[Owasp-leaders] Fortify hands-on demo/session at forthcoming OWASP Northern Virginia Chapter

dinis cruz dinis.cruz at owasp.org
Thu Sep 17 10:46:44 EDT 2009

yap, we'll update them :)

2009/9/17 Seba <seba at owasp.org>

> The current bottom line are the chapter rules online:
> http://www.owasp.org/index.php/Chapter_RulesDepending on the outcome of
> this discussion we might need to update them? or not?
> regards
> Seba
> On Thu, Sep 17, 2009 at 3:53 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> So, the adventurous OWASP Virgina Chapter (lead by the uncompromising John
>> Steven) are going into uncharted-OWASP waters in their next chapter meeting.
>> You can read more about it on the chapter home page<http://www.owasp.org/index.php/Virginia#tab=Schedule> on
>> their [Owasp-wash_dc_va] OWASP Session - Fortify 360 - Thursday,
>> September 17, 2009<https://lists.owasp.org/pipermail/owasp-wash_dc_va/2009-September/000236.html> mailing
>> list announcement or at the  Secure Coding Mailing list<http://krvw.com/pipermail/sc-l/2009/002080.html>
>> Basically what they are doing is allowing a vendor (Fortify) to come to an
>> OWASP meeting and present their product! Shock Horror!!! Doesn't this break
>> OWASP values, principles and independence!!!
>> Well, it depends :)
>> OWASP is not Anti-Vendor! In fact most of OWASP members and users are
>> either direct connected to a vendor or use vendor's products/services
>> (disclosure one of my contacts is with Ounce labs (now IBM)). In fact vendor
>> presentations at OWASP happen ALL the time (see for example this
>> presentation delivered at the last OWASP London chapter Using Surrogates
>> to Protect from Application Data Breach<http://www.owasp.org/images/b/b3/Dave_Marsh_Tokenisation.pdf>
>>  ).
>> The issue is not IF OWASP should have 'vendor' presentations but HOW we do
>> them. My view is that as long as the 'snake oil & marketing' content is kept
>> under control, what is presented is an 'accurate' representation of that
>> technology and there is interest of the OWASP community in it, then it is
>> OK.
>> The fear is that OWASP become an 'vendor driven' organization and becomes
>> 'infiltrated' with people who have direct & short-term commercial
>> priorities. The good news is that I think OWASP has a long and ingrained
>> tradition of 'keeping the vendors under control' and as we grow we need to
>> create 'environments' where the vendors can show where they add value in a
>> way that is compatible with OWASPs values and principle.
>> And in my view, John is trying to create this environment using a
>> 'real-world' case study (btw, this is what I love about OWASP, our leaders
>> have the ability to be proactive and creative (we just need to make sure
>> they are going on the right direction :) ))
>> So, back to the subject at hand, here are a couple points and ideas about
>> allowing vendors to provide 'hands-on sessions at OWASP Chapters and
>> conferences' (I would like to see at the end of this thread a nice list of
>> 'rules of engagement' for other chapters/conferences that want to organize
>> similar events):
>> 1) this is not a new idea, we have had many numerous talks in the past
>> about helping to create at OWASP conferences an 'open & independent lab
>> environment where people can try technology', and in fact I organized a
>> while back a bake-off between WAF vendors in London (see
>> London_Chapter_WAF_event<http://www.owasp.org/index.php/London_Chapter_WAF_event>
>> ),
>> 2) The vendor should provide unrestricted and uncontrolled access to the
>> technology to the participants,
>> 3) On the other hand, since the value derived from these tools is usually
>> very dependent on them being used by 'experienced users' and the fact that
>> there is a section of the OWASP community that is very technical (&
>> historically very skeptical about the REAL value that these tools can
>> provide), the vendor (ideally) in partnership with an independent service
>> provider, should also show how their tool is used in real world scenarios by
>> its users,
>> 4) The attendees should be allowed to take with them an evaluation version
>> of the product without having to provide any information in return (business
>> cards, names, mobile phones, social security numbers, bank account details,
>> etc... :)  )
>> 5) Pending technologically or licensing problems, the vendor should
>> provide a VMWare/VirtualPC/XEN/OWASP_Live_CD image containing everything
>> needed to evaluate this technology (for windows, I think we could use
>> 30/60/90 day evaluation versions of the required OS)
>> 6) Pending bandwidth or logistical issues the event should be broadcasted
>> live and remote users should be give access to virtual images
>> 7) Pending technological or logistical issues the event should be recorded
>> in video/audio and made available to OWASP users
>> 8) Final and very important, the final decision if one of these events is
>> 'successful and respects OWASP's values and principle', should be made by
>> the local OWASP 'non-vendor' members (i.e. people from local companies that
>> are trying to buy, develop or maintain secure web applications). What I
>> found in the past, is that the threshold for 'vendor pitches' is very
>> dependent on geographical locations (i.e. the same presentation in NYC and
>> in Milan will have very different reviews (and sometimes the non-US chapters
>> tend to be much more 'vendor' friendly)). So I would look at the local
>> chapter (users and leader(s) ) for guidance about the event's outcomes.
>> If this is popular, we should make these activities/events into an 'OWASP
>> Project' since we will need to keep a tight control on these rules and
>> ensure that this doesn't get abused.
>> BUT, if we get this right, we will be able to leverage much more the
>> energy/motivation that the vendors have in promoting their products, with
>> the energy/motivation of the consulting companies that know how to use those
>> products, and (MORE IMPORTANTLY OF ALL) with the needs, requirements and
>> issues that the users/clients have.
>> What do you think? This is a though issue, but it is HAPPENING, so we
>> might as well agree on the 'rules of engagement'
>> From the current description of the 'Fortify at Virgina chapter' event, I
>> think they meet just about all the items I propose. Any comments?
>> Dinis Cruz
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090917/2636987d/attachment.html 

More information about the OWASP-Leaders mailing list