[Owasp-board] OWASP & Industry Vendors - Discussion

Justin Derry JDerry at b-sec.com
Mon Aug 27 00:12:02 UTC 2007

OK Guys 

I am trying to work with Wayne to attempt to attend the conference as
one of his speakers.

(At the request of Wayne again)

Agree with everything going on etc (as advised by you guys).

Long term, though, I think there is some food for thought for the
future direction of OWASP.




From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Monday, 27 August 2007 9:40 AM
To: Justin Derry
Cc: OWASP Board; Jeff Williams; Dave Wichers; Daniel Cuthbert;
mark at curphey.com
Subject: Re: OWASP & Industry Vendors - Discussion


Ok, after reading these threads about the Taiwan conference, I do think
that we should let the conference go as planned.

Wayne has definitely crossed some lines and we will need much more
clarity and visibility in the future about the decision making process
over there in Taiwan. We also need much stronger guidelines from OWASP
about these issues (Justin here is an area which you could help a lot if
you have the time :)   ) 

The issue with the vendors is about balance, OWASP would not make sense
without them (not the vendors but the people hired by those vendors) and
OWASP cannot be controlled by the vendors. The key is in finding a
balance where the OWASP principles and values are respected and

Part of the vendors (and membership) guidelines must be clauses
dictating the reasons why a membership would be canceled (and membership
cancellation is something that the OWASP board should enforce summarily
(nothing like kicking a couple companies out of OWASP to make everybody
take notice)) 

Back to Wayne, following an email from Jeff, his (Wayne) responses did
show that he understands the dangers of the perception that OWASP is
controlled by a company, so let's see what happens next.

Dinis Cruz 
Chief OWASP Evangelist

On 8/25/07, Justin Derry <JDerry at b-sec.com> wrote:


I don't mind going on record. However I also don't want to be perceived
as a guy hitting people over the head. Basically I believe in OWASP and
I believe in the intent the Taiwan chapter guy has. However I also
believe that this is one of those examples where a vendor is using OWASP
to deliberately wipe out the competition he has and use OWASP as a
springboard for himself and his company.

(By the way, I don't know if my customer source will go on record - it
was a friendly personal phone call - but I am sure the email I have would
be ok.)


Too many people put too much effort into OWASP and I hate when I see
misuse of OWASP. As everyone knows I have long sat in the background of
OWASP for many years since 2001 and only since late 2005 have I actively
got involved and will continue to push forward like many others. However
my biggest fear with OWASP is self implosion. What I mean by this is if we
have guys running around claiming that OWASP only supports certain
vendors etc then sooner rather than later OWASP will die out simply
because no one will trust it as an independent and authoritative source of
application security.


I don't think making an example of the Taiwan guy will work, but I do
think we need to stop it, and I also think we need to seriously look at
the rules of vendors out there sponsoring and getting involved in


With Taiwan I am a little surprised that he has taken it to an extent of
registering domains etc. I was offered to speak at this conference and
advised I couldn't and put forward Brian Chess (Fortify) (this was at a
time when I didn't know Wayne was from Amorize) and I happen to know
Brian and also knew he was already going to be in Taiwan around the time
and I received a simple email saying we wouldn't invite him as he is a
competitor. (I'll send you the email if you don't already have it).


The things I like about Wayne (Taiwan) are he is keen, pulls the numbers
and overall I think is a nice guy. However I also think there is a small
hidden agenda that he has to use OWASP to further Amorize. Don't have a
problem with vendors using OWASP as an Industry standard, hey that's what
it's there for within reason, but it needs to be done in a controlled,
managed, neutral and appropriate manner.


I have always said that I am willing to take on a more supporting role
in OWASP (with Asia or whatever) and now due to my role within our
consulting firm, I have also tasked every other consultant in my team (8
of them) with minimum 4 hours a week on OWASP related activities (i.e.
Malathi is going to help AJV with the V3 guide etc). But I don't want to
see other people abuse the system, and it seems to mainly be some


Maybe we look at drawing up some guidelines for Vendors that are very
specific? Maybe also we work on some guidelines and rules for any type
of mini or large conference that may involve vendors. Let's be realistic,
I don't think we are going to get rid of vendors, they have the $$ and
help with the project, however having some guidelines would be good.
(The chapter rules are pretty basic.) Also maybe some way to enforce
them? And a clause if you breach the guidelines you are immediately
removed as a corporate member? I don't know, that's all a quick brain


Anyhow, super keen to help out wherever anyone wants. If I am completely
out of turn then someone throw a brick at me.





From: Dinis Cruz [mailto:dinis at ddplus.net]
Sent: Fri 8/24/2007 10:46 PM
To: Justin Derry
Cc: OWASP Board; Jeff Williams; Dave Wichers; Daniel Cuthbert;
mark at curphey.com
Subject: Re: OWASP & Industry Vendors - Discussion


You are raising very important (if not critical) issues here which I
want to fully clarify and sort out. 

I will reply in detail to your email, but before I do just one question:
"How much of this are you willing to go 'on the record', that is put
your name to it?". It doesn't mean that we will post all this to
everybody in OWASP but (for example) I want to clarify with the Taiwan
chapter leader these issues, and it will be easier if I can directly
quote you (and others (if you know other people who share your feelings
please put them in touch)) 

My objective is to turn this into a positive event, with lessons learned
for all parties involved (assuming of course that we are able to
amicably solve the current 'brand abuse' issues)

Dinis Cruz 
Chief OWASP Evangelist
http://www.owasp.org

On 8/23/07, Justin Derry <JDerry at b-sec.com> wrote: 


Firstly I think I have met everyone on the CC/To list and there is a
good reason why this email has not been forwarded to the
owasp-leaders at owasp.org mailing list.

