[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Eoin eoin.keary at owasp.org
Tue Jun 22 13:45:11 UTC 2010


I can talk for myself on this issue.
Dinis please stop talking on my behalf, speak for yourself.
Dinis' views are not one-and-the-same as Eoin's, thank you very much.

-ek



On 22 June 2010 05:31, Jeff Williams <jeff.williams at owasp.org> wrote:

>  The vendor bragging board was the one Mike proposed.  The anonymous
> comment board is the model you suggested.  Sorry for the characterization,
> but I simply do not see how it is possible to avoid this.  This is not about
> Dinis and Eoin’s trustworthiness.  Everyone in the community holds you in
> the highest regard (myself included).  But without any way to authenticate
> the posters, you will be left with no way to know if their messages are
> accurate or not.  You could spend the time to track down every one and
> verify the poster and the vendor, but that would be a huge waste of time for
> very little gain.
>
>
>
> --Jeff
>
> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
> *Sent:* Monday, June 21, 2010 9:12 PM
> *To:* Jeff Williams
> *Cc:* Eoin; OWASP Foundation Board List
>
> *Subject:* Re: [Owasp-board] IMPORTANT: Proposed (revised) model for the
> 'OWASP Commercial Services' pages
>
>
>
> Jeff, when you say 'vendor bragging board or an anonymous comment board.' which
> model are you talking about?
>
>
>
>  Because the model that I proposed (i.e. the one with the N articles
> defining the rules of engagement) was designed specifically to avoid those
> bad behaviours.
>
>
> Dinis
>
>
> On 21 Jun 2010, at 14:25, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>  I haven’t really thought it through.  It’s just an example of how OWASP
> can help grow the commercial market around appsec in a way that supports our
> mission *without resorting to* a vendor bragging board or an anonymous
> comment board.
>
>
>
> We **could** spend our time creating a forum/directory/registry/whatever,
> but I don’t see it as a great way to spend our valuable effort.
>
>
>
> --Jeff
>
>
>
>
>
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of* Eoin
> *Sent:* Monday, June 21, 2010 7:16 AM
> *To:* Jeff Williams
> *Cc:* dinis cruz; OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] IMPORTANT: Proposed (revised) model for the
> 'OWASP Commercial Services' pages
>
>
>
> Jeff, old boy, so what do you suggest?
>
>
>
> There is a slight but significant difference between interaction with
> consulting & vendor firms in the app sec domain and dealing with s/w devs,
> CIOs and sec mgrs in the industry space.
>
> Are you suggesting the embracement of OWASP by appsec companies (which they
> already do when they need to)? I was thinking more along the lines of
> listening to industry to see what the hot issues are and looking at how to
> address such issues.
>
>
>
>
>
> -ek
>
> On 20 June 2010 00:00, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Eoin,
>
>
>
> I was actually thinking about partnering with the commercial companies in
> the appsec space to do this.  But you’re right – they might be quite
> supportive if we set it up right.  The key is doing it in a way that’s
> completely open.
>
>
>
> --Jeff
>
>
>
>
>
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of* Eoin
> *Sent:* Friday, June 18, 2010 10:58 AM
> *To:* Jeff Williams
> *Cc:* dinis cruz; OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] IMPORTANT: Proposed (revised) model for the
> 'OWASP Commercial Services' pages
>
>
>
> Jeff,
>
> re: "We could partner with industry to lead a balanced industry-wide
> awareness campaign."
>
>
>
> I attempted this industry focused approach with *OWASP Industry Outreach
> (OIO)*, but got very little buy-in for the board apart from Matt and Seba.
> Do we want to rethink and fire up the project again?
>
>
>
>
>
> Eoin
>
>
>
>
>
> On 18 June 2010 02:45, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> I don't understand why you think that the rules I proposed are sound but
> dismiss it from having a chance of working (and you are wrong with the
> problem with anonymous comments, since managing that is part of what the
> team behind this service needs to do).
>
>
>
> I think you’re ignoring the significant and fairly certain downside risk to
> OWASP’s reputation and the fairly limited upside to this proposal. Starting
> a slander board will not do anything to build a commercial model around
> OWASP projects except alienate people and companies in our space.
>
>
>
> You can’t manage comments when you have no way to authenticate anyone,
> whether they’re from a company or a customer. And you’ll have no way to tell
> whether the comments are accurate or not.  All this time could be better
> spent.
>
>
>
> If we want to help projects build a commercial model then we should act
> like an incubator. We should help companies build services around OWASP
> projects.  The current model puts the cart before the horse.
>
>
>
> Jeff, it is perfectly OK for you to have a position that you don't feel the
> proposed model (i.e. the original rules + the changes made by Eoin (and
> hopefully Dave)) will work, but we need to give this a go.
>
>
>
> So, I propose that we have a vote on presenting the new set of rules to the
> leaders as a 'new model to see if it works', and then let me and Eoin (and
