[Owasp-board] Promotion of OWASP by Non-"non-profits"

Jim Manico jim.manico at owasp.org
Wed Feb 19 22:40:34 UTC 2014

Here is my preferred OWASP philosophy.

Postel's principle: Be conservative in what you do, but be liberal in what
you take from others.

Translating that to OWASP, I'd like how OWASP presents itself outward be
very clean in branding and project quality definition similar to the Apache
model. We are already moving in that direction with changes made in the
last year.

But I think we should be more tolerant of how others discuss OWASP external
to our organization.

Vendor neutrality is the core of why OWASP is so valuable to the community.

If we really want to focus on propping up the Application Security
industry, then we should change status away from an open-source charity and
instead be a non-profit trade association.

No, a project is not only on the wiki. That is just today's reality. We
failed to build a real project infrastructure (for software projects) and
instead depend on Google Code, github and other places outside of OWASP
with minimal OWASP branding. But I think we should continue to enforce at
least some branding standards here. The wiki provides history and
accountability that external tools do not.

> 2. Can a company push forward with an owasp project and promote that
> project on their website too?

Only if our project branding and sponsorship standards are followed. This
is a bad path to go down because it will break all the work that was done
to build a new sponsorship model.

> 3. Do questions 1 and 2 matter provided the company/person acts per our
> brand usage?

The moment someone starts hosting major aspects of a project on a
commercial website, the mixed branding breaks our new sponsorship model.
I'm not a fan. We are paying a lot for the staff. Perhaps if we get better
funding we can hire more technical resources to build real project
infrastructure so external hosting is not necessary.

Last, for technical projects where someone is really working hard on a
valuable project, we could be more lenient.

For marketing endeavors where someone is sort of a spokesperson or setting
a standard for the organization (podcast, top 10, etc) I think more OWASP
centric branding is necessary.

Sonatype and the Trusted Software Alliance are both for-profit companies.
Mark does not post on the OWASP blog and makes money that goes in his
pocket because he advertises Sonatype on our OWASP podcast and posts
updates on his commercial website. I spent years being super clean in the
podcast representing OWASP with honor at my own expense. I could have
monetized it in many ways but I did not. To see someone take the work that
I did and immediately "cash in" for their personal profit is absolutely
upsetting and against everything we stand for as a vendor neutral charity.

I used to end the podcast with the OWASP mission statement and a call for
those to volunteer and donate. Now it ends with a damn advertisement that a
non-OWASP commercial entity makes money from. Fuck. That.

Jim Manico
(808) 652-3805

On Feb 19, 2014, at 11:15 PM, Michael Coates <michael.coates at owasp.org>


I'd like to understand everyone's thoughts on promotion of OWASP from other
entities - specifically those that are either corporations, private
entities and generally companies with different motives than us and a

More specifically, what expectations do you feel should be placed on a
company that wants to promote an owasp project or contribute time and
resources to the betterment of owasp that of course also benefit themselves
too (e.g. being a good person has tangential benefits for the person and
those associated with the person)?

A few questions for consideration
1. Does an owasp project or initiative need to live only on the owasp wiki?
2. Can a company push forward with an owasp project and promote that
project on their website too?
3. Do questions 1 and 2 matter provided the company/person acts per our
brand usage?

I certainly have my opinions but want to open up the discussion.

I ask these larger questions because the overall issue is more important.
However, we can also later dive into this idea with a concrete example. We
have a great scenario where someone is funded by a company to do things
that benefit OWASP - the podcast series. If we have concerns about any
aspect of that situation, I'd like to understand them in the overall
context of how we encourage company participation.

Also, if our expectations don't match our stated guidance we need to
quickly update our guidance. It's hard for us to expect people to follow
rules if we don't publish them :)


Michael Coates

Owasp-board mailing list
Owasp-board at lists.owasp.org