[Owasp_project_leader_list] OWASP Project Manager Report: March 28, 2014

Jim Manico jim.manico at owasp.org
Sun Mar 30 10:02:25 UTC 2014


Samantha,

I did contact you personally, you said "thanks for the input" and then
proceeded to post your weekly update announcing a major review effort
underway using this (what I feel to be) very incorrect form. This led me to
dig further and see other things that concern me so I went to the board. At
this juncture Sarah chimed in and dismissed my concerns saying, "do
something about it" instead of acknowledging my concerns.

As the production quality projects I curate languish in incubator for many
months, and ESAPI-untouched stays at the helm of flagship, (not to mention
thousands of foundation dollars wasted on an ESAPI hackathon that wasn't),
I made the conscious decision to go public. Hyper-transparency is not
always comfortable, but it's the core of the open source mission.

I did not once attack your personality; this is a professional concern, and
a very serious one. I'm only going to get louder about this until something
more effective is done. I am sorry if you disapprove of my methods or were
offended.

Let me ask you this: why do you think I'm doing this? Please note I've been
a Java developer since 1997 and I *really* care about web security from an
"enabling programmers" point of view, something very underserved at OWASP. So
I don't just complain, I do something about it through great, consistent
multi-year efforts. And at this point I see you as a blocker preventing me
from accomplishing the OWASP mission in this regard.

--
Jim Manico
@Manicode
(808) 652-3805

On Mar 29, 2014, at 4:19 PM, Samantha Groves <samantha.groves at owasp.org>
wrote:

Agreed. You should have probably spoken to me directly instead of posting
10 rants on public mailing lists. That would have probably been the more
respectable and professional thing to do. I did just spend 4 days with
after all.


On Sat, Mar 29, 2014 at 3:45 AM, Jim Manico <jim.manico at owasp.org> wrote:

>  Samantha,
>
> I am not on the board of technical directors because it is a deep conflict
> of interest since I manage so many OWASP technical projects. I invest tons
> of energy and time as an OWASP volunteer in many other ways. I have
> provided *criteria* for technical project evaluations on several
> occasions throughout the years as well. Technical evaluation is just one
> criterion of quality, and yes I've reviewed all the links you shared and
> think you are mostly on the right track with your evaluation teams.
>
> Samantha, evaluating the quality of an OWASP project using OpenSAMM, a
> Software Development Lifecycle evaluation criterion, seems so far from the
> mission of evaluating projects for quality, I felt I needed to step up and
> speak out so we stop this practice immediately and move to a quality-based
> evaluation.
>
> The *measurement* of projects for quality is, per my understanding, the
> main reason we hired you. You have done a great job of building teams to
> work on this, but I implore you to condense the evaluation form into one
> form for each type of project, and minimize the OpenSAMM questions. I am
> loud about this because I see the evaluations underway already and we need
> to streamline this process into something that is scalable and effective.
>
> I realize you are managing 177 projects *and more*. We may want to change
> your focus from traveling to conferences (since we hired Laura Grau to
> manage conferences) so you can focus more on your project management
> duties. This is of course Sarah's call.
>
> I have no problem with your critique of my personality, that's fine. But
> that does not change the fact that we desperately need proper quality
> evaluation of projects and I implore you to heed my advice. I see in your
> report that you are about to undertake a review of all flagships, that is
> another reason why I am loudly suggesting you change course and stop using
> the OpenSAMM criteria.
>
> - Jim
>
>  Jim,
>
>  I am sorry to disappoint you, but no you were not the only leader to
> throw a tantrum on the staff this week. You certainly were one of them, but
> not the only one. I deal with over 100 leaders in any given day so to
> assume that my reports are only about your actions is very inaccurate.
>
>  Now, I appreciate your concerns, and if you would take the time to read
> about the very hard work our community members have accomplished (mainly
> our technical project advisors <http://owasp.blogspot.com/2013/09/meet-our-new-technical-project-advisors.html> who
> are very "Technical") that were brought together after you refused to help
> me put this assessment criteria together after yet another tantrum of
> yours, you would know the hard work that went into creating this
> system/criteria. I recommend familiarizing yourself with the process before
> making very inaccurate assumptions about what is actually happening.
>
>  What the advisors did at the summit <https://www.owasp.org/images/c/c3/OWASP_2013_PROJECT_SUMMIT_REPORT.pdf>: pg. 25
>
>  Definition of assessments/reviews: Chapter 7 <https://www.owasp.org/images/d/d8/PROJECT_LEADER-HANDBOOK_2014.pdf>
>
>  Jim, I love and respect you as a person, but this behavior is very
> detrimental to our community and serves no purpose other than to alienate
> very hard working volunteers that are taking on a task that has not been
> able to be managed in a very long time (even before my time here) due to
> the large amount of projects we have in our inventory and the lack of
> resources we have as an organization. You, as one of our Board of
> Directors, should know this better than anyone in our community. If you
> have a better way of managing this, then by all means recommend it. Just
> remember, I am not managing 5 projects, I am managing 177 and our system
> must accommodate them all.
>
>  I implore you to take a step back, and think about what your actions are
> actually accomplishing.
>
>  With respect,
>
>  Samantha
>
> On Fri, Mar 28, 2014 at 11:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>>  Samantha,
>>
>> In this report you say:
>>
>> "My suggestion to those that are so very quick to criticize the hard
>> work of others is to please familiarize yourself with the actual efforts
>> that have gone into these endeavors. If you see an issue with something
>> that we have done, please let us know, and I welcome you to pitch in and
>> help out. Many of our processes and procedures are dependent on volunteer
>> contributions, and if we have no support in these areas, then there isn't
>> much we can do on the operations side as the resources we require are
>> simply not available."
>>
>> That was most certainly me. I have been concerned that the various code
>> projects at the flagship level are not deserving of that status. I have
>> also requested that several projects I assist or manage be evaluated and
>> it's been 6+ months with no activity on that front - or better put, as a
>> project manager of 3 OWASP projects that I've requested evaluation for, no
>> one has contacted me as a project manager about the status of those
>> reviews, so I imagine other project managers in this situation have gotten
>> the same.
>>
>> What made me flip from "patience on this" to "alerting the board and
>> Sarah that I am very concerned about what is going on" is that finally when
>> you asked me to distribute a form to help folks evaluate Dependency Check,
>> it was nonsensical. It was a list of OpenSAMM categories that should be
>> used to evaluate a company's SDLC; categories that really have nothing to
>> do with OWASP project quality evaluation. It makes me ask, what is going
>> on? And I'm very upset that this form is being used to evaluate other
>> projects; it's a step in the wrong direction. I'd like to see this fixed
>> really soon.
>>
>> Thank you.
>> - Jim
>>
>>
>>
>> On 3/29/14, 8:53 AM, Samantha Groves wrote:
>>
>>  Hello Leaders,
>>
>> Below is the link to my weekly projects report. Please reach out to me if
>> you have any questions about any of the items in the report, and I will do
>> my best to answer them.
>>
>> Projects Weekly Report: March 28, 2014 <https://www.owasp.org/index.php/Projects/Reports/2014-28-03>
>>
>> Have a great weekend.
>>
>> Thank you, Leaders.
>>
>> Samantha
>>
>>  --
>>
>> *Samantha Groves, MBA*
>>
>> *OWASP Projects Manager*
>>
>>
>>  The OWASP Foundation
>>
>> Phoenix, USA
>>
>> Email: samantha.groves at owasp.org
>>
>> Skype: samanthahz
>>
>>
>>  OWASP Global Projects <https://www.owasp.org/index.php/Category:OWASP_Project>
>>
>> Book a Meeting with Me <http://goo.gl/mZXdZ>
>>
>> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>
>> New Project Application Form <http://www.tfaforms.com/263506>
>>
>>  _______________________________________________
>> Owasp_project_leader_list mailing list
>> Owasp_project_leader_list at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_project_leader_list
>>
>>
>>
