[Owasp-board] Proposal: OWASP 'Discounts' and promotion of such on OWASP

Dinis Cruz dinis at ddplus.net
Fri Jan 26 13:39:20 UTC 2007

Ok, I share Jeff's concern but have a different reading on the issue.

Before I put down my ideas, a couple concepts:

1) Due to our highly decentralized and open structure, the amount of 'real
power (or control)' that we have over our community is very limited (we have
a lot of 'soft power' since our opinions tend to be respected, but we have
to be very careful on how and where to use that power). The areas where we DO
have some control are:

   - The www.owasp.org home page (and who is SysOp)
   - The contents of the Weekly Newsletters that go to everybody (and
   emails to owasp-all)
   - Who is a project and chapter leader (i.e who controls the mailing
   - Who is an OWASP member (note that we can always say no)
   - Everything related to our Conferences
   - OWASP Brand (at least the guidelines on how to use it)
   - OWASP community guidelines (i.e. what is acceptable behaviour in the
   OWASP community)

2) We should always apply the principle of the 'Wisdom of the Crowds' and
let our community decide on what is acceptable behaviour or not (there are
limits of course, but I would only use Board decisions as last resort). We
also need to take into account local cultures (what is acceptable behaviour
in Portugal might not be in the US)

3) Membership benefits. As Dave mentioned, we need to have more 'things'
that only members can do or are affected by.

4) I strongly believe that it is very important for OWASP's future to have:

   - individuals (and companies) directly affected by OWASP. And here I
   can speak for myself, since my involvement with OWASP has exposed me to all
   of my current paid projects

   - companies providing commercial services around OWASP (training is an
   obvious choice, but why don't we have companies that provide paid support
   for OWASP tools? (just like what happened with Linux))

5) The current Web Application Security Job Market is very inefficient where
it is very hard to evaluate how good people are (OWASP can play a big part
here since employers can look at past OWASP work) and very hard to know
'who' is available for projects.

ok, with this said, here are my ideas on the subject:

Offers to OWASP Members

1) Only members should be allowed to post 'offers' to OWASP members

2) Any abuses on the Posting Guidelines (see below) will make that member
lose its membership (with no financial compensation)

3) The Posting Guidelines

   - All offers can ONLY be made to OWASP members (i.e. OWASP mailing
   list subscribers that are not OWASP members are NOT eligible)

   - Posts to be made to the local chapter mailing list CCed to
   offersToMembers at owasp.org (if in doubt, email
   offersToMembers at owasp.org first). It is the chapter leader's
   responsibility to manage this process and to make sure that the 'Posting
   Guidelines' are met.

   - All Discounts or Free products/services must have real value to
   owasp members and cannot be 'cheap' marketing actions

   - Jobs offers should be placed by a direct contact responsible for
   hiring (i.e. no Agencies) and must be specific to OWASP (i.e. no copy
   and paste from other job locations). Again 'no cheap' recruiting

   - Only Job offers (i.e. 'Web Security Penetration Tester is required')
   or Request for Proposals are acceptable (i.e. 'We need an App Sec team
   to test our website'), but again no copy and paste. When the requirement is
   fulfilled another post must be made making the local chapter list aware of
   the decision.

   - Job requests are NOT acceptable (i.e. ' I/We are looking for

   - All posts must include a link to this Posting Guidelines page

4) Owasp board (or somebody appointed by it) will decide which offers are
included in the OWASP Newsletter, added as an 'official' benefit of the
'OWASP Benefits of Membership' page or posted on the relevant OWASP Jobs

5) Any abuses of these guidelines should be reported immediately to
offersToMembers at owasp.org and an investigation on the issue will be


What do you think?

If we can make this work, this could be another major step of OWASP, and
another massive benefit to OWASP members. It's win-win :)

If you at least agree with the principles, why don't we send an email to
owasp-leaders and ask for their opinion (then based on their answers we can
make a final decision)


On 1/25/07, Dave Wichers <dave.wichers at owasp.org> wrote:
> Jeff and I talked about this briefly and this is what I propose:
> 1) If someone wants to offer a discount to OWASP members, and
> 2) That organization also contributes something of specific benefit to
> itself, then we should do the following, and ONLY the following:
> What we will do:
> We should list the event/item/etc. as a single bullet under the 'Discounted
> conference registration fees ...' bullet #4 on the Benefits of Membership
> page. This bullet will include the minimum necessary to understand what the
> thing/event is, what the discount is, and a link to that organization's site
> for more info.
> I would be happy to be the conduit through which all such updates are done,
> for consistency reasons. If this discount list gets large enough, we could
> make it a separate page.
> What we won't do:
> Mention or promote this anywhere else on the OWASP site, or allow it to be
> broadcast over OWASP mailing lists. It would be OK to mention it verbally at
> OWASP chapter meetings, I would think.
> What qualifies as a specific benefit to OWASP:
> Things like:
>   Some revenue share arrangement with OWASP
>   Providing some goods/services/licenses to OWASP
>   Joining OWASP as a corporate member (this is important)
> What do you guys think about this limited / controlled model to allow
> to 'promote' the existence of such discounts.
> I like the idea, but do share Jeff's concern and I hope this provides enough
> constraints so it doesn't get out of hand.
> I also like the idea of expanding the member benefits in this way as it
> might encourage more people to join.
> Thoughts?
> -Dave
> -----Original Message-----
> From: Dave Wichers [mailto:dave.wichers at owasp.org]
> Sent: Wednesday, January 24, 2007 10:45 AM
> To: 'owasp-board at lists.owasp.org'
> Subject: RE: [Owasp-board] FW: Motivation to attend OWASP meetings
> OK,
> I agree with the concern but what do you consider a direct and specific
> benefit? If the organization joins OWASP (which is a direct $) benefit, and
> then offers a discount to something like a conference or some training, does
> that qualify? I kind of think it should, but I could be convinced otherwise.
> -Dave
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
> Sent: Wednesday, January 24, 2007 10:40 AM
> To: OWASP Board
> Subject: [Owasp-board] FW: Motivation to attend OWASP meetings
> Hi,
> We're getting a number of requests from people to make special deals to
> OWASP members.  While it seems like a 'no-harm' kind of thing, I'm a little
> concerned about the long-term effect here.  It is really misusing OWASP for
> a little cheap marketing.  I'm sure nobody here has a malicious intent, but
> over the long term, it makes OWASP look a little shady.
> My recommendation is that we never let anyone do this kind of advertising at
> OWASP (outside the banner ad), unless there is a direct and specific benefit
> to OWASP itself, and not just a corollary benefit to the members.
> Thoughts?
> --Jeff
> Jeff Williams, Chair
> The OWASP Foundation
> work: 410-707-1487
> main: 301-604-4882
> "Dedicated to finding and fighting the causes of insecure software"
> -----Original Message-----
> From: Nish Bhalla [mailto:nish at securitycompass.com]
> Sent: Wednesday, January 24, 2007 10:35 AM
> To: 'Jeff Williams'
> Cc: dinis at ddplus.net
> Subject: Motivation to attend OWASP meetings
> Hi Guys,
> We in the Toronto OWASP chapter are having very very few people (non
> organizers 2 maybe 3) attend OWASP monthly meetings, so we were planning to
> do a raffle to give out seats in Security Compass public class (Haven't
> decided which one yet but possibly a one day source code review or hacking
> basics class).
> We wanted to extend this to other chapters as well, we would like to do it
> in a manner that is acceptable per OWASP and organized in such a manner
> that there is not a whole lot of misuse of giving this seat out.
> Please let me know what you guys think of this option and how you think we
> should proceed with this.
> Nish.
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?