[Global_industry_committee] CISO Survey @ AppSecEU

Jason Li jason.li at owasp.org
Thu Jun 9 21:34:29 EDT 2011


Rex,

Thanks for clarifying - that's good to hear.

As you know, many OWASP projects are directly supported and sponsored by a
variety of security companies. Just as with conference talks, OWASP tries to
limit the extent to which companies plaster their logo across projects.

For example, the OWASP Top Ten is an OWASP documentation project that
happens to be sponsored by Aspect Security. Aspect's logo appears as a small
icon on page three under the Acknowledgments section, along with
acknowledging other Top Ten contributors. It is in every way an
*OWASP* document, not an Aspect document. (Full disclosure - I am
employed by Aspect Security.)

I know we're both personally in sync with OWASP principles, so the buzz
about exclusivity had me confused.

One other clarification - I was unclear by what you meant by "the same kind
of agreement that we have with numerous other non-profits". By "we", do you
mean your company, or by "we" do you mean OWASP?

If you mean OWASP, I don't know that we actually have these kinds of
agreements for *services* like this, but I would suggest that the industry
committee use the same kind of standards we apply to conference talks and
projects. If you mean your company, I don't know what your company's typical
agreement implies, but I'm assuming it's consistent with OWASP principles.

I think it's great news that a company is interested in sponsoring this kind
of effort - good work on that front Rex!

I'm also glad that we're clearing out any misconceptions and concerns that
might have been buzzing their way around the conference.

-Jason

On Fri, Jun 10, 2011 at 2:01 AM, Rex Booth <rex.booth at owasp.org> wrote:

> Thanks for asking for clarification.
>
> Nobody will have exclusive rights to the results.  As with everything in
> OWASP, everything will be open.
>
> The only "exclusivity" being discussed is the co-branding of the final
> report.  My firm has volunteered to take responsibility for the survey
> execution, analysis and production (although we will certainly welcome
> assistance from others within OWASP).  Because we're doing the heavy
> lifting, we want to co-brand the survey with our logo.  This is the same
> kind of agreement that we have with numerous other non-profits for whom we
> perform such surveys and is similar to Aspect's co-branding of some ESAPI
> products.
>
> The results and report will be open and free, as always.
>
> Rex
>
>
> On 6/9/2011 8:22 PM, Jason Li wrote:
>
> Hey guys,
>
> I know that the GIC has been planning to gather feedback about a CISO
> survey at AppSecEU.
>
> I've heard some buzz at the conference that the company sponsoring the
> survey is going to have exclusive rights to results?! I'd be extremely
> concerned about a survey executed by OWASP where we don't retain the rights
> of distribution. It goes against the open principles of OWASP and has
> borderline potential for brand abuse.
>
> I know this kind of buzz typically gets blown out of proportion when word
> travels through the grapevine, so I wanted to get the full scoop directly
> from you guys.
>
> What's the real story?
>
> -Jason
>
>