Anyhow as most of you know I have been involved in OWASP (lately more
due to availability and effort during business hours) but am currently
trying to set up some conferences in Asia etc.


The reason for this selective email is simply due to the fact that it
reflects directly on some of the people on the owasp-leaders list.


Recently a chapter leader approached OWASP in regards to converting his
350+ people conference to an OWASP Asia Pacific Conference 2007, he is
currently running it as a "Taiwan Chapter" conference.

I spent some time with the person discussing some of the common goals of
a conference and ensure that the appropriate messages (i.e. vendor
independence etc) being careful of how to approach these things.

He agreed and has forwarded to Dave Wichers etc for approval, which he
got. He proceeded within 48 hours of that to approach a customer in Taiwan
and immediately tell them Amorize is the only sponsor of the OWASP 2007
Asia Pacific conference and OWASP fully supports and backs Amorize.
Which is obviously so far from the truth it's not funny. (They don't
even sponsor OWASP corporately.)

This statement came from two different sources about the OWASP and
Amorize (not vendors but customer sources).


Anyhow the reason for the email is, this is a big problem. We all work
for companies that typically have an invested interest in the
Application Security space, but I think by most everyone plays by the
rules. Obviously there are people that don't and are abusing the OWASP
name and using the hard work of Mark, Andrew, Dave and everyone else.
Recently as a company we invested in OWASP and are also, as most of you
are aware, investing business hours and effort in increasing the OWASP
project because I believe in it. The collective thinking is powerful and
I believe the people involved are excellent. However we currently I
believe have a serious problem with a selective few people abusing the


I agree with Mark C's comments in regards to the direction and the
comments about financial sides of OWASP and the approach that OWASP
should take moving forward. However i think we need to seriously address
the misuse immediately of the OWASP brand and approach some chapters etc
are taking. This can be achieved reasonably easily i think by completing
a few tasks. Some of which i have included below. 


Why doesn't OWASP consider (if we have the $$) employing an
administrative person to simply monitor the activity of OWASP chapters,
follow up on presentations etc. This would be perfect as if each chapter
leader knew that they would be asked for their presentation notes to be
published online, if there was anything inappropriate this would
hopefully reduce. (Or maybe approval prior??) Yes there are a lot of
chapters but with a single person reviewing and posting presentations I
think overall someone would have an idea on what was being presented.
Also would mean we would have a great collection point? Surely this
wouldn't cost that much? An admin person here in OZ is only around
30,000 USD a year?


Secondly vendor involvement. I like it, and I think OWASP needs it for
the future, however there should be some hard and fast rules about it,
i.e. (maybe no chapter leads from vendors?? Too much temptation). Maybe
we set some strict guidelines about how they can get involved, i.e. at
conferences etc. Maybe we allow them to place sponsorship on the web
site only and provide a facility?? Most chapter leads I believe are
good but I haven't been to many. I do look through the wiki and see
a lot of "vendor" names popping up. Not a lot of consulting firms but lots
of vendor names.


Conferences: as you know, I am trying to work on a Big OWASP Asia
conference. I see the rules being Vendors (all of them) get an invite,
allowed to provide a booth, and if the numbers allow it maybe a separate
speaking stream where they can present. That's all still thought process,
but using the vendor money to increase awareness is actually quite good.


I don't know if this email is going down to one? Maybe these are just my
feelings, but for a person willing to put a lot of effort into the OWASP
cause I am horrified to hear about this instance in Taiwan. This is
backed up by the fact he has even written in an email to me that he
doesn't want to invite any vendors and is happy for his company to pay
for the lot. Really I don't think this is the way to approach it, simply
as he is using the conference purely as a springboard for his new
company. The other problem with this, is how do the other vendors who
put in $$$$ to support OWASP and they have another company not even
supporting OWASP doing this. I am sure that they wouldn't be happy as
where is their money going.


So I suppose in summary why not look at an administrative person to
oversee presentations etc, and we set some specific guidelines (more
detailed) than the chapter rules for each chapter. We also place a wide
advice to all vendors advising them of our position and maybe even ask
them to put up money if they wish to continue referencing the OWASP
guides etc. They are all getting valuable effort without any $$ or
input. I even saw a vendor at Blackhat this year using and promoting the
OWASP WebGoat tool to promote their own tools. This was insane?


Anyhow hopefully my rant hasn't been received poorly, sounds like a few
people are making some interesting comments in the past 24 hours, and
hopefully this all goes into a bucket to better OWASP?

If not then please kill me now.. :)


BTW Dave W, you probably get the feeling I am recommending that we don't
allow Taiwan to run their conference as the OWASP ASIA conference and
further probably not as a conference at all. There is a lot of material
on the WIKI about his conference.


Anyhow thanks for reading that big email guys...




Justin Derry

Application Security

Practice Leader

b-sec Consulting

Mobile:   0411 411 881

Direct:     07 3217 5936

Switch:    07 3374 3011

Fax:        07 3217 6573

www.b-sec.com

Disclaimer:  www.b-sec.com.au/disclaimer.txt



