[Owasp-board] OWASP and Armorize

Dinis Cruz dinis at ddplus.net
Mon Aug 27 00:28:38 UTC 2007


I also agree that we should see how this pans out.

And we definitely need to clarify these rules.

Dinis

On 8/26/07, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>  I had a long call with Wayne to discuss.  I believe he's right on track.
> He's going to Google video the whole conference so that anyone can verify.
> I think we should add something to the chapter rules, and to the front page,
> about the commitment that OWASP has to keeping our community free from
> vendor scum….or something to that effect.
>
>
>
> Agree?
>
>
>
> --Jeff
>
>
>
> *From:* Dave Wichers [mailto:dave.wichers at owasp.org]
> *Sent:* Saturday, August 25, 2007 4:47 PM
> *To:* jeff.williams at owasp.org
> *Cc:* 'Dinis Cruz'
> *Subject:* RE: OWASP and Armorize
>
>
>
> I think this response is pretty reasonable and not making big changes now
> is also reasonable too. As far as sponsorship, if it's like what we do now at
> OWASP conference (logos, handouts, etc.) but no booths or whatever, we
> could ask them to add that kind of sponsorship, but I'm inclined at this
> point to leave things alone given they are so short on time.
>
>
>
> What do you think?
>
>
>
> -Dave
>
>
>
> *From:* Wayne Huang [mailto:wayne at armorize.com]
> *Sent:* Saturday, August 25, 2007 5:22 AM
> *To:* jeff.williams at owasp.org
> *Cc:* Dave Wichers; Dinis Cruz
> *Subject:* RE: OWASP and Armorize
>
>
>
> Hi Jeff,
>
>
>
> It's quite disappointing to have spent a huge amount of effort and still
> being questioned. But anyways, please find my response below.
>
>
>
> 1)      OWASP does not endorse *any* product, service, or company -
> including Armorize
>
>
>
> That's understood, not only by me but by everyone in Taiwan who knows
> about OWASP I believe.
>
>
>
> 2)      You cannot use OWASP for the commercial advantage of Armorize
>
>
>
> If I had been using OWASP for any commercial advantages of Armorize, I
> wouldn't have been able to pull together such a large audience, and people
> would immediately stop supporting OWASP in Taiwan
>
>
>
> 3)      You cannot exclude other vendors from participating with OWASP
>
>
>
> For this, originally we wanted to have  an OWASP Taiwan gathering, so we
> started putting together one. Then I thought it would be good to pull in
> some foreign speakers, so I allocated funding from my company to do it.
> However, to the public, they don't know who's sponsoring the event, because
> we will not have a single Armorize logo or word associated with the event.
>
>
>
> I think it is also because of this, that people started to support OWASP
> Taiwan, because there have been too many security conferences with strong
> commercial flavors.
>
>
>
> If you remember, we tried hard to invite both you and Dave here. If we
> were trying to abuse OWASP, we wouldn't have done so. We also tried to
> invite Justin, but he couldn't make it either. After that we have fixed the
> speakers and program, as there's barely four weeks left.
>
>
>
> If you remember, we started planning since May, and the conference has
> already been postponed once, but still, we weren't able to invite Jeff, Dave
> and Justin. I don't think it's a good idea to postpone again.
>
>
>
> 4)      You cannot use the OWASP Brand in any commercial context
>
>
>
> We haven't been doing that at all. Again, OWASP Taiwan Chapter is just to
> promote OWASP and to host conferences for the security community here. There
> have been numerous non-profit security organizations in Taiwan, but because,
> in the end, the commercial flavor all turned too obvious, so they started to
> lose support. I've seen the entire lifetime many times and I don't intend
> that to happen with the OWASP Taiwan Chapter that I am leading. Besides,
> Taiwan is so small, if you're talking about business, there's only one dozen
> banks for example. Everyone knows Armorize already, so we really don't need
> to leverage the OWASP brand.
>
>
>
> Again, if we wanted to abuse it, we wouldn't have tried very hard to
> invite you or Dave or Justin. Maybe now other vendors hope to sponsor
> because word is out that there will be a big audience. However, with the
> limited amount of time left, I'd suggest that we do the following:
>
>
>
> 1.       Keep the conference the way it is for this time, and next time we
> can plan much earlier in advance and have all companies interested in
> sponsorships sponsor.
>
> 2.       For this time, I can have a couple of non-profit and government
> organizations sponsor the entire event, which means that even Armorize won't
> be sponsoring this year, if you think that that is more fair.
>
>
> Justin has suggested that we do two tracks for next year, one technical
> and one for vendors. That's a very good idea. For this one though, there's
> only going to be one track, and I hope to keep it as technical-driven and
> vendor-free as possible, if you agree.
>
>
>
> Can you please also confirm that:
>
>
>
> 1)      Other vendors will be allowed to sponsor the Taiwan conference
>
>
>
> There's no time to do that for this year. I talked to the venue and we
> didn't book the hallways for booths etc, and even if they allow us to book,
> the prices are very expensive now as it is very close to the conference. My
> suggestion would be, if we do a good job at making the audience feel that
> OWASP conferences are very neutral and a good source of information, without
> vendor pitches etc, they will be keen on attending the next conference, and
> for the next conference we can have two tracks, so that people attending the
> vendor track are those that are interested in learning what the vendors have
> to provide. For this one, given the limited amount of time, I don't think we
> can make it.
>
>
>
> 2)      Speakers from other companies will be allowed to speak at the
> conference
>
>
>
> That of course. This year's foreign speakers, Mike Shema and Jeremiah
> Grossman, for example, are not Armorize. The only Armorize speaker would be
> myself. This year the program is an attempt to cover a wide variety of Web
> application security solutions, including penetration testing and
