[Owasp-board] OWASP & Industry Vendors - Discussion

Dinis Cruz dinis at ddplus.net
Mon Aug 27 00:46:32 UTC 2007


Going there as a speaker will be a great way forward, so good luck in making
it happen.

And you are spot-on when you say that this is 'food for thought for the
future of OWASP', since what we are dealing with here is managing OWASP's
growth in a controlled and sustainable way (i.e. without losing OWASP's values
on the way).

I'm sure that conversations about this will continue for months :)

Dinis

On 8/27/07, Justin Derry <JDerry at b-sec.com> wrote:
>
>  OK Guys
>
> I am trying to work with Wayne to attempt to attend the conference as one
> of his speakers.
>
> (At the request of wayne again)
>
> Agree with everything going on etc (as advised by you guys).
>
> Though long term I think there is some food for thought for the
> future direction of OWASP.
>
> Cheers
>
> JD
>
>
>
> *From:* Dinis Cruz [mailto:dinis at ddplus.net]
> *Sent:* Monday, 27 August 2007 9:40 AM
> *To:* Justin Derry
> *Cc:* OWASP Board; Jeff Williams; Dave Wichers; Daniel Cuthbert;
> mark at curphey.com
> *Subject:* Re: OWASP & Industry Vendors - Discussion
>
>
>
> Ok, after reading these threads about the Taiwan conference, I do think
> that we should let the conference go as planned.
>
> Wayne has definitely crossed some lines and we will need much more clarity
> and visibility in the future about the decision making process over there in
> Taiwan. We also need much stronger guidelines from OWASP about these issues
> (Justin, here is an area where you could help a lot if you have the time :)
> ).
>
> The issue with the vendors is about balance: OWASP would not make sense
> without them (not the vendors but the people hired by those vendors), and
> OWASP cannot be controlled by the vendors. The key is in finding a balance
> where the OWASP principles and values are respected and enforced.
>
> Part of the vendor (and membership) guidelines must be clauses dictating
> the reasons why a membership would be cancelled (and membership cancellation
> is something that the OWASP board should enforce summarily (nothing like
> kicking a couple of companies out of OWASP to make everybody take notice)).
>
> Back to Wayne, following an email from Jeff, his (Wayne's) responses did
> show that he understands the dangers of the perception that OWASP is
> controlled by a company, so let's see what happens next.
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
> On 8/25/07, *Justin Derry* <JDerry at b-sec.com> wrote:
>
> Dinis,
>
> I don't mind going on record. However, I also don't want to be perceived as
> a guy hitting people over the head. Basically I believe in OWASP and I
> believe in the intent the Taiwan chapter guy has. However, I also believe
> that this is one of those examples where a vendor is using OWASP to
> deliberately wipe out the competition he has and to use OWASP as a springboard
> for himself and his company.
>
> (By the way, I don't know if my customer source will go on record (it
> was a friendly personal phone call), but I am sure the email I have would be
> OK.)
>
>
>
> Too many people put too much effort into OWASP and I hate it when I see
> misuse of OWASP. As everyone knows, I have long sat in the background of
> OWASP for many years since 2001 and only since late 2005 have I actively got
> involved, and I will continue to push forward like many others. However, my
> biggest fear with OWASP is self-implosion. What I mean by this is, if we have
> guys running around claiming that OWASP only supports certain vendors etc.,
> then sooner rather than later OWASP will die out simply because no one will
> trust it as an independent and authoritative source of application security.
>
>
>
> I don't think making an example of the Taiwan guy will work, but I do
> think we need to stop it, and I also think we need to seriously look at the
> rules for vendors out there sponsoring and getting involved in OWASP.
>
>
>
> With Taiwan I am a little surprised that he has taken it to the extent of
> registering domains etc. I was offered a chance to speak at this conference,
> advised I couldn't, and put forward Brian Chess (Fortify) (this was at a time
> when I didn't know Wayne was from Amorize). I happen to know Brian and
> also knew he was already going to be in Taiwan around that time, and I
> received a simple email saying we wouldn't invite him as he is a
> competitor. (I'll send you the email if you don't already have it.)
>
>
>
> The things I like about Wayne (Taiwan) are that he is keen, pulls the numbers
> and overall I think is a nice guy. However, I also think there is a small
