[Owasp-board] Proposal: OWASP 'Discounts' and promotion of such on OWASP

Dave Wichers dave.wichers at owasp.org
Fri Jan 26 15:44:02 UTC 2007



I think a number of Dinis' ideas have merit but I'm hesitant to jump in with
both feet in all of this at the same time. I'd suggest we crawl first before
we start running. So, I think we should hold off on the rest of the ideas
for the moment and just try out the simple discount thing first. If that
seems to work well and not get out of control, we can then try slowly adding
some of the other ideas.


So, if you are OK with this, then I will move the 'discounts' benefits to
another page at OWASP and populate it with the few, but growing discounts we
are aware of, and at the bottom of that page we can include the 'rules' for
getting listed on that page.







From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Friday, January 26, 2007 8:39 AM
To: owasp-board at lists.owasp.org
Subject: Re: [Owasp-board] Proposal: OWASP 'Discounts' and promotion of
such on OWASP


Ok, I share Jeff's concern but have a different reading on the issue.

Before I put down my ideas, a couple concepts:

1) Due to our highly decentralized and open structure, the amount of 'real
power (or control)' that we have over our community is very limited (we have
a lot of 'soft power' since our opinions tend to be respected, but we have
to be very careful on how and where to use that power). The areas where we DO
have some control are: 

*	The www.owasp.org home page (and who is SysOp)
*	The contents of the Weekly Newsletters that go to everybody (and
emails to owasp-all)
*	Who is a project and chapter leader ( i.e who controls the mailing
*	Who is an OWASP member (note that we can always say no)
*	Everything related to our Conferences
*	OWASP Brand (at least the guidelines on how to use it)
*	OWASP community guidelines (i.e. what is acceptable behaviour in the
OWASP community)

2) We should always apply the principle of the 'Wisdom of the Crowds' and
let our community decide on what is acceptable behaviour or not (there are
limits of course, but I would only use Board decisions as a last resort). We
also need to take into account local cultures (what is acceptable behaviour
in Portugal might not be in the US) 

3) Membership benefits. As Dave mentioned, we need to have more 'things'
that only members can do or are affected by.

4) I strongly believe that it is very important for OWASP's future to have:

*	individuals (and companies) directly affected by OWASP. And here I
can speak for myself, since my involvement with OWASP has exposed me to all
of my current paid projects
*	companies providing commercial services around OWASP (training is an
obvious choice, but why don't we have companies that provide paid support
for OWASP tools? (just like what happened with Linux)) 

5) The current Web Application Security Job Market is very inefficient where
it is very hard to evaluate how good people are (OWASP can play a big part
here since employers can look at past OWASP work) and very hard to know
'who' is available for projects. 

ok, with this said, here are my ideas on the subject:

Offers to OWASP Members

1) Only members should be allowed to post 'offers' to OWASP members

2) Any abuses on the Posting Guidelines (see below) will make that member
lose its membership (with no financial compensation)

3) The Posting Guidelines

*	All offers can ONLY be made to OWASP members (i.e. OWASP mailing
list subscribers that are not OWASP members are NOT eligible) 
*	Posts to be made to the local chapter mailing list CCed to
offersToMembers at owasp.org (if in doubt, email offersToMembers at owasp.org
first). It is the chapter leader's responsibility to manage this process and
to make sure that the 'Posting Guidelines' are met.
*	All Discounts or Free products/services must have real value to
owasp members and cannot be 'cheap' marketing actions 
*	Jobs offers should be placed by a direct contact responsible for
hiring (i.e. no Agencies) and must be specific to OWASP (i.e. no copy and
paste from other job locations). Again 'no cheap' recruiting 
*	Only Job offers (i.e. 'Web Security Penetration Tester is required')
or Request for Proposals are acceptable (i.e. 'We need an App Sec team to
test our website'), but again no copy and paste. When the requirement is
fulfilled another post must be made making the local chapter list aware of
the decision. 
*	Job requests are NOT acceptable (i.e. ' I/We are looking for
*	All posts must include a link to this Posting Guidelines page

4) Owasp board (or somebody appointed by it) will decide which offers are
included in the OWASP Newsletter, added as an 'official' benefit of the
'OWASP Benefits of Membership' page or posted on the relevant OWASP Jobs

5) Any abuses of these guidelines should be reported immediately to
offersToMembers at owasp.org and an investigation on the issue will be


What do you think?