> professional services, automated scanners, Web application firewalls, and
> source code analysis.
>
>
>
> 3)      You will transfer the www.owasp.org.tw to the OWASP Foundation
>
>
>
> That's not a problem.
>
>
>
> To be frank, originally we never thought that there would be such a big
> audience. Taiwan is small, it's hard to get foreign speakers to come over. I
> guess we did a very good job with promoting OWASP here and because we've
> maintained neutral, people are showing their support by attending the
> conference. In order to attract foreign speakers, I usually offer to also
> take them around the island while they are here. I believe I made the same
> offer to both Jeff and Dave in the beginning, and also to Justin later.
> However, I'm less keen in taking my competitors, for example, on the same
> trip. This would be the only difference. I don't think they would be keen on
> hanging out with me either.
>
>
>
> We do appreciate all foreign speakers that agreed to come over and give
> talks, and so we will also do our best to make their trip to Taiwan
> pleasurable. It is also because of these speakers' support, that we were
> able to pull together a good audience. For this conference though, I suggest
> that we keep the program the way it is. OWASP is a long term thing, we will
> be devoting our time to OWASP for the next ten years. It wouldn't be good to
> have to now take up sponsors or change the program to try to include other
> speakers. Then it would feel like they are willing to support OWASP Taiwan
> after learning that there will be a big audience for this conference. The
> initial speakers didn't know how big the audience would be—neither did I.
> But we still spent our time and put aside our other very important business
> opportunities to make time to prepare and give a talk in this OWASP
> conference. I must say we're lucky to have an unexpected large number of
> audience, and that our efforts have paid off in that we were successful in
> growing the OWASP Taiwan chapter. But also because of this, if other
> vendors, after learning this, now want to sponsor or have a slot to give a
> talk, I suggest they wait until the next conference. Again, OWASP is a long
> term dedication and as long as we do a good job and maintain neutral, there
> are many many successful conferences to come in the future.
>
>
>
> It's very important that not only we stay neutral, but OWASP itself as
> well. I was responsible for recommending how the Taiwan government set its
> regulations on Web security, and there were numerous debates on whether we
> establish our own non-profit organization to set the standard and offer
> certification services, or we support OWASP. I strongly recommended that we
> endorse OWASP and the end result is we did.
>
>
>
> To further show that OWASP is neutral and is helping to promote Web
> security globally, we then started the OWASP Taiwan chapter. When the
> current foreign speakers decided to come, we didn't really know what kind of
> an audience we would be able to pull. I can understand how some vendors,
> after learning that it turned out that we'll be having a good audience,
> would like to speak at the conference. I think Justin's proposal for a
> two-tracked conference next time is a very good idea, but for now with four
> weeks left, I think it is better to leave the conference the way it is for
> now. Actually, I had expected that if this OWASP conference is successful,
> we would be able to have a good number of companies willing to sponsor for
> the next conference, which is a very good thing for the OWASP Taiwan Chapter
> of course.
>
>
>
> It's too bad that neither Jeff nor Dave (and not even Justin) can make it
> to this conference. If you were here you would see how much of an effort we
> have spent in trying to pull together a good conference, and I don't have to
> fight against the out-of-nowhere accusations. OWASP Taiwan Chapter is more than
> willing to take sponsorships from other companies in the future. However,
> for the conference ahead, the time is too short and it would be very
> difficult to change the program given such a short notice. As for vendors
> getting a slot because of their sponsorship, I sincerely suggest a two-track
> arrangement so that we have a neutral technical track, otherwise there is a
> risk of OWASP Taiwan chapter losing support.
>
>
>
> Wayne
>
>
>
>
>
> *From:* Jeff Williams [mailto:jeff.williams at owasp.org]
> *Sent:* Saturday, August 25, 2007 12:14 PM
> *To:* Wayne Huang
> *Cc:* Dave Wichers; Dinis Cruz
> *Subject:* OWASP and Armorize
>
>
>
> Hi Wayne,
>
>
>
> I have been receiving several reports that Armorize may be taking unfair
> advantage of their relationship with OWASP and the OWASP Taiwan chapter.  I
> only have one side of the story and I don't jump to conclusions, so please
> treat this message as a simple inquiry and not any kind of accusation.  I
> just want to make absolutely sure that you understand that:
>
>
>
> 1)      OWASP does not endorse *any* product, service, or company -
> including Armorize
>
> 2)      You cannot use OWASP for the commercial advantage of Armorize
>
> 3)      You cannot exclude other vendors from participating with OWASP
>
> 4)      You cannot use the OWASP Brand in any commercial context
>
>
>
> Essentially, when you are in the role of OWASP Chapter Lead, you must do
> what is in the best interest of OWASP without consideration of your
> company.  I'm sure you already knew this, but I'd like you to please
> acknowledge that you agree with these rules.
>
>
>
> Can you please also confirm that:
>
>
>
> 1)      Other vendors will be allowed to sponsor the Taiwan conference
>
> 2)      Speakers from other companies will be allowed to speak at the
> conference
>
> 3)      You will transfer the www.owasp.org.tw to the OWASP Foundation
>
>
>
> Thanks for your understanding in this matter.
>
>
>
> --Jeff
>
>
>
> Jeff Williams, Chair
>
> The OWASP Foundation <http://www.owasp.org/>
>
> Work: 410-707-1487
>
> Main: 301-604-4882
>
> "Dedicated to finding and fighting the causes of insecure software"
>
>
>



-- 
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org