[Esapi-user] OT: Questions/Comments on "OWASP Connector" and "Marketing Collateral"

Owasp eoin.keary at owasp.org
Fri Aug 2 19:51:52 UTC 2013

Hi Jeffrey,
Great questions. I've tried to answer them (below), but I think we should work through your email at the board meeting in Hamburg.

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 2 Aug 2013, at 09:12, Jeffrey Walton <noloader at gmail.com> wrote:

> Hi All,
> I have a few off-topic questions and comments since there does not
> appear to be an "OWASP Members" mailing list that members can post to.
> I don't want to submit it through the "Feedback Link" for the
> Marketing Collateral project page because it appears to lack
> transparency. I'm also including our board and other thought leaders.
> The August 1 OWASP Connector had a subtitle on "Marketing Collateral".
> I can't provide a link to the Connector because none is offered in the
> emailing and there is no OWASP Connector mailing list (some are
> located in OWASP Summit 2013). Apparently, the recipients of OWASP
> Connector are auto-generated from OWASP mailing list memberships.
> The "Marketing Collateral" is described as "... a marketing project we
> have been working on with Sisterworks and Design Foundry...", and
> provides a link to
> https://www.owasp.org/index.php/Marketing/Community_Input. The wiki
> page provides a link to a presentation at
> https://www.owasp.org/images/7/7c/OWASP_Background-Research_Phase1_Final_(1).pdf.
> There is a set of recommendations available at
> https://www.owasp.org/images/c/c5/OWASP_Recommendations-Presentation2-April24.pdf.
> The Background Research PDF states:
>    The Open Web Application Security Project (OWASP) can be
>    positioned for increased membership and organizational growth
>    per the background research (phase 1) conducted by SisterWorks
>    Publishing, LLC, (Sworks).
>    ...
>    Project GOALS
>    1. Educate members about the value of open, security related resources
>    2. Engage new audiences to drive membership growth and retention
>    3. Encourage global collaboration and marketing synergy across the
>        OWASP community
> (1) What problem is trying to be solved?
We are attempting to raise awareness of the problem with application insecurity. This has been a minor success to date. We are a great bunch at preaching to each other. From experience, the problems are only getting worse or at best staying level.
This is also a rather narcissistic industry, as we love to invent new hacks etc., etc. and big ourselves up, but in the end it's the same old problems over and over.
>  - Do OWASP members really need to be the focus of the education efforts?
IMHO no. That is preaching to the choir.

>  - Is the organization in the budgetary red?
No, I don't believe it is. We have a couple of hundred grand in the USA checking accounts. We actually need to spend more on stuff that makes a difference!!
>    * Form 990 and friends are not easy to locate. The last year available on
>      owasp.org appears to be from 2011.
Sorry, I'm from the EU? No idea what that is, but we do get an external audit and tax returns on a regular basis to satisfy regulations.

>  - Is membership on the decline?
I don't think so. The EU chapters are growing.

>  - What other problems exist?
Focus on hacking. Not so much outreach to devs and the actual orgs which make frameworks and languages.
> (2) Where is the growth expected to take the organization?

More awareness? Better software? A euphoric society where hunger and crime are gone and we have secure software?
>  - More chapters?
That is community driven.

>  - More projects?
That is a good question. Lots of projects are shelfware, vapourware, and ego-boosting vehicles used to make the resume look better.
> (3) Is growth needed at this point?
>  - The chapters I attend have experienced orthogonal results. They
>    are growing faster than they can accommodate new members.
True but I'd never stop the flow of energy and awareness!!
>  - Should more projects be added just to grow the pool?
Yes and no. Anyone can start a project, but they need to pass tollgates to be an official OWASP project. Otherwise we have 100s of half-baked widgets.
> (4) Can the growth be accommodated at the chapter level?
Yes, why not?
>  - The NoVA chapter had to turn away members for the June meeting
>    covering "Security Automation at Twitter"
>    * The AV equipment did not work, so the recorded session was lost, too.

Ask for money to buy stuff. Such recordings are a benefit to all!!

>  - The MD chapter is being resurrected, and they barely have money for
>     refreshments.
As for money, I believe we should spend, spend, spend!! Why have money in the bank helping nobody but bankers!!

> (5) What growth will occur at the national level?
>  - What precisely is expected?
Organic, to be honest!!
>  - Is "growth" a guise for "increased revenue" for selected organizational
>    members?
Revenue may increase, but we should spend it... see above!
>  - Some of the technical material in the wiki needs updating. What plans are
>    there to ensure up to date information?
>    * Bring in more folks to stale and out of date information appears to
>      present a large opportunity for improvement.
>  - A previous suggestion to highlight pages for possible updates via the
>    Connector was not acted upon
> (9) The organization lacks an identity
>  - I'd expect a marketing campaign to address identity and scope
>  - Is OWASP still limited to web apps and services?
>    * It appears so from https://www.owasp.org/index.php/About_OWASP: "About
>      The Open Web Application Security Project"
>    * It appears so from the presentation, which only recognizes the
>      professional in the "web application security field"
>  - Is it broader, like C and C++? I seem to recall Jack Mannino telling us
>    it was broader, and a mild name change was proposed or going to occur
> (10) Social Media
>  - I understand many folks want their 5 minutes of fame by press releasing
>    through the social networking experiments, but can't we give it a break?
>    * If you don't want your information grepped, fondled, aggregated,
>     shared, abused, or mishandled, then you don't provide it in the first place
>    * Don't force it upon others who want no part of it.
>    * Mailing lists are semi-anonymous and provide archives (unlike social
>      media sites, which want to hold the data close to their chest)
>  - Will each chapter have to purchase their Hootsuite Pro membership?
> (https://www.owasp.org/images/4/48/OWASP-SEO-Content-Audit-Final-6-7-2013.pdf)
>  - I'm appalled the organization is considering spending money on cheap
>    SEO tricks. Quality of content will ensure every search engine returns an
>    OWASP page for free.
>  - I'm damn near appalled the organization is considering spending money
>    on junk emails. That's just what my inbox needs. I hope OWASP manages
>    these proposed junk mailing better than the OWASP Connector list (read
>    the notice/disclaimer at the bottom).
>  - I can't express what I think about swapping links with "partners" to improve
>    exposure and search results. I'm sure the standard disclaimers apply: we're
>    swapping links for exposure and revenue but we don't endorse our partner
>    or its products. Quality of content will ensure every search engine returns
>    an OWASP page without partnerships.
>  - I hope the organization does not start selling ad space on its web pages.
>    It's bad enough we are subjected to tracking with companies like ADZERK.
>  - Will the optimizations ensure those looking for services get introduced to
>    an OWASP member providing the service?
>  - Will the introductions be limited to select OWASP members, or can any
>    member of OWASP use this for advertising and marketing at OWASP's
>    expense?
> (12) Priorities
>  - Should this even be a priority with capital expenditures?
>    * Looping back to (1), what problem is it solving?
>  - http://dilbert.com/strips/comic/2008-10-05/
> Finally, the new graphics look great.
> Jeffrey Walton
> Baltimore, MD, US