[Esapi-user] OT: Questions/Comments on "OWASP Connector" and "Marketing Collateral"

Tom Brennan - OWASP tomb at owasp.org
Fri Aug 2 08:59:59 UTC 2013

Fantastic and topic focused thank you.  The next face-to-face strategic session is in Hamburg, Germany.

We will add this to the agenda: 

Please add more (everyone in the global community)

We as the board of volunteers are also concerned and addressing many of the issues.

Semper Fi,

Tom Brennan
(t) 973-202-0122
(w) www.spiderlabs.com

On Aug 2, 2013, at 1:12 AM, Jeffrey Walton <noloader at gmail.com> wrote:

> Hi All,
> I have a few off-topic questions and comments since there does not
> appear to be a "OWASP Members" mailing list that members can post to.
> I don't want to submit it through the "Feedback Link" for the
> Marketing Collateral project page because it appears to lack
> transparency. I'm also including our board and other thought leaders.
> The August 1 OWASP Connector had a subtitle on "Marketing Collateral".
> I can't provide a link to the Connector because none is offered in the
> emailing and there is no OWASP Connector mailing list (some are
> located in OWASP Summit 2013). Apparently, the recipients of OWASP
> Connector are auto-generated from OWASP mailing list memberships.
> The "Marketing Collateral" is described as "... a marketing project we
> have been working on with Sisterworks and Design Foundry...", and
> provides a link to
> https://www.owasp.org/index.php/Marketing/Community_Input. The wiki
> page provides a link to a presentation at
> https://www.owasp.org/images/7/7c/OWASP_Background-Research_Phase1_Final_(1).pdf.
> There is a set of recommendations available at
> https://www.owasp.org/images/c/c5/OWASP_Recommendations-Presentation2-April24.pdf.
> The Background Research PDF states:
>    The Open Web Application Security Project (OWASP) can be
>    positioned for increased membership and organizational growth
>    per the background research (phase 1) conducted by SisterWorks
>    Publishing, LLC, (Sworks).
>    ...
>    Project GOALS
>    1. Educate members about the value of open, security related resources
>    2. Engage new audiences to drive membership growth and retention
>    3. Encourage global collaboration and marketing synergy across the
>        OWASP community
> (1) What problem is trying to be solved?
>  - Do OWASP members really need to be the focus of the education efforts?
>  - Is the organization in the budgetary red?
>    * Form 990 and friends are not easy to locate. The last year available on
>      owasp.org appears to be from 2011.
>  - Is membership on the decline?
>  - What other problems exist?
> (2) Where is the growth expected to take the organization
>  - More chapters?
>  - More projects?
> (3) Is growth needed at this point?
>  - The chapters I attend have experienced orthogonal results. They
>    are growing faster than they can accommodate new members.
>  - Should more projects be added just to grow the pool?
> (4) Can the growth be accommodated at the chapter level?
>  - The NoVA chapter had to turn away members for the June meeting
>    covering "Security Automation at Twitter"
>    * The AV equipment did not work, so the recorded session was lost, too.
>  - The MD chapter is being resurrected, and they barely have money for
>     refreshments.
> (5) What growth will occur at the national level?
>  - What precisely is expected?
>  - Is "growth" a guise for "increased revenue" for selected organizational
>    members?
> (6) What is being planned to better support the chapters during growth?
>  - I've been trying to make an out-of-cycle chapter donation to MD and
>    NoVA chapters since last year, and I am absolutely befuddled at the
>    complexity (it damn near required a conference call with Kate or Jessica
>    to figure out the steps)
>    * It's noteworthy that the "donate" to OWASP proper (and not a chapter)
>      is easy as one would expect.
>  - Why are chapters purchasing their own Meetup memberships?
>  - The wiki template for chapters is broken
>    * The "Paypal Donate" button leads to the broken donation (after
>      nearly 10 steps and a number of emails explaining the process)
>    * Both MD and NoVA appear to need more from the template, but no
>       one has studied or addressed the gaps
>  - The presentation did not mention the broken Paypal and Event
>    donations
>  - The presentation did not mention the lost conversions on
>    donations
> (7) What is being planned to better support projects during growth?
>  - Last month (July 16), the OWASP Connector listed projects with broken
