[Owasp-board] Update - CFT Issue re:PCI training via OWASP

Tobias tobias.gondrom at owasp.org
Thu May 7 21:08:51 UTC 2015

I tend to agree with Josh, that this is a sensitive situation and we 
should be careful.

Maybe to give another comparison that came to my mind:
You could see it as if we were to help a company hire a contractor. That 
this person is training OWASP materials is nice, but does not get us 
away from the fact that we do recruiting for one company.
Normally we would not use our global "catch-all"-list for such a 
feature, even for money. This is pretty powerful. We would probably 
delegate this to individual chapters to decide. And even in case of a 
chapter, we would IMHO treat this carefully to avoid favouritism or 
abuse of the community. In this case, this could probably also have just 
been sent to the community list instead of to all.
I think an email to "all OWASP" should only be used for major and pure 
OWASP communication and not lightly.

Please note that I am not saying categorically "no", but I am feeling 
sensitive about how things have happened in this case and how our 
organisation might be perceived or misperceived here.

Just my 2 cents.


On 07/05/15 22:36, Josh Sokol wrote:
> I tend to agree with Jim, albeit for slightly different reasons and 
> I'm not really sure it makes sense to shut it down if we've already 
> agreed to terms on this.  I'm generally unconcerned about OWASP 
> putting out a CFT for training as we do it all the time for 
> conferences or other events like the one in NYC not too long ago.  The 
> method of sending it out to all mailing lists was a bit unorthodox, 
> but that's beside the point.  My concern is around the "openness" 
> factor.  To me at least, having an open webinar does not equate to 
> having access to training material content and a trainer.  The major 
> difference is that this is NOT an open training.  We are not reserving 
> a room someplace and putting out an open call for trainers based on 
> addressing a desire from the community.  We have a private entity 
> requesting a private training and are then trying to make up for that 
> by having them offer a webinar as well.  It's not the same thing.  Not 
> by a long shot.  If a training program like this were to succeed 
> amongst the OWASP values then it should go something like this:
> 1) A set of training materials is donated to OWASP as part of a new 
> project.  Those materials are open source and open to community 
> contribution.
> 2) OWASP sets a date and location for a training, perhaps based on a 
> need/request, and puts out a public call for a trainer to facilitate 
> using the training materials in #1. Any supplemental materials the 
> trainer would like to include would need to be contributed to the 
> project for use by future trainers.
> 3) The selection of the trainer needs to happen via an impartial group 
> of people using an unbiased methodology.
> 4) A public sign-up is initiated to fill slots for the training.
> This is ground that we need to tread very lightly as we run the risk 
> of competing against the very companies that fund us, making us a 
> security vendor as Jim pointed out, and putting us in the position 
> where we can no longer claim to be vendor-neutral.  At conferences, 
> trainers propose the content and then the planners select what they 
> think the attendees would like to attend.  It scares me that we equate 
> that to a private company selecting the topic, filling up all slots, 
> and then selecting a trainer to teach the content.
> ~josh
> On Thu, May 7, 2015 at 3:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>     Paul,
>     I would like to shut this down because it makes us a security
>     vendor. We do not want to be that. We want to be an open source
>     company where all of our materials and projects are free. To
>     support our strategic goal I suggest we build free training
>     materials for all to use.
>     I admit I am biased because I am a professional trainer and
>     will excuse myself from any vote on this or other training issues.
>     Regards,
>     --
>     Jim Manico
>     @Manicode
>     (808) 652-3805
>     On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>     To OWASP Board Group List:
>>     I'm pleased to see a healthy discussion and strong viewpoints
>>     about Training since this is one of our continuing Strategic
>>     Goals for 2015.  Let me provide some 'first hand' information
>>     about this CFT.
>>     Specifically, this opportunity came from a company who 'knows
>>     about OWASP' and knows and respects our 'quality & style' of
>>     training.
>>     They wanted some PCI training for their developers and their "end
>>     user service reps" and they wanted OWASP to provide the training,
>>     not one of the other commercial entities.
>>     As we evaluated this, we determined it met several of our key
>>     goals and objectives, so we decided to run it as a pilot or trial
>>     to see how it worked out for the Community and OWASP.  Does it
>>     meet our Core values? Open? - check, Innovative? - check,
>>     Global? - check, Done w/Integrity? - check.
>>     1.  It meets the Training goal, and more specifically it provides
>>     training to ~125 Developers as well as ~1,000 customer service reps.
>>     2.  To keep opportunities 'open' we decided to make a broad Call
>>     For Trainer, like we do at our AppSec Conferences.
>>     3.  To ensure the content was not exclusive, we required the open
>>     webinar training to be produced.
>>     4. We are not providing any sort of "certification" for the
>>     training - it is knowledge sharing only.
>>     5. We have 3 submissions already under the CFT, and more than
>>     half a dozen community members who volunteered to be on the
>>     content review team.
>>     6. Background -- There has been discussion for many years about
>>     leveraging a paid training program that was modeled after the
>>     successful conference style training, as a possible revenue
>>     stream for the Foundation.  Many leaders have supported this in
>>     the past.  The conference style model was attempted in a couple
>>     of different places ( Denver and NY) with mixed results.  This is
>>     a sort of hybrid - on a small scale - to see how it works.
>>     Again, I'm encouraged by all the healthy discussion on Training,
>>     and I acknowledge the strong opinions on this topic.  In summary,
>>     this opportunity popped up, we were able to structure it to meet
>>     our goals, objectives & policies, so we are investing time &
>>     resource to 'test' this new and innovative approach.
>>     You are welcome to reach out to me or Kate with questions.  Kate
>>     is closest to this program and she can connect you with other
>>     leaders working on this as needed.
>>     Best Regards, Paul Ritchie
>>     OWASP Executive Director
>>     paul.ritchie at owasp.org
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/owasp-board
