[Owasp-board] Promotion of OWASP by Non-"non-profits"

Jim Manico jim.manico at owasp.org
Thu Feb 20 00:04:43 UTC 2014

+1 Although I am very sad to see the podcast go from what I felt was
non-commercial to commercial, I do want to acknowledge Mark's efforts.

My suggestions:

I'd like to see "trusted software alliance" removed from the equation.
Sonatype is sponsoring this because of OWASP, not because of the TSA, which
is a for-profit company owned by Mark.


1) Post podcast updates to the wiki or OWASP blog
2) End the podcast with our mission statement and a call for volunteerism
and donations
3) Tweet via the official OWASP Podcast Twitter Account
4) Keep the Sonatype ad to a minimum, and avoid any "call to action" around
Sonatype. Right now it says "Sonatype is a trusted partner" with strange
implications about its association with OWASP.
5) Have Sonatype pay OWASP for podcast sponsorship and then we pay Mark as
a contractor. Cleaner, especially since this is an official OWASP
communication/marketing vehicle.

I feel 1-4 are critical.

Jim Manico
(808) 652-3805

On Feb 20, 2014, at 12:52 AM, Michael Coates <michael.coates at owasp.org>


We should certainly convene then on our sponsorship practices. If people
are playing by the rules then we should be fine. If they aren't playing by
the rules then we can point to the rules. If the rules are wrong, we
shouldn't blame anyone - we should just change the rules.


Michael Coates

On Wed, Feb 19, 2014 at 2:40 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Here is my preferred OWASP philosophy.
> Postel's principle: Be conservative in what you do, but be liberal in what
> you take from others.
> Translating that to OWASP, I'd like how OWASP presents itself outward be
> very clean in branding and project quality definition similar to the Apache
> model. We are already moving in that direction with changes made in the
> last year.
> But I think we should be more tolerant of how others discuss OWASP
> external to our organization.
> Vendor neutrality is the core of why OWASP is so valuable to the community.
> If we really want to focus on propping up the Application Security
> industry, then we should change status away from an open-source charity and
> instead be a non-profit trade association.
> No, a project is not only on the wiki. That is just today's reality. We
> failed to build a real project infrastructure (for software projects) and
> instead depend on Google Code, github and other places outside of OWASP
> with minimal OWASP branding. But I think we should continue to enforce at
> least some branding standards here. The wiki provides history and
> accountability that external tools do not.
> > 2. Can a company push forward with an owasp project and promote that
> project on their website too?
> Only if our project branding and sponsorship standards are followed. This
> is a bad path to go down because it will break all the work that was done
> to build a new sponsorship model.
> > 3. Do questions 1 and 2 matter provided the company/person acts per our
> brand usage
> The moment someone starts hosting major aspects of a project on a
> commercial website, the mixed branding breaks our new sponsorship model.
> I'm not a fan. We are paying a lot for the staff. Perhaps if we get better
> funding we can hire more technical resources to build real project
> infrastructure so external hosting is not necessary.
> Last, for technical projects where someone is really working hard on a
> valuable project, we could be more lenient.
> For marketing endeavors where someone is sort of a spokesperson or setting
> a standard for the organization (podcast, top 10, etc) I think more OWASP
> centric branding is necessary.
> Sonatype and the trusted software alliance are both for profit companies.
> Mark does not post on the OWASP blog and makes money that goes in his
> pocket because he advertises Sonatype on our OWASP podcast and posts
> updates on his commercial website. I spent years being super clean in the
> podcast representing OWASP with honor at my own expense. I could have
> monetized it in many ways but I did not. To see someone take the work that
> I did and immediately "cash in" for their personal profit is absolutely
> upsetting and against everything we stand for as a vendor neutral charity.
> I used to end the podcast with the OWASP mission statement and a call for
> those to volunteer and donate. Now it ends with a damn advertisement that a
> non-OWASP commercial entity makes money from. Fuck. That.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 19, 2014, at 11:15 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
> Board,
> I'd like to understand everyone's thoughts on promotion of OWASP from
> other entities - specifically those that are either corporations, private
> entities and generally companies with different motives than us and a
> non-profit.
> More specifically, what expectations do you feel should be placed on a
> company that wants to promote an owasp project or contribute time and
> resources to the betterment of owasp that of course also benefit themselves
> too (e.g. being a good person has tangential benefits for the person and
> those associated with the person)?
> A few questions for consideration
> 1. Does an owasp project or initiative need to live only on the owasp
> wiki?
> 2. Can a company push forward with an owasp project and promote that
> project on their website too?
> 3. Do questions 1 and 2 matter provided the company/person acts per our
> brand usage
> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Brand_Resources
> I certainly have my opinions but want to open up the discussion.
> I ask these larger questions because the overall issue is more important.
> However, we can also later dive into this idea with a concrete example. We
> have a great scenario where someone is funded by a company to do things
> that benefit OWASP - the podcast series. If we have concerns about any
> aspect of that situation, I'd like to understand them in the overall
> context of how we encourage company participation.
> Also, if our expectations don't match our stated guidance we need to
> quickly update our guidance. It's hard for us to expect people to follow
> rules if we don't publish them :)
> Thanks!
> --
> Michael Coates
> @_mwc