> others who wish to be involved) run with it and see if we can get it to
> work.
>
>
>
> Fine – please consider the downside risk and whether this really
> contributes to our mission when you vote.
>
>
>
> Btw, Jeff, I really like this phrase from your last email, since it is
> exactly what I'm trying to create here:
>
>
>
> "...At the core, the idea is that we can unite our ecosystem by making it
> much easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles...."
>
>
>
> Thanks – I do understand the importance of the commercial model for OWASP.
> But I’ve thought about this one very hard and I can see how it’s going to
> come out.  I’m convinced that we should not do this and should keep looking
> for alternatives.
>
>
>
> I suggest we focus instead on things we can do to get commercial services
> **started** around OWASP projects, not rate them **after** they exist.
> Here are a few concrete ideas…
>
>
>
> 1. Start an OWASP Commercial Services Broker - WE define the
> services, WE list providers (no marketing talk), WE act as a broker and get
> performance ratings
>
> 2. Produce an independent “buyer’s guide” to application security.
> An extension to the RFP language project.
>
> 3. Offer to provide support to companies wanting to run an OWASP
> defined service.
>
>
>
> The more I think about it, the key is that OWASP must define the service.
> That eliminates all the bias.
>
>
>
> --Jeff
>
> On 16 June 2010 19:10, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Board,
>
>
>
> I’ve spent the last week thinking about OWASP’s relationship with the
> commercial market.  Like a good lawyer, I’ve tried to argue the sense of
> engaging with commercial forces below.  But -- I can’t make myself believe
> it.
>
>
>
> Even though the model proposed is a big improvement on what’s there AND the
> rules are solid, I don’t believe it will actually work.  The move to a
> customer-driven model (vs. a corporate driven one) is a good idea.  But we
> just don’t have the technology or human cycles to avoid abuse – assuming it
> got used enough to be abused.  Imagine the first post is terribly critical
> of Veracode. This could have been a real customer or not, it could have been
> a competitor – we have no way of knowing. And if someone responds we have no
> way of knowing if that is real either.  Ultimately, a big pile of
> untrustworthy crap that drags our reputation down for no clear benefit.
>
>
>
> I have racked my brain about this, and I don’t see a clear path forward.  I
> propose we take down the CSR as a failed experiment and call it a day.
>
>
>
> I do think there are things that we can do **with** industry where our
> interests are very clearly aligned.  Things that will really actually help
> us achieve our mission.  Of the ideas below, I think the industry-wide
> awareness campaign is the most likely to succeed.
>
>
>
> --Jeff
>
>
>
>
>
> -------------
>
>
>
> Hi everyone,
>
>
>
> To achieve our goal of improving application security worldwide we need a
> thriving sustainable application security ecosystem. Only through the
> activity of this ecosystem can we drive progress in application security.
> For more on the security ecosystem concept, please refer to
> http://www.owasp.org/index.php/Security_Ecosystem_Project.
>
>
>
> For a long time, OWASP has resisted all but the most trivial interaction
> with commercial organizations in an effort to ensure that our brand is not
> abused nor our mission compromised. However, the application security market
> is less than 1% of what it needs to be to keep up with new software
> development. Given the staggering size of the challenge we face, we may have
> to change our tactics.  It goes without saying that we would never change
> our values about keeping everything at OWASP free and open.
>
>
>
> At the core, the idea is that we can unite our ecosystem by making it much
> easier to earn money through OWASP. Already, many organizations use our
> tools and materials in their products and services.  And many of the core
> OWASP contributors work for commercial application security product and
> services companies.  We are exploring ways to harness the power of market
> forces to achieve our mission without compromising our principles.
>
>
>
> The good news is that it is in *everyone’s* interest to make our
> application security ecosystem grow and thrive.
>
>
>
> Some ideas:
>
>
>
> · We could start a moderated commercial services registry.  We
> tried this and it didn’t work very well.  The marketing language involved
> wasn’t very consistent with OWASP principles, and it also wasn’t attractive
> to commercial firms.
>
> · We could turn it around and provide a forum for customers to
> share their experiences with product and service companies in our space. But
> without a reputation platform, there’s little doubt that the service would
> be abused by anonymous posters.
>
> · We could partner with industry to lead a balanced industry-wide
> awareness campaign.
>
> · We can seek out and support commercial entities that are willing
> to build commercial services based on OWASP projects. In a way, acting as an
> incubator for good ideas in appsec.
>
> · We can lobby governments around the world to take steps towards
> making application security visible.
>
> · bzzzz
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary