[Owasp-board] Update - CFT Issue re:PCI training via OWASP

Andrew van der Stock vanderaj at owasp.org
Fri May 8 02:10:50 UTC 2015

Let's put it on the agenda for Amsterdam as I am concerned that the quality
of the open materials we have is not high. If we do a  public private
partnership, I am okay with this as long as it supports our open source


On Fri, May 8, 2015 at 11:08 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Well said Matt.
> And Paul, unless the board votes on something, this is just discussion. I
> look forward to further discussion in Amsterdam.
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On May 7, 2015, at 2:39 PM, Matt Konda <matt.konda at owasp.org> wrote:
> I think we may need to have a meeting to handle this question properly.
> I need more context to understand how we got to the position we're in and
> what our viable options are going forward.  I think everyone is making good
> points but I'm having trouble coming to any cohesive conclusions.
> Can we agree not to do anything more than passive information collection
> (gathering submitted RFPs say) on the current item and to put a review of
> this specific instance of training on the agenda for Paul's next 1 on 1
> call?  We might need to extend the time for that call so that we don't
> monopolize it completely.
> I would further suggest that we make training strategy a major topic for
> the board meeting at AppSecEU and work to have some sort of concrete
> direction to vote on leading up to the meeting.
> I see lots of potential opportunities and pitfalls ...
> Matt
> On Thu, May 7, 2015 at 4:04 PM, Paul Ritchie <paul.ritchie at owasp.org>
> wrote:
>> Hi...I've worked with many organizations and I'm enjoying how passionate
>> and engaged people are about OWASP.
>> I see a missing link here in several of our recent email threads about
>> Training, or Summer of Code, or Project Summit to name a few.
>> How do we provide community oversight and consensus for various programs,
>> specifically training?
>> As an open community we strive to inform everyone about 'whats going on'
>> and why.  And then many have strong opinions about "I love it, or I hate
>> it" or "Go, or Stop".  My mandate is to use our people and resources to
>> achieve the Goals & objectives of OWASP.  I cannot change direction because
>> 1 or 2 or 4 people proclaim what "should be done" on an email thread.  I
>> respect & listen to those opinions, and I may include that sage advice in
>> our action plans, but I think we all know my objectives come from the
>> Board, not from individuals.
>> We need to move the healthy debate into a structured proposal for, or
>> against something.  That proposal process from the community, coupled with
>> the decision process by OWASP leadership is an effective way to reach
>> community consensus on programs & policies (i.e. recent funding approvals
>> for SoC and Project Summit).
>> So....perhaps the community could use the Committee 2.0 process to set up
>> a 'Training Steering Committee' much like the Project Review Committee to
>> help us stay true to our core values.
>> I really think this will help ensure Community knowledge, history and
>> expertise are included as we evaluate various training programs going
>> forward.  We have big goals this year, and our Operations staff could
>> certainly benefit from your help & experience.
>> I'll be in Amsterdam later this month and eager to brainstorm some of
>> these ideas with others who are attending.
>> Paul
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>> On Thu, May 7, 2015 at 1:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Paul,
>>> I would like to shut this down because it makes us a security vendor. We
>>> do not want to be that. We want to be an open source company where all of
>>> our materials and projects are free. To support our strategic goal I
>>> suggest we build free training materials for all to use.
>>> ••• I admit I am biased because I am a professional trainer and will
>>> excuse myself from any vote on this or other training issues.
>>> Regards,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>> To OWASP Board Group List:
>>> I'm pleased to see a healthy discussion and strong viewpoints about
>>> Training since this is one of our continuing Strategic Goals for 2015.  Let
>>> me provide some 'first hand' information about this CFT.
>>> Specifically, this opportunity came from a company who 'knows about
>>> OWASP' and knows and respects our 'quality & style' of training.
>>> They wanted some PCI training for their developers and their "end user
>>> service reps" and they wanted OWASP to provide the training, not one of the
>>> other commercial entities.
>>> As we evaluating this, we determined it met several of our key goals and
>>> objectives, so we decided to run it as a pilot or trial to see how it
>>> worked out for the Community and OWASP.  Does it meet our Core valules?   Open?
>>> - check, Innovative? - check, Global? - check, Done w/Integrity? - check.
>>> 1.  It meets the Training goal, and more specifically it provides
>>> training to ~125 Developers as well as ~1,000 customer service reps.
>>> 2.  To keep opportunities 'open' we decided to make a broad Call For
>>> Trainer, like we do at our AppSec Conferences.
>>> 3.  To ensure the content was not exclusive, we required the open
>>> webinar training to be produced
>>> 4.  We are not providing any sort of "certification" for the training -
>>> it is knowledge sharing only.
>>> 5.  We have 3 submissions already under the CFT, and more than half a
>>> dozen community members who volunteered to be on the content review team.
>>> 6.  Background -- There has been discussion for many years about
>>> leveraging a paid training program that was modeled after the successful
>>> conference style training, as a possible revenue stream for the
>>> Foundation.  Many leaders have supported this in the past.  The conference
>>> style model was attempted in a couple of different places ( Denver and NY)
>>> with mixed results.  This is a sort of hybrid - on a small scale - to see
>>> how it works.
>>> Again, I'm encouraged by all the healthy discussion on Training, and I
>>> acknowledge the strong opinions on this topic.  In summary, this
>>> opportunity popped up, we were able to structure it to meet our goals,
>>> objectives & policies, so we are investing time & resource to 'test' this
>>> new and innovative approach.
>>> You are welcome to reach out to me or Kate with questions.  Kate is
>>> closest to this program and she can connect you with other leaders working
>>> on this as needed.
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>>  _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150508/5f691866/attachment.html>

More information about the Owasp-board mailing list