[Governance] Fwd: [Owasp-leaders] OWASP Branding & Twitter thread from Dinis

Michael Coates michael.coates at owasp.org
Fri Aug 14 18:54:52 UTC 2015


Seems a discussion on the policy is good.

The fact of the matter is that OWASP is global and getting bigger by the
day. We need a basic amount of structure and guidance on the expectations
of our community. These shouldn't inhibit our volunteers in unreasonable
ways and they also shouldn't enable individuals to compromise core beliefs
of our organization.

At a high level we need some guidance. Without any policy things quickly
get confusing as no expectations are set and even "the best of intentions"
sends things sideways.

I'm concerned that splitting hairs over what is a "vendor" and what isn't
will lead to more frustration and confusion. So I think that the policy as
is is probably best. I

Regarding Paul's suggestion, we don't have to "police" as much, but perhaps
there just needs to be a way of having checks and balances. OWASP is vendor
neutral - if something doesn't look right then reach out to staff via X and
they can help provide some clarity.




--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board
Join me at AppSecUSA <http://AppSecUSA.org> 2015 in San Francisco!




On Fri, Aug 14, 2015 at 11:48 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Should we differentiate speaker agreements between chapters, regional
> conferences, and national conferences?
>
> Paul, I am also leaning towards #2 for chapters, but maybe something
> different for national conferences.
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>
> On Aug 14, 2015, at 6:08 AM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>
> To OWASP Board & Governance:
>
> Well, over the past year, I've learned a 'thick skin' is often needed here
> at OWASP.
>
> On the issue of "reminding chapter leaders to abide by the logo & branding
> policies".....I think we can all see that several strong OWASP supporters
> and leaders in the community are opposed to the policy, and state that they
> are 'ignoring' it.
>
> I'm looking for a 'consensus' decision from the leadership team on how we
> should proceed at the Staff level.
> Several on the Board have asked us on Staff to "follow through" on the
> Branding policy.....but I'd like to see if that is still a priority given
> this community feedback?
>
> 1.  We can continue to push on the rule as it sits....but its clear that
> will be disruptive to our core mission.
>
> 2.  We can 'back off' and just allow the chapter leaders to implement 'as
> they see fit' in their chapter.  Do nothing approach.
> >>  Verbally remind them of the policy, but take no policing action.
>
> 3.  We can change or modify the policy to cover the 'code of ethics' issue
> of 'no commercialism'.
>
> >>  One suggested change would be to simply ADD an "OWASP Disclaimer"
> slide or statement for use at the beginning of Chapter meetings / trainings
> / or presenter talks.
> Something like this.....several are already spread throughout the Wiki.
>
> *OWASP Policy & Disclaimer* - OWASP is a worldwide not-for-profit
> charitable organization focused on improving the security of software. We
> operate under a 'no commercialisation, vendor neutral' policy and we do not
> endorse products or services. We gratefully acknowledge the support of our
> Sponsors, Volunteers and Contributors (i.e. Speakers) in the pursuit of our
> mission.
>
> Paul's opinion:   Policy policing is important, but needs to be measured
> against the disruption caused in the community.  I am leaning toward #2,
> simply because I'd rather focus on OWASP mission & objectives.
>
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org
>
>
> ---------- Forwarded message ----------
> From: Tony Turner <tony.turner at owasp.org>
> Date: Fri, Aug 14, 2015 at 8:34 AM
> Subject: Re: [Owasp-leaders] OWASP Branding & Twitter thread from Dinis
> To: Josh Sokol <josh.sokol at owasp.org>
> Cc: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
>
>
> So what Josh is saying, is we need to invent more bureaucracy to deal with
> the bureaucracy...
>
> Just stop the madness already so we can get back to our mission. The logo
> requirement is dumb. I have never enforced it in Orlando chapter and I
> never will. As long as the content is useful and not salesy and furthers
> the OWASP mission I could give two carps whether your logo is on every
> slide. It's only vendor biased if you don't allow competing vendors to
> present as well, or the content clearly favors a vendor product. How does
> having a logo on a slide show vendor favoritism? It doesn't, but some folks
> here want to cry foul every time someone glances at a pretty
> girl/boy/person. Leave our presenters alone, you are HINDERING the OWASP
> mission. Just stop it already!
