[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Jeff Williams jeff.williams at owasp.org
Sat Jun 19 23:00:01 UTC 2010


Eoin,

 

I was actually thinking about partnering with the commercial companies in
the appsec space to do this.  But you're right - they might be quite
supportive if we set it up right.  The key is doing it in a way that's
completely open.

 

--Jeff

 

 

From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
Sent: Friday, June 18, 2010 10:58 AM
To: Jeff Williams
Cc: dinis cruz; OWASP Foundation Board List
Subject: Re: [Owasp-board] IMPORTANT: Proposed (revised) model for the
'OWASP Commercial Services' pages

 

Jeff,

re: "We could partner with industry to lead a balanced industry-wide
awareness campaign."

 

I attempted this industry focused approach with OWASP Industry Outreach
(OIO), but got very little buy-in from the board apart from Matt and Seba. Do
we want to rethink and fire up the project again?

 

 

Eoin



 

On 18 June 2010 02:45, Jeff Williams <jeff.williams at owasp.org> wrote:

I don't understand why you think that the rules I proposed are sound but
dismiss them from having a chance of working (and you are wrong with the
problem with anonymous comments, since managing that is part of what the
team behind this service needs to do).

 

I think you're ignoring the significant and fairly certain downside risk to
OWASP's reputation and the fairly limited upside to this proposal. Starting
a slander board will not do anything to build a commercial model around
OWASP projects except alienate people and companies in our space.

 

You can't manage comments when you have no way to authenticate anyone,
whether they're from a company or a customer. And you'll have no way to tell
whether the comments are accurate or not.  All this time could be better
spent.

 

If we want to help projects build a commercial model then we should act like
an incubator. We should help companies build services around OWASP projects.
The current model puts the cart before the horse.

 

Jeff, it is perfectly OK for you to have a position that you don't feel the
proposed model (i.e. the original rules + the changes made by Eoin (and
hopefully Dave)) will work, but we need to give this a go.

 

So, I propose that we have a vote on presenting the new set of rules to the
leaders as a 'new model to see if it works', and then let me and Eoin (and
others who wish to be involved) run with it and see if we can get it to
work.

 

Fine - please consider the downside risk and whether this really contributes
to our mission when you vote.

 

Btw, Jeff, I really like this phrase from your last email, since it is
exactly what I'm trying to create here:

 

"...At the core, the idea is that we can unite our ecosystem by making it
much easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles...."

 

Thanks - I do understand the importance of the commercial model for OWASP.
But I've thought about this one very hard and I can see how it's going to
come out.  I'm convinced that we should not do this and should keep looking
for alternatives.

 

I suggest we focus instead on things we can do to get commercial services
*started* around OWASP projects, not rate them *after* they exist.  Here are
a few concrete ideas.

 

1. Start an OWASP Commercial Services Broker - WE define the services,
WE list providers (no marketing talk), WE act as a broker and get
performance ratings

2. Produce an independent "buyer's guide" to application security.  An
extension to the RFP language project.

3. Offer to provide support to companies wanting to run an OWASP
defined service.

 

The more I think about it, the key is that OWASP must define the service.
That eliminates all the bias.

 

--Jeff

 

 

 

 

On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:

Board,

 

I've spent the last week thinking about OWASP's relationship with the
commercial market.  Like a good lawyer, I've tried to argue the sense of
engaging with commercial forces below.  But -- I can't make myself believe
it.

 

Even though the model proposed is a big improvement on what's there AND the
rules are solid, I don't believe it will actually work.  The move to a
customer-driven model (vs. a corporate driven one) is a good idea.  But we
just don't have the technology or human cycles to avoid abuse - assuming it
got used enough to be abused.  Imagine the first post is terribly critical
of Veracode. This could have been a real customer or not, it could have been
a competitor - we have no way of knowing. And if someone responds we have no
way of knowing if that is real either.  Ultimately, a big pile of
untrustworthy crap that drags our reputation down for no clear benefit.

 

I have racked my brain about this, and I don't see a clear path forward.  I
propose we take down the CSR as a failed experiment and call it a day.

 

I do think there are things that we can do *with* industry where our
interests are very clearly aligned.  Things that will really actually help
us achieve our mission.  Of the ideas below, I think the industry-wide
awareness campaign is the most likely to succeed.

 

--Jeff

 

 

-------------

 

Hi everyone,

 

To achieve our goal of improving application security worldwide we need a
thriving sustainable application security ecosystem. Only through the
activity of this ecosystem can we drive progress in application security.
For more on the security ecosystem concept, please refer to
http://www.owasp.org/index.php/Security_Ecosystem_Project. 

 

For a long time, OWASP has resisted all but the most trivial interaction
with commercial organizations in an effort to ensure that our brand is not
abused nor our mission compromised. However, the application security market
is less than 1% of what it needs to be to keep up with new software
development. Given the staggering size of the challenge we face, we may have
to change our tactics.  It goes without saying that we would never change
our values about keeping everything at OWASP free and open.

 

At the core, the idea is that we can unite our ecosystem by making it much
easier to earn money through OWASP. Already, many organizations use our
tools and materials in their products and services.  And many of the core
OWASP contributors work for commercial application security product and
services companies.  We are exploring ways to harness the power of market
forces to achieve our mission without compromising our principles.

 

The good news is that it is in everyone's interest to make our application
security ecosystem grow and thrive. 

 

Some ideas:

 

- We could start a moderated commercial services registry.  We tried
this and it didn't work very well.  The marketing language involved wasn't
very consistent with OWASP principles, and it also wasn't attractive to
commercial firms.

- We could turn it around and provide a forum for customers to share
their experiences with product and service companies in our space. But
without a reputation platform, there's little doubt that the service would
be abused by anonymous posters.

- We could partner with industry to lead a balanced industry-wide
awareness campaign.

- We can seek out and support commercial entities that are willing to
build commercial services based on OWASP projects. In a way, acting as an
incubator for good ideas in appsec.

 

- We can lobby governments around the world to take steps towards
making application security visible.

 

- bzzzz

 

 

 

 


_______________________________________________
Owasp-board mailing list
Owasp-board at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-board

 






-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
