[Owasp-board] FW: [Owasp-leaders] What do you want OWASP to become?

Jeff Williams jeff.williams at aspectsecurity.com
Sat Nov 10 00:35:40 UTC 2007


The original rationale for keeping the rates relatively high was to
limit the overhead of having to deal with a large number of members. Now
that we have an employee, perhaps it's time to revisit.  I'd like to see
some estimates of how many members people think will join at various
levels.  A million $1 members?  I'd rather have a hundred 10,000
members.

--Jeff

-----Original Message-----
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Friday, November 09, 2007 11:21 AM
To: 'OWASP Board'
Subject: [Owasp-board] FW: [Owasp-leaders] What do you want OWASP to become?

What do you think about Ivan's proposal to create some smaller/cheaper
corporate membership categories for very small companies that want to
join, but won't because it's too expensive?

-Dave

-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic at gmail.com] 
Sent: Friday, November 09, 2007 9:32 AM
To: Dave Wichers
Subject: Re: [Owasp-leaders] What do you want OWASP to become?

Speaking from experience (when I was the only employee in my company),
I would have paid $500 essentially without thinking. (By the way, I
did pay for my personal membership then but I didn't think it would be
ethical to associate my business with OWASP just because I paid $100.)
But there was no way I could justify spending $3000. Even $1000 would
be too much. But I imagine 1-person companies are relatively rare, no?
I think having a $1000 membership would be a significant improvement.
We could have something like $500 (1-3 people) $1000 (<= 9), $3000 (<=
24), and $8000 (25+). I think this would make it easier for smaller
organisations to support OWASP. Just my 2 cents.

BTW, vendors that want to pay $9000 would probably pay $10000 too :)

See you at the conference!

On Nov 9, 2007 1:44 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> Ivan,
>
> Do you think adding in a $1K or maybe only $500 level for independent
> consultants makes sense? Would be helpful? I would think that such people
> would simply sign up as an individual member for $100. I wouldn't expect an
> independent consultant to expect to get his logo listed at OWASP as a
> corporate member. You can always donate if you want to pay more than the
> $100.
>
> -Dave
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ivan Ristic
> Sent: Thursday, November 08, 2007 6:22 PM
> To: Dinis Cruz
> Cc: OWASP Leaders
> Subject: Re: [Owasp-leaders] What do you want OWASP to become?
>
> Some random thoughts:
>
> * I think we should continue along the path we are on right now and
> strengthen our positions. Continue to grow the network of Chapters,
> work on our conferences, and so on. Increase quality before expanding
> to new venues.
>
> * I also very much like the organisation of the Apache Foundation.
>
> * We need to introduce the concept of project incubation, minimal criteria
> required for a project to officially become an OWASP project.
>
> * I like the idea of certification but I don't think we are ready at
> this point. Also, this is an effort that needs to be handled
> professionally by full-time staff.
>
> * As I said before, I think whoever wants to be called a member needs
> to pay for it. Perhaps we could waive the fees for certain individuals
> after the first year. Also, the last time I looked the entry level
> fees for organisations were too high for very small businesses (e.g.
> independent security consultants).
>
>
> On Nov 1, 2007 12:34 AM, Dinis Cruz <dinis at ddplus.net> wrote:
> > Taking Adam's question head on (Adam's original email is included at the
> > end),
> >
> > OWASP Leaders, please answer these questions:
> >
> > As it grows: what do you want OWASP to become?
> >
> > A certifying and CBK type pseudo-company like (ISC)2?
> > An open source project organized along the lines of Debian, Apache, or a
> > similar group that owns a set of projects?
> > Does OWASP want to certify apps, testers, both or none? (I've seen all POV
> > advocated)
> > Who will be required to pay what kind of dues, if any?
> > How formal of an organization will OWASP become?
> > Is the status quo preferable to the proposed change?
> > Other?
> >
> > For the newer members of this list, here are some pages from our
> > www.owasp.org website which you might find interesting:
> >
> > https://www.owasp.org/index.php/About_OWASP
> > https://www.owasp.org/index.php/How_OWASP_Works
> > https://www.owasp.org/index.php?title=How_OWASP_Works&diff=22690&oldid=15689
> > (this is a previous version of the 'How OWASP Works' page which contains
> > some ideas about the future)
> > https://www.owasp.org/index.php/OWASP_brand_usage_rules
> > https://www.owasp.org/index.php/Chapter_Rules
> > https://www.owasp.org/index.php/Chapter_Leader_Handbook
> > https://www.owasp.org/index.php/Category:Chapter_Resources
> > http://www.owasp.org/index.php/Tutorial#Editing_OWASP
> >
> > And finally, if you haven't seen this amazing page created by Sebastien a
> > while back with descriptions and links to past OWASP presentations, you
> > must check it out now:
> > http://www.owasp.org/index.php/OWASP_Education_Presentation
> >
> > Back to the topic at hand. Now is the time to present and defend your ideas
> > and vision for OWASP (if you are not comfortable in sending them to the
> > list, send them to me directly on dinis.cruz at owasp.net)
> >
> > Thanks Adam for kickstarting this conversation :)
> >
> > Dinis Cruz
> >
> >
> > On 10/31/07, Adam Muntner <adam.muntner at quietmove.com> wrote:
> > > There is a lot of conversation about how to best organize OWASP -
> > > interesting discussion but if we take that approach we may end up with
> > > an OWASP that doesn't meet anyone's needs goal-wise, just
> > > structure-wise. Which doesn't mean much.
> > >
> > > It sounds like more fundamentally there's a debate going on about the
> > > direction of OWASP - as it grows, what's it to become?
> > >
> > > - A certifying and CBK type pseudo-company like (ISC)2?
> > > - An open source project organized along the lines of Debian, Apache, or
> > > a similar group that owns a set of projects?
> > > - Does OWASP want to certify apps, testers, both or none? (I've seen all
> > > POV advocated)
> > > - Who will be required to pay what kind of dues, if any?
> > > - How formal of an organization will OWASP become?
> > > - Is the status quo preferable to the proposed change?
> > >
> > > These are some of the more basic questions I've seen bubble to
> > > the surface... IMO better to address these big questions and then
> > > figure out how the structure could best support it... rather than end up
> > > with a bunch of rules and regs that don't fit anyone in particular.
> > >
> > > Just my .02!
> > >
> > >
> > >
> > >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
>
>
>
> --
> Ivan Ristic
>
>
>



-- 
Ivan Ristic


_______________________________________________
Owasp-board mailing list
Owasp-board at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-board


