[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Eoin eoin.keary at owasp.org
Thu Jun 17 13:34:37 UTC 2010


"With great power comes great responsibility", we don't have much power but
need to make a robust decision on this issue.
Not everyone shall be happy with the outcome, but that is democracy and the
joys of defining the direction of any group or team.

I am happy to support this as long as it is in line with OWASP's mission.
The question is: is it?
Maybe we should put this to a vote which includes the active project (not
chapter) leads also?


-ek
On 17 June 2010 00:14, dinis cruz <dinis.cruz at owasp.org> wrote:

> I disagree Jeff that we should call it a day,
>
> I don't understand why you think that the rules I proposed are sound but
> dismiss it from having a chance of working (and you are wrong with the
> problem with anonymous comments, since managing that is part of what the
> team behind this service needs to do).
>
> Part of the problem so far has been Mike's cavalier approach to the problem
> which has created a lot of negative energy behind this.
>
> This is why this project/initiative should/will be led by people that know
> our community quite well and are respected by them. In this case me and
> Eoin.
>
> Jeff, it is perfectly OK for you to have a position that you don't feel the
> proposed model (i.e. the original rules + the changes made by Eoin (and
> hopefully Dave)) will work, but we need to give this a go.
>
> So, I propose that we have a vote on presenting the new set of rules to the
> leaders as a 'new model to see if it works', and then let me and Eoin (and
> others who wish to be involved) run with it and see if we can get it to
> work.
>
> So far, Jeff has been the only one that will (probably?) vote against this
> (or abstain from voting). Does anybody else have issues that they would like
> to raise?
>
> Dave, can you add your comments to the document Eoin sent last time so that
> I can resubmit it as the final version?
>
> Btw, Jeff, I really like this phrase from your last email, since it is
> exactly what I'm trying to create here:
>
> "...At the core, the idea is that we can unite our ecosystem by making it
> much easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles...."
>
> Dinis Cruz
>
>
>   On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>>    Board,
>>
>> I’ve spent the last week thinking about OWASP’s relationship with the
>> commercial market.  Like a good lawyer, I’ve tried to argue the sense of
>> engaging with commercial forces below.  But -- I can’t make myself believe
>> it.
>>
>> Even though the model proposed is a big improvement on what’s there AND
>> the rules are solid, I don’t believe it will actually work.  The move to a
>> customer-driven model (vs. a corporate driven one) is a good idea.  But we
>> just don’t have the technology or human cycles to avoid abuse – assuming it
>> got used enough to be abused.  Imagine the first post is terribly critical
>> of Veracode. This could have been a real customer or not, it could have been
>> a competitor – we have no way of knowing. And if someone responds we have no
>> way of knowing if that is real either.  Ultimately, a big pile of
>> untrustworthy crap that drags our reputation down for no clear benefit.
>>
>> I have racked my brain about this, and I don’t see a clear path forward.
>> I propose we take down the CSR as a failed experiment and call it a day.
>>
>> I do think there are things that we can do **with** industry where our
>> interests are very clearly aligned.  Things that will really actually help
>> us achieve our mission.  Of the ideas below, I think the industry-wide
>> awareness campaign is the most likely to succeed.
>>
>> --Jeff
>>
>> -------------
>>
>> Hi everyone,
>>
>> To achieve our goal of improving application security worldwide we need a
>> thriving sustainable application security ecosystem. Only through the
>> activity of this ecosystem can we drive progress in application security.
>> For more on the security ecosystem concept, please refer to
>> http://www.owasp.org/index.php/Security_Ecosystem_Project.
>>
>> For a long time, OWASP has resisted all but the most trivial interaction
>> with commercial organizations in an effort to ensure that our brand is not
>> abused nor our mission compromised. However, the application security market
>> is less than 1% of what it needs to be to keep up with new software
>> development. Given the staggering size of the challenge we face, we may have
>> to change our tactics.  It goes without saying that we would never change
>> our values about keeping everything at OWASP free and open.
>>
>> At the core, the idea is that we can unite our ecosystem by making it much
>> easier to earn money through OWASP. Already, many organizations use our
>> tools and materials in their products and services.  And many of the core
>> OWASP contributors work for commercial application security product and
>> services companies.  We are exploring ways to harness the power of market
>> forces to achieve our mission without compromising our principles.
>>
>> The good news is that it is in *everyone’s* interest to make our
>> application security ecosystem grow and thrive.
>>
>> Some ideas:
>>
>> · We could start a moderated commercial services registry.  We
>> tried this and it didn’t work very well.  The marketing language involved
>> wasn’t very consistent with OWASP principles, and it also wasn’t attractive
>> to commercial firms.
>>
>> · We could turn it around and provide a forum for customers to
>> share their experiences with product and service companies in our space. But
>> without a reputation platform, there’s little doubt that the service would
>> be abused by anonymous posters.
>>
>> · We could partner with industry to lead a balanced industry-wide
>> awareness campaign.
>>
>> · We can seek out and support commercial entities that are willing
>> to build commercial services based on OWASP projects. In a way, acting as an
>> incubator for good ideas in appsec.
>>
>> · We can lobby governments around the world to take steps towards
>> making application security visible.
>>
>> · bzzzz
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary