[Owasp-board] Project Branding Thread

Dennis Groves dennis.groves at owasp.org
Thu Jul 11 12:36:57 UTC 2013

Cheers for that Michael,

I agree the cause is good - we just need to tune it with 
balance/harmony. Additionally, my personal viewpoint is that OWASP 
totally wins when somebody wants to sponsor OWASP; motivations aside.

When Mozilla picked up Simon, I couldn't have been happier! It is 
contribution/sponsorship at best and co-opetition at worst! Either way 
it is a giant win for OWASP/Mozilla and Simon! In my world Mozilla 
instantly earned a 'shout-out' of gratitude on the OWASP Zap project 
page, if not in the product itself!

     OWASP Zap is made possible by a generous contribution from The 
Mozilla foundation.

Granted, it could also be easily viewed as a threat, since Simon is now 
paid by somebody else. However, my world view is to assume the best in 
people, not the worst. Seriously, I grew up on the wrong side of town, 
but I work very hard at keeping this attitude and funny enough my life 
experiences lead me to believe that you often find whatever you 

< Quote: Contact>

> David Drumlin: I know you must think this is all very unfair. Maybe 
> that's an understatement. What you don't know is I agree. I wish the 
> world was a place where fair was the bottom line, where the kind of 
> idealism you showed at the hearing was rewarded, not taken advantage 
> of. Unfortunately, we don't live in that world.
> Ellie Arroway: Funny, I've always believed that the world is what we 
> make of it.

< /Quote: Contact>

That said, I think we definitely need to have rules, and Jim is doing a 
good thing attempting to tackle such a tremendously difficult issue…

Personally, I would ultimately like to see a situation where we reserve 
the right for Sponsors to use the OWASP brand on their websites as a 
reward for sponsoring OWASP (affiliate marketing - it works!).

Currently we allow anybody, which I feel dilutes the brand far worse than 
affiliate marketing, which would at least encourage sponsors to 
contribute money to the foundation in exchange for the use of the brand. 

The only major drawback I can think of is that policing and enforcement 
of violators will be difficult and costly. Another is that the community 
seems to be split on the issue.



On 10 Jul 2013, at 11:11, Michael Coates wrote:

> (renaming subject for threading sanity)
>
> Dennis,
>
> Interesting points. I like how you've called out specific examples for
> consideration and included a few variations on the type of company and
> their interests. It raises a very good question that we should all
> consider: if we build a system that works, should we really care what the
> motivations are of the sponsor?
>
> What I mean is this: if we build a good system that is in line with our
> values and also generates revenue for us to pursue our mission, then we
> want companies to find that system advantageous to them too. So, if
> company X wants to reroute all their publicity dollars into sponsoring
> OWASP "something" (books, shirts, projects, whatever) then as long as
> we're happy with the overall model design, we should welcome anyone who
> wants to "take advantage of it".
>
> The trick is for OWASP to clearly define how we want to be Vendor Neutral
> (neutral is the key word there; it's not absent of vendors) and in line
> with our mission and values while creating a model that can involve
> companies so everyone wins. This is a balancing act and we as the board
> need to search for the right balance. Too much in favor of outside
> companies can lead to a NASCAR feel and drive away our core supporters.
> Too much in the other direction means we push away organizations that can
> help us grow, we likely have much less revenue and we generally fail on
> the mission of raising awareness because we become irrelevant.
>
> The above thoughts are not for or against the proposal put forth by Jim,
> but rather additional thoughts as we better capture how the OWASP
> ecosystem will incorporate support from outside organizations.
>
> --
> Michael Coates | OWASP | @_mwc
> On Tue, Jul 9, 2013 at 1:30 PM, Dennis Groves
> <dennis.groves at owasp.org> wrote:
>
>> I understand that GSOC is not an OWASP project.
>>
>> Take the following use-case, using OWASP AppSensor as an example:
>>
>> A bunch of students from Google SOC help us with a new reference
>> implementation; and we want to thank Google, and the students for
>> making it happen in the 'credits'?
>>
>> We are now 'branding' our project, either in the documentation, or on
>> the project website with a commercial entity, which is strictly
>> forbidden by the new guidelines, however the ethical maxim 'credit
>> where credit is due' (as well as gratitude and good manners) dictates
>> going against the new guidelines.
>>
>> Additional use-cases, again using OWASP AppSensor as an example:
>>
>> 1. WhiteHat Security (for profit, Security Vendor) gives us $10k to
>>    print the OWASP AppSensor Handbook 2.0; and we *gratefully
>>    acknowledge and thank* WhiteHat Security within the first few pages
>>    of the handbook for making it possible to give away hundreds of
>>    books.
>> 2. What if it was IBM (for profit, non-security) instead that gave us
>>    the $10k, and made it possible to give away hundreds of books?
>> 3. What if it was the Mozilla foundation (non-profit, non-security)
>>    instead that gave us the $10k, and made it possible to give away
>>    hundreds of books?
>> 4. What if it was Amnesty International (Human Rights NGO) instead that
>>    gave us the $10k, and made it possible to give away hundreds of
>>    books?
>> 5. What if it was the Department of Homeland Security (government
>>    grant) instead that gave us the $10k, and made it possible to give
>>    away hundreds of books?
>>
>> The current document defines what must not be done, and I like that
>> approach because it leaves open what can be done. And reduces what
>> people need to know to participate - less is more. :)
>>
>> However, I think it would be good to clarify and better define the
>> word organisations. I have just demonstrated 5 different kinds of
>> organisations, and they cannot all be lumped together in the same
>> boat. And I also think it would be useful to provide sample use cases
>> like the above for clarity.
>>
>> Overall, this is shaping up to be a great document that represents a
>> positive and significant change for the community, that with a few
>> modifications really nails the message on the head.
>>
>> Cheers,
>> Dennis
>>
>> On 9 Jul 2013, at 11:58, Jim Manico wrote:
>>
>> Please note, Google summer of code is not an OWASP project in and of
>> itself, but a vehicle to fund other OWASP projects. So I think it's
>> acceptable.
>>
>> - Jim
>>
>> On 8 Jul 2013, at 22:13, Michael Coates wrote:
>>
>> Board,
>>
>> We need to set the agenda for our in person board meeting at OWASP
>> AppSec Europe. I've started the google document to gather topic ideas
>> and areas of focus.
>>
>> Please add your ideas & thoughts.
>>
>> I don't have permissions to add my comments.
>>
>> First of all I want to thank Jim for all his hard work on this.
>> Fundraising and policy generation is very hard and thankless work. This
>> is exactly the kind of work the board should be focused on. Policy is
>> how you protect and preserve the OWASP culture; which is to say
>> policies are a codification of the OWASP community values. Policies
>> preserve what is good about OWASP for the future. This is critical, and
>> very difficult as there are always exceptions and many points of view
>> to balance. In addition, one doesn't know in advance if the policies
>> will work out as envisioned so it is very risky. An additional big
>> thanks to Jim for taking this very difficult but necessary first step.
>>
>> In general I agree with Jim, however, I believe that when we are
>> talking about organisations; I *read* an assumption that we are
>> discussing 'commercial profit driven organisations.'
>>
>> I say this because, I personally, however, do not think that I would
>> feel the same - if say Mozilla, Apache, or another open source charity
>> organisation were co-branding with OWASP (e.g. OWASP ZAP).
>>
>> And further it makes me wonder how we handle the special case of
>> Google summer of code; which although is clearly altruistic and
>> supports the mission - we have no problem calling it *Google* summer
>> of code; which violates all the rules we have just proposed to set
>> down!
>>
>> Dennis

[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 

     "Unless someone like you...cares a whole awful lot...
     nothing is going to get better...It's not."
                                             -- The Lorax