[Owasp-testing] Flagship Project Status

Jason Flood jasoneflood at gmail.com
Sat Jun 7 12:05:51 UTC 2014

Hello Everyone,

I've been watching this mail thread evolve in a mixture of shock and
disappointment. I have been the leader of a volunteer security group in
Dublin, I've been attacked, I've been publicly questioned, I've been
insulted. As the leader my hands were tied, as I was supposed to raise
myself above the natural human reaction I wanted to have. In times like
this it was great when the community itself would *jump in* and define what
it would tolerate from its members, both at a project level but also at
the human level of how we engage and communicate with each other.

In this group - I am not on the board. I am one of the voices, freed from
the constraints of political correctness and being the "better man".

I have witnessed highly insulting name calling with the *turncoat*
statement, potentially professionally damaging statements about disgruntled
employee behavior, organisational corruption insinuated with the nepotism
theories [without reference to the skill sets of those hired] even leaning
towards accusing someone of embezzlement of funds.

The tone, the attitude and sentiment of these communications need to stop.
The corruption "facts" need to be elevated out of this arena, and into a
far more formalized process. Public slander should not be tolerated at any
level, least of all between the OWASP community itself. Jokes and jibes are
part and parcel of any group. I do not see the humor in this thread. Just

We are a very small community - I've met Simon, twice. I saw Dinis once at
an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
project to bring into my day job to help with automation, but at the time I
found it a bit prototypy for a rollout. I have not looked at it since. It
could be great now, it could be worse.

I am stating this so you can understand I am not friends, or married to
cousins of key stakeholders or go for walks with OWASP board members' dogs.
My opinions are my own. My LinkedIn profile is at least 4 years out of
date, I don't do Facebook - so apologies to the background checkers. The
hostile nature of this communication thread needs to end. I'll go even one
step further - and explain myself in World cup terms.

In my opinion - someone has just been tackled in the box and the striker
has gone down. The referee has to make the decision. Was there a foul
committed or did the striker take a dive? One thing is certain, at this
point it's not OK to wave play on.

Compile your evidence of corruption. Send it discreetly to the board. Let
the powers that be evaluate it.  If the allegations are determined to be
unjustified - it's either a red card offence or a yellow, the referee can
decide. Or there is a penalty due that will change the course of the game.

Arguably if this matter had been handled more discreetly I do not think
a yellow/red card would be justified irrespective of the result. At this
point I am not so sure. People should question and protest, it's how they
question - the medium they choose, and their approach that is subject to

I also do not believe any project status should be above review. I think
downgrading everything - and then upgrading was potentially the fairest and
cleanest approach. Surely that technique is symbolic that the OWASP board
are not playing favorites.
I will not get involved in any further communication on this thread. I will
not reply to any response to this note. This is a toxic hostile thread that
needs to stop in its current format. Compile the evidence, put it forward
and OWASP should clean house to suit the desired result of the inquiry.


On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:

>> I don't have an issue with Simon but the fact is Michael Coates, him
>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>> in the past.  In Simon's defence he probably didn't know about
>> WebScarab because OWASP didn't help with the promotion of known
>> projects since Dinis Cruz hired personal friends to promote his
>> own projects.
> On the contrary, I was very aware of WebScarab and its importance to OWASP
> at the time - I half expected my application for ZAP to become an OWASP
> project to be rejected due to the clear overlap with WebScarab.
> I wanted to create a powerful but easy to use security tool for
> developers, and I seriously considered using WebScarab as the basis for
> that tool.
> However while WebScarab had much more of the functionality that I wanted
> than Paros did, I found WebScarab very complicated and unintuitive.
> I decided that I would rather add functionality to Paros than try to make
> WebScarab easier to use, and I've not regretted that decision :)
> I do agree that OWASP has not been very effective at promoting any of its
> projects, including ZAP.
> However I'm not going to point fingers at any individuals.
> OWASP is primarily a volunteer organization, and it's up to all of us to
> address issues that we are concerned with.
> While I think OWASP could do a better job of promoting all of its projects
> I don't have any big ideas how that could be achieved - marketing is not my
> area of expertise ;)
> I don't like criticizing unless I can offer constructive alternatives.
> Cheers,
> Simon
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

Beware the anger of the patient man.
