[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Matt Tesauro matt.tesauro at owasp.org
Tue Jun 1 15:27:32 UTC 2010

A couple of thoughts:

* I like the idea of both proposals being heard by the board and voted 
on.  Since OWASP is an open community, let's give both ideas their "15 
minutes" and make our decision after both are heard.

* I'd like to second Eoin's great idea of a simple proposal email 
without any additional info and/or 'noise'.  I'd suggest that both Mike 
and Dinis do this prior to the board call so that we don't have to burn 
call time reviewing the basics.

* One worry I have with both plans is the perception that business will 
have about what the registry really is.  Primarily, I see something like 
Fake Corp which just became an OWASP corporate member saying "OK, I paid 
my $5,000; when do I get listed in the OWASP registry?"  We have to be 
_very_ clear about our message or we may end up hurting our efforts with 
corporate memberships.

* I also keep wondering about some sort of partnership with 
securityscoreboard.com where we have enough distance between us to keep 
the no commercial aspects of OWASP clear of any misunderstanding.

Per Dinis's request, I'll address the other issue paired with this one 
in that sister thread.

-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On 6/1/10 9:28 AM, dinis cruz wrote:
> Good idea Eoin, and I will send that request/vote as soon as we get some
> comments from Jeff, Dave and Tom
> I really would like to hear what they have to say about the proposed
> 'OWASP Commercial Services' model.
> Dinis Cruz
> On 1 June 2010 15:15, Eoin <eoin.keary at owasp.org> wrote:
>     My suggestion;
>     Please send the proposal with no "noise" in the email, simply the
>     proposal, so we can review and agree/disagree with this project.
>     1. Is this a viable project? (please reflect on the benefit to OWASP
>     in making this decision) (Y/N)
>     2. If (Y), are the stated governance articles sufficient? Do they
>     need any amendment, adjustment?
>     Eoin
>     On 1 June 2010 13:49, dinis cruz <dinis.cruz at owasp.org> wrote:
>         On 1 Jun 2010, at 13:08, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>         Great clarification, good framework.
>         Thanks, any problems with presenting this to the leaders as a
>         model that makes sense to the OWASP Board for the 'OWASP
>         Commercial Services'?
>>         Has this draft been shared with mike yet?
>         The answer to your question is at the bottom of my email. I did
>         call him and spent 16m trying to explain it to him.
>         He refused to understand, did not agree with the model, and took
>         personal offence to my comments.
>>         Perhaps we should share this, request his proposal in a
>>         similar write up and then invite him to the next board meeting
>>         to compare models "open" and a final vote on the topic after
>>         hearing both sides. Typically this would be a GPC focus.
>         Of course I want to share this (and we need to do it with the
>         'OWASP Board voice'). But Mike's latest actions (namely the
>         emails he sent yesterday to the list AFTER he spoke to me)
>         create a situation where we will have to contradict him.
>>         Might be politically correct, but we want to
>>         encourage volunteerism and use this as another example of how
>>         OWASP really works.
>         Of course that is what we want, but there is a moment where we have to
>         draw a line, and in this case Mike crossed several lines that he
>         shouldn't have crossed.
>         Like I said in my previous email, in my view, there are two
>         courses of action which we need to decide on ASAP (i.e. today)
>         1) Approve a model that the board recommends as the 'current
>         proposed model to see if we can get this to work' (based on the
>         model I present below (please feel free to propose changes))
>         2) Start the process of opening an 'OWASP Inquiry' on Mike's
>         actions as OWASP Leader (which we will also have to communicate
>         to the leaders list)
>         To make 1) more calm in the short term, we also need to remove
>         Mike from that project/initiative and leave me and Eoin in there
>         Dinis
>>         On Jun 1, 2010, at 4:49 AM, Eoin <eoin.keary at owasp.org> wrote:
>>>         Dinis/Board,
>>>         also as discussed in London,
>>>         There needs to be minimum number of feedback entries (3 or
>>>         so?) before any feedback is posted to ensure fairness and
>>>         avoid targeted emotive reviews.
>>>         Eoin
>>>         On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>             Board
>>>             After much discussion with a lot of OWASP leaders (both
>>>             online and personally) and after receiving a lot of
>>>             direct comments/worries about how it was currently being
>>>             set up (and led), I think we (the OWASP Leaders in
>>>             London last week) have come up with a model that should
>>>             work, and is VERY compatible with OWASP values and focus
>>>             on visibility.
>>>             Here is the proposed model (read it twice, since the
>>>             first couple of Articles will only really make sense the 2nd
>>>             time round :) )
>>>             ------------------------------
>>>             Article 1: The OWASP Commercial Services (hosted at
>>>             http://www.owasp.org/index.php/Commercial_Services)
>>>             is a service provided by OWASP to its community aimed at:
>>>             a) exposing the OWASP Community
>>>             to companies providing commercial services (good or bad)
>>>             around one or more OWASP Projects (Tools or Documents)
