[Owasp-board] Update - CFT Issue re:PCI training via OWASP
josh.sokol at owasp.org
Fri May 8 12:21:56 UTC 2015
See my earlier e-mail about why this is very different from paid training
On Fri, May 8, 2015 at 4:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
> We do this already for paid training at events.
> OWASP gets a fee etc etc
> Eoin Keary
> BCC Risk Advisory - edgescan
> On 8 May 2015, at 03:10, Andrew van der Stock <vanderaj at owasp.org> wrote:
> Let's put it on the agenda for Amsterdam as I am concerned that the
> quality of the open materials we have is not high. If we do a public
> private partnership, I am okay with this as long as it supports our open
> source mission.
> On Fri, May 8, 2015 at 11:08 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> Well said Matt.
>> And Paul, unless the board votes on something, this is just discussion. I
>> look forward to further discussion in Amsterdam.
>> Jim Manico
>> (808) 652-3805
>> On May 7, 2015, at 2:39 PM, Matt Konda <matt.konda at owasp.org> wrote:
>> I think we may need to have a meeting to handle this question properly.
>> I need more context to understand how we got to the position we're in and
>> what our viable options are going forward. I think everyone is making good
>> points but I'm having trouble coming to any cohesive conclusions.
>> Can we agree not to do anything more than passive information collection
>> (gathering submitted RFPs say) on the current item and to put a review of
>> this specific instance of training on the agenda for Paul's next 1 on 1
>> call? We might need to extend the time for that call so that we don't
>> monopolize it completely.
>> I would further suggest that we make training strategy a major topic for
>> the board meeting at AppSecEU and work to have some sort of concrete
>> direction to vote on leading up to the meeting.
>> I see lots of potential opportunities and pitfalls ...
>> On Thu, May 7, 2015 at 4:04 PM, Paul Ritchie <paul.ritchie at owasp.org>
>>> Hi...I've worked with many organizations and I'm enjoying how passionate
>>> and engaged people are about OWASP.
>>> I see a missing link here in several of our recent email threads about
>>> Training, or Summer of Code, or Project Summit to name a few.
>>> How do we provide community oversight and consensus for various
>>> programs, specifically training?
>>> As an open community we strive to inform everyone about 'what's going on'
>>> and why. And then many have strong opinions about "I love it, or I hate
>>> it" or "Go, or Stop". My mandate is to use our people and resources to
>>> achieve the Goals & objectives of OWASP. I cannot change direction because
>>> 1 or 2 or 4 people proclaim what "should be done" on an email thread. I
>>> respect & listen to those opinions, and I may include that sage advice in
>>> our action plans, but I think we all know my objectives come from the
>>> Board, not from individuals.
>>> We need to move the healthy debate into a structured proposal for, or
>>> against something. That proposal process from the community, coupled with
>>> the decision process by OWASP leadership is an effective way to reach
>>> community consensus on programs & policies (i.e. recent funding approvals
>>> for SoC and Project Summit).
>>> So....perhaps the community could use the Committee 2.0 process to set
>>> up a 'Training Steering Committee' much like the Project Review Committee
>>> to help us stay true to our core values.
>>> I really think this will help ensure Community knowledge, history and
>>> expertise are included as we evaluate various training programs going
>>> forward. We have big goals this year, and our Operations staff could
>>> certainly benefit from your help & experience.
>>> I'll be in Amsterdam later this month and eager to brainstorm some of
>>> these ideas with others who are attending.
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>> On Thu, May 7, 2015 at 1:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> I would like to shut this down because it makes us a security vendor.
>>>> We do not want to be that. We want to be an open source company where all
>>>> of our materials and projects are free. To support our strategic goal I
>>>> suggest we build free training materials for all to use.
>>>> ••• I admit I am biased because I am a professional trainer and will
>>>> excuse myself from any vote on this or other training issues.
>>>> Jim Manico
>>>> (808) 652-3805
>>>> On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org>
>>>> To OWASP Board Group List:
>>>> I'm pleased to see a healthy discussion and strong viewpoints about
>>>> Training since this is one of our continuing Strategic Goals for 2015. Let
>>>> me provide some 'first hand' information about this CFT.
>>>> Specifically, this opportunity came from a company who 'knows about
>>>> OWASP' and knows and respects our 'quality & style' of training.
>>>> They wanted some PCI training for their developers and their "end user
>>>> service reps" and they wanted OWASP to provide the training, not one of the
>>>> other commercial entities.
>>>> As we were evaluating this, we determined it met several of our key goals
>>>> and objectives, so we decided to run it as a pilot or trial to see how it
>>>> worked out for the Community and OWASP. Does it meet our Core values? Open?
>>>> - check, Innovative? - check, Global? - check, Done w/Integrity? - check.
>>>> 1. It meets the Training goal, and more specifically it provides
>>>> training to ~125 Developers as well as ~1,000 customer service reps.
>>>> 2. To keep opportunities 'open' we decided to make a broad Call For
>>>> Trainer, like we do at our AppSec Conferences.
>>>> 3. To ensure the content was not exclusive, we required the open
>>>> webinar training to be produced
>>>> 4. We are not providing any sort of "certification" for the training
>>>> - it is knowledge sharing only.
>>>> 5. We have 3 submissions already under the CFT, and more than half a
>>>> dozen community members who volunteered to be on the content review team.
>>>> 6. Background -- There has been discussion for many years about
>>>> leveraging a paid training program that was modeled after the successful
>>>> conference style training, as a possible revenue stream for the
>>>> Foundation. Many leaders have supported this in the past. The conference
>>>> style model was attempted in a couple of different places (Denver and NY)
>>>> with mixed results. This is a sort of hybrid - on a small scale - to see
>>>> how it works.
>>>> Again, I'm encouraged by all the healthy discussion on Training, and I
>>>> acknowledge the strong opinions on this topic. In summary, this
>>>> opportunity popped up, we were able to structure it to meet our goals,
>>>> objectives & policies, so we are investing time & resource to 'test' this
>>>> new and innovative approach.
>>>> You are welcome to reach out to me or Kate with questions. Kate is
>>>> closest to this program and she can connect you with other leaders working
>>>> on this as needed.
>>>> Best Regards, Paul Ritchie
>>>> OWASP Executive Director
>>>> paul.ritchie at owasp.org
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org