[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Jeff Williams jeff.williams at owasp.org
Wed Jun 16 18:10:38 UTC 2010



I've spent the last week thinking about OWASP's relationship with the
commercial market.  Like a good lawyer, I've tried to argue the sense of
engaging with commercial forces below.  But -- I can't make myself believe


Even though the model proposed is a big improvement on what's there AND the
rules are solid, I don't believe it will actually work.  The move to a
customer-driven model (vs. a corporate driven one) is a good idea.  But we
just don't have the technology or human cycles to avoid abuse - assuming it
got used enough to be abused.  Imagine the first post is terribly critical
of Veracode. This could have been a real customer or not, it could have been
a competitor - we have no way of knowing. And if someone responds we have no
way of knowing if that is real either.  Ultimately, a big pile of
untrustworthy crap that drags our reputation down for no clear benefit.


I have racked my brain about this, and I don't see a clear path forward.  I
propose we take down the CSR as a failed experiment and call it a day.


I do think there are things that we can do *with* industry where our
interests are very clearly aligned.  Things that will really actually help
us achieve our mission.  Of the ideas below, I think the industry-wide
awareness campaign is the most likely to succeed.







Hi everyone,


To achieve our goal of improving application security worldwide we need a
thriving sustainable application security ecosystem. Only through the
activity of this ecosystem can we drive progress in application security.
For more on the security ecosystem concept, please refer to


For a long time, OWASP has resisted all but the most trivial interaction
with commercial organizations in an effort to ensure that our brand is not
abused nor our mission compromised. However, the application security market
is less than 1% of what it needs to be to keep up with new software
development. Given the staggering size of the challenge we face, we may have
to change our tactics.  It goes without saying that we would never change
our values about keeping everything at OWASP free and open.


At the core, the idea is that we can unite our ecosystem by making it much
easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles.


The good news is that it is in everyone's interest to make our application
security ecosystem grow and thrive. 


Some ideas:


.        We could start a moderated commercial services registry.  We tried
this and it didn't work very well.  The marketing language involved wasn't
very consistent with OWASP principles, and it also wasn't attractive to
commercial firms.


.        We could turn it around and provide a forum for customers to share
their experiences with product and service companies in our space. But
without a reputation platform, there's little doubt that the service would
be abused by anonymous posters.


.        We could partner with industry to lead a balanced industry-wide
awareness campaign.


.        We can seek out and support commercial entities that are willing to
build commercial services based on OWASP projects. In a way, acting as an
incubator for good ideas in appsec.


.        We can lobby goverments around the world to take steps towards
making application security visible.


.        bzzzz





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100616/df35b3a6/attachment-0002.html>

More information about the Owasp-board mailing list