[Owasp-board] Promotion of OWASP by Non-"non-profits"

Michael Coates michael.coates at owasp.org
Thu Feb 20 16:40:27 UTC 2014

1. I see we included mark on the board thread. This is fine, our
communications are open, but it's also worth noting that we're in a
discussion phase within the board and mark shouldn't feel required to have
to jump into the board conversion yet. For all we know we could just
resolve this with no action needed. It's no fun to be part of a long thread
if you don't need to and just want to do great security things instead.

2. Question to jim, is the trusted software alliance actually a company? I
never had an impression it was a nonprofit. It looks like a security center
that is capturing information.

3. Everything is about incentive structures. People like owasp and want to
help owasp grow. People also want themselves or their company to gain
visibility as someone who cares about security, is a thought leader, is a
community builder, etc. These things are natural and we shouldn't be
surprised. We have clear brand guidelines and should expect people to
adhere. If they are making their own reasonable decisions on a topic that
isn't covered in the guidelines - and we disagree on that decision - we
shouldn't see this as a act against owasp. Instead it's just someone trying
to do the right thing when guidance wasn't otherwise provided.

Everything I see in this scenario still seems reasonable. Yes, we should
post the owasp podcasts on an owasp page and use owasp links for official
promotion. Can someone help find a place? But also remember that anyone can
repost or syndicate, so all videos would still also be present on the twsa
page too (which is fine)

