[Owasp-leaders] Fortify hands-on demo/session at forthcoming OWASP Northern Virginia Chapter

Stephen Craig Evans stephencraig.evans at gmail.com
Thu Sep 17 10:49:27 EDT 2009


Hi Dinis,

That was a very timely email by you... Last night I had written up
something a little less diplomatic but at the last minute saved it as
a draft :-)

My little comment is that I am wondering why Eric Dalci used his Yahoo
email address yesterday to announce the event on the Secure Code
Mailing List (SC-L) while previously he has used his Cigital email
address on the Virginia chapter mail list (e.g.
https://lists.owasp.org/pipermail/owasp-wash_dc_va/2009-September/000236.html).
Perhaps splitting hairs but some might perceive it to be sneaky.

Stephen

On Thu, Sep 17, 2009 at 8:53 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> So, the adventurous OWASP Virginia Chapter (led by the uncompromising John
> Steven) are going into uncharted OWASP waters in their next chapter meeting.
> You can read more about it on the chapter home page, on
> their [Owasp-wash_dc_va] OWASP Session - Fortify 360 - Thursday, September
> 17, 2009 mailing list announcement, or at the Secure Coding Mailing list.
> Basically what they are doing is allowing a vendor (Fortify) to come to an
> OWASP meeting and present their product! Shock Horror!!! Doesn't this break
> OWASP values, principles and independence!!!
> Well, it depends :)
> OWASP is not Anti-Vendor! In fact most OWASP members and users are either
> directly connected to a vendor or use vendors' products/services (disclosure:
> one of my contacts is with Ounce labs (now IBM)). In fact vendor
> presentations at OWASP happen ALL the time (see for example this
> presentation delivered at the last OWASP London chapter Using Surrogates to
> Protect from Application Data Breach ).
> The issue is not IF OWASP should have 'vendor' presentations but HOW we do
> them. My view is that as long as the 'snake oil & marketing' content is kept
> under control, what is presented is an 'accurate' representation of that
> technology and there is interest of the OWASP community in it, then it is
> OK.
> The fear is that OWASP becomes a 'vendor driven' organization and becomes
> 'infiltrated' with people who have direct & short-term commercial
> priorities. The good news is that I think OWASP has a long and ingrained
> tradition of 'keeping the vendors under control' and as we grow we need to
> create 'environments' where the vendors can show where they add value in a
> way that is compatible with OWASP's values and principles.
> And in my view, John is trying to create this environment using a
> 'real-world' case study (btw, this is what I love about OWASP, our leaders
> have the ability to be proactive and creative (we just need to make sure
> they are going in the right direction :) ))
> So, back to the subject at hand, here are a couple points and ideas about
> allowing vendors to provide 'hands-on sessions at OWASP Chapters and
> conferences' (I would like to see at the end of this thread a nice list of
> 'rules of engagement' for other chapters/conferences that want to organize
> similar events):
> 1) this is not a new idea, we have had many numerous talks in the past about
> helping to create at OWASP conferences an 'open & independent lab
> environment where people can try technology', and in fact I organized a
> while back a bake-off between WAF vendors in London (see
> London_Chapter_WAF_event),
> 2) The vendor should provide unrestricted and uncontrolled access to the
> technology to the participants,
> 3) On the other hand, since the value derived from these tools is usually
> very dependent on them being used by 'experienced users' and the fact that
> there is a section of the OWASP community that is very technical (&
> historically very skeptical about the REAL value that these tools can
> provide), the vendor (ideally) in partnership with an independent service
> provider, should also show how their tool is used in real world scenarios by
> its users,
> 4) The attendees should be allowed to take with them an evaluation version
> of the product without having to provide any information in return (business
> cards, names, mobile phones, social security numbers, bank account details,
> etc... :)  )
> 5) Pending technological or licensing problems, the vendor should provide
> a VMWare/VirtualPC/XEN/OWASP_Live_CD image containing everything needed to
> evaluate this technology (for windows, I think we could use 30/60/90 day
> evaluation versions of the required OS)
> 6) Pending bandwidth or logistical issues the event should be broadcast
> live and remote users should be given access to virtual images
> 7) Pending technological or logistical issues the event should be recorded
> in video/audio and made available to OWASP users
> 8) Final and very important, the final decision if one of these events is
> 'successful and respects OWASP's values and principles', should be made by
> the local OWASP 'non-vendor' members (i.e. people from local companies that
> are trying to buy, develop or maintain secure web applications). What I
> found in the past is that the threshold for 'vendor pitches' is very
> dependent on geographical locations (i.e. the same presentation in NYC and
> in Milan will have very different reviews (and sometimes the non-US chapters
> tend to be much more 'vendor' friendly)). So I would look at the local
> chapter (users and leader(s) ) for guidance about the event's outcomes.
> If this is popular, we should make these activities/events into an 'OWASP
> Project' since we will need to keep a tight control on these rules and
> ensure that this doesn't get abused.
> BUT, if we get this right, we will be able to leverage much more the
> energy/motivation that the vendors have in promoting their products, with
> the energy/motivation of the consulting companies that know how to use those
> products, and (MORE IMPORTANTLY OF ALL) with the needs, requirements and
> issues that the users/clients have.
> What do you think? This is a tough issue, but it is HAPPENING, so we might
> as well agree on the 'rules of engagement'.
> From the current description of the 'Fortify at Virginia chapter' event, I
> think they meet just about all the items I propose. Any comments?
> Dinis Cruz



-- 
http://www.linkedin.com/in/stephencraigevans