[Esapi-user] OT: Questions/Comments on "OWASP Connector" and "Marketing Collateral"
noloader at gmail.com
Fri Aug 2 08:12:03 UTC 2013
I have a few off-topic questions and comments since there does not
appear to be an "OWASP Members" mailing list that members can post to.
I don't want to submit it through the "Feedback Link" for the
Marketing Collateral project page because it appears to lack
transparency. I'm also including our board and other thought leaders.
The August 1 OWASP Connector had a subtitle on "Marketing Collateral".
I can't provide a link to the Connector because none is offered in the
emailing and there is no OWASP Connector mailing list (some are
located in OWASP Summit 2013). Apparently, the recipients of OWASP
Connector are auto-generated from OWASP mailing list memberships.
The "Marketing Collateral" is described as "... a marketing project we
have been working on with Sisterworks and Design Foundry...", and
provides a link to
https://www.owasp.org/index.php/Marketing/Community_Input. The wiki
page provides a link to a presentation at
There is a set of recommendations available at
The Background Research PDF states:
The Open Web Application Security Project (OWASP) can be
positioned for increased membership and organizational growth
per the background research (phase 1) conducted by SisterWorks
Publishing, LLC, (Sworks).
1. Educate members about the value of open, security related resources
2. Engage new audiences to drive membership growth and retention
3. Encourage global collaboration and marketing synergy across the
(1) What problem is trying to be solved?
- Do OWASP members really need to be the focus of the education efforts?
- Is the organization in the budgetary red?
* Form 990 and friends are not easy to locate. The last year available on
owasp.org appears to be from 2011.
- Is membership on the decline?
- What other problems exist?
(2) Where is the growth expected to take the organization?
- More chapters?
- More projects?
(3) Is growth needed at this point?
- The chapters I attend have experienced orthogonal results. They
are growing faster than they can accommodate new members.
- Should more projects be added just to grow the pool?
(4) Can the growth be accommodated at the chapter level?
- The NoVA chapter had to turn away members for the June meeting
covering "Security Automation at Twitter"
* The AV equipment did not work, so the recorded session was lost, too.
- The MD chapter is being resurrected, and they barely have money for
(5) What growth will occur at the national level?
- What precisely is expected?
- Is "growth" a guise for "increased revenue" for selected organizational
(6) What is being planned to better support the chapters during growth?
- I've been trying to make an out-of-cycle chapter donation to MD and
NoVA chapters since last year, and I am absolutely befuddled at the
complexity (it damn near required a conference call with Kate or Jessica
to figure out the steps)
* It's noteworthy that the "donate" to OWASP proper (and not a chapter)
is easy as one would expect.
- Why are chapters purchasing their own Meetup memberships?
- The wiki template for chapters is broken
* The "Paypal Donate" button leads to the broken donation (after
nearly 10 steps and a number of emails explaining the process)
* Both MD and NoVA appear to need more from the template, but no
one has studied or addressed the gaps
- The presentation did not mention the broken Paypal and Event
- The presentation did not mention the lost conversions on
(7) What is being planned to better support projects during growth?
- Last month (July 16), the OWASP Connector listed projects with broken
home pages and no deliverables.
- This month (August 1) OWASP Connector has another broken project
- What's the point of highlighting broken projects with broken home pages?
- Where is the support (for example, documents and technical writers)
to help produce quality deliverables?
(8) What is being planned for infrastructure during growth?
- Are there plans for a web site design update?
* Will it be limited to SEO enhancements?
- As I understand it, OWASP uses Barracuda for spam filtering
* It bounces legitimate messages when under load (for
example, the replies to an OWASP connector mailing). Put another
way, it DoS's itself.
* This company is known to plant backdoors in their products. They
don't even follow OWASP's guidance.
* Why is OWASP business being conducted in Barracuda's cloud?
* Legitimate emails are not approved when flagged by the system (I've sent
- Why is Meetup-related fodder (the servers and data) being housed at Meetup?
Why are they not local where the data can be controlled?
- Are there any plans to fix the broken Event system?
- Some of the technical material in the wiki needs updating. What plans are
there to ensure up to date information?
* Bringing in more folks to address stale and out-of-date information appears to
present a large opportunity for improvement.
- A previous suggestion to highlight pages for possible updates via the
Connector was not acted upon
(9) The organization lacks an identity
- I'd expect a marketing campaign to address identity and scope
- Is OWASP still limited to web apps and services?
* It appears so from https://www.owasp.org/index.php/About_OWASP: "About
The Open Web Application Security Project"
* It appears so from the presentation, which only recognizes
the "web application security field"
- Is it broader, like C and C++? I seem to recall Jack Mannino telling us it was
broader, and a mild name change was proposed or going to occur
(10) Social Media
- I understand many folks want their 5 minutes of fame by press releasing
through the social networking experiments, but can't we give it a break?
* If you don't want your information grepped, fondled, aggregated,
shared, abused, or mishandled, then you don't provide it in the first place
* Don't force it upon others who want no part of it.
* Mailing lists are semi-anonymous and provide archives (unlike social
media sites, which want to hold the data close to their chest)
- Will each chapter have to purchase their Hootsuite Pro membership?
(11) From "SEO & CONTENT AUDIT FOR OWASP MARKETING STRATEGY"
- I'm appalled the organization is considering spending money on cheap
SEO tricks. Quality of content will ensure every search engine returns an
OWASP page for free.
- I'm damn near appalled the organization is considering spending money
on junk emails. That's just what my inbox needs. I hope OWASP manages
these proposed junk mailings better than the OWASP Connector list (read
the notice/disclaimer at the bottom).
- I can't express what I think about swapping links with "partners" to improve
exposure and search results. I'm sure the standard disclaimers apply: we're
swapping links for exposure and revenue but we don't endorse our partner
or its products. Quality of content will ensure every search engine returns an
OWASP page without partnerships.
- I hope the organization does not start selling ad space on its web pages.
It's bad enough we are subjected to tracking with companies like ADZERK.
- Will the optimizations ensure those looking for services get introduced to
an OWASP member providing the service?
- Will the introductions be limited to select OWASP members, or can any
member of OWASP use this for advertising and marketing at OWASP's
- Should this even be a priority with capital expenditures?
* Looping back to (1), what problem is it solving?
Finally, the new graphics look great.
Baltimore, MD, US