[Owasp-board] Update - CFT Issue re:PCI training via OWASP

Eoin Keary eoin.keary at owasp.org
Fri May 8 09:26:56 UTC 2015


Unless OWASP is getting its 60% cut, leaders can go free, and the OWASP contract is signed, I don't believe it should be advertised on the leaders list, as it is not OWASP-endorsed training.

Eoin Keary
BCC Risk Advisory - edgescan
CTO


> On 8 May 2015, at 02:05, Jim Manico <jim.manico at owasp.org> wrote:
> 
> OWASP does NOT endorse ANY commercial services EVEN OUR SPONSORS. This is part of our bylaws. I say we focus on open source, free material and community service as is our mission. Let's keep our nose out of the commercial sector as much as we can.
> 
> My 2 cents.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
>> On May 7, 2015, at 2:00 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>> 
>> IMHO it's rather simple: when staff are asked who they can do a training class with, the default answer should be "You should send your RFQ to the following list of OWASP-aware and supporting organizations".
>> 
>> WHO?
>> 
>> These guys =  https://www.owasp.org/index.php/Corporate_Supporter_Bios
>> 
>> They can also suggest going to a local chapter and finding locals as well, hence introducing them to local chapters:
>> 
>> https://www.owasp.org/index.php/OWASP_Chapter#Joining_your_local_chapter 
>> (there are many local chapters that have local supporters that do not have a global market, hence only support a locality or a region)
>> 
>> They can also recommend OWASP supporters at the next AppSec example:  https://2015.appsecusa.org/c/?page_id=77
>> 
>> That is the politically correct and neutral position + a motivator for corporate supporters
>> 
>> ** Note this is NOT the same as an OWASP Conference managed by OWASP staff; that follows the same model we have had for years.
>> 
>> 2 cents; glad to see operations trying things, but this should be proposed to the Board, as that is who they ultimately work for in the hierarchy per the bylaws. There should never be an after-the-fact discussion like this; that shows a lack of process. Why was it not discussed as new business at a documented and recorded board meeting?
>> 
>> The onus is on the Board here for not having a clear policy on this issue and then managing to the policy for the community.
>> 
>> See you all in Amsterdam
>> 
>> 
>> On Thu, May 7, 2015 at 4:36 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> > I tend to agree with Jim, albeit for slightly different reasons and I'm not
>> > really sure it makes sense to shut it down if we've already agreed to terms
>> > on this.  I'm generally unconcerned about OWASP putting out a CFT for
>> > training as we do it all the time for conferences or other events like the
>> > one in NYC not too long ago.  The method of sending it out to all mailing
>> > lists was a bit unorthodox, but that's beside the point.  My concern is
>> > around the "openness" factor.  To me at least, having an open webinar does
>> > not equate to having access to training material content and a trainer.  The
>> > major difference is that this is NOT an open training.  We are not reserving
>> > a room someplace and putting out an open call for trainers based on
>> > addressing a desire from the community.  We have a private entity requesting
>> > a private training and are then trying to make up for that by having them
>> > offer a webinar as well.  It's not the same thing.  Not by a long shot.  If
>> > a training program like this were to succeed amongst the OWASP values then
>> > it should go something like this:
>> >
>> > 1) A set of training materials is donated to OWASP as part of a new project.
>> > Those materials are open source and open to community contribution.
>> >
>> > 2) OWASP sets a date and location for a training, perhaps based on a
>> > need/request, and puts out a public call for a trainer to facilitate using
>> > the training materials in #1.  Any supplemental materials the trainer would
>> > like to include would need to be contributed to the project for use by
>> > future trainers.
>> >
>> > 3) The selection of the trainer needs to happen via an impartial group of
>> > people using an unbiased methodology.
>> >
>> > 4) A public sign-up is initiated to fill slots for the training.
>> >
>> > This is ground that we need to tread very lightly as we run the risk of
>> > competing against the very companies that fund us, making us a security
>> > vendor as Jim pointed out, and putting us in the position where we can no
>> > longer claim to be vendor-neutral.  At conferences, trainers propose the
>> > content and then the planners select what they think the attendees would
>> > like to attend.  It scares me that we equate that to a private company
>> > selecting the topic, filling up all slots, and then selecting a trainer to
>> > teach the content.
>> >
>> > ~josh
>> >
>> > On Thu, May 7, 2015 at 3:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> Paul,
>> >>
>> >> I would like to shut this down because it makes us a security vendor. We
>> >> do not want to be that. We want to be an open source company where all of
>> >> our materials and projects are free. To support our strategic goal I suggest
>> >> we build free training materials for all to use.
>> >>
>> >> ••• I admit I am biased because I am a professional trainer and will
>> >> excuse myself from any vote on this or other training issues.
>> >>
>> >> Regards,
>> >> --
>> >> Jim Manico
>> >> @Manicode
>> >> (808) 652-3805
>> >>
>> >> On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>> >>
>> >> To OWASP Board Group List:
>> >>
>> >> I'm pleased to see a healthy discussion and strong viewpoints about
>> >> Training since this is one of our continuing Strategic Goals for 2015.  Let
>> >> me provide some 'first hand' information about this CFT.
>> >>
>> >> Specifically, this opportunity came from a company who 'knows about OWASP'
>> >> and knows and respects our 'quality & style' of training.
>> >>
>> >> They wanted some PCI training for their developers and their "end user
>> >> service reps" and they wanted OWASP to provide the training, not one of the
>> >> other commercial entities.
>> >>
>> >> As we evaluated this, we determined it met several of our key goals and
>> >> objectives, so we decided to run it as a pilot or trial to see how it worked
>> >> out for the Community and OWASP.  Does it meet our Core values?   Open? -
>> >> check, Innovative? - check, Global? - check, Done w/Integrity? - check.
>> >>
>> >> 1.  It meets the Training goal, and more specifically it provides training
>> >> to ~125 Developers as well as ~1,000 customer service reps.
>> >> 2.  To keep opportunities 'open' we decided to make a broad Call For
>> >> Trainer, like we do at our AppSec Conferences.
>> >> 3.  To ensure the content was not exclusive, we required the open webinar
>> >> training to be produced.
>> >> 4.  We are not providing any sort of "certification" for the training - it
>> >> is knowledge sharing only.
>> >> 5.  We have 3 submissions already under the CFT, and more than half a
>> >> dozen community members who volunteered to be on the content review team.
>> >>
>> >> 6.  Background -- There has been discussion for many years about
>> >> leveraging a paid training program that was modeled after the successful
>> >> conference style training, as a possible revenue stream for the Foundation.
>> >> Many leaders have supported this in the past.  The conference style model
>> >> was attempted in a couple of different places ( Denver and NY) with mixed
>> >> results.  This is a sort of hybrid - on a small scale - to see how it works.  
>> >>
>> >> Again, I'm encouraged by all the healthy discussion on Training, and I
>> >> acknowledge the strong opinions on this topic.  In summary, this opportunity
>> >> popped up, we were able to structure it to meet our goals, objectives &
>> >> policies, so we are investing time & resource to 'test' this new and
>> >> innovative approach.
>> >> You are welcome to reach out to me or Kate with questions.  Kate is
>> >> closest to this program and she can connect you with other leaders working
>> >> on this as needed.
>> >>
>> >> Best Regards, Paul Ritchie
>> >> OWASP Executive Director
>> >> paul.ritchie at owasp.org
>> >>
>> >> _______________________________________________
>> >> Owasp-board mailing list
>> >> Owasp-board at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>
>> >