[Owasp-cert] Deadlines for August

Matthew Chalmers matthew.chalmers at owasp.org
Mon Jul 28 15:57:24 EDT 2008

Ah, that makes more sense now, thanks for clarifying. There might be some
problems, though.

1. Some people will decline to submit exam content--possibly content which
could be great for the exam--because they're required to provide their
company name but can't (some people will ask their company and the company
will say no) or don't want to, for whatever reason, valid or no. This also
makes OWASP appear not as "free and open." The only way I see around this is
to have everyone who submits content sign or agree to some kind of waiver
which states they created what they are submitting and can be held
personally responsible if otherwise; however, this will still cause some
people to decline to submit content.

2. Some companies that are surprised to find their name associated with this
project or OWASP may attempt to take action against OWASP or the individual
from the company. It may be as simple as asking us to remove their name but
it could be worse, for OWASP or the individual who had the best intentions
and was just doing what OWASP said.

3. We may need our own privacy policy for this project. No other OWASP
project I'm aware of requires volunteers to give their company name because
it's irrelevant. Sure OWASP in general would like to have respected company
names associated with its work, as you indicated, but it's never been
compulsory. If we require content submitters to submit anything--at
all--other than the exam content they've come up with, that we intend to use
somehow other than perhaps storing away in a database (which has its own
concerns), we may need to have a disclosure statement about how we intend to
use that info. So this is legal document/contract number 2, or maybe 3 (see
#1 above). And we know you really, really, really, really, really, hate
NDAs. ;-)

There may be other problems I haven't thought of...


On Mon, Jul 28, 2008 at 5:41 AM, <james at architectbook.com> wrote:

> Matt, one of the things that we are responsible for checking is the actual
> ownership of content. Imagine a scenario where someone who was employed by
> Microsoft contributed questions that came from one of the MCSD exams and
> then MS approached us claiming plagiarism or even saying that OWASP
> compromised the security of their exam. The need to know the employer helps
> us protect the integrity of the exam. This however doesn't mean that just
> because we know it, that we will publish it. In fact, we should have
> specific permission in order to do so.
> In terms of the marketing aspects, it helps OWASP market the exam if they
> see it has marquee names on it. Consider the scenario of a person named Celia
> Cruz who has 15 years of software security background. Which would be more
> credible from a marketing perspective, Celia Cruz of anonymous employer or
> Celia Cruz of Department of Homeland Security?
> At some level, some folks contribute to OWASP without their employer's
> involvement while others do with the full blessing of their employers. Of
> course the latter is better than the former...
>  -------- Original Message --------
> Subject: Re: [Owasp-cert] Deadlines for August
> From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> Date: Sun, July 27, 2008 10:49 pm
> To: owasp-cert at lists.owasp.org
>  I'm afraid I don't understand. I work for Rockwell Automation. I don't
> speak for them and I don't want anyone to assume I am speaking for them if I
> don't explicitly say so. I don't have any problem with anybody in OWASP
> refraining from volunteering their employer's name. I don't see what benefit
> there is in requiring everyone on this project, or everyone who submits exam
> content for consideration, to give their employer's name. Some people might
> not even have one, and that shouldn't mean they can't help.
> Whether my company gives, or companies in general give, permission to use
> the name associated with submitting exam content for this cert, or for any
> other reason in connection with OWASP, doesn't mean I want to or have to. My
> ideas and opinions are my own when it comes to volunteering with OWASP and
> my employer has nothing to do with it. Your point #4 below makes no sense to
> me.
> Matt