[Esapi-user] OT: Questions/Comments on "OWASP Connector" and "Marketing Collateral"

Jeffrey Walton noloader at gmail.com
Fri Aug 2 08:12:03 UTC 2013

Hi All,

I have a few off-topic questions and comments since there does not
appear to be a "OWASP Members" mailing list that members can post to.
I don't want to submit it through the "Feedback Link" for the
Marketing Collateral project page because it appears to lack
transparency. I'm also including our board and other thought leaders.

The August 1 OWASP Connector had a subtitle on "Marketing Collateral".
I can't provide a link to the Connector because none is offered in the
emailing and there is no OWASP Connector mailing list (some are
located in OWASP Summit 2013). Apparently, the recipients of OWASP
Connector are auto-generated from OWASP mailing list memberships.

The "Marketing Collateral" is described as "... a marketing project we
have been working on with Sisterworks and Design Foundry...", and
provides a link to
https://www.owasp.org/index.php/Marketing/Community_Input. The wiki
page provides a link to a presentation at
There is a set of recommendations available at

The Background Research PDF states:

    The Open Web Application Security Project (OWASP) can be
    positioned for increased membership and organizational growth
    per the background research (phase 1) conducted by SisterWorks
    Publishing, LLC, (Sworks).

    Project GOALS
    1. Educate members about the value of open, security related resources
    2. Engage new audiences to drive membership growth and retention
    3. Encourage global collaboration and marketing synergy across the
        OWASP community

(1) What problem is trying to be solved?

  - Do OWASP members really need to be the focus of the education efforts?
  - Is the organization in the budgetary red?
    * Form 990 and friends are not easy to locate. The last year available on
      owasp.org appears to be from 2011.
  - Is membership on the decline?
  - What other problems exist?

(2) Where is the growth expected to take the organization

  - More chapters?
  - More projects?

(3) Is growth needed at this point?

  - The chapters I attend have experienced orthogonal results. They
    are growing faster than they can accommodate new members.
  - Should more projects be added just to grow the pool?

(4) Can the growth be accommodated at the chapter level?

  - The NoVA chapter had to turn away members for the June meeting
    covering "Security Automation at Twitter"
    * The AV equipment did not work, so the recorded session was lost, too.
  - The MD chapter is being resurrected, and they barely have money for

(5) What growth will occur at the national level?

  - What precisely is expected?
  - Is "growth" a guise for "increased revenue" for selected organizational

(6) What is being planned to better support the chapters during growth?

  - I've been trying to make an out-of-cycle chapter donation to MD and
    NoVA chapters since last year, and I am absolutely befuddled at the
    complexity (it damn near required a conference call with Kate or Jessica
    to figure out the steps)
    * Its noteworthy that the "donate" to OWASP proper (and not a chapter)
      is easy as one would expect.
  - Why are chapters purchasing their own Meetup memberships
  - The wiki template for chapter is broken
    * The "Paypal Donate" button leads to the broken donation (after
      nearly 10 steps and a number of emails explaining the process)
    * Both MD and NoVA appear to need more from the template, but no
       one has studied or addressed the gaps
  - The presentation did not mention the broken Paypal and Event
  - The presentation did not mention the lost conversions on

(7) What is being planned to better support projects during growth?

  - Last month (July 16), the OWASP Connector listed projects with broken
    home pages and no deliverables.
    * https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project
    * https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
  - This month (August 1) OWASP Connector has another broken project
and homepage
    * https://www.owasp.org/index.php/OWASP_Security_Principles_Project
  - What's the point of highlighting broken projects with broken home pages?
  - Where is the support (for example, documents and technical writers)
    to help produce quality deliverables?

(8) What is being planned for infrastructure during growth?

  - Are there plans for a web site design update?
    * Will it be limited to SEO enhancements?
  - As I understand it, OWASP uses Barracuda for spam filtering
    * It bounces legitimate legitimate messages when under load (for
      example, the replies to an OWASP connector mailing). Put another
     way, it DoS's itself.
    * This company is known to plant backdoors in their products. They
       don't even follow OWASP's guidance.
    * Why is OWASP business being conducted in Barracuda's cloud?
    * Legitimate emails are not approved when flagged by the system (I've sent
      them personally)
  - Why is Meetup related fodder (the servers and data) being housed at Meetup?
    Why are they not local where the data can be controlled?
  - Are there any plans to fix the broken Event system?

(9) Website

  - Some of the technical material in the wiki needs updating. What plans are
    there to ensure up to date information?
    * Bring in more folks to stale and out of date information appears to
      present a large opportunity for improvement.
  - A previous suggestion to highlight pages for possible updates via the
    Connector was not acted upon

(9) The organization lacks an identity

  - I'd expect a marketing campaign to address identity and scope
  - Is OWASP still limited to web apps and services?
    * It appear so from https://www.owasp.org/index.php/About_OWASP: "About
      The Open Web Application Security Project"
    * It appear so from the presentation, which only recognizes the
professional in
      the "web application security field"
  - Is it broader, like C and C++? I seem to recall Jack Mannino
telling us it was
    broader, and a mild name change was proposed or going to occur

(10) Social Media

  - I understand many folks want to thei 5 minutes of fame by press releasing
    through the social networking experiments, but can't we give it a break?
    * If you don't want your information grepped, fondled, aggregated,
     shared, abused, or mishandled, then you don't provide it in the first place
    * Don't force it upon others who want no part of it.
    * Mailing lists are semi-anonymous and provide archives (unlike social
      media sites, which want to hold the data close to their chest)
  - Will each chapter have to purchase their Hootsuite Pro membership?


  - I'm appalled the organization is considering spending money on cheap
    SEO tricks. Quality of content will ensure every search engine returns an
    OWASP page for free.
  - I'm damn near appalled the organization is considering spending money
    on junk emails. That's just what my inbox needs. I hope OWASP manages
    these proposed junk mailing better than the OWASP Connector list (read
    the notice/disclaimer at the bottom).
  - I can't express what I think about swapping links with "partners" to improve
    exposure and search results. I'm sure the standard disclaimers apply: we're
    swapping links for exposure and revenue but we don't endorse our partner
    or its products. Quality of content will ensure every search
engine returns an
    OWASP page without partnerships.
  - I hope the organization does not start selling ad space on its web pages.
    Its bad enough we are subjected to tracking with companies like ADZERK.

  - Will the optimizations ensure those looking for services get introduced to
    an OWASP member providing the service?
  - WIll the introductions be limited to select OWASP members, or can any
    member of OWASP use this for advertising and marketing at OWASP's

(12) Priorities

  - Should this even be a priority with capitol expenditures?
    * Looping back to (1), what problem is it solving?
  - http://dilbert.com/strips/comic/2008-10-05/

Finally, the new graphics look great.

Jeffrey Walton
Baltimore, MD, US

More information about the Esapi-user mailing list