>
> On Fri, Aug 14, 2015 at 11:22 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> I think I see both sides of this pretty well.  On one hand, you have
>> people contributing to the Foundation either through their work efforts or
>> with money and some recognition for their contributions is definitely
>> deserved.  On the other hand, vendor neutrality is a key part of OWASP's
>> mission so that the community can get unbiased content from a trusted
>> source.  There is no clear and easy answer, however.  What I would like to
>> propose is that those representing both sides of this critical issue form a
>> new committee to discuss OWASP branding policies and procedures and
>> ultimately generate a revised policy that hopefully addresses these
>> issues.  Our policies as they are today suggest that we err on the side of
>> vendor neutrality and the staff is only enforcing those policies that have
>> been laid out before them.  Please do not fault them for that.  Instead of
>> complaining about the policies that exist, it would be far more beneficial
>> for those involved in this discussion to put those efforts into coming up
>> with a compromise that ideally addresses the concerns of everybody in a
>> vendor neutral way.  Some ideas off the top of my head:
>>
>>    - Clear labeling of the contribution and what was received for the
>>    contribution in the spirit of transparency.
>>    - Disclaimers on any page with a corporate logo that OWASP does not
>>    endorse the vendor/product.
>>    - Descriptions of what types of logos are appropriate, sizes,
>>    locations, etc.
>>
>> Attribution is a good thing.  It encourages more participation by
>> rewarding those who put in the efforts.  Vendor neutrality is a good
>> thing.  It is the reason why the community trusts OWASP for tools and
>> documents.  Let's find the common ground and create a policy that finds the
>> right balance between the two.
>>
>> ~josh
>>
>> On Fri, Aug 14, 2015 at 9:47 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>> It's not about time.....
>>> It's about the sea of red tape, focus on bullsh1t like updating policy
>>> documents, chasing people over email footers or logos on slides and the
>>> reason OWASP was formed was to fix software security. I'm not seeing so
>>> much of the software security aspect anymore.
>>> I love what OWASP stands for, many of the board I have vast amounts of
>>> respect for but the amount of energy and time consumed on stuff that simply
>>> has no impact on the state of software security is astounding. It's like the
>>> UN, lots of bark but little bite.
>>>
>>> Respect
>>>
>>> Eoin Keary
>>> OWASP Volunteer
>>> @eoinkeary
>>>
>>>
>>>
>>> On 14 Aug 2015, at 15:03, Azeddine Islam Mennouchi <
>>> azeddine.mennouchi at owasp.org> wrote:
>>>
>>> Johanna,
>>> what you are saying is almost like saying : "I donate money to a
>>> childcare but I will take a chair as a souvenir" (if everyone took
>>> something from the childcare the donation will have no value)
>>> if you don't have the time to volunteer just don't it is as simple as
>>> this
>>> let's not redefine the Volunteering concept here please
>>>
>>> Regards Islam,
>>>
>>> On Fri, Aug 14, 2015 at 6:54 AM, Eoin Keary <eoin.keary at owasp.org>
>>> wrote:
>>>
>>>> I'm behind you 100%
>>>> I received a negative email after delivering a free class to 80 people
>>>> and raising €3k for Owasp. All time and slides donated by me.
>>>> I posted the slides to an alternative site after.
>>>>
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>>
>>>> On 14 Aug 2015, at 13:14, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> I just think the whole logo and branding rule are hypocritical rules.
>>>>
>>>> When OWASP does a conference, logos from sponsors can be placed loud
>>>> and clear on the APPSEC page. Is that vendor neutral?
>>>>
>>>> When a speaker that gets no money and no coverage for his/her traveling
>>>> cost does the same on their slides then 'we are non-profit' and cannot be
>>>> done...
>>>>
>>>>  The sole purpose of OWASP events is to pay operations but operations
>>>> is not the mission of owasp right?
