[Esapi-user] OT: Questions/Comments on "OWASP Connector" and "Marketing Collateral"
Tom Brennan - OWASP
tomb at owasp.org
Fri Aug 2 08:59:59 UTC 2013
Fantastic and topic-focused, thank you. The next face-to-face strategic session is in Hamburg, Germany.
We will add this to the agenda:
Please add more (everyone in the global community).
We as the board of volunteers are also concerned and are addressing many of the issues.
On Aug 2, 2013, at 1:12 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> Hi All,
> I have a few off-topic questions and comments since there does not
> appear to be a "OWASP Members" mailing list that members can post to.
> I don't want to submit it through the "Feedback Link" for the
> Marketing Collateral project page because it appears to lack
> transparency. I'm also including our board and other thought leaders.
> The August 1 OWASP Connector had a subtitle on "Marketing Collateral".
> I can't provide a link to the Connector because none is offered in the
> emailing and there is no OWASP Connector mailing list (some are
> located in OWASP Summit 2013). Apparently, the recipients of OWASP
> Connector are auto-generated from OWASP mailing list memberships.
> The "Marketing Collateral" is described as "... a marketing project we
> have been working on with Sisterworks and Design Foundry...", and
> provides a link to
> https://www.owasp.org/index.php/Marketing/Community_Input. The wiki
> page provides a link to a presentation at
> There is a set of recommendations available at
> The Background Research PDF states:
> The Open Web Application Security Project (OWASP) can be
> positioned for increased membership and organizational growth
> per the background research (phase 1) conducted by SisterWorks
> Publishing, LLC, (Sworks).
> Project GOALS
> 1. Educate members about the value of open, security related resources
> 2. Engage new audiences to drive membership growth and retention
> 3. Encourage global collaboration and marketing synergy across the
> OWASP community
> (1) What problem is trying to be solved?
> - Do OWASP members really need to be the focus of the education efforts?
> - Is the organization in the budgetary red?
> * Form 990 and friends are not easy to locate. The last year available on
> owasp.org appears to be from 2011.
> - Is membership on the decline?
> - What other problems exist?
> (2) Where is the growth expected to take the organization?
> - More chapters?
> - More projects?
> (3) Is growth needed at this point?
> - The chapters I attend have experienced orthogonal results. They
> are growing faster than they can accommodate new members.
> - Should more projects be added just to grow the pool?
> (4) Can the growth be accommodated at the chapter level?
> - The NoVA chapter had to turn away members for the June meeting
> covering "Security Automation at Twitter"
> * The AV equipment did not work, so the recorded session was lost, too.
> - The MD chapter is being resurrected, and they barely have money for
> (5) What growth will occur at the national level?
> - What precisely is expected?
> - Is "growth" a guise for "increased revenue" for selected organizational
> (6) What is being planned to better support the chapters during growth?
> - I've been trying to make an out-of-cycle chapter donation to MD and
> NoVA chapters since last year, and I am absolutely befuddled at the
> complexity (it damn near required a conference call with Kate or Jessica
> to figure out the steps)
> * It's noteworthy that the "donate" to OWASP proper (and not a chapter)
> is easy as one would expect.
> - Why are chapters purchasing their own Meetup memberships?
> - The wiki template for chapter is broken
> * The "Paypal Donate" button leads to the broken donation (after
> nearly 10 steps and a number of emails explaining the process)
> * Both MD and NoVA appear to need more from the template, but no
> one has studied or addressed the gaps
> - The presentation did not mention the broken Paypal and Event
> - The presentation did not mention the lost conversions on
> (7) What is being planned to better support projects during growth?
> - Last month (July 16), the OWASP Connector listed projects with broken
> home pages and no deliverables.
> * https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project
> * https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
> - This month (August 1) OWASP Connector has another broken project
> and homepage
> * https://www.owasp.org/index.php/OWASP_Security_Principles_Project
> - What's the point of highlighting broken projects with broken home pages?
> - Where is the support (for example, documents and technical writers)
> to help produce quality deliverables?
> (8) What is being planned for infrastructure during growth?
> - Are there plans for a web site design update?
> * Will it be limited to SEO enhancements?
> - As I understand it, OWASP uses Barracuda for spam filtering
> * It bounces legitimate messages when under load (for
> example, the replies to an OWASP connector mailing). Put another
> way, it DoS's itself.
> * This company is known to plant backdoors in their products. They
> don't even follow OWASP's guidance.
> * Why is OWASP business being conducted in Barracuda's cloud?
> * Legitimate emails are not approved when flagged by the system (I've sent
> them personally)
> - Why is Meetup related fodder (the servers and data) being housed at Meetup?
> Why are they not local where the data can be controlled?
> - Are there any plans to fix the broken Event system?
> (9) Website
> - Some of the technical material in the wiki needs updating. What plans are
> there to ensure up to date information?
> * Bring in more folks to stale and out of date information appears to
> present a large opportunity for improvement.
> - A previous suggestion to highlight pages for possible updates via the
> Connector was not acted upon
> (9) The organization lacks an identity
> - I'd expect a marketing campaign to address identity and scope
> - Is OWASP still limited to web apps and services?
> * It appears so from https://www.owasp.org/index.php/About_OWASP: "About
> The Open Web Application Security Project"
> * It appears so from the presentation, which only recognizes the
> professional in the "web application security field"
> - Is it broader, like C and C++? I seem to recall Jack Mannino
> telling us it was broader, and a mild name change was proposed or
> going to occur
> (10) Social Media
> - I understand many folks want their 5 minutes of fame by press releasing
> through the social networking experiments, but can't we give it a break?
> * If you don't want your information grepped, fondled, aggregated,
> shared, abused, or mishandled, then you don't provide it in the first place
> * Don't force it upon others who want no part of it.
> * Mailing lists are semi-anonymous and provide archives (unlike social
> media sites, which want to hold the data close to their chest)
> - Will each chapter have to purchase their Hootsuite Pro membership?
> (11) From "SEO & CONTENT AUDIT FOR OWASP MARKETING STRATEGY"
> - I'm appalled the organization is considering spending money on cheap
> SEO tricks. Quality of content will ensure every search engine returns an
> OWASP page for free.
> - I'm damn near appalled the organization is considering spending money
> on junk emails. That's just what my inbox needs. I hope OWASP manages
> these proposed junk mailing better than the OWASP Connector list (read
> the notice/disclaimer at the bottom).
> - I can't express what I think about swapping links with "partners" to improve
> exposure and search results. I'm sure the standard disclaimers apply: we're
> swapping links for exposure and revenue but we don't endorse our partner
> or its products. Quality of content will ensure every search engine
> returns an OWASP page without partnerships.
> - I hope the organization does not start selling ad space on its web pages.
> It's bad enough we are subjected to tracking with companies like ADZERK.
> - Will the optimizations ensure those looking for services get introduced to
> an OWASP member providing the service?
> - Will the introductions be limited to select OWASP members, or can any
> member of OWASP use this for advertising and marketing at OWASP's
> (12) Priorities
> - Should this even be a priority with capital expenditures?
> * Looping back to (1), what problem is it solving?
> - http://dilbert.com/strips/comic/2008-10-05/
> Finally, the new graphics look great.
> Jeffrey Walton
> Baltimore, MD, US