[Owasp-board] Agenda for In Person Board Meeting

Dennis Groves dennis.groves at owasp.org
Tue Jul 9 20:30:47 UTC 2013

I understand that GSOC is not an OWASP project.

Take the following use-case, using OWASP AppSensor as an example:

> A bunch of students from Google SOC help us with a new reference 
> implementation; and we want to thank Google, and the students for 
> making it happen in the 'credits'?

> We are now 'branding' our project, either in the documentation, or on 
> the project website with a commercial entity, which is strictly 
> forbidden by the new guidelines, however the ethical maxim 'credit 
> where credit is due' (as well as gratitude and good manners) dictates 
> going against the new guidelines.

Additional use-cases, again using OWASP AppSensor as an example:

1. WhiteHat Security (for profit, Security Vendor) gives us $10k to 
print the OWASP AppSensor Handbook 2.0; and we **gratefully acknowledge 
and thank** WhiteHat Security within the first few pages of the handbook 
for making it possible to give away hundreds of books.

2. What if it was IBM (for profit, non-security) instead that gave us 
the $10k, and made it possible to give away hundreds of books?

3. What if it was the Mozilla foundation (non-profit, non-security) 
instead that gave us the $10k, and made it possible to give away 
hundreds of books?

4. What if it was Amnesty International (Human Rights NGO) instead that 
gave us the $10k, and made it possible to give away hundreds of books?

5. What if it was the Department of Homeland Security (government grant) 
instead that gave us the $10k, and made it possible to give away 
hundreds of books?


The current document defines what must not be done, and I like that 
approach because it leaves open what can be done, and reduces what 
people need to know to participate - less is more. :)

However, I think it would be good to clarify and better define the word 
organisations. I have just demonstrated 5 different kinds of 
organisations, and they cannot all be lumped together in the same boat. 
And I also think it would be useful to provide sample use cases like the 
above for clarity.

Overall, this is shaping up to be a great document that represents a 
positive and significant change for the community, and that with a few 
modifications really nails the message on the head.



On 9 Jul 2013, at 11:58, Jim Manico wrote:

> Please note, Google Summer of Code is not an OWASP project in and of
> itself, but a vehicle to fund other OWASP projects. So I think it's
> acceptable.
> - Jim
>> On 8 Jul 2013, at 22:13, Michael Coates wrote:
>>> Board,
>>> We need to set the agenda for our in person board meeting at OWASP AppSec
>>> Europe. I've started the google document to gather topic ideas and areas of
>>> focus.
>>> Please add your ideas & thoughts.
>> I don't have permissions to add my comments.
>> <Kudos Jim>
>> First of all I want to thank Jim for all his hard work on this. Fundraising
>> and policy generation is very hard and thankless work. This is exactly the
>> kind of work the board should be focused on. Policy is how you protect and
>> preserve the OWASP culture; which is to say policies are a codification of
>> the OWASP community values. Policies preserve what is good about OWASP for
>> the future. This is critical, and very difficult as there are always
>> exceptions and many points of view to balance. In addition, one doesn't know
>> in advance if the policies will work out as envisioned, so it is very risky.
>> An additional big thanks to Jim for taking this very difficult but necessary
>> first step.
>> </Kudos Jim>
>> In general I agree with Jim; however, I believe that when we are talking
>> about organisations, I *read* an assumption that we are discussing
>> 'commercial profit driven organisations.'
>> I say this because I, personally, do not think that I would feel the same
>> if, say, Mozilla, Apache, or another open source charity organisation were
>> co-branding with OWASP (e.g. OWASP ZAP).
>> And further it makes me wonder how we handle the special case of Google
>> Summer of Code; which, although it is clearly altruistic and supports the
>> mission, we have no problem calling ***Google*** Summer of Code; which
>> violates all the rules we have just proposed to set down!
>> Dennis
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board

[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 

     "Unless someone like you...cares a whole awful lot...
     nothing is going to get better...It's not."
                                             -- The Lorax