[Owasp-board] O'Reilly

Eoin Keary eoin.keary at owasp.org
Sat Mar 26 20:55:57 UTC 2016


+1

Eoin Keary
OWASP Volunteer
@eoinkeary



> On 24 Mar 2016, at 06:43, Timo Goosen <timo.goosen at owasp.org> wrote:
> 
> I think O'Reilly focusses much more on quality of content as opposed to OWASP, we are currently focussing on quantity not quality.
> 
> >>"We want content to be free, O'Reilly is a commercial publisher who believes the opposite."
> I don't 100% agree with this. O'Reilly often publishes books online for free for the first few versions in order to get people to peer review them before officially publishing them.  They also have an Open Book project: http://www.oreilly.com/openbook/
> 
> 
> We can learn a great deal from O'Reilly in terms of the quality of books that they produce.  This has to do with the very strict review process that they follow.
> 
> At the moment it feels to me that OWASP is producing lots of content, but with little or no review. We still have lots of outdated info on the wiki, empty projects etc.  It is good to produce open content, and producing open content should be encouraged, but having old, incorrect or unmaintained content is very dangerous from a security point of view.
> 
> Also another thing we can learn from O'Reilly is that they really know how to attract good quality authors and I think this has a lot to do with how they treat their authors not so much to do with how much the authors are getting paid.
> 
> I kind of agree with Matt on most points. If you can't beat them, join them.
> 
> Regards.
> Timo
> 
>> On Sat, Mar 19, 2016 at 9:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Summary: I think exploring co-marketing with O'Reilly (like we do with other conferences) is a reasonable idea. But I have a few concerns to consider.
>> 
>> Details: 
>> 
>> 1) Number one, we want to support everyone leveraging OWASP materials. As an author I've referenced a lot of OWASP material in my book. Key word: reference. O'Reilly should be doing the same and we could help them with that.
>> 
>> 2) Next and more importantly, I would love to see O'Reilly actively help OWASP with open source content and projects. That's - by far - most in line with the mission and has the maximum reach. Imagine if O'Reilly authors and OWASP volunteers worked on maintaining content together? That would be powerful. While this is not likely to happen, it's a strong note regarding where our philosophies go in different directions. We want content to be free, O'Reilly is a commercial publisher who believes the opposite.
>> 
>> Matt, you mentioned about O'Reilly, "As we are, they are passionate about the editorial and commercial independence of their content." which I think of as a bit dangerous and trying to frame them as open content which they are not. They are a closed publisher who has a different mission than we do (ie make profit). So please when working with these folks use our mission of "commercial freedom" and "vendor neutral" (ie: invite other publishers) and be careful about giving these folks any special treatment. Especially if they will not contribute open content to OWASP.
>> 
>> 3) Also, even though OWASP conferences are important to the foundation finances, when it comes to outreach they are minor compared to other resources. So conference partnerships - while interesting - influence few compared to other OWASP resources, so it's less interesting in terms of scale. I would like us to focus on how do we reach 20 million developers, not how can we reach a few thousand folks who can afford to attend conferences.
>> 
>> *** Now with that in mind, I think exploring co-marketing possibilities is a great idea - just like we do or have done with RSA, Blackhat and other conference circuits to help spread the OWASP word.
>> 
>> Aloha,
>> Jim
>> 
>> 
>> 
>>> On 3/18/16 11:35 PM, Matt Konda wrote:
>>> Hi.
>>> 
>>> As you may know, O'Reilly announced this week that they are running a new Security conference.
>>> 
>>> My initial take is that the emergence of a new security conference out of O'Reilly is "a good thing"™. I believe there is some risk but also some opportunity here since O'Reilly also hosts many key developer conferences and is a substantial communication platform with developers with their books and video training content.
>>> 
>>> The approach I would generally recommend and advocate for would be a "make people look and feel good by association with OWASP" and basically try to help and collaborate in a purely altruistic way aligned with OWASP's mission.  But I wanted to toss this by the broader board for input because there are obviously some risks and philosophical questions we want to be clear about if we do engage.
>>> 
>>> I know some people at O'Reilly so I navigated and talked with O'Reilly's VP of Conferences Friday to explore what they are doing.  The conference is definitely a general security conference not focused on AppSec - but it will likely include some AppSec content.  They are very interested in co-marketing possibilities.  They would be super interested in sponsors.  Obviously, their business model is to make profit from the conference, book and other content that they license. 
>>> 
>>> Undoubtedly they are responding to market opportunity.  One outcome would be to take this as a signal to run more AppSecs or really push more mid size regional events.  That could mean hiring more staff to help.  They are also expanding into Asia with local organizations on the ground to do that.
>>> 
>>> As we are, they are passionate about the editorial and commercial independence of their content. Within that constraint, there may be opportunities to assist as a resource to their conference chairs looking to inject some security talks into their events.  We already have a goal to get OWASP related content into their conferences such as Velocity, OSCON, Software Architecture, Strata etc. as a conscious and first class item.  Maybe we could suggest invited speakers and topics and help with talk selection.  Maybe we could even get our name on a track if we help their conference chairs?  Definitely idealistic and open ended at this point, but maybe interesting?  Probably depends a lot conference chair to conference chair.  This would require a sustained and organized effort specifically for this by a group of OWASP volunteers.
>>> 
>>> Just to be clear, I framed the discussion with O'Reilly as:  I'm gathering information and looking at ideas, there are operational processes and a bigger decision making process behind me at OWASP that would have to happen for any of these things, I just wanted to understand where O'Reilly were coming from and what the possible collaboration paths might be.
>>> 
>>> I think at the very least we should explore co-marketing possibilities - and as we do so, I would encourage us to value our brand and experience and also to think outside the box about what the most ambitious possibilities are for OWASP and make sure to push for deeper and meaningful commitments from them.  There may be ways that we can support them that dramatically change our communication strategy with developers - let's talk about those.
>>> 
>>> In any case, I think this raises some interesting possibilities and issues so I wanted to share the information I had gathered and give you all the opportunity to weigh in.
>>> 
>>> Best,
>>> Matt
>>> 
>>> 
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board