[Owasp-leaders] For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project

Jason Taylor jason.taylor at owasp.org
Fri Apr 9 05:37:32 EDT 2004


Hi Jeff, I think I can answer some of your questions. The OWASP exams project <https://www.owasp.org/index.php/OWASP_Exams_Project> is a real project. The goal of the project is to support the OWASP Academies work while providing resources that could also be used in non-academic settings. Currently we have a set of exam questions in the wiki, the same exam questions in a SCORM format so that anyone can easily use it in a learning management system, an eLearning course, also in SCORM format for use in a learning management system, and a knowledge base of articles that can be used to help in preparation for the exams. The SCORM packages are hosted on the OWASP Academies moodle LMS so that anyone who wants to can take the course and try out the graded exam. There are quite a lot of useful resources already available and I have seen interest in what the project has to offer. For instance, the OWASP L.A. chapter is very interested to learn more and I am presenting details of the project to them on Wednesday.

I'm also happy to note that we have made some modest progress on the exam questions:
During the summit I received a lot of feedback that was used to improve the questions
We updated the wiki with the improved questions
We placed variations of some of the questions on the wiki so that people can determine if the multiple choice style or single select style of questions is more effective
We updated the SCORM package so that the graded exam also reflects the improvements made to the questions
There are now 65 individuals who have created accounts on the Academies Moodle to use the exam. I think that's the start of a community right there!

That's not to say the questions are perfect, but I think they are making progress and I would welcome anyone who would like to help move the project forward and improve the exam. Anurag has already committed to help with this through the contribution of additional questions on the OWASP Top 10. Jeff, would you like to help review and improve the exam questions or contribute a new exam to the project?

I am a bit of an OWASP novice, so if there are things I've neglected to do as a leader, I appreciate your guidance in helping me improve. For instance I thought there was a mailing list already created with the project, is there something more I need to do? There is a wiki page, here: https://www.owasp.org/index.php/OWASP_Exams_Project. Is there something more I need to do in order to be a real OWASP project? 

As far as the model for engagement between SI and OWASP, I'd be happy to help. So far I've not seen how or where I could contribute to the conversation, what's the best way for me to engage?

Regarding your concerns around TeamMentor, I'd love to engage constructively with you and others in OWASP to figure out the right model. So far, we've had very little guidance to work from so we are trying to do our best to work with OWASP, contribute where we can, while cultivating working relationships with OWASP members such as Dinis, Sandra, Anurag and others. I'd like to lay out the model that we've hit upon and see what others think of it:
1) We created the OWASP eLearning course and exam and contributed them to OWASP inside the exams project. This actually could have been a big money maker for us, we've had many customers who would have paid and are happy to find it is instead quite free :).
2) We engaged the community at the summit to provide feedback on the exam and then spent the time required to analyze the feedback, improve the questions, and update the exams in the wiki.
3) We worked closely with others on the academies project to stand up a Moodle LMS and make scorm packages available for academic as well as non-academic use.
4) We pulled a big chunk of guidance articles out of our for-profit knowledge base, TeamMentor, and made them freely available through the OWASP exams project. There are 244 articles available via a number of channels:
	a) TeamMentor OWASP Edition, which is a free to use website for browsing the guidance
	b) A GitHub repository that contains all of these articles in XML format under CC license
	c) Guidance Explorer, which is an open source thick client for browsing as well as editing the guidance

I think your concerns revolve around point 4a, since TeamMentor OWASP Edition is a tool that can be used to browse the articles but the tool code is not open source. In fact the TeamMentor OWASP web application is the exact same application as TeamMentor Enterprise that we sell to our customers. Our thinking is that free use of the tool to browse the articles is a value-add for people who want to take a look at the articles without going to the trouble of downloading and installing Guidance Explorer. For anyone who wants to re-use the articles, add to them, modify them, etc. then Guidance Explorer actually provides many more features than the TeamMentor web application. So we have not provided a crippled version, instead we gave access to the fully featured tooling that we use ourselves internally when working with the knowledge base.

I know this has gone rather long, so instead of continuing I'll stop here and see what you, and others in the community, think of what we've done so far. Primarily I'm interested in feedback on:
1) Is there value to OWASP in what we've done? If so, I'd love to see it continue and grow. If not, then it seems we need to change our approach.
2) Is there something more, or less, we should be doing in order to better fit into the OWASP model?