On Feb 19, 2014 10:48 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

> Dennis,
> I still support Sonotype sponsoring the podcast. And I still support Mark
> doing the podcast.
> The Trusted Software Alliance has the appearance of a non profit, but it's
> not.
> This is a special case since it's a direct marketing vehicle for OWAsP
> giving Mark a de-facto spokesman role. When doing official spokesperson
> duties for OWASP there needs to be a higher standard compared to say a
> incubator project. Hence our social media guidelines. Our social media
> guidelines are fairly clear about non-promotion and non-commercialism.
> And Dennis, it will only benefit Mark  *more* if the podcast was more
> OWASP-centric and a stronger non-commercial stance was taken.
> So I'm asking that this OWASP podcast be posted primarily on OWASP media
> since it's an OWASP podcast, not a "Trusted Security Alliance" podcast. We
> should also end with OWASP's mission and a call to volunteer or donate to
> the foundation. Any sponsorship needs to avoid commercial "call to action".
> I'm ok with "Thank you to Sonotype for sponsorship..." but I'm not ok with
> "Sonotype is a trusted Partner...".
> If there was no value in doing this at OWASP then Mark would have never
> approached me to take over the show.
> When I agreed to this, I had no idea Mark's company (which has a
> non-profit appearance) was a for profit company.
> So I agree rock on with incubator projects and be flexible there. But
> folks driving our media and official communication channels need to be held
> to a higher standard per our social media guidelines. It explicitly forbids
> advertisement.
> https://www.owasp.org/index.php/Governance/Social_Media_Policy
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 20, 2014, at 6:41 AM, Dennis Groves <dennis.groves at owasp.org>
> wrote:
> I agree with the **intent** of what you are saying Gentlemen, as well as
> your motives. However, it causes me to have some questions:
> 1) We are an *information security community*
> - so if we are to be vendor neutral it is not 'all vendors' that are of
> concern it is the 'security vendors'
> - this is precisely because they have influence in OWASP that other
> security vendors do not
> - therefore,
> The solution to the problem you propose is one that is best managed by
> setting the rules and guidelines for security vendors involved in OWASP not
> the 'non-security' vendors! This is risk management, and addressing the
> lowest risk vendors while ignoring the highest risk vendors is simply not
> on.
> Second, what is the definition of Security Vendor? Please forgive me
> Gentlemen - this is an example - not an accusation nor indication that you
> personally are doing 'wrong things'  rather, it is simply a convenient
> example that is personal to the both of you:
> I would submit that we should call Michael's new role is a 'Security
> Vendor" and Jim's new role is not a "non-security-vendor'  because although
> Jim is in the security industry - he is doing security education - not
> product promotion. Where as Michaels new position is one where his
> companies assets and goals involve the promotion of their product (eg the
> financially benefit directly from promotion, where as Jim benefits
> indirectly). If I were to have concern about brand damage to OWASP I would
> want to define the rules for the 'Michaels' in the organisation and keep my
> eyes on the Jim and Marks, and set about creating rules only after abuses
> occur.
> Thirdly, from a human behaviour perspective I agree with Dinis Cruz, we
> should reward the behaviour we like, and not penalise those contributing
> not precisely as we find ideal. Policing is a kind of coercion and
> violence. Thus we must reserve policing as a very last resort.
> Thus, I conclude we should not have a problem with the "Mark Podcast" he
> is creating incredible value for OWASP and OWASP is benefiting from his
> contributions enormously just as it has from Jim's contributions. Jim does
> Jim things, Mark does Mark things. Mark gives credit where credit is due to
> the company who donates their time, money and resources to produce the
> pod-cast.
> Jim is on the board and aggressively promotes OWASP as a board member
> ideally should. Jim in an example we can all aspire toward; but not all of
> us are ready or financially secure enough to "have Jim's ethics".  Simple
> as.
> Additionally, if we want to really tackle this issue we must really get
> serious about the elephant in the room, and this is that we are all
> vendors; and not all vendors have equal access or influence in OWASP and
> that is not OPEN.
> Cheers,
> Dennis
> On Thu, Feb 20, 2014 at 3:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> +1 Although I am very sad to see the podcast go from what I felt was
>> non-commercial to commercial, I do want to acknowledge Marks efforts.
>> My suggestions:
>> I'd like to see "trusted software alliance" removed from the equation.
>> Sonotype is sponsoring this because of OWASP, not because of the TSA which
>> is a for-profit company owned by Mark.
>> Also...
>> 1) Post podcast updates to the wiki or OWASP blog
>> 2) End the podcast with our mission statement and a call for volunteerism
>> and donations
>> 3) Tweet via the official OWASP Podcast Twitter Account
>> 4) Keep the Sonotype ad to a minimum, and avoid any "call to action"
>> around Sonotype. Right now it says "Sonotype is a trusted partner" with
>> strange implications about it's association with OWASP.
>> 5) Have Sonotype pay OWASP for podcast sponsorship and then we pay Mark
>> as a contractor. Cleaner, especially since this is an official OWASP
>> communication/marketing vehicle.
>> I feel 1-4 is critical.
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Feb 20, 2014, at 12:52 AM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>> Jim,
>> We should certainly convene then on our sponsorship practices. If people
>> are playing by the rules then we should be fine. If they aren't playing by
>> the rules then we can point to the rules. If the rules are wrong, we
>> shouldn't blame anyone - we should just change the rules.
>> -Michael
>> --
>> Michael Coates
>> @_mwc
>> On Wed, Feb 19, 2014 at 2:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Here is my preferred OWASP philosophy.
>>> Postels principle: Be conservative in what you do, but be liberal in
>>> what you take from others.
>>> Translating that to OWASP, I'd like how OWASP presents itself outward be
>>> very clean in branding and project quality definition similar to the Apache
>>> model. We are already moving in that direction with changes made in the
>>> last year.
>>> But I think we should be more tolerant of how others discuss OWASP
>>> external to our organization.
>>> Vendor neutrality is the core of why OWASP is so valuable to the
>>> community.
>>> If we really want to focus on propping up the Application Security
>>> industry, then we should change status away from a open-source charity and
>>> instead be a non-profit trade association.
>>> No, a project is not only on the wiki. That is just todays reality. We
>>> failed to build a real project infrastructure (for software projects) and
>>> instead depend on Google Code, github and other places outside of OWASP
>>> with minimal OWASP branding. But I think we should continue to enforce at
>>> least some branding standards here. The wiki provides history and
>>> accountability that external tools do not.
>>> > 2. Can a company push forward with an owasp project and promote that
>>> project on their website too?
>>> Only if out project branding and sponsorship standards are followed.
>>> This is a bad path to go down because it will break all the work that was
>>> done to build a new sponsorship model.
>>> > 3. Do questions 1 and 2 matter provided the company/person acts per
>>> our brand usage
>>> The moment someone starts hosting major aspects of a project on a
>>> commercial website, the mixed branding breaks our new sponsorship model.
>>> I'm not a fan. We are paying a lot for the staff. Perhaps if we get better
>>> funding we can hire more technical resources to build real project
>>> infrastructure so external hosting is not necessary.
>>> Last, for technical projects where someone is really working hard on a
>>> valuable project, we could be more lenient.
>>> For marketing endeavors where someone is sort of a spokesperson or
>>> setting a standard for the organization (podcast, top 10, etc) I think more
>>> OWASP centric branding is necessary.
>>> Sonotype and the trusted software alliance are both for profit
>>> companies. Mark does not post on the OWASP blog and makes money that goes
>>> in his pocket because he advertises Sonotype on our OWASP podcast and posts
>>> updates on his commercial website. I spent years being super clean in the
>>> podcast representing OWASP with honor at my own expense. I could have
>>> monetized it in many ways but I did not. To see someone take the work that
>>> I did and immediately "cash in" for their personal profit is absolutely
>>> upsetting and against everything we stand for as a vendor neutral charity.
>>> I used to end the podcast with the OWASP mission statement and a call
>>> for those to volunteer and donate. Now it ends with a damn advertisement
>>> that a non-OWASP commercial entity makes money from. Fuck. That.
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> On Feb 19, 2014, at 11:15 PM, Michael Coates <michael.coates at owasp.org>
>>> wrote:
>>> Board,
>>> I'd like to understand everyone's thoughts on promotion of OWASP from
>>> other entities - specifically those that are either corporations, private
>>> entities and generally companies with different motives then us and a
>>> non-profit.
>>> More specifically, what expectations to do you feel should be placed on
>>> a company that wants to promote an owasp project or contribute time and
>>> resources to the betterment of owasp that of course also benefit themselves
>>> too (e.g. being a good person has tangential benefits for the person and
>>> those associated with the person)?
>>> A few questions for consideration
>>> 1. Does an owasp project or initiative need to live only on the owasp
>>> wiki?
>>> 2. Can a company push forward with an owasp project and promote that
>>> project on their website too?
>>> 3. Do questions 1 and 2 matter provided the company/person acts per our
>>> brand usage
>>> ://www.owasp.org/index.php/Category:OWASP_Project#tab=Brand_Resources<https://www.owasp.org/index.php/Category:OWASP_Project#tab=Brand_Resources>
>>> I certainly have my opinions but want to open up the discussion.
>>> I ask these larger questions because the overall issue is more
>>> important. However, we can also later dive into this idea with a concrete
>>> example. We have a great scenario where someone is funded by a company to
>>> do things that benefit OWASP - the podcast series. If we have concerns
>>> about any aspect of that situation, I'd like to understand them in the
>>> overall context of how we encourage company participation.
>>> Also, if our expectations don't match our stated guidance we need to
>>> quickly update our guidance. It's hard for us to expect people to follow
>>> rules if we don't publish them :)
>>> Thanks!
>>> --
>>> Michael Coates
>>> @_mwc
>>>  _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> --
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
> .
> *This email is licensed under a CC BY-ND 3.0
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> <http://www.owasp.org/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140220/4b77bdff/attachment-0001.html>

More information about the Owasp-board mailing list