>>>>
>>>> Keep the core mission in sight. I don't care which logo is displaying or
>>>> not on those slides as long as the content is valuable and the speaker is
>>>> worth listening to.
>>>>
>>>> If OWASP wants no logos and has all these rules then I think , pay the
>>>> speaker & his time to set that presentation in that format.
>>>>
>>>> Sometimes volunteers are treated like we should be happy we work for
>>>> nothing.
>>>>
>>>> We should be happy to have Dave Rook present for free and not the other
>>>> way around and explain that awesome experience implementing security where
>>>> he is working. Love those slides they rock & they are cool. A lot of time
>>>> went into making those slides and we should respect that.
>>>>
>>>> Volunteers have bills to pay and mouths to feed too.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>>> On Fri, Aug 14, 2015 at 7:25 AM, Tom Brennan <tomb at proactiverisk.com>
>>>> wrote:
>>>>
>>>>> AppSecUSA should have sessions for collaboration of people on top
>>>>> issues of projects, chapters and events.  in addition to fantastic
>>>>> presentations as always.  Blog posts like this should be reviewed as they
>>>>> have merit and I support covering a honorarium for speakers as they are the
>>>>> product.
>>>>>
>>>>> http://www.alba13.com/2014/10/free-its-just-costing-too-much.html?m=1
>>>>>
>>>>> As well as top community issues that are bubbling up not always
>>>>> addressed at the monthly board meetings.
>>>>>
>>>>> I submitted my recommendations for  several sessions for the community
>>>>> evolution aspect of the global event including these and by who... I hope
>>>>> some of these suggestions are incorporated and resonate with leaders to
>>>>> attend.
>>>>>
>>>>>  *#1 OWASP State of the Union (30)*
>>>>> * Paul CEO / Board of Directors
>>>>> - State of the Union address and kickoff - Annual report and YTD update
>>>>> - Mission, Metrics and Finances
>>>>> - kick off the event hand off to conference staffer (Laura) and
>>>>> conference chair (Michael)
>>>>>
>>>>> *AppSecUSA leader workshops *- join us for an important updates,
>>>>> debate and collaboration for FUTURE and current leadership of OWASP
>>>>> members. If you want to unlock valuable information don't miss these (3)
>>>>> sessions
>>>>>
>>>>> ** record these sessions video and get them online for the world to
>>>>> see and listen to just like any other session.
>>>>>
>>>>>
>>>>> *How to start or grow a OWASP Chapter in your region (45 mins)*
>>>>> * Paul, Noreen, Kelly
>>>>> - metrics that matter
>>>>> - requirements defined 15 mins
>>>>> - tips from our chapter leaders (panel) 30 mins
>>>>> -- growing attendance
>>>>> -- vendor relationships/sponsors
>>>>> -- regional events
>>>>> -- how OWASP employees help
>>>>> -- money in/out other
>>>>> -- secrets to success
>>>>> -- WASPY awards
>>>>>
>>>>> *2016 services and resources for OWASP chapter and project leaders
>>>>> (45mins)*
>>>>> * Paul, Noreen, Claudia
>>>>> -- metrics that matter
>>>>> -- annual report review
>>>>> -- general membership
>>>>> -- projects
>>>>> -- chapters
>>>>> --WASPY awards
>>>>> -- what can we do better discussion
>>>>>
>>>>> *2016 + Summits Conferences Events (45 mins)*
>>>>> ** Laura, Noreen, Claudia, Kelly
>>>>> -- metrics that matter
>>>>> -- motivation why do it?
>>>>> -- the new definition(s), money splits etc.
>>>>> -- expectations and current policy
>>>>> -- resources (budgets, templates, process) review of successful and
>>>>> failure events
>>>>> -- WASPY awards
>>>>>
>>>>> The organization is an interesting position for evolution.  With
>>>>> professional discussion and debate we can set the agenda moving forward
>>>>> with swift adjustments where needed by rough consensus.
>>>>>
>>>>> Tom Brennan
>>>>> 9732020122
>>>>>
>>>>> Need to book a meeting for a new or existing project?