Thanks,
Jason

On Aug 18, 2011, at 3:49 PM, Jeff Williams wrote:

> Dinis,
>  
> Congrats on the move.  As you know, I’m concerned about commercial companies releasing ‘crippled’ versions of their tool at OWASP as an advertisement to buy the full version.  I think the current SI pages and app as released right now are over this line.  The product looks like an OWASP project, but is hosted on an SI domain and clearly advertises a commercial product.  I believe this is misleading.
>  
> I understand and appreciate that you are trying to find a model for commercial entities and OWASP to work together.  However, OWASP’s reputation depends on our independence and objectivity.  You have been the most staunch defender of this in the past.
>  
> I want OWASP to engage with commercial entities.  Particularly when multiple commercial entities all have the same need and want to collaborate through OWASP.  And I agree that we need to define some rules around this kind of commercial-OWASP partnership.  In fact that’s what I tried to do with John in the OWASP Partnership Model.  I’m not as sure about how to engage with security product vendors.
>  
> But I don’t believe that either TeamMentor or Exams are real OWASP projects.  To my knowledge there has been no effort to create a real project with mailing lists, wiki pages, community participation, and *most importantly* an open source repository of the code.  The TeamMentor code isn’t even open source.  Are there any other committers or participants?  The recent changes (now deleted) to Wikipedia’s OWASP article marketing the project are particularly concerning.
>  
> If the model is that the *content* is to be an OWASP maintained project, while the *tool* to use the content is to be an SI commercial product, then forget it.  I won’t spend my energy maintaining it.  And I don’t think OWASP should encourage this.  If there’s CC content on the OWASP wiki that SI wants to use in their product (with respect to the license) then great.
>  
> One model that does work is to actually open source the tool and then provide commercial support.
>  
> --Jeff
>  
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
> Sent: Thursday, August 18, 2011 1:53 PM
> To: 'dinis cruz'; owasp-leaders at lists.owasp.org
> Cc: 'Maureen Robinson'; 'Tom Bain'
> Subject: Re: [Owasp-leaders] For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project
>  
> Regarding the proposed Press Release, I don’t see anything in it that I would consider abusing the OWASP brand.
>  
> Regarding OWASP O2 commercial services, I think if your website includes the points you have listed below, that this is an SI service, and NOT an OWASP provided or endorsed service, then those are the main points to get across. And these points need to be clear and obvious, not buried in the fine print. Others may think of other things to mention, and documenting them in some kind of OWASP Code of Conduct page for how to represent commercial support around OWASP projects is a good idea, because I’m sure we will learn things and we can update this page with both expected behavior, and also list ‘examples’ of behavior that we don’t like (potentially taken from real world abuse cases, but sanitized to not reflect the real original offender).
>  
> My initial thoughts anyway.
>  
> -Dave
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of dinis cruz
> Sent: Thursday, August 18, 2011 1:26 PM
> To: owasp-leaders at lists.owasp.org
> Cc: Maureen Robinson; Tom Bain
> Subject: [Owasp-leaders] For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project
>  
> As some of you might have noticed, I recently joined SI (Security Innovation) as an Employee (for more details on why I did it, see this personal blog entry http://diniscruz.blogspot.com/2011/08/joining-security-innovation-si-as.html)
>  
> Due to the power of the OWASP brand, SI's marketing department wants to issue a Press Release (PR) with this bit of news. This has happened a number of times before for other OWASP leaders and products, and sometimes the fine line of 'marketing' and abusing the OWASP brand (or overstating particular facts) gets crossed. For example, SI did issue a Press Release a couple months ago that could have benefited from some OWASP peer review :).
>  
> Part of what I want to do at SI, is to create frame-of-references/examples for how commercial companies should behave around OWASP, and SI (so far) has tried very hard to play by OWASP rules (even when they don't exist or are not explicitly defined). Not to say that they haven't made mistakes in the past, but they are trying hard.
>  
> 
> So, the first part of this email is a question to you: "Is the PR included at the end of this email OK?"   Please be brutal in your feedback and if you feel changes should be made, please let us know (I'm CCing Tom and Maureen from SI marketing department, so if relevant, please include them on your replies (the cut-off point is next Monday at 12pm EST, with a publishing date of Tuesday)). I made some changes to the original version, but remember that this is a Press Release :)
>  
> 
> The 2nd question on this email is related to the fact that SI is going to offer (i.e. sell) commercial Support for an OWASP project, in this case the OWASP O2 Platform. 
>  
> 
> The original focus is going to be on using O2 to customise existing AppSec tools in order to make them 'Framework Aware', and on the automation of AppSec security reviews (i.e. delivering of security findings as unit tests for developers). Btw, I'm still hurting from the fact that SI (due to market demand) wants to build training content on ESAPI and not on O2  :)
>  
> 
> The question is: "How can this type of service be represented on OWASP's website and to OWASP's community?" 
>  
> 
> For example, what disclaimers should be made to make sure this is not perceived as an 'OWASP provided service'. Maybe we should create a Code of Conduct book for these cases?
>  
> 
> I believe this to be a really good development for OWASP, and I do wish that other companies provided commercial support/services on OWASP projects, for example: WebGoat, ESAPI, ASVS, WebScarab/Zap, Top 10, Legal, Encoding libraries, Testing/Code/Developer guides, Cheat-Sheets, etc...
>  
> 
