[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Jeff Williams jeff.williams at owasp.org
Fri Jun 18 04:10:26 UTC 2010


Actually, I see no urgency on this issue whatsoever.

I'd like to suggest a separate vote on pulling down the existing CSR.

--Jeff

 

 

From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
Sent: Thursday, June 17, 2010 9:35 AM
To: dinis cruz; Jeff Williams; OWASP Foundation Board List
Subject: Re: [Owasp-board] IMPORTANT: Proposed (revised) model for the
'OWASP Commercial Services' pages

"With great power comes great responsibility". We don't have much power, but
we need to make a robust decision on this issue.

Not everyone shall be happy with the outcome, but that is democracy and the
joys of defining the direction of any group or team.

I am happy to support this as long as it is in line with OWASP's mission.

The question is: is it?

Maybe we should put this to a vote which includes the active project (not
chapter) leads also?

-ek

On 17 June 2010 00:14, dinis cruz <dinis.cruz at owasp.org> wrote:

I disagree, Jeff, that we should call it a day.

I don't understand why you think that the rules I proposed are sound but
dismiss them as having no chance of working (and you are wrong about the
problem with anonymous comments, since managing that is part of what the
team behind this service needs to do).

Part of the problem so far has been Mike's cavalier approach to the problem,
which has created a lot of negative energy behind this.

This is why this project/initiative should/will be led by people that know
our community quite well and are respected by it. In this case, me and
Eoin.

Jeff, it is perfectly OK for you to hold the position that you don't feel the
proposed model (i.e. the original rules + the changes made by Eoin (and
hopefully Dave)) will work, but we need to give this a go.

So, I propose that we have a vote on presenting the new set of rules to the
leaders as a 'new model to see if it works', and then let me and Eoin (and
others who wish to be involved) run with it and see if we can get it to
work.

So far, Jeff has been the only one who will (probably?) vote against this
(or abstain from voting). Does anybody else have issues that they would like
to raise?

Dave, can you add your comments to the document Eoin sent last time so that
I can resubmit it as the final version?

Btw, Jeff, I really like this phrase from your last email, since it is
exactly what I'm trying to create here:

"...At the core, the idea is that we can unite our ecosystem by making it
much easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles...."

Dinis Cruz


On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:

Board,

I've spent the last week thinking about OWASP's relationship with the
commercial market.  Like a good lawyer, I've tried to argue the sense of
engaging with commercial forces below.  But -- I can't make myself believe
it.

Even though the model proposed is a big improvement on what's there AND the
rules are solid, I don't believe it will actually work.  The move to a
customer-driven model (vs. a corporate-driven one) is a good idea.  But we
just don't have the technology or human cycles to avoid abuse - assuming it
got used enough to be abused.  Imagine the first post is terribly critical
of Veracode. This could have been a real customer or not, it could have been
a competitor - we have no way of knowing. And if someone responds we have no
way of knowing if that is real either.  Ultimately, a big pile of
untrustworthy crap that drags our reputation down for no clear benefit.

I have racked my brain about this, and I don't see a clear path forward.  I
propose we take down the CSR as a failed experiment and call it a day.

I do think there are things that we can do *with* industry where our
interests are very clearly aligned.  Things that will really actually help
us achieve our mission.  Of the ideas below, I think the industry-wide
awareness campaign is the most likely to succeed.

--Jeff

-------------

Hi everyone,

To achieve our goal of improving application security worldwide we need a
thriving, sustainable application security ecosystem. Only through the
activity of this ecosystem can we drive progress in application security.
For more on the security ecosystem concept, please refer to
http://www.owasp.org/index.php/Security_Ecosystem_Project.

For a long time, OWASP has resisted all but the most trivial interaction
with commercial organizations in an effort to ensure that our brand is not
abused nor our mission compromised. However, the application security market
is less than 1% of what it needs to be to keep up with new software
development. Given the staggering size of the challenge we face, we may have
to change our tactics.  It goes without saying that we would never change
our values about keeping everything at OWASP free and open.

At the core, the idea is that we can unite our ecosystem by making it much
easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles.

The good news is that it is in everyone's interest to make our application
security ecosystem grow and thrive.

Some ideas:

- We could start a moderated commercial services registry.  We tried
  this and it didn't work very well.  The marketing language involved wasn't
  very consistent with OWASP principles, and it also wasn't attractive to
  commercial firms.

- We could turn it around and provide a forum for customers to share
  their experiences with product and service companies in our space. But
  without a reputation platform, there's little doubt that the service would
  be abused by anonymous posters.

- We could partner with industry to lead a balanced industry-wide
  awareness campaign.

- We can seek out and support commercial entities that are willing to
  build commercial services based on OWASP projects. In a way, acting as an
  incubator for good ideas in appsec.

- We can lobby governments around the world to take steps towards
  making application security visible.

- bzzzz

_______________________________________________
Owasp-board mailing list
Owasp-board at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-board



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