> hidden agenda he has to use OWASP to further Amorize. I don't have a
> problem with vendors using OWASP as an industry standard, hey that's what
> it's there for within reason, but it needs to be done in a controlled,
> managed, neutral and appropriate manner.
>
>
>
> I have always said that I am willing to take on a more supporting role in
> OWASP (with Asia or whatever) and now, due to my role within our consulting
> firm, I have also tasked every other consultant in my team (8 of them) with
> a minimum of 4 hours a week on OWASP related activities (i.e. Malathi is going
> to help AJV with the V3 guide etc.). But I don't want to see other people
> abuse the system, and it seems to mainly be some vendors?
>
>
>
> Maybe we look at drawing up some guidelines for vendors that are very
> specific? Maybe also we work on some guidelines and rules for any type of
> mini or large conference that may involve vendors. Let's be realistic, I don't
> think we are going to get rid of vendors, they have the $$ and help with the
> project, however having some guidelines would be good. (The chapter rules
> are pretty basic.) Also maybe some way to enforce them? And a clause that if you
> breach the guidelines you are immediately removed as a corporate member? I
> don't know, that's all a quick brain dump.
>
>
>
> Anyhow, super keen to help out wherever anyone wants. If I am completely
> out of turn then someone throw a brick at me.
>
> Cheers
>
> Justin
>
>
>  ------------------------------
>
> *From:* Dinis Cruz [mailto:dinis at ddplus.net]
> *Sent:* Fri 8/24/2007 10:46 PM
> *To:* Justin Derry
> *Cc:* OWASP Board; Jeff Williams; Dave Wichers; Daniel Cuthbert;
> mark at curphey.com
> *Subject:* Re: OWASP & Industry Vendors - Discussion
>
> Justin
>
> You are raising very important (if not critical) issues here which I want
> to fully clarify and sort out.
>
> I will reply in detail to your email, but before I do, just one question:
> "How much of this are you willing to go 'on the record', that is put your
> name to it?" It doesn't mean that we will post all this to everybody in
> OWASP, but (for example) I want to clarify these issues with the Taiwan
> chapter leader, and it will be easier if I can directly quote you (and others
> (if you know other people who share your feelings please put them in touch)).
>
>
> My objective is to turn this into a positive event, with lessons learned
> for all parties involved (assuming of course that we are able to amicably
> solve the current 'brand abuse' issues).
>
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
>  On 8/23/07, *Justin Derry* <JDerry at b-sec.com> wrote:
>
> Guys,
>
> Firstly, I think I have met everyone on the CC/To list and there is a good
> reason why this email has not been forwarded to the
> owasp-leaders at owasp.org mailing list.
>
> Anyhow, as most of you know, I have been involved in OWASP (lately more due
> to availability and effort during business hours) and am currently trying
> to set up some conferences in Asia etc.
>
>
>
> The reason for this selective email is simply due to the fact that it
> reflects directly on some of the people on the owasp-leaders list.
>
>
>
> Recently a chapter leader approached OWASP in regards to converting his
> 350+ people conference to an OWASP Asia Pacific Conference 2007; he is
> currently running it as a "Taiwan Chapter" conference.
>
> I spent some time with the person discussing some of the common goals of a
> conference and ensuring that the appropriate messages (i.e. vendor
> independence etc.) came across, being careful of how to approach these things.
>
> He agreed and forwarded it to Dave Wichers etc. for approval, which he
> got. Within 48 hours of that he proceeded to approach a customer in Taiwan and
> immediately tell them Amorize is the only sponsor of the OWASP 2007 Asia
> Pacific conference and that OWASP fully supports and backs Amorize, which is
> obviously so far from the truth it's not funny. (They don't even sponsor
> OWASP corporately.)
>
> This statement about OWASP and Amorize came from two different sources
> (not vendors but customer sources).
>
>
>
> Anyhow, the reason for the email is that this is a big problem. We all work for
> companies that typically have a vested interest in the Application
> Security space, but I think most everyone plays by the rules. Obviously
> there are people that don't and are abusing the OWASP name and using the
> hard work of Mark, Andrew, Dave and everyone else. Recently, as a company, we
> invested in OWASP and are also, as most of you are aware, investing business hours
