[OCC] [Global_education_committee] [Owasp-leaders] Commercial delivery of courses based on OWASP materials
Jim Manico
jim.manico at owasp.org
Sat May 22 15:35:04 EDT 2010
We are a charitable organization as our primary mission. Period. I
think a commercial services registry is on the edge of that
responsibility. Not over - just on.
You go for it, Mike - but I'll be watching you, dude. ;)
Jim Manico
On May 22, 2010, at 12:05 PM, Mike Boberski <mike.boberski at gmail.com>
wrote:
> People of earth:
>
> For your consideration:
>
> * Drupal.org (non-profit)
> * CC and FIPS (Governments)
>
> Drupal is a worked example. It's quite the vibrant open source
> community who has cracked the code of turning out a universe of open
> source code.
>
> CC and FIPS, Governments have not fallen, and talk about legal and
> ethical obligations! For those not fans of the US, look to Canada or
> other CCRA member countries for example. Just informed purchasing
> decisions made possible for the particular product types those
> programs cover. Note also that Governments aren't the only ones who
> shop those lists.
>
> OWASP's mission of making appsec visible and helping people make
> informed decisions, this is 100% in line, and the ultimate
> culmination of OWASP's activities, since ultimately people buy
> things in order to do things, we're not quite to the point of a Star
> Trek-like world economy in that regard. If you really want to talk
> about non-technical stuff, I would then argue that ethically it is
> OWASP's responsibility to do this as no equivalent or Government
> organization has done so, as it's our stated mission, as we are in a
> position to act, plain and simple. I'd not go there for the legal
> stuff, suggest leave that for the lawyers and not the lists, that
> just gets people worked up.
>
> This is no different than the jobs page, that didn't corrupt any
> aspect of OWASP. Let's just run it that way initially and get on
> with this, too much jibber jabber (sorry for the Mr. T ism, the
> "A-Team" movie trailer was just on). I'll make tweaks as we go, e.g.
> right this moment I think we should just put company names and ease
> back on the description of how services are performed, and work with
> Tom to come up with further refined labels. Really folks, we should
> be so lucky that there end up being such interest in this that we
> have to put additional procedures and mechanisms in place. Let's
> ease back on the rhetoric, let's keep in mind that there are OWASP
> sys admins who can shut things down and turn permissions off with a
> single phone call in case of real trouble and that the board will be
> actively involved in oversight, see if we can even get it going. I'm
> willing to very actively work this in order to make it work.
>
> Let's get 'er done...
>
> Mike
>
>
> On Sat, May 22, 2010 at 1:54 PM, Jim Manico <jim.manico at owasp.org>
> wrote:
> Dinis,
>
> Do we *really* need this? How is this in line with being an
> organization that has a legal and ethical obligation to focus on
> charitable activities?
>
> Jim Manico
>
> On May 22, 2010, at 9:56 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> "OWASP community supporters" would not be applicable on most
>> (probably all) of the proposed scenarios since the idea is to find
>> a way to connect the commercial services provided by core OWASP
>> Contributors/leaders/members with OWASP, in a way that is accepted
>> by the community and doesn't compromise OWASP independence.
>>
>> In fact that is sort of what we are currently trying to do at the http://www.owasp.org/index.php/OWASP_for_Charities
>> project (led by Daniel C)
>>
>> What we have to take into account is this "Who is doing Commercial
>> Services around OWASP" issue/discussion/problem is already happening
>> today (but there are no rules of engagement, abuses happen
>> occasionally and there is no way to leverage it in a way that is
>> beneficial to OWASP)
>>
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>>
>> On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:
>>
>> Perhaps "OWASP community supporters" vs. "OWASP commercial service"
>>
>>
>>
>> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>>
>>> There are a number of other comparable examples, ranging from
>>> Common Criteria, FIPS 140, to Drupal.
>>>
>>> There are NO mechanisms that allows a listed company to interfere
>>> with any OWASP project or function, exactly as there are none for
>>> job listings.
>>>
>>> The approach taken has been painstakingly designed to align with
>>> OWASP's mission.
>>>
>>> Mike
>>>
>>>
>>> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>> This program (OWASP commercial services) totally freaks me out. It
>>> just doesn't seem right to me on a number of levels.
>>>
>>> But, the core mission of OWASP is to make application security
>>> visible - and companies are needing deeper solutions that Open
>>> Source alone cannot provide today.
>>>
>>> So even though I have personal/emotional reservations to this
>>> initiative - I do objectively support it and hope it stays
>>> something positive for our community.
>>>
>>> - Jim
>>>
>>>
>>>> We already have in place of course the brand usage policy.
>>>>
>>>> I think this is not so complicated as all that.
>>>>
>>>> This is no different than the jobs page. It is locked and
>>>> administered in the same way.
>>>>
>>>> All that we're shooting here for is a phone book, basically, with
>>>> a little bit of value add by compelling 1-2 sentence description
>>>> of approach.
>>>>
>>>> Mike
>>>>
>>>>
>>>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz
>>>> <dinis.cruz at owasp.org> wrote:
>>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>>>> Connections Committee and Mike Boberski (who is trying to figure
>>>> out the best way to implement the OWASP Commercial Services idea))
>>>>
>>>> Question for you.
>>>>
>>>> Given the following scenario:
>>>>
>>>> "...
>>>> Company XYZ is delivering commercially (i.e. paid for) OWASP
>>>> related courses, such as for example: "OWASP Top 10", "Using
>>>> OWASP WebGoat", "Performing security assessments using the OWASP
>>>> Testing Guide" , "How to use OpenSAMM in your organization",
>>>> "OWASP ESAPI" , "OWASP ASVS", etc...
>>>>
>>>> - these courses are independently delivered at "NON OWASP
>>>> organized" events (for example a developer's Conference or
>>>> bespoke training sessions)
>>>> - attendees have to pay to attend (i.e. these are NOT FREE or
>>>> 'OWASP only' events like the one we organized and delivered at
>>>> the OWASP London Chapter last month)
>>>> - there is no mandatory direct financial return for OWASP (any
>>>> payments back to OWASP (if any at all) would have to be made at
>>>> the discretion of the organizing party)
>>>>
>>>> ..."
>>>>
>>>> Given that a large part of the potential (paying) audience for
>>>> these courses is part of the existing OWASP community, namely
>>>> the OWASP Mailing lists and WIKI viewers, the organizing party
>>>> would be very interested to advertise to target OWASP project the
>>>> course details (curriculum, trainer, delivery date, price,
>>>> location, etc...)
>>>>
>>>> Since this is a new area for OWASP, we have to make sure we
>>>> handle this in a way that is accepted/respected by our leaders
>>>> and community.
>>>>
>>>> So my question to you is:
>>>>
>>>> What would be an acceptable behaviour for the individuals or
>>>> companies organizing (and profiting) with these courses? (see
>>>> Variation+Options below)
>>>>
>>>> Variation A: the course is delivered by the Project's Leader as
>>>> an INDEPENDENT Trainer (this could also be a respected member of
>>>> the OWASP Community who: is an active/past contributor; is
>>>> respected by its peers; and is known to be very knowledgeable on
>>>> the course's topic)
>>>>
>>>> Should he/she be able to:
>>>>
>>>> Option 1: Buy advertisement space on www.owasp.org (i.e. the
>>>> banner that shows up at the top of the home page and the local
>>>> chapters)
>>>> Option 2: Send an email with the course's details to the
>>>> respective OWASP mailing list (i.e. Top-10, WebGoat, Testing
>>>> Guide, openSamm, ESAPI, ASVS). Assume that this is done with
>>>> 'good taste' (i.e. no 'snake oil' or super-sales pitch)
>>>> Option 3: Include a mention to it at the next OWASP Newsletter
>>>> Option 4: Put a direct link to it from the respective OWASP
>>>> Project (maybe on a section dedicated to these type of events)
>>>> Option 5: Put a direct link from a Training page on the OWASP
>>>> Commercial Services section of the OWASP website
>>>>
>>>>
>>>> Variation B: the course is delivered by the Project's Leader as a
>>>> hired employee/contractor for a 3rd party company
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation C: the course is delivered by an existing OWASP
>>>> Corporate Member or Education Supporter (Company, University,
>>>> etc..)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation D: the course is delivered by a Governmental
>>>> Organization that is involved with OWASP (for example the
>>>> Brazilian Government who sponsored last year's OWASP Conference
>>>> in Brazil)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation D: the course is delivered by a Governmental
>>>> Organization that is NOT part of the OWASP Community
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation E: the course is delivered by an Industry Body that
>>>> is NOT part of the OWASP Community (for example let's say that the
>>>> PCI Council decided to sell (and profit) from the delivery of
>>>> OWASP Top 10 courses)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation F: the course is delivered by a company/individual that
>>>> is NOT part of the OWASP Community (i.e. not a member, trainer is
>>>> not an OWASP Leader, nobody has really heard of them before)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> ------------------------------------------------------------------
>>>>
>>>> Taking into account that we want as many people to be exposed to
>>>> OWASP materials and that there should be a direct relationship
>>>> between the success of these courses and the market penetration
>>>> of the affected OWASP Projects ..... from your point of view,
>>>> which Variation+Options listed above:
>>>>
>>>> i) are compatible with OWASP's values/independence and SHOULD
>>>> be allowed (but monitored to prevent abuses)
>>>> ii) are NOT compatible with OWASP's values and SHOULD NOT be
>>>> allowed
>>>> iii) should only be allowed with 'somebody' (GEC, OWASP Board,
>>>> Project leader) permission / validation
>>>> iv) should be allowed, BUT with the information located at a
>>>> very specific locations (for example what happens with the
>>>> OWASP Job Board or the OWASP Commercial Services)
>>>>
>>>> Looking forward to hearing your answers and points of view
>>>>
>>>> Dinis Cruz
>>>> OWASP Board Member
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>>
>>> --
>>> Jim Manico
>>> OWASP Podcast Host/Producer
>>> OWASP ESAPI Project Manager
>>> http://www.manico.net
>>>
>>
>>
>> _______________________________________________
>> Global_education_committee mailing list
>> Global_education_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>
>>
>