[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

dinis cruz dinis.cruz at owasp.org
Wed Jun 16 23:14:24 UTC 2010


I disagree, Jeff, that we should call it a day.

I don't understand why you think that the rules I proposed are sound but
dismiss them as having no chance of working (and you are wrong about the
problem with anonymous comments, since managing that is part of what the
team behind this service needs to do).

Part of the problem so far has been Mike's cavalier approach to the problem
which has created a lot of negative energy behind this.

This is why this project/initiative should/will be led by people who know
our community quite well and are respected by them. In this case, Eoin and
me.

Jeff, it is perfectly OK for you to hold the position that you don't feel the
proposed model (i.e. the original rules plus the changes made by Eoin, and
hopefully Dave) will work, but we need to give this a go.

So, I propose that we have a vote on presenting the new set of rules to the
leaders as a 'new model to see if it works', and then let me and Eoin (and
others who wish to be involved) run with it and see if we can get it to
work.

So far, Jeff has been the only one who will (probably?) vote against this
(or abstain from voting). Does anybody else have issues that they would like
to raise?

Dave, can you add your comments to the document Eoin sent last time so that
I can resubmit it as the final version?

Btw, Jeff, I really like this phrase from your last email, since it is
exactly what I'm trying to create here:

"...At the core, the idea is that we can unite our ecosystem by making it
much easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles...."

Dinis Cruz


On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:

>  Board,
>
> I’ve spent the last week thinking about OWASP’s relationship with the
> commercial market.  Like a good lawyer, I’ve tried to argue the sense of
> engaging with commercial forces below.  But -- I can’t make myself believe
> it.
>
> Even though the model proposed is a big improvement on what’s there AND the
> rules are solid, I don’t believe it will actually work.  The move to a
> customer-driven model (vs. a corporate driven one) is a good idea.  But we
> just don’t have the technology or human cycles to avoid abuse – assuming it
> got used enough to be abused.  Imagine the first post is terribly critical
> of Veracode. This could have been a real customer or not, it could have been
> a competitor – we have no way of knowing. And if someone responds we have no
> way of knowing if that is real either.  Ultimately, a big pile of
> untrustworthy crap that drags our reputation down for no clear benefit.
>
> I have racked my brain about this, and I don’t see a clear path forward.  I
> propose we take down the CSR as a failed experiment and call it a day.
>
> I do think there are things that we can do **with** industry where our
> interests are very clearly aligned.  Things that will really actually help
> us achieve our mission.  Of the ideas below, I think the industry-wide
> awareness campaign is the most likely to succeed.
>
> --Jeff
>
> -------------
>
> Hi everyone,
>
> To achieve our goal of improving application security worldwide we need a
> thriving sustainable application security ecosystem. Only through the
> activity of this ecosystem can we drive progress in application security.
> For more on the security ecosystem concept, please refer to
> http://www.owasp.org/index.php/Security_Ecosystem_Project.
>
> For a long time, OWASP has resisted all but the most trivial interaction
> with commercial organizations in an effort to ensure that our brand is not
> abused nor our mission compromised. However, the application security market
> is less than 1% of what it needs to be to keep up with new software
> development. Given the staggering size of the challenge we face, we may have
> to change our tactics.  It goes without saying that we would never change
> our values about keeping everything at OWASP free and open.
>
> At the core, the idea is that we can unite our ecosystem by making it much
> easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles.
>
> The good news is that it is in *everyone’s* interest to make our
> application security ecosystem grow and thrive.
>
> Some ideas:
>
> · We could start a moderated commercial services registry.  We
> tried this and it didn’t work very well.  The marketing language involved
> wasn’t very consistent with OWASP principles, and it also wasn’t attractive
> to commercial firms.
>
> · We could turn it around and provide a forum for customers to
> share their experiences with product and service companies in our space. But
> without a reputation platform, there’s little doubt that the service would
> be abused by anonymous posters.
>
> · We could partner with industry to lead a balanced industry-wide
> awareness campaign.
>
> · We can seek out and support commercial entities that are willing
> to build commercial services based on OWASP projects. In a way, acting as an
> incubator for good ideas in appsec.
>
> · We can lobby governments around the world to take steps towards
> making application security visible.
>
> · bzzzz
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board