>    home pages and no deliverables.
>    * https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project
>    * https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
>  - This month (August 1) OWASP Connector has another broken project
>    and homepage
>    * https://www.owasp.org/index.php/OWASP_Security_Principles_Project
>  - What's the point of highlighting broken projects with broken home pages?
>  - Where is the support (for example, documents and technical writers)
>    to help produce quality deliverables?
> (8) What is being planned for infrastructure during growth?
>  - Are there plans for a web site design update?
>    * Will it be limited to SEO enhancements?
>  - As I understand it, OWASP uses Barracuda for spam filtering
>    * It bounces legitimate messages when under load (for
>      example, the replies to an OWASP connector mailing). Put another
>      way, it DoS's itself.
>    * This company is known to plant backdoors in their products. They
>       don't even follow OWASP's guidance.
>    * Why is OWASP business being conducted in Barracuda's cloud?
>    * Legitimate emails are not approved when flagged by the system (I've sent
>      them personally)
>  - Why is Meetup related fodder (the servers and data) being housed at Meetup?
>    Why are they not local where the data can be controlled?
>  - Are there any plans to fix the broken Event system?
> (9) Website
>  - Some of the technical material in the wiki needs updating. What plans are
>    there to ensure up to date information?
>    * Bring in more folks to stale and out of date information appears to
>      present a large opportunity for improvement.
>  - A previous suggestion to highlight pages for possible updates via the
>    Connector was not acted upon
> (9) The organization lacks an identity
>  - I'd expect a marketing campaign to address identity and scope
>  - Is OWASP still limited to web apps and services?
>    * It appears so from https://www.owasp.org/index.php/About_OWASP: "About
>      The Open Web Application Security Project"
>    * It appears so from the presentation, which only recognizes the
>      professional in the "web application security field"
>  - Is it broader, like C and C++? I seem to recall Jack Mannino
>    telling us it was broader, and a mild name change was proposed or
>    going to occur
> (10) Social Media
>  - I understand many folks want their 5 minutes of fame by press releasing
>    through the social networking experiments, but can't we give it a break?
>    * If you don't want your information grepped, fondled, aggregated,
>      shared, abused, or mishandled, then you don't provide it in the first place
>    * Don't force it upon others who want no part of it.
>    * Mailing lists are semi-anonymous and provide archives (unlike social
>      media sites, which want to hold the data close to their chest)
>  - Will each chapter have to purchase their Hootsuite Pro membership?
> (https://www.owasp.org/images/4/48/OWASP-SEO-Content-Audit-Final-6-7-2013.pdf)
>  - I'm appalled the organization is considering spending money on cheap
>    SEO tricks. Quality of content will ensure every search engine returns an
>    OWASP page for free.
>  - I'm damn near appalled the organization is considering spending money
>    on junk emails. That's just what my inbox needs. I hope OWASP manages
>    these proposed junk mailing better than the OWASP Connector list (read
>    the notice/disclaimer at the bottom).
>  - I can't express what I think about swapping links with "partners" to improve
>    exposure and search results. I'm sure the standard disclaimers apply: we're
>    swapping links for exposure and revenue but we don't endorse our partner
>    or its products. Quality of content will ensure every search
>    engine returns an OWASP page without partnerships.
>  - I hope the organization does not start selling ad space on its web pages.
>    It's bad enough we are subjected to tracking with companies like ADZERK.
>  - Will the optimizations ensure those looking for services get introduced to
>    an OWASP member providing the service?
>  - Will the introductions be limited to select OWASP members, or can any
>    member of OWASP use this for advertising and marketing at OWASP's
>    expense?
> (12) Priorities
>  - Should this even be a priority with capital expenditures?
>    * Looping back to (1), what problem is it solving?
>  - http://dilbert.com/strips/comic/2008-10-05/
> Finally, the new graphics look great.
> Jeffrey Walton
> Baltimore, MD, US