[WASC-WAFEC] Links to history

vanderaj vanderaj vanderaj at owasp.org
Mon Nov 19 08:15:28 EST 2012

Hi folks,

I note that Christian again brings me up as some sort of evidence
against Aspect or someone or some company doing something I really
don't understand or care about. I don't know why there is such a focus
on this stuff and the past, but it's just absolute rubbish.

Christian, please stop referring to me in your mails about OWASP.
There's no conspiracy here when everything you posit is more easily
explained by changes in personal lives (like my daughter being born,
moving countries, marital situation associated with a health issue
I'm not going to disclose on a public mailing list, personal interests
changing, and when the personal itch to do something evaporates.)
Folks come and go from all vibrant open source projects. That is
expected and natural.

What is not expected is that I would be brought up as some sort of
evidence of I don't know what on a project I have nothing really to do
with, but wish only the best for. I bet this noise is a distraction
that the WAFEC contributors could easily do without.

Jeff and Dave from Aspect contributed greatly to the formation and
early years of OWASP, contributing many of their own materials that
are the basis of what most of you consider to be OWASP materials as if
these came unbidden from whole cloth. We all stand on the shoulders of
giants, including one 6'7" tall giant. I consider them friends, and I
had a great time living in the US whilst working for them. Does this
make me biased? You betchya.

Correlation is not causation. You can't hire secure coding ninjas
without hiring someone who has a longish history with OWASP even if
that history is not precisely with OWASP. Christian correctly points
out that Trustwave has this exalted position right now because they've
been hiring anyone with a pulse who can spell "code review", and guess
what, they hired OWASP project leads and other ninjas, too. And
accidentally a few zombies, because they forgot to take their pulse
before doing reference checks on LinkedIn but not noticing their
interest in brains along with a mandatory lolcats quota.

It's not surprising that at least a few long term project leaders /
contributors would be involved in committees or the board. Does this
mean OWASP is a stooge to vested interests? No one bothered to send me
the memo for sure. Not then, not now. The idea is ludicrous. I had to
register as an honorary member three times just so I could vote.
Organizations who can't keep a good record of project leads have no
chance of being led successfully by an underground secret cabal. The
very idea of a secret cabal leading OWASP (or this project!) makes me
smile a big broad grin whilst feeling sad for those who think there is
such a thing. Cat herding at its finest. If Mark Curphey couldn't do
it three times, what chance has anyone else got?

Seriously, firms are encouraged to make fees from performing services
based off freely available OWASP materials. This is the services model
that underpins the open source community. No one is forced to buy from
you, and if someone else does a better job, then they get the work.
Many DAST tools offer "OWASP Top 10" scans. Does anyone ping IBM or HP
or ... or ... for making money off OWASP materials? No, of course not.
Would I like to see IBM or HP offer to help WASC or OWASP more in
terms of contributing people to projects like Aspect or Trustwave do?
You betchya.

People use open source licensed OWASP materials in a way that
constantly surprises and amazes me. As a content creator who gives
away his effort in the hope it will be used, there's no higher reward.
Why the double standard for Aspect or Trustwave? I don't think it
really matters. Those who contribute are feted and promoted as per
every other open source project. I bet WASC is no different.

I wish the WASC guys and the WAFEC effort all the very best. They do
good work on an important topic, and those who do stuff ... win. I
look forward to seeing it finished and widely adopted.

Good luck folks!
