[Owasp-board] Update - CFT Issue re:PCI training via OWASP
jim.manico at owasp.org
Fri May 8 01:05:54 UTC 2015
OWASP does NOT endorse ANY commercial services EVEN OUR SPONSORS. This is
part of our bylaws. I say we focus on open source, free material and
community service as is our mission. Let's keep our nose out of the
commercial sector as much as we can.
My 2 cents.
On May 7, 2015, at 2:00 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
IMHO it's rather simple when staff are asked for who can they do a training
class with.. the default answer should be "You should send your RFQ to the
following list of OWASP aware and supporting organizations"
These guys = https://www.owasp.org/index.php/Corporate_Supporter_Bios
They can also suggest to go to a local chapter and find locals as well hence
introduce to local chapters
(there are many local chapters that have local supporters that do not have
a global market.... hence only support local or a region)
They can also recommend OWASP supporters at the next AppSec example:
*That is the politically correct and neutral position + a motivator for
** Note this is NOT the same as a OWASP Conference managed by OWASP
staff.. that follows the same model we have for years.
2 cents; glad to see operations trying things..... but should be proposed
to the Board as they ultimately work for in the hierarchy per bylaws.
There should never be an after-the-fact discussion like this, that shows
lack of process. Why was it not discussed as new business at a documented
and recorded board meeting?
The onus is on the Board here not having a clear policy on this issue and
then manage to the policy for the community.
See you all in Amsterdam
On Thu, May 7, 2015 at 4:36 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> I tend to agree with Jim, albeit for slightly different reasons and I'm
> really sure it makes sense to shut it down if we've already agreed to
> on this. I'm generally unconcerned about OWASP putting out a CFT for
> training as we do it all the time for conferences or other events like the
> one in NYC not too long ago. The method of sending it out to all mailing
> lists was a bit unorthodox, but that's beside the point. My concern is
> around the "openness" factor. To me at least, having an open webinar does
> not equate to having access to training material content and a trainer.
> major difference is that this is NOT an open training. We are not
> a room someplace and putting out an open call for trainers based on
> addressing a desire from the community. We have a private entity
> a private training and are then trying to make up for that by having them
> offer a webinar as well. It's not the same thing. Not by a long shot.
> a training program like this were to succeed amongst the OWASP values then
> it should go something like this:
> 1) A set of training materials is donated to OWASP as part of a new
> Those materials are open source and open to community contribution.
> 2) OWASP sets a date and location for a training, perhaps based on a
> need/request, and puts out a public call for a trainer to facilitate using
> the training materials in #1. Any supplemental materials the trainer
> like to include would need to be contributed to the project for use by
> future trainers.
> 3) The selection of the trainer needs to happen via an impartial group of
> people using an unbiased methodology.
> 4) A public sign-up is initiated to fill slots for the training.
> This is ground that we need to tread very lightly as we run the risk of
> competing against the very companies that fund us, making us a security
> vendor as Jim pointed out, and putting us in the position where we can no
> longer claim to be vendor-neutral. At conferences, trainers propose the
> content and then the planners select what they think the attendees would
> like to attend. It scares me that we equate that to a private company
> selecting the topic, filling up all slots, and then selecting a trainer to
> teach the content.
> On Thu, May 7, 2015 at 3:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I would like to shut this down because it makes us a security vendor. We
>> do not want to be that. We want to be an open source company where all of
>> our materials and projects are free. To support our strategic goal I
>> we build free training materials for all to use.
>> ••• I admit I am biased because I am a professional trainer and will
>> excuse myself from any vote on this or other training issues.
>> Jim Manico
>> (808) 652-3805
>> On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>> To OWASP Board Group List:
>> I'm pleased to see a healthy discussion and strong viewpoints about
>> Training since this is one of our continuing Strategic Goals for 2015.
>> me provide some 'first hand' information about this CFT.
>> Specifically, this opportunity came from a company who 'knows about
>> and knows and respects our 'quality & style' of training.
>> They wanted some PCI training for their developers and their "end user
>> service reps" and they wanted OWASP to provide the training, not one of
>> other commercial entities.
>> As we were evaluating this, we determined it met several of our key goals and
>> objectives, so we decided to run it as a pilot or trial to see how it
>> out for the Community and OWASP. Does it meet our Core values? Open? -
>> check, Innovative? - check, Global? - check, Done w/Integrity? - check.
>> 1. It meets the Training goal, and more specifically it provides
>> to ~125 Developers as well as ~1,000 customer service reps.
>> 2. To keep opportunities 'open' we decided to make a broad Call For
>> Trainer, like we do at our AppSec Conferences.
>> 3. To ensure the content was not exclusive, we required the open webinar
>> training to be produced
>> 4. We are not providing any sort of "certification" for the training -
>> is knowledge sharing only.
>> 5. We have 3 submissions already under the CFT, and more than half a
>> dozen community members who volunteered to be on the content review team.
>> 6. Background -- There has been discussion for many years about
>> leveraging a paid training program that was modeled after the successful
>> conference style training, as a possible revenue stream for the
>> Many leaders have supported this in the past. The conference style model
>> was attempted in a couple of different places ( Denver and NY) with mixed
>> results. This is a sort of hybrid - on a small scale - to see how it
>> Again, I'm encouraged by all the healthy discussion on Training, and I
>> acknowledge the strong opinions on this topic. In summary, this
>> popped up, we were able to structure it to meet our goals, objectives &
>> policies, so we are investing time & resource to 'test' this new and
>> innovative approach.
>> You are welcome to reach out to me or Kate with questions. Kate is
>> closest to this program and she can connect you with other leaders
>> on this as needed.
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org