[Owasp-testing] [Owasp-leaders] Flagship Project Status

Josh Sokol josh.sokol at owasp.org
Sat Jun 7 08:09:41 UTC 2014


Thanks for bringing this discussion to the leaders list.  I can certainly
see how someone, especially those running projects, would see this Flagship
status demotion as a hassle at best and perhaps even "catastrophic" as
Christian put it.  I was, admittedly, a bit skeptical of the value of such
an action when the idea was first brought to me, but upon further
consideration, I changed my mind.  People around the world have come to
respect the OWASP name as a trusted source for tools and documentation, but
when they come to our website, their experience can vary based on where
they land.  Think about how you'd feel if you downloaded an OWASP
"Flagship" document with outdated information or a "Flagship" tool that
actually created security vulnerabilities when you used it.  It becomes a
situation where the proverbial one rotten apple can spoil the entire
bunch.  Sure, you could make the argument that we could evaluate each
current Flagship project and then demote on a case-by-case basis, and you'd
probably be right, but as hard as the evaluator would try to be objective,
in the end someone is probably going to get upset and cry foul.  With this
action, we have leveled the playing field (so to speak) and the projects
that advance back to Flagship can do so under the full support of the
community.

I don't think that it's in anybody's best interest to be in this limbo
state for long and in the interests of expediting the process, I just threw
out some ideas on what "Flagship" means to me here:

http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011888.html

These are just suggestions, nothing set in stone, and I'm hoping that you
guys will follow up with your feedback and perhaps even your own
suggestions.  In a nutshell, how do we define a process that ensures that
when a person goes to OWASP and downloads a Flagship document, we know,
without hesitation, that it will be a high quality product that they can
rely on?  I'd say let's take the next week or so to solicit feedback from
the community, and then maybe you guys would be interested in helping to
assemble the pieces that make up the final process?  Johanna is already
working on putting the pieces in place for the code projects and I'm happy
to try to get the ball rolling on the documentation projects as well.  All
things considered, I bet we can have a process in place in the next 2-4
weeks.

~josh


On Fri, Jun 6, 2014 at 10:17 PM, Yvan Boily <yvanboily at gmail.com> wrote:

> On Fri, Jun 6, 2014 at 6:34 PM, Christian Heinrich <
> christian.heinrich at cmlh.id.au> wrote:
>
>> Yvan,
>>
>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>> > I am going to be pretty blunt about this.  Those examples were from 3 or
>> > more years ago.  I have been involved with OWASP for 10 years (at my
>> > earliest recollection, 2004, when I launched the Winnipeg chapter), and I
>> > have seen (on and off mailing lists) that left a bad taste in my mouth; that
>> > hasn't changed my desire to help my chapter be better, and to find ways to
>> > contribute.  There are always going to be people who use organizations like
>> > OWASP for self-aggrandizement, and there may even be corruption by some
>> > bad actors (I don't know the specifics).  If you are aware of ongoing
>> > corruption, then collect the evidence, and put a proposal forward to the
>> > group for a 3rd party audit of the organization and let the OWASP members
>> > voice their opinions.  Otherwise don't make claims that you can't back.
>>
>> You haven't disputed the evidence that I have put forth?
>>
>
> If *you* are aware of ongoing corruption, then *you* collect the evidence,
> and put forward a proposal for a review.  I am not going to.  I have a
> career, run a separate non-profit, contribute to owasp, organize several
> local groups, and have a family; I don't (and most of the other OWASP
> leaders probably don't) have time to investigate it for you.  I am happy
> with the direction that OWASP is going, and support the direction that the
> current board is moving in.  I am not going to do your work for you.
>
>
>>
>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>> > I don't know Dinis personally, but I have looked at O2 on several occasions
>> > since its release, and while it never took a huge place in my tool box I
>> > certainly see its value and appeal; OWASP should be supporting projects
>> > that are innovative and try new things.  It is unfortunate if money spent
>> > didn't have the desired outcome, but those are the breaks of funding
>> > research and development.  If OWASP didn't back new and experimental
>> > projects then it is entirely possible that Simon may not have brought ZAP to
>> > the table when figuring out where it should live.
>>
>> No, no and no.
>>
>> Dinis Cruz, as an OWASP Board Member, should *not* be allowed to
>> manage or lead his own OWASP Projects.
>
>
> Wait what? The people who are most invested in the success of their
> projects that are contributed to OWASP shouldn't be allowed take on a
> position of greater responsibility to ensure the success of the community
> in addition to their own project?  I don't know if you have leadership or
> management experience, but in general, you want to promote and/or recruit
> people that show initiative.
>
>
>>  Neither should he be allowed
>> to direct "charity" funds to the development of a commercial product
>> owned by Security Innovation.
>>
>
> I tend to agree (where "Security Innovation" is replaced with "a
> for-profit business").  So, take the initiative, collect the evidence, and
> build a case.
>
>
>>
>> Reread
>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>> that supports the above.
>>
>> Furthermore, OWASP should not hire the wife of Dinis Cruz's personal
>> friend, Paulo Coimbra i.e.
>> https://lists.owasp.org/pipermail/owasp-leaders/2011-January/004493.html
>> to assist with Security Innovation's commercial exploitation of OWASP when
>> http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html
>> has considerably more experience with OWASP.
>>
>> ... and who could forget Jeff Williams own opinion of Security
>> Innovation i.e.
>> https://lists.owasp.org/pipermail/owasp-leaders/2011-August/006011.html
>>
>> Sonatype was founded by former employees of 02 and Josh Corman worked
>> for Rugged Software.
>>
>> https://www.owasp.org/index.php/Rugged_Software <- WTF is this doing
>> on the OWASP Wiki? 0WASP "02 With Aspect Security Promotion"  :-)
>>
>> BTW No one except Dinis Cruz has any idea what 02 does and Dinis
>> doesn't help it when he references other well known projects, such as
>> HacmeBank.  Mark Curphey refers to this as [Dinis Cruz] "lost in 02
>> world".
>>
>
> So this is a stream of consciousness style write-up that doesn't really
> make clear sense to me without reading the supporting docs.
>
>>
>> I don't have an issue with Simon but the fact is Michael Coates, he
>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>> in the past.
>
>
> Yeah, you might want to educate yourself on the history of ZAP before you
> put your foot in your mouth.  Simon implemented ZAP before he was involved
> with OWASP, and made a strong positive contribution to OWASP out of the
> gate.
>
> I don't know why you want to drag my employer into this; all three of the
> people named were OWASP contributors before joining Mozilla, and actually
> ramped up their involvement after joining Mozilla.
>
>
>> In Simon's defence he probably didn't know about
>> WebScarab because OWASP didn't help with the promotion of known
>> projects since Dinis Cruz hired personal friends to promote his
>> own projects.
>>
>
> Sorry to break it to you, but no amount of promotion would have saved
> WebScarab.  It was a powerful and flexible tool, but it had a painful UI, a
> terrible learning curve.  ZAP is successful because it was a natural
> progression of an effectively abandoned (but still popular) tool, a
> generous helping of new features, and a lot of UI love.
>
>
>>
>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>> > I won't speak for the past, but the current efforts to update and refresh
>> > OWASP practices and policies have been sorely needed, and come at a time
>> > when people are seriously questioning whether or not OWASP brings value to
>> > the industry.  OWASP needs to put a better foot forward, and part of that is
>> > recognizing projects that should bear the benefit of the OWASP brand, *and*
>> > keeping those products (whether they are tool, library, or doc projects)
>> > accountable to maintain their status as a 'gold-star' tool.
>>
>>
>> Yeah, so in essence what Jim is now doing is what Dinis Cruz should
>> have completed three years ago but didn't.
>>
>
> Again, what?  You are complaining that a current board member is doing
> something you felt was long needed?  I am not sure what your point is.
> Dinis isn't on the board.  Focusing your aggression and frustration on a
> single individual (or a small group of individuals) really detracts from any
> significant point you are trying to make.  I have yet to see a single
> constructive point come out of anything you have said in this thread.  That
> deficiency, by the way, coupled with your accusations and tone are the main
> reasons I felt the need to respond.  You aren't contributing in a
> constructive fashion, you are actively undermining folks (Jim, Johanna)
> that are, and you are wasting people's time.
>
>
>>
>> The OWASP Testing Guide is a documentation project and as far as I am
>> aware is out of being demoted now?
>>
>
> If so, it is my opinion that it is a mistake; once the clearly defined
> criteria for being a flagship project are available, the projects should be
> made to apply, with no grandfathering.  This forces projects to meet a
> quality assurance guideline that means something.
>
>
>>
>> On Sat, Jun 7, 2014 at 1:05 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>> > If you think putting in some basic effort to preserve the OWASP brand is an
>> > unnecessary burden, then I question your commitment to protecting OWASP,
>> > not the team working on the QA project.
>>
>> http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html
>> <- Yeah, Dinis Cruz just wants to see the world burn.
>>
>
>> BTW I don't see how your reply is relevant to the OWASP Testing Guide.
>>
>
> I reference the testing guide a fair bit.  I have designed several
> training courses that reference them; I am interested in seeing the Guide
> remain a flagship project, but not at the expense of seeing a process
> implemented that says the 'Flagship' stamp actually means something.
>
> You are correct.  Pushing to the leaders list since this makes more sense
> there.  I don't care much about the issues you have with past board
> members, unless you are going to position them in a way that focuses on being
> constructive (learning from mistakes made in the past is constructive,
> dwelling on them isn't).
>
> Cheers,
> Yvan
>
>
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>>
>
>