>>>             b) reward companies, individuals
>>>             or OWASP Leaders that provide successful commercial (i.e.
>>>             paid for) services around OWASP Projects (with the hope
>>>             that this will create a positive investment cycle that
>>>             will greatly benefit those OWASP Projects and community)
>>>             Article 2: The Companies or Individuals providing these
>>>             commercial services ARE NOT ALLOWED to post on the 'OWASP
>>>             Commercial Services' area any details about the services
>>>             they currently provide
>>>             Article 3: The only 'entities' that ARE ALLOWED to post
>>>             on the 'OWASP Commercial Services' area are existing
>>>             OWASP Members who are/were CLIENTS of those services, and
>>>             who, ON THE RECORD, have to provide a comment (good or
>>>             bad) about the services they receive.
>>>             Article 4: The Companies or Individuals providing these
>>>             commercial services ARE ALLOWED to comment on the
>>>             comments made about them (i.e. from Article 3.)
>>>             Article 5: ONLY the OWASP Project/Chapter Leaders ARE
>>>             ALLOWED, at their discretion, good taste and common
>>>             sense, to regularly communicate (i.e. advertise) to THEIR
>>>             PROJECT MAILING LIST the commercial services provided
>>>             around their project/chapter
>>>             Article 6: There will be very clear points of contact for
>>>             the reporting of any abuses on the 'OWASP Commercial
>>>             Services' model (which optionally can be
>>>             made anonymously). Any reports will be investigated
>>>             by a team made of several OWASP Committee and Board
>>>             members, with their findings and recommendations acted upon.
>>>             Article 7: The first phase of the 'OWASP Commercial
>>>             Services' will be implemented on top of the existing
>>>             OWASP Website engine (i.e. MediaWiki) and as the
>>>             transaction volume grows, and if needed, the service will
>>>             move to a more powerful community/social web solution
>>>             ------------------------------
>>>             And that's it :)
>>>             Here is what I like about this model and the problems it
>>>             solves/prevents:
>>>                 * it puts our community at the heart of this service
>>>                   in a way that they also have a lot to benefit from
>>>                   its existence (in fact, if we do this right, some
>>>                   companies could even join because of this)
>>>                 * It only allows existing and
>>>                   (hopefully) successful commercial deliveries of
>>>                   'OWASP Projects related services' to be listed
>>>                   (i.e. there is a hard requirement that the listings
>>>                   start with a 'real world' delivery of one of these
>>>                   services)
>>>                 * prevents the proactive existence of 'Marketing
>>>                   Speak', of the tendency to write a 'Super list of
>>>                   ALL potential OWASP related services provided by
>>>                   Company XYZ' and (more importantly)
>>>                   the exaggeration of the type of services provided
>>>                 * It creates a way for our projects/chapter leaders
>>>                   to advertise to their communities the services
>>>                   being provided around their project (including the
>>>                   ones they (the project leader) are providing and
>>>                   delivering)
>>>                 * The room for abuse is quite limited by the fact
>>>                   that everything is on the record (although we have
>>>                   to leave an obvious open channel for direct
>>>                   reports on such abuses)
>>>                 * The fact that we put the onus of managing these
>>>                   commercial communities on the project/chapter
>>>                   leader (or whoever he delegates to) creates a nice
>>>                   'self protecting system'. This happens because the
>>>                   project/chapter leaders are 'by design' pressured
>>>                   to have an independent and balanced opinion/position
>>>                   (since if he/she abuses his/her community he/she
>>>                   will be killing it)
>>>                 * finally if we get this right, we should see a huge
>>>                   increase in the number of OWASP Leaders being
>>>                   directly paid to work on OWASP projects, which has
>>>                   to be a good thing :)
>>>             What do you think?
>>>             Let's see if we can get a consensus from the board on this
>>>             one, so that we can present this to the owasp-leaders
>>>             and vote on it at the OWASP Board meeting next week.
>>>             (Btw, I just called Mike Boberski to explain this
>>>             'revised' model to him and he was NOT happy with this model, but
>>>             that is the topic for another email)
>>>             Dinis Cruz
>>>             _______________________________________________
>>>             Owasp-board mailing list
>>>             Owasp-board at lists.owasp.org
>>>             https://lists.owasp.org/mailman/listinfo/owasp-board
>>>         --
>>>         Eoin Keary
>>>         OWASP Global Board Member
>>>         OWASP Code Review Guide Lead Author
>>>         http://asg.ie/
>>>         https://twitter.com/EoinKeary
>     --
>     Eoin Keary
>     OWASP Global Board Member
>     OWASP Code Review Guide Lead Author
>     http://asg.ie/
>     https://twitter.com/EoinKeary

