[Owasp-board] Proposed model for SI to hire Sandra as an OWASP resource

dinis cruz dinis.cruz at owasp.org
Wed Jan 26 10:05:23 UTC 2011

Board, I would like to send the email below to the leaders list.

Any Comments? Doubts? Questions? Worries? Ideas?

I'm CCing Sandra, Jason and Ed so that (if you want) you can include them in
your reply




I have been trying for a while to find a model that allows professional
talent to work for OWASP, as externally-paid resources, by companies who
have an interest in the deliverables of that talent... and... I think
that I have finally found one (including two parties that want to 'try it out').

This is the equivalent of an OWASP employee, where OWASP doesn't pay
him/her, but instead the employee's time is donated to OWASP by a 3rd party
company (who pays for the resource donated). Of course there will be
some requirements made by the entity paying the bill, but as long as
everything is transparent and open, we should be fine.

In this specific example, we are talking about a company (SI,
http://www.securityinnovation.com) that has interest in
working/developing/releasing CC (http://creativecommons.org) OWASP materials
that can be used by:

   - the entire OWASP community, and
   - other application security services providers (like SI).

During the Academies meeting, held in Lisbon in January, Security Innovation
and Sandra Paiva became the two sides of a very interesting proposition. SI
was interested in creating eLearning courses on OWASP materials. For that,
they would need to find someone to prepare the necessary contents and create
training decks of slides that could then be used for the production of their
eLearning platforms (which SI owns and sells as a service (just like many
others)). Sandra, on the other hand, was finishing her 3 months contract to
operationalize the OWASP Academies/ OWASP Training and was available to
continue her collaboration with OWASP.

As you can see below, SI needs (for its own training business) to have
access to high quality materials from OWASP Projects. SI has taken a view
(correct in my point of view) that they have a lot to gain, if a number of
their 'OWASP related activities' and investments are shared back to OWASP
under a CC license.

Since there are obvious synergies between SI and OWASP (all done under a
CC/OpenSource umbrella) and because Sandra's current work for OWASP has been
amazing (see the OWASP Training and Academies that she worked on), I
suggested to both SI and Sandra that they work together on the creation of
(CC-released) training materials for OWASP projects. I'm happy to say that
they both accepted, and if all goes well, SI is going to hire Sandra to work
for OWASP!

A significant part of Sandra's time will be spent talking/engaging with the
multiple OWASP Projects. Her focus will be to transform the existing (or
new) content into training slide-decks. In order to facilitate this (and to
maximize Sandra's 'OWASP available' time), Sandra would work with Paulo
Coimbra on his 'OWASP Projects normalization efforts' and help/facilitate
the updating/organization of those projects' content (which means that
the benefits to OWASP from Sandra's activities will be much greater than a set of
slide decks).

A critical part of this exercise is the active involvement of the project
leaders, namely how much they are able to support Sandra (remember that
everything that Sandra is going to be working on will be released under a
CC license! SI (and other companies) are then free to reuse it for their
own commercial interests, just like they do today).

As you can see, your input and help (as project leaders) will be invaluable
for the success of this engagement. In return, your projects will be
improved and supported by new (high-quality) training decks. These
slide-decks will be:

   - spread around the entire OWASP community,
   - delivered on OWASP Training events,
   - incorporated inside University courses   :)

Please take a good look at the section included at the end of this email,
which contains:

   - a general model/framework for this type of collaboration/sponsorships
   with external parties
   - the specific arrangement with Security Innovation and Sandra (note that
   the financial value of this transaction is not included since that is a
   matter between SI and Sandra (if you want to know, ask them :) )

I believe that this is a great development for OWASP, and one that should be
used for finding more 'professionally paid resources' to work on OWASP
projects (for example, Jim's idea for an ESAPI developer and ESAPI
documentation-focused resource).

Since OWASP can't really pay its leaders (where would it start? and how
could it choose who to pay?), I think this solution presents a perfect

Note that an 'undocumented' variation of this model is already happening in
large quantities at OWASP, this is just a way to formalize that model (see
http://www.owasp.org/index.php/Summit_2011_Attendee for a list of companies
that are paying their employees to work on 'OWASP related' activities)

What do you think?

Dinis Cruz

*PROPOSED MODEL FOR SI + SANDRA (this was created by SI with input from me
and Sandra and is designed to be posted on the OWASP WIKI)*

*General working model:*

- A Corporation hires an OWASP resource to develop a project of mutual
interest. The negotiation of duration and payment is between the
corporation and the resource.
- The Corporation may contractually oblige the OWASP resource to one or more
deliverables during the time of service. These deliverables may be specific
to an OWASP project, to the Corporation, or both.
- The Corporation donates the resource to the OWASP project. The contractual
relationship between the resource and the corporation includes a clause that the
resource will do work for OWASP based on OWASP priorities as specified by
the organization.
- The Corporation may specify the relative priority of deliverables vs. OWASP
project leader direction at their discretion.

*Specific arrangement with SI:*

- Security Innovation (SI) will hire Sandra Paiva for 6 months at a daily
rate to be negotiated between SI and Sandra.
- SI will specify a set of training deck deliverables, along with a delivery
schedule, in the contract with Sandra. These deliverables will specify a set
of topics and/or projects that should be covered by training slides as well
as the minimum quality bar and format that must be met. It will be up to
Sandra's discretion how these are created and delivered. There
will be some flexibility in the deliverables to account for the
unpredictability of working with volunteer project leaders. These training
deck deliverables will be given to the OWASP Academies project as well as to SI.

- SI will contractually specify that these training deck deliverables are
Sandra's first priority; however, she may use additional time in her schedule
to work on additional priorities as stated by Dinis, and these will be for
her to work with the OWASP Project Manager, Paulo, to spread the GPC
template to as many projects as possible.

- All materials covered in the contract with Sandra will be released under a
CC license and made available on the OWASP wiki.

- SI (and others) can use the CC materials produced to
create proprietary e-learning content or other materials at their

- SI will provide priorities and a roadmap that can be used to flesh out
training deck content. While these will be based on SI priorities and
customer feedback, they also can provide a valuable starting point for OWASP
to work from.

*As for SI's motivation, please read below the paragraph written by them in
the process of discussing this matter:*


*Why is SI doing this?*

*In their own words:* "...Security Innovation is in the business of
creating world class training for our customers. We have a very good process
for turning training material into app security focused eLearning classes
that appeal to practitioners. One of our challenges is keeping our 'pipe' of
incoming high-quality training content full. We have a great team of
internal SMEs and a network of external contractors that we can source
training content from. However, none of these people have a full time
responsibility for content generation and so the stream of content can
become unpredictable at times. This arrangement with OWASP can not only
provide value to the OWASP community as a whole but will also provide a
predictable stream of high quality content to SI for the next few months.
We've determined that for a similar amount of money we could hire a
contractor to organize OWASP content and training content for us, however we
feel that cooperating with OWASP in this manner improves our connection with
the OWASP community while providing value to both OWASP and SI
simultaneously. What we lose in the process is full control over the slide
decks and sole-ownership of their content. We feel that we will be able to
differentiate enough through our eLearning development process that this
risk is mitigated and offset by the relationship we will be building with
the community at large..."
