.

I tend to agree (where "Security Innovation" is replaced with "a for-profit
business").  So, take the initiative, collect the evidence, and build a

> Reread
> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
> that supports the above.
> Furthermore, OWASP should not hire the wife of Dinis Cruz's personal
> friend, Paulo Coimbra i.e.
> https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html
> to assist with Security Innovation's commercial exploitation of OWASP
> when
> http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html
> has considerably more experience with OWASP.
> ... and who could forget Jeff Williams own opinion of Security
> Innovation i.e.
> https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html
> Sonatype was founded by former employees of 02 and Josh Corman worked
> for Rugged Software.
> https://www.owasp.org/index.php/Rugged_Software <- WTF is this doing
> on the OWASP Wiki? 0WASP "02 With Aspect Security Promotion"  :-)
> BTW No one except for Dinis Cruz has any idea what 02 does and Dinis
> doesn't help it when he references other well known projects, such as
> HacmeBank.  Mark Curphey refers to this as [Dinis Cruz] "lost in 02
> world".

So this is a stream of consciousness style write-up that doesn't really
make clear sense to me without reading the supporting docs.

> I don't have an issue with Simon but the fact is Michael Coates, him
> and you have all worked for Mozilla and yet OWASP invested in WebScarab
> in the past.

Yeah, you might want to educate yourself on the history of ZAP before you
put your foot in your mouth.  Simon implemented ZAP before he was involved
with OWASP, and made a strong positive contribution to OWASP out of the

I don't know why you want to drag my employer into this; all three of the
people named were OWASP contributors before joining Mozilla, and actually
ramped up their involvement after joining Mozilla.

> In Simon's defence he probably didn't know about
> WebScarab because OWASP didn't help with the promotion of known
> projects since Dinis Cruz hired personal friends to promote his
> own projects.

Sorry to break it to you, but no amount of promotion would have saved
WebScarab.  It was a powerful and flexible tool, but it had a painful UI, a
terrible learning curve.  ZAP is successful because it was a natural
progression of an effectively abandoned (but still popular) tool, a
generous helping of new features, and a lot of UI love.

> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> > I won't speak for the past, but the current efforts to update and refresh
> > OWASP practices and policies have been sorely needed, and come at a time
> > when people are seriously questioning whether or not OWASP brings value to
> > the industry.  OWASP needs to put a better foot forward, and part of that is
> > recognizing projects that should bear the benefit of the OWASP brand, *and*
> > keeping those products (whether they are tool, library, or doc projects)
> > accountable to maintain their status as a 'gold-star' tool.
> Yeah, so in essence what Jim is now doing is what Dinis Cruz should
> have completed three years ago but didn't.

Again, what?  You are complaining that a current board member is doing
something you felt was long needed?  I am not sure what your point is.
Dinis isn't on the board.  Focusing your aggression and frustration on a
single individual (or a small group of individuals) really detracts from any
significant point you are trying to make.  I have yet to see a single
constructive point come out of anything you have said in this thread.  That
deficiency, by the way, coupled with your accusations and tone are the main
reasons I felt the need to respond.  You aren't contributing in a
constructive fashion, you are actively undermining folks (Jim, Johanna)
that are, and you are wasting people's time.

> The OWASP Testing Guide is a documentation project and as far as I am
> aware is out of being demoted now?

If so, it is my opinion that it is a mistake; once the clearly defined
criteria for being a flagship project are available, the projects should be
made to apply, with no grandfathering.  This forces projects to meet a
quality assurance guideline that means something.

> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> > If you think putting in some basic effort to preserve the OWASP brand is an
> > unnecessary burden, then I question your commitment to protecting OWASP,
> > not the team working on the QA project.
> http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html
> <- Yeah, Dinis Cruz just wants to see the world burn.

> BTW I don't see how your reply is relevant to the OWASP Testing Guide.

I reference the testing guide a fair bit.  I have designed several training
courses that reference them; I am interested in seeing the Guide remain a
flagship project, but not at the expense of seeing a process implemented
that says the 'Flagship' stamp actually means something.

You are correct.  Pushing to the leaders list since this makes more sense
there.  I don't care much about the issues you have with past board
members, unless you are going to position them in way that focuses on being
constructive (learning from mistakes made in the past is constructive,
dwelling on them isn't).


> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact