[Owasp-board] Project Branding Thread

Michael Coates michael.coates at owasp.org
Wed Jul 10 18:11:14 UTC 2013

(renaming subject for threading sanity)


Interesting points. I like how you've called out specific examples for
consideration and included a few variations on the type of company and
their interests. It raises a very good question that we should all
consider: if we build a system that works, should we really care what the
motivations of the sponsor are?

What I mean is this: if we build a good system that is in line with our
values and also generates revenue for us to pursue our mission, then we
want companies to find that system advantageous to them too. So, if company X
wants to reroute all their publicity dollars into sponsoring OWASP
"something" (books, shirts, projects, whatever) then as long as we're happy
with the overall model design, we should welcome anyone who wants to "take
advantage of it".

The trick is for OWASP to clearly define how we want to be Vendor Neutral
(neutral is the key word there; it's not absent of vendors) and in line with
our mission and values while creating a model that can involve companies so
everyone wins. This is a balancing act, and we as the board need to search
for the right balance. Too much in favor of outside companies can lead to a
NASCAR feel and drive away our core supporters. Too much in the other
direction means we push away organizations that can help us grow, we likely
have much less revenue, and we generally fail on the mission of raising
awareness because we become irrelevant.

The above thoughts are not for or against the proposal put forth by Jim,
but rather additional thoughts as we better capture how the OWASP ecosystem
will incorporate support from outside organizations.

Michael Coates | OWASP | @_mwc

On Tue, Jul 9, 2013 at 1:30 PM, Dennis Groves <dennis.groves at owasp.org> wrote:

> I understand that GSOC is not an OWASP project.
> Take the following use-case, using OWASP AppSensor as an example:
> A bunch of students from Google SOC help us with a new reference
> implementation; and we want to thank Google, and the students for making it
> happen in the 'credits'?
> We are now 'branding' our project, either in the documentation, or on the
> project website with a commercial entity, which is strictly forbidden by
> the new guidelines, however the ethical maxim 'credit where credit is due'
> (as well as gratitude and good manners) dictates going against the new
> guidelines.
> Additional use-cases, again using OWASP AppSensor as an example:
>
> 1. WhiteHat Security (for profit, Security Vendor) gives us $10k to print
>    the OWASP AppSensor Handbook 2.0; and we *gratefully acknowledge and
>    thank* WhiteHat Security within the first few pages of the handbook
>    for making it possible to give away hundreds of books.
> 2. What if it was IBM (for profit, non-security) instead that gave us the
>    $10k, and made it possible to give away hundreds of books?
> 3. What if it was the Mozilla foundation (non-profit, non-security)
>    instead that gave us the $10k, and made it possible to give away hundreds
>    of books?
> 4. What if it was Amnesty International (Human Rights NGO) instead that
>    gave us the $10k, and made it possible to give away hundreds of books?
> 5. What if it was the Department of Homeland Security (government grant)
>    instead that gave us the $10k, and made it possible to give away hundreds
>    of books?
>
> The current document defines what must not be done, and I like that
> approach because it leaves open what can be done, and reduces what people
> need to know to participate - less is more. :)
> However, I think it would be good to clarify and better define the word
> "organisations". I have just demonstrated 5 different kinds of organisations,
> and they cannot all be lumped together in the same boat. I also think
> it would be useful to provide sample use cases like the above for clarity.
> Overall, this is shaping up to be a great document that represents a
> positive and significant change for the community, and with a few
> modifications it really nails the message on the head.
> Cheers,
> Dennis
> On 9 Jul 2013, at 11:58, Jim Manico wrote:
> Please note, Google Summer of Code is not an OWASP project in and of
> itself, but a vehicle to fund other OWASP projects. So I think it's
> acceptable.
>    - Jim
> On 8 Jul 2013, at 22:13, Michael Coates wrote:
> Board,
> We need to set the agenda for our in person board meeting at OWASP AppSec
> Europe. I've started the Google document to gather topic ideas and
> areas of focus.
> Please add your ideas & thoughts.
> I don't have permissions to add my comments.
> First of all I want to thank Jim for all his hard work on this. Fund
> raising and policy generation is very hard and thankless work. This is
> exactly the kind of work the board should be focused on. Policy is how
> you protect and preserve the OWASP culture; which is to say policies are
> a codification of the OWASP community values. Policies preserve what is
> good about OWASP for the future. This is critical, and very difficult as
> there are always exceptions and many points of view to balance. In
> addition, one doesn't know in advance if the policies will work out as
> envisioned so it is very risky. An additional big thanks to Jim for
> taking this very difficult but necessary first step.
> In general I agree with Jim; however, I believe that when we are talking
> about organisations, I am *reading* an assumption that we are discussing
> 'commercial profit driven organisations.'
> I say this because I, personally, do not think that I would
> feel the same if, say, Mozilla, Apache, or another open source charity
> organisation were co-branding with OWASP (e.g. OWASP ZAP).
> And further it makes me wonder how we handle the special case of Google
> Summer of Code, which, although it is clearly altruistic and supports the
> mission, we have no problem calling *Google* Summer of Code;
> which violates all the rules we have just proposed to set down!
> Dennis
> Dennis
> --
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
> "Unless someone like you...cares a whole awful lot...
> nothing is going to get better...It's not."
>                                         -- The Lorax