> and effort in increasing the OWASP project because I believe in it. The
> collective thinking is powerful and I believe the people involved are
> excellent. However, we currently, I believe, have a serious problem with a
> select few people abusing the system.
>
>
>
> I agree with Mark C's comments in regards to the direction and the
> comments about the financial side of OWASP and the approach that OWASP should
> take moving forward. However, I think we need to seriously and immediately
> address the misuse of the OWASP brand and the approach some chapters etc. are taking.
> This can be achieved reasonably easily, I think, by completing a few tasks,
> some of which I have included below.
>
>
>
> Why doesn't OWASP consider (if we have the $$) employing an administrative
> person to simply monitor the activity of OWASP chapters, follow up on
> presentations etc.? This would be perfect as, if each chapter leader knew that
> they would be asked for their presentation notes to be published online,
> anything inappropriate would hopefully be reduced (or maybe
> approval prior??). Yes, there are a lot of chapters, but with a single person
> reviewing and posting presentations I think overall someone would have an idea
> of what was being presented. It would also mean we would have a great
> collection point? Surely this wouldn't cost that much? An admin person here
> in Oz is only around 30,000 USD a year?
>
>
>
> Secondly, vendor involvement. I like it, and I think OWASP needs it for the
> future, however there should be some hard and fast rules about it, i.e.
> (maybe no chapter leads from vendors?? Too much temptation). Maybe we set
> some strict guidelines about how they can get involved, i.e. at conferences
> etc. Maybe we allow them to place sponsorship on the web site only and
> provide a facility?? Most chapter leads I believe are good, but I haven't
> been to too many. I do look through the wiki and see a lot of "vendor" names
> popping up. Not a lot of consulting firms but lots of vendor names.
>
>
>
> Conferences: as you know, I am trying to work on a big OWASP Asia
> conference. I see the rules being: vendors (all of them) get an invite, are
> allowed to provide a booth, and if the numbers allow it maybe a separate
> speaking stream where they can present. That's all still in the thought process, but
> using the vendor money to increase awareness is actually quite good.
>
>
>
> I don't know if this email is going down to one? Maybe these are just my
> feelings, but for a person willing to put a lot of effort into the OWASP
> cause, I am horrified to hear about this instance in Taiwan. This is backed
> up by the fact he has even written in an email to me that he doesn't want to
> invite any vendors and is happy for his company to pay for the lot. Really, I
> don't think this is the way to approach it, simply as he is using the
> conference purely as a springboard for his new company. The other problem
> with this is, how do the other vendors who put in $$$$ to support OWASP feel when
> they have another company not even supporting OWASP doing this? I am sure
> that they wouldn't be happy, as where is their money going?
>
>
>
> So I suppose, in summary, why not look at an administrative person to
> oversee presentations etc., and we set some specific guidelines (more
> detailed than the chapter rules) for each chapter. We also send wide
> advice to all vendors advising them of our position and maybe even ask them
> to put up money if they wish to continue referencing the OWASP guides etc.
> They are all getting valuable effort without any $$ or input. I even saw a
> vendor at Blackhat this year using and promoting the OWASP WebGoat tool to
> promote their own tools. This was insane?
>
>
>
> Anyhow, hopefully my rant hasn't been received poorly; it sounds like a few
> people are making some interesting comments in the past 24 hours, and
> hopefully this all goes into a bucket to better OWASP?
>
> If not then please kill me now.. :)
>
>
>
> BTW Dave W, you probably get the feeling I am recommending that we don't
> allow Taiwan to run their conference as the OWASP Asia conference and
> further probably not as a conference at all. There is a lot of material on
> the wiki about his conference.
>
>
>
> Anyhow, thanks for reading that big email, guys...
>
> Cheers
>
> Justin
>
>
>
> Justin Derry
>
> Application Security
>
> Practice Leader
>
> *b-sec Consulting*
>
> *Mobile:   0411 411 881*
>
> Direct:     07 3217 5936
>
> Switch:    07 3374 3011
>
> Fax:        07 3217 6573
>
> *www.b-sec.com *
>
> *Disclaimer:  www.b-sec.com.au/disclaimer.txt*
>