If we can make this work, this could be another major step of OWASP, and
another massive benefit to OWASP members. It's win-win :)

If you at least agree with the principles, why don't we send an email to
owasp-leaders and ask for their opinion (then based on their answers we can
make a final decision) 


On 1/25/07, Dave Wichers <dave.wichers at owasp.org> wrote:

Jeff and I talked about this briefly and this is what I propose:

1) If someone wants to offer a discount to OWASP members, and
2) That organization also contributes something of specific benefit to OWASP
itself, then we should do the following, and ONLY the following: 

What we will do:

We should list the event/item/etc. as a single bullet under the ' Discounted
conference registration fees ...' bullet #4 on the Benefits of Membership
page. This bullet will include the minimum necessary to understand what the 
thing/event is, what the discount is, and a link to that organization's site
for more info.

I would be happy to be the conduit through which all such updates are done,
for consistency reasons. If this discount list gets large enough, we could 
make it a separate page.

What we won't do:

Mention or promote this anywhere else on the OWASP site, or allow it to be
broadcast over OWASP mailing lists. It would be OK to mention it verbally at
OWASP chapter meetings, I would think.

What qualifies as a specific benefit to OWASP:

Things like:
  Some revenue share arrangement with OWASP
  Providing some goods/services/licenses to OWASP
  Joining OWASP as a corporate member (this is important) 

What do you guys think about this limited / controlled model to allow OWASP
to 'promote' the existence of such discounts.

I like the idea, but do share Jeff's concern and I hope this provides enough
constraints so it doesn't get out of hand.

I also like the idea of expanding the member benefits in this way as it
might encourage more people to join.



-----Original Message----- 
From: Dave Wichers [mailto:dave.wichers at owasp.org]
Sent: Wednesday, January 24, 2007 10:45 AM
To: owasp-board at lists.owasp.org
Subject: RE: [Owasp-board] FW: Motivation to attend OWASP meetings


I agree with the concern but what do you consider a direct and specific
benefit? If the organization joins OWASP (which is a direct $) benefit, and 
then offers a discount to something like a conference or some training, does
that qualify? I kind of think it should, but I could be convinced otherwise.


-----Original Message-----
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Wednesday, January 24, 2007 10:40 AM
To: OWASP Board
Subject: [Owasp-board] FW: Motivation to attend OWASP meetings


We're getting a number of requests from people to make special deals to
OWASP members.  While it seems like a 'no-harm' kind of thing, I'm a little 
concerned about the long-term effect here.  It is really misusing OWASP for
a little cheap marketing.  I'm sure nobody here has a malicious intent, but
over the long term, it makes OWASP look a little shady. 

My recommendation is that we never let anyone do this kind of advertising at
OWASP (outside the banner ad), unless there is a direct and specific benefit
to OWASP itself, and not just a corollary benefit to the members. 



Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882

"Dedicated to finding and fighting the causes of insecure software"

-----Original Message----- 
From: Nish Bhalla [mailto:nish at securitycompass.com]
Sent: Wednesday, January 24, 2007 10:35 AM
To: 'Jeff Williams'
Cc: dinis at ddplus.net
Subject: Motivation to attend OWASP meetings

Hi Guys,

We in the Toronto OWASP chapter are having very very few people (non
organizers 2 maybe 3) attend OWASP monthly meetings, so we were planning to
do a raffle to give out seats in Security Compass public class (Haven't
decided which one yet but possibly a one day source code review or hacking
basics class).

We wanted to extend this to other chapters as well, we would like to do it 
in a manner that is acceptable per OWASP and organized in such a manner
that there is not a whole lot of misuse of giving this seat out.

Please let me know what you guys think of this option and how you think we 
should proceed with this.


Owasp-board mailing list
Owasp-board at lists.owasp.org

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet? 
