[Global_education_committee] [Owasp-leaders] Commercial delivery of courses based on OWASP materials

dinis cruz dinis.cruz at owasp.org
Thu May 13 20:16:12 EDT 2010


I would like to ask that this thread stays on the original 'Commercial
delivery of courses based on OWASP materials' topic and on the question I
asked.

There is another thread (started by Mike) which can be used for the
http://www.owasp.org/index.php/Commercial_Services idea

Dinis Cruz


On 14 May 2010 01:12, Mike Boberski <mike.boberski at gmail.com> wrote:

> Each tab (all five) include in bold italic at the top of each tab that
> OWASP does not endorse and so on.
>
> This is exactly in line with OWASP's mission to help people do informed
> things.
>
> Mike
>
>
> On Thu, May 13, 2010 at 8:10 PM, Brian Bertacini <
> brian at appsecconsulting.com> wrote:
>
>>  Hi Dinis,
>>
>> Some of the scenarios below create an appearance where OWASP will be
>> viewed as a commercial organization (just look at the name).
>>
>> Your proposal sounds like the PCI-SSC; collecting money to manage
>> and certify service providers.  The PCI-SSC has implemented a
>> quality assurance program and places service providers in a "Remediation
>> Status" for failing to meet defined quality standards.  Will OWASP be ready
>> to hire full time QA Analysts to police the Commercial Services
>> program?  This might be necessary to ensure consistent and high-quality
>> service delivery to protect the OWASP brand.  If I understand most of the
>> scenarios below, there is a requirement for commercial organizations to pay
>> OWASP an annual sponsorship/membership fee.  Like PCI, the annual fee is a
>> bigger burden for smaller service providers.  I could go on but I think you
>> get the point.
>>
>> Personally I like the concept of OWASP Commercial Services.  As a risk
>> management and information security professional I'm concerned about the risk
>> this introduces to the OWASP brand.
>>
>> My $.02,
>> Brian Bertacini
>> Bay Area OWASP Chapter
>>
>>  ------------------------------
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:
>> owasp-leaders-bounces at lists.owasp.org] On Behalf Of dinis cruz
>> Sent: Thursday, May 13, 2010 4:06 PM
>> To: owasp-leaders at lists.owasp.org
>> Cc: owasp-connections-committee;
>> global_education_committee at lists.owasp.org
>> Subject: [Owasp-leaders] Commercial delivery of courses based on
>> OWASP materials
>>
>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>> Connections Committee and Mike Boberski (who is trying to figure out the
>> best way to implement the OWASP Commercial Services
>> <http://www.owasp.org/index.php/Commercial_Services> idea))
>>
>> Question for you.
>>
>> Given the following scenario:
>>
>> "...
>> Company XYZ is delivering commercially (i.e. paid for) OWASP related
>> courses, such as for example: "OWASP Top 10", "Using OWASP WebGoat",
>> "Performing security assessments using the OWASP Testing Guide", "How to
>> use OpenSAMM in your organization", "OWASP ESAPI", "OWASP ASVS", etc...
>>
>>  - these courses are independently delivered at "NON
>> OWASP organized" events (for example a developer's Conference or bespoke
>> training sessions)
>>  - attendees have to pay to attend (i.e. these are NOT FREE or 'OWASP
>> only' events like the one we organized and delivered at the OWASP London
>> Chapter <http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY> last
>> month)
>>  - there is no mandatory direct financial return for OWASP (any payments
>> back to OWASP (if any at all) would have to be made at the discretion of
>> the organizing party)
>> ..."
>>
>> Given that a large part of the potential (paying) audience for these
>> courses is part of the existing OWASP community, namely the OWASP
>> Mailing lists and WIKI viewers, the organizing party would be
>> very interested in advertising the course details (curriculum, trainer,
>> delivery date, price, location, etc...) to the target OWASP project.
>>
>> Since this is a new area for OWASP, we have to make sure we handle this
>> in a way that is accepted/respected by our leaders and community.
>>
>> So my question to you is:
>>
>> What would be acceptable behaviour for the individuals or
>> companies organizing (and profiting from) these courses? (see
>> Variation+Options below)
>>
>> Variation A: the course is delivered by the Project's Leader as an
>> INDEPENDENT Trainer (this could also be a respected member of the OWASP
>> Community who: is an active/past contributor; is respected by their peers; and
>> is known to be very knowledgeable on the course's topic)
>>
>> Should he/she be able to:
>>
>>    Option 1: Buy advertisement space on www.owasp.org (i.e. the banner
>> that shows up at the top of the home page and the local chapters)
>>    Option 2: Send an email with the course's details to the respective
>> OWASP mailing list (i.e. Top-10, WebGoat, Testing Guide, openSamm, ESAPI,
>> ASVS). Assume that this is done with 'good taste' (i.e. no 'snake oil' or
>> super-sales pitch)
>>    Option 3: Include a mention of it in the next OWASP Newsletter
>>    Option 4: Put a direct link to it from the respective OWASP Project
>> (maybe on a section dedicated to these types of events)
>>    Option 5: Put a direct link from a Training page on the OWASP
>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services> section
>> of the OWASP website
>>
>>
>> Variation B: the course is delivered by the Project's Leader as a hired
>> employee/contractor for a 3rd party company
>>
>> (same 5 Options from Variation A)
>>
>>
>> Variation C: the course is delivered by an existing OWASP Corporate
>> Member or Education Supporter
>> <http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members>
>> (Company, University, etc..)
>>
>> (same 5 Options from Variation A)
>>
>>
>> Variation D: the course is delivered by a Governmental Organization
>> that is involved with OWASP (for example the Brazilian Government who
>> sponsored last year's OWASP Conference in Brazil)
>>
>> (same 5 Options from Variation A)
>>
>>
>>
>> Variation D: the course is delivered by a Governmental Organization
>> that is NOT part of the OWASP Community
>>
>> (same 5 Options from Variation A)
>>
>>
>> Variation E: the course is delivered by an Industry Body
>> that is NOT part of the OWASP Community (for example let's say that the
>> PCI Council decided to sell (and profit) from the delivery of OWASP Top 10
>> courses)
>>
>> (same 5 Options from Variation A)
>>
>>
>> Variation F: the course is delivered by a company/individual that is NOT
>> part of the OWASP Community (i.e. not a member, trainer is not an OWASP
>> Leader, nobody has really heard of them before)
>>
>> (same 5 Options from Variation A)
>>
>>
>>
>>
>> ------------------------------------------------------------------------------------
>>
>> Taking into account that we want as many people to be exposed to OWASP
>> materials and that there should be a direct relationship between the success
>> of these courses and the market penetration of the affected OWASP Projects
>> .....  from your point of view, which Variation+Options listed above:
>>
>>    i) are compatible with OWASP's values/independence and SHOULD be
>> allowed (but monitored to prevent abuses)
>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be allowed
>>   iii) should only be allowed with 'somebody's' (GEC, OWASP Board, Project
>> leader) permission / validation
>>   iv) should be allowed, BUT with the information located at very
>> specific locations (for example what happens with the OWASP Job Board
>> <http://www.owasp.org/index.php/OWASP_Jobs> or the OWASP
>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services>)
>>
>> Looking forward to hearing your answers and points of view
>>
>> Dinis Cruz
>> OWASP Board Member
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>