> Of course, since OWASP projects are all licensed with an OpenSource or CC license, it will not be possible for ONE company to be the ONLY provider of these services. Ideally we should have multiple companies providing these commercial services (each with its own unique positioning, strengths and offerings). It would then be a case of the market deciding on which one they want to reward with their business.
>  
> 
> These are uncharted territories, but the good news is that finally (with SI officially supporting O2) we have a real world scenario to deal with (in the past we spent too much time theorising about the multiple hypothetical scenarios and abuses)
>  
> 
> The best way to get things done at OWASP is to try new ideas, see how they go, listen to the feedback received, and improve on the next version.
>  
> 
> So SI and I are kickstarting this, and hopefully others will follow.
>  
> 
> (note: there is already an OWASP project that was going to try to get happen, but it had no energy, maybe now is the time to restart it)
>  
> 
> Dinis Cruz
>  
> (below is the full text of the PR that will be published next Tuesday)
>  
>  
> Security Innovation Announces the Hiring of Web Application Security Expert Dinis Cruz as
> Principal Security Engineer
>  
> Wilmington, Mass., August 22, 2011 – Security Innovation, a leading organization specializing in application security products and services, has announced that it has hired Dinis Cruz as Principal Security Engineer. This strategic appointment supports Security Innovation’s goal, which is to provide its customers with solutions designed to help protect their most coveted assets through securely developing applications.
>  
> Cruz will serve as a lead architect and visionary, driving the design and evolution of the company’s knowledgebase repository product, TeamMentor Enterprise Edition. Cruz will be responsible for re-architecting the solution to better serve security and development teams, with a particular focus on integration with other products, frameworks, and automated assessment activities. He’ll also continue to lead the company’s strategic initiatives with the open-source community.
>  
> “Dinis has been a part of our extended team, working on product development projects over the last several months. Now that he is officially joining us as an employee, we’re excited to have him fully engaged, enhancing our unique portfolio of application security-specific products and services,” said Jason Taylor, chief technology officer, Security Innovation. “We are focused on adding respected application security experts to our staff to enable our customers to build the most secure applications in the world.”
>  
> Cruz brings extensive Web application security experience to his role with Security Innovation. Previously, Cruz served as Director of Advanced Technology with Ounce Labs and specialized in code reviews, penetration testing, ASP.NET application security and security engineering. As an active OWASP leader and contributor, Cruz has been rewriting the Open Source OWASP O2 Platform. He served as an OWASP Board Member (2005 to 2011) and has led important initiatives like the OWASP Seasons of Code, OWASP Summits (2008 and 2011), OWASP books, and a number of OWASP .NET projects. As the main developer of OWASP O2 Platform, Cruz’s vision is to automate application security knowledge and he has designed O2 to be an industry standard for data-sharing between WebAppSec tools, consultants and final users. He is also a regular industry speaker, having delivered technical presentations and training at numerous OWASP conferences and BlackHat.
>  
> Cruz will also work closely with SI’s Application Security services team delivering software and SDLC assessments and help to create Security Innovation supported versions of the OWASP O2 Platform. Specifically, this effort is designed to integrate and consolidate the data created by tools or services like IBM Rational AppScan, Veracode, WhiteHat, Microsoft CAT.NET, OWASP Zap Proxy, Burp Proxy, HP Fortify and other open source tools to make them ‘Framework Aware’ and connect them with existing SDLC tools and processes.
>  
> “What started as writing some code for TeamMentor a few months ago, turned into a longer-term project that really allowed me to get a feeling for what it’s like to work with Security Innovation,” said Cruz. “I was impressed by the company’s application security knowledge and there was an obvious synergy between us. We believe in the same best practices and methodologies for architecting secure software and making that knowledge broadly available,” he added.
> Cruz is an active blogger. His views on joining Security Innovation and other security-related topics can be found on the Dinis Cruz Blog and on Security Innovation’s Application and Cyber Security blog.
>  
> About Security Innovation
> Security Innovation is an established leader in the application security and cryptography space. For over a decade the company has provided products, training and consulting services to help organizations build and deploy more secure systems and improve the process by which their applications are built. 
> Security Innovation built upon its core competencies in application security with the acquisition of NTRUCryptoSystems in 2009, a company that developed proprietary, standardized algorithms. This resulted in the strongest and fastest public key cryptography available and the means to overcome historical performance barriers that have plagued the encryption industry. With these core strengths intact, Security Innovation is in a position to help organizations protect their data at two critical points: while applications are accessing it and during transmission. The company’s flagship products include TeamProfessor, the industry’s largest library of application eLearning courses, and TeamMentor, a web-based secure development methodologies product. 
> 
> Security Innovation is privately held and is headquartered in Wilmington, MA USA.
> Note to Editors: Security Innovation, NTRUEncrypt, TeamMentor, TeamProfessor and the Security Innovation logo are trademarks of Security Innovation. All other brand names may be trademarks of their respective owners. 
> Contacts
> Maureen Robinson
> Security Innovation 
> (978) 694-1008 X21
> mrobinson at securityinnovation.com
> April Corso
> Lois Paul & Partners 
> (781) 782-5831
> april_corso at lpp.com