>>>>> http://www.proactiverisk.com/book-meeting/
>>>>>
>>>>>
>>>>> On Aug 14, 2015, at 6:36 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>> Sorry if I gave the impression that this is urgent, it is not
>>>>>
>>>>> I'm just trying to raise a concern that was raised to me
>>>>> On 14 Aug 2015 10:36, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>
>>>>>> Dinis,
>>>>>>
>>>>>> Two points.
>>>>>>
>>>>>> 1) Mr Rook is on vacation. I do not agree with your sense of urgency.
>>>>>> We hired a full time staff, let's please use them first as opposed to heated
>>>>>> conversations over Twitter.
>>>>>>
>>>>>> 2) Dinis, I am just one of several board members. Please just email
>>>>>> the board list if you think this is a board level issue (as opposed to just
>>>>>> calling me out over Twitter, I am just one board member).
>>>>>>
>>>>>> So Dinis, I asked you politely to first talk to staff about this, and
>>>>>> if you did not find that satisfactory, then to email the board list so the
>>>>>> full board can weigh in.
>>>>>>
>>>>>> And I suggested these things to minimize stress and get more
>>>>>> leadership to look at this - as opposed to having a Twitter argument over
>>>>>> this.
>>>>>>
>>>>>> Dinis, I am trying to take the adult and calm path here. Please join
>>>>>> me in that pursuit.
>>>>>>
>>>>>> Aloha,
>>>>>> Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 8/13/15 10:04 PM, Dinis Cruz wrote:
>>>>>>
>>>>>> CCing owasp leaders list in order to get 'feedback' from the community
>>>>>>
>>>>>> And Jim come on, owasp is not a Fortune 100 company with high levels
>>>>>> of processes and bureaucracy, the problem is pretty obvious on the
>>>>>> https://twitter.com/davidrook/status/631699570603462656 thread (and
>>>>>> a couple other similar threads)
>>>>>>
>>>>>> This is a case of common sense.
>>>>>>
>>>>>> The focus of owasp needs to be on application security (for example
>>>>>> sharing knowledge), not in blindly following rules
>>>>>>
>>>>>> Yes we need to have rules in place to prevent abuse (in this case
>>>>>> vendor pitches), but if those rules start to affect high value owasp
>>>>>> contributors, then there is something wrong with the rules
>>>>>> On 13 Aug 2015 21:11, "Jim Manico" < <jim.manico at owasp.org>
>>>>>> jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>> > So what happens when the content is not from a 'vendor'
>>>>>>>
>>>>>>> Our guidelines do not differentiate that right now. So what Paul is
>>>>>>> doing is following the current policy that was created by input from a
>>>>>>> large number of people from our community.
>>>>>>>
>>>>>>> Dinis, if you think this needs to be changed then I believe your
>>>>>>> next step is to petition the board to change policy. Even better, before
>>>>>>> talking to the board, consider taking this conversation to the governance
>>>>>>> list and get feedback from those members of our community.
>>>>>>>
>>>>>>> Aloha,
>>>>>>> Jim
>>>>>>>
>>>>>>> On 8/13/15 9:42 AM, Dinis Cruz wrote:
>>>>>>>
>>>>>>> So what happens when the content is not from a 'vendor'?
>>>>>>>
>>>>>>> Which is David's case
>>>>>>> On 13 Aug 2015 20:26, "Paul Ritchie" <paul.ritchie at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi Dinis:    I wanted to follow up on your email from yesterday as
>>>>>>>> well as your posting of a "case" or customer service ticket #  06774.
>>>>>>>> Long answer.....explaining the OWASP position and our actions, and we have
>>>>>>>> communicated this a couple times to the community, but obviously need to do
>>>>>>>> more......
>>>>>>>>
>>>>>>>> *Big Issue* is our effort from the Foundation to "remind and
>>>>>>>> encourage" Chapter leaders to follow the Branding Guidelines, Code of
>>>>>>>> Ethics and Speaker Agreement as defined in the Chapter Leaders Handbook.
>>>>>>>>  The more support we can get from leaders like you and Jim and BoD, then
>>>>>>>> the less 'pushback' we will see from individuals who are uncomfortable
>>>>>>>> being reminded of the policy.
