[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Eoin eoin.keary at owasp.org
Fri Jun 18 14:57:53 UTC 2010


Jess,
re: "We could partner with industry to lead a balanced industry-wide
awareness campaign."

I attempted this industry focused approach with *OWASP Industry Outreach
(OIO)*, but got very little buy-in for the board apart from Matt and Seba.
Do we want to rethink and fire up the project again?


Eoin



On 18 June 2010 02:45, Jeff Williams <jeff.williams at owasp.org> wrote:

>   I don't understand why you think that the rules I proposed are sound but
> dismiss it from having a chance of working (and you are wrong with the
> problem with anonymous comments, since managing that is part of what the
> team behind this service needs to do).
>
> I think you’re ignoring the significant and fairly certain downside risk to
> OWASP’s reputation and the fairly limited upside to this proposal. Starting
> a slander board will not do anything to build a commercial model around
> OWASP projects except alienate people and companies in our space.
>
> You can’t manage comments when you have no way to authenticate anyone,
> whether they’re from a company or a customer. And you’ll have no way to tell
> whether the comments are accurate or not.  All this time could be better
> spent.
>
> If we want to help projects build a commercial model then we should act
> like an incubator. We should help companies build services around OWASP
> projects.  The current model puts the cart before the horse.
>
> Jeff, it is perfectly OK for you to have a position that you don't feel the
> proposed model (i.e. the original rules + the changes made by Eoin (and
> hopefully Dave)) will work, but we need to give this a go.
>
> So, I propose that we have a vote on presenting the new set of rules to the
> leaders as a 'new model to see if it works', and then let me and Eoin (and
> others who wish to be involved) run with it and see if we can get it to
> work.
>
> Fine – please consider the downside risk and whether this really
> contributes to our mission when you vote.
>
> Btw, Jeff, I really like this phrase from your last email, since it is
> exactly what I'm trying to create here:
>
> "...At the core, the idea is that we can unite our ecosystem by making it
> much easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles...."
>
> Thanks – I do understand the importance of the commercial model for OWASP.
> But I’ve thought about this one very hard and I can see how it’s going to
> come out.  I’m convinced that we should not do this and should keep looking
> for alternatives.
>
> I suggest we focus instead on things we can do to get commercial services
> **started** around OWASP projects, not rate them **after** they exist.
> Here are a few concrete ideas…
>
> 1. Start an OWASP Commercial Services Broker - WE define the
> services, WE list providers (no marketing talk), WE act as a broker and get
> performance ratings
>
> 2. Produce an independent “buyer’s guide” to application security.
> An extension to the RFP language project.
>
> 3. Offer to provide support to companies wanting to run an OWASP
> defined service.
>
> The more I think about it, the key is that OWASP must define the service.
> That eliminates all the bias.
>
> --Jeff
>
> On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Board,
>
> I’ve spent the last week thinking about OWASP’s relationship with the
> commercial market.  Like a good lawyer, I’ve tried to argue the sense of
> engaging with commercial forces below.  But -- I can’t make myself believe
> it.
>
> Even though the model proposed is a big improvement on what’s there AND the
> rules are solid, I don’t believe it will actually work.  The move to a
> customer-driven model (vs. a corporate driven one) is a good idea.  But we
> just don’t have the technology or human cycles to avoid abuse – assuming it
> got used enough to be abused.  Imagine the first post is terribly critical
> of Veracode. This could have been a real customer or not, it could have been
> a competitor – we have no way of knowing. And if someone responds we have no
> way of knowing if that is real either.  Ultimately, a big pile of
> untrustworthy crap that drags our reputation down for no clear benefit.
>
> I have racked my brain about this, and I don’t see a clear path forward.  I
> propose we take down the CSR as a failed experiment and call it a day.
>
> I do think there are things that we can do **with** industry where our
> interests are very clearly aligned.  Things that will really actually help
> us achieve our mission.  Of the ideas below, I think the industry-wide
> awareness campaign is the most likely to succeed.
>
> --Jeff
>
> -------------
>
> Hi everyone,
>
> To achieve our goal of improving application security worldwide we need a
> thriving sustainable application security ecosystem. Only through the
> activity of this ecosystem can we drive progress in application security.
> For more on the security ecosystem concept, please refer to
> http://www.owasp.org/index.php/Security_Ecosystem_Project.
>
> For a long time, OWASP has resisted all but the most trivial interaction
> with commercial organizations in an effort to ensure that our brand is not
> abused nor our mission compromised. However, the application security market
> is less than 1% of what it needs to be to keep up with new software
> development. Given the staggering size of the challenge we face, we may have
> to change our tactics.  It goes without saying that we would never change
> our values about keeping everything at OWASP free and open.
>
> At the core, the idea is that we can unite our ecosystem by making it much
> easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles.
>
> The good news is that it is in *everyone’s* interest to make our
> application security ecosystem grow and thrive.
>
> Some ideas:
>
> · We could start a moderated commercial services registry.  We
> tried this and it didn’t work very well.  The marketing language involved
> wasn’t very consistent with OWASP principles, and it also wasn’t attractive
> to commercial firms.
>
> · We could turn it around and provide a forum for customers to
> share their experiences with product and service companies in our space. But
> without a reputation platform, there’s little doubt that the service would
> be abused by anonymous posters.
>
> · We could partner with industry to lead a balanced industry-wide
> awareness campaign.
>
> · We can seek out and support commercial entities that are willing
> to build commercial services based on OWASP projects. In a way, acting as an
> incubator for good ideas in appsec.
>
> · We can lobby governments around the world to take steps towards
> making application security visible.
>
> · bzzzz
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary