[Owasp-board] Update - CFT Issue re:PCI training via OWASP

Bev Corwin bev.corwin at owasp.org
Sun May 10 14:16:42 UTC 2015


On Thu, May 7, 2015 at 9:06 PM, Jim Manico <jim.manico at owasp.org> wrote:

> +1
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On May 7, 2015, at 2:08 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> I tend to agree with Josh, that this is a sensitive situation and we
> should be careful.
> Maybe to give another comparison that came to my mind:
> You could see it as if we were to help a company hire a contractor. That
> this person is training OWASP materials is nice, but does not get us away
> from the fact that we do recruiting for one company.
> Normally we would not use our global "catch-all"-list for such a feature,
> even for money. This is pretty powerful. We would probably delegate this to
> individual chapters to decide. And even in case of a chapter, we would IMHO
> treat this carefully to avoid favouritism or abuse of the community. In
> this case, this could probably also have just been sent to the community
> list instead of to all.
> I think an email to "all OWASP" should only be used for major and pure
> OWASP communication and not lightly.
> Please note, that I am not saying categorically "no", but I am feeling
> sensitive about how things have happened in this case and how our
> organisation might be perceived or misperceived here.
> Just my 2cents.
> Tobias
> On 07/05/15 22:36, Josh Sokol wrote:
>    I tend to agree with Jim, albeit for slightly different reasons and
> I'm not really sure it makes sense to shut it down if we've already agreed
> to terms on this.  I'm generally unconcerned about OWASP putting out a CFT
> for training as we do it all the time for conferences or other events like
> the one in NYC not too long ago.  The method of sending it out to all
> mailing lists was a bit unorthodox, but that's beside the point.  My
> concern is around the "openness" factor.  To me at least, having an open
> webinar does not equate to having access to training material content and a
> trainer.  The major difference is that this is NOT an open training.  We
> are not reserving a room someplace and putting out an open call for
> trainers based on addressing a desire from the community.  We have a
> private entity requesting a private training and are then trying to make up
> for that by having them offer a webinar as well.  It's not the same thing.
> Not by a long shot.  If a training program like this were to succeed
> amongst the OWASP values then it should go something like this:
>  1) A set of training materials is donated to OWASP as part of a new
> project.  Those materials are open source and open to community
> contribution.
>  2) OWASP sets a date and location for a training, perhaps based on a
> need/request, and puts out a public call for a trainer to facilitate using
> the training materials in #1.  Any supplemental materials the trainer would
> like to include would need to be contributed to the project for use by
> future trainers.
>  3) The selection of the trainer needs to happen via an impartial group
> of people using an unbiased methodology.
>  4) A public sign-up is initiated to fill slots for the training.
>  This is ground that we need to tread very lightly as we run the risk of
> competing against the very companies that fund us, making us a security
> vendor as Jim pointed out, and putting us in the position where we can no
> longer claim to be vendor-neutral.  At conferences, trainers propose the
> content and then the planners select what they think the attendees would
> like to attend.  It scares me that we equate that to a private company
> selecting the topic, filling up all slots, and then selecting a trainer to
> teach the content.
>  ~josh
> On Thu, May 7, 2015 at 3:10 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>  Paul,
>>  I would like to shut this down because it makes us a security vendor.
>> We do not want to be that. We want to be an open source company where all
>> of our materials and projects are free. To support our strategic goal I
>> suggest we build free training materials for all to use.
>>  ••• I admit I am biased because I am a professional trainer and will
>> excuse myself from any vote on this or other training issues.
>> Regards,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On May 7, 2015, at 1:04 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>   To OWASP Board Group List:
>>  I'm pleased to see a healthy discussion and strong viewpoints about
>> Training since this is one of our continuing Strategic Goals for 2015.  Let
>> me provide some 'first hand' information about this CFT.
>>  Specifically, this opportunity came from a company who 'knows about
>> OWASP' and knows and respects our 'quality & style' of training.
>>   They wanted some PCI training for their developers and their "end user
>> service reps" and they wanted OWASP to provide the training, not one of the
>> other commercial entities.
>>  As we were evaluating this, we determined it met several of our key goals
>> and objectives, so we decided to run it as a pilot or trial to see how it
>> worked out for the Community and OWASP.  Does it meet our Core values?   Open?
>> - check, Innovative? - check, Global? - check, Done w/Integrity? - check.
>>  1.  It meets the Training goal, and more specifically it provides
>> training to ~125 Developers as well as ~1,000 customer service reps.
>> 2.  To keep opportunities 'open' we decided to make a broad Call For
>> Trainer, like we do at our AppSec Conferences.
>> 3.  To ensure the content was not exclusive, we required the open webinar
>> training to be produced.
>> 4.  We are not providing any sort of "certification" for the training -
>> it is knowledge sharing only.
>> 5.  We have 3 submissions already under the CFT, and more than half a
>> dozen community members who volunteered to be on the content review team.
>>  6.  Background -- There has been discussion for many years about
>> leveraging a paid training program that was modeled after the successful
>> conference style training, as a possible revenue stream for the
>> Foundation.  Many leaders have supported this in the past.  The conference
>> style model was attempted in a couple of different places (Denver and NY)
>> with mixed results.  This is a sort of hybrid - on a small scale - to see
>> how it works.
>>  Again, I'm encouraged by all the healthy discussion on Training, and I
>> acknowledge the strong opinions on this topic.  In summary, this
>> opportunity popped up, we were able to structure it to meet our goals,
>> objectives & policies, so we are investing time & resource to 'test' this
>> new and innovative approach.
>>  You are welcome to reach out to me or Kate with questions.  Kate is
>> closest to this program and she can connect you with other leaders working
>> on this as needed.
>>    Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>>       _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board