>>>>>>>>
>>>>>>>> 1.  We noticed the adherence to the policy was getting a little
>>>>>>>> weak, based on several examples where policy wasn't followed.  Examples
>>>>>>>> included leaders and past BoD members too.
>>>>>>>>
>>>>>>>> 2.  Once we pointed out the policy, several of the key leaders,
>>>>>>>> like Eoin & now David were "surprised" that we were serious, and actually
>>>>>>>> gave us some push back.
>>>>>>>>
>>>>>>>> 3.  Bottom line, I understand the pushback, but we really "must"
>>>>>>>> ask OWASP Leaders to follow the policy.
>>>>>>>>
>>>>>>>> 4.  As a Charitable, nonprofit organization,* we have an
>>>>>>>> obligation to follow our Code of Conduct* concerning vendor
>>>>>>>> neutrality and non-endorsement of commercial products or services.
>>>>>>>>
>>>>>>>> Our Code of Conduct policies are* well documented and were created
>>>>>>>> by our community*, to provide clarity as we grow globally.  They
>>>>>>>> apply to many areas including Trade organizations, Government bodies,
>>>>>>>> Standards groups and Certifying Bodies.
>>>>>>>>
>>>>>>>> https://www.owasp.org/index.php/OWASP_Codes_of_Conduct
>>>>>>>>
>>>>>>>> 5.  Also, For speakers at events AND at Chapter Meetings, the
>>>>>>>> Speakers agreement does apply, and it is noted in the Chapters Leaders
>>>>>>>> Handbook.
>>>>>>>>
>>>>>>>> Speakers Agreement
>>>>>>>> *CONTENT - Speakers are encouraged to include their contact
>>>>>>>> information when introducing themselves, but may NOT include their logo on
>>>>>>>> any visual and handout materials. Speakers are to avoid any appearance of
>>>>>>>> commercialism in their session and presentations are to be of a technical
>>>>>>>> or solutions emphasis. Further, I understand that the program tracks of the
>>>>>>>> conference/event/chapter are an educational event, not a sales or marketing
>>>>>>>> platform. I agree that my presentation(s) will be an objective review of
>>>>>>>> the topic on which I am presenting, and will not contain any content that
>>>>>>>> is a sales or promotional pitch for any specific product(s) or
>>>>>>>> company(ies). My materials will also be reflective of the current status of
>>>>>>>> the topic(s) I am addressing.*
>>>>>>>>
>>>>>>>> 6.  So, Net, net.   We are reaching out to a number of chapters
>>>>>>>> who have posted presentations to the OWASP wiki that appear to violate our
>>>>>>>> branding rules. All presentations given at chapter meetings or at
>>>>>>>> conferences when representing OWASP, and those posted to wiki pages must be
>>>>>>>> vendor neutral. This includes the content of the presentation as well as
>>>>>>>> the graphics used in the presentation layout.
>>>>>>>>
>>>>>>>> Any non-OWASP branded material, such as a speaker's corporate
>>>>>>>> logo, must be removed from the presentation. Exceptions may exist
>>>>>>>> such as when the context of a slide calls for a logo as an illustration.
>>>>>>>> And, we are happy to review anything that might be questionable.
>>>>>>>>
>>>>>>>> So, @Jim and @Dinis - Is there something we need to do to reach out
>>>>>>>> directly to any individuals like David Rook?
>>>>>>>>
>>>>>>>> Best Regards, Paul Ritchie
>>>>>>>> OWASP Executive Director
>>>>>>>> paul.ritchie at owasp.org
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> Global Board Member
>>>>>>> OWASP Foundation
>>>>>>> https://www.owasp.org
>>>>>>> Join me at AppSecUSA 2015!
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> https://www.owasp.org
>>>>>> Join me at AppSecUSA 2015!
>>>>>>
>>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Islam Azeddine Mennouchi
>>> Consultant at ITS
>>> http://www.infotoolssolutions.dz/
>>> OWASP ALGERIA Chapter Leader
>>> phone n°: +213658227651
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
>
>
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance
>
>
>