[Owasp-leaders] Fortify hands-on demo/session at forthcoming OWASP Northern Virginia Chapter

Ofer Shezaf ofer at shezaf.com
Thu Sep 17 11:30:45 EDT 2009


Many wonderful people work for vendors and can and should speak in OWASP
meetings, I myself spoke numerous times in OWASP conferences and meetings on
the WAF space when working for a WAF vendor. However there is a huge
difference between that and presenting your products. There isn't even a
speaker name tied to this event.


The distance between this event and reselling the OWASP brand name for
vendor luncheons and webinars is tiny if it exists at all. Let's not become
a marketing channel, there are enough of those out there.


~ Ofer Shezaf

OWASP Israel chapter leader

Global Chapter Committee



From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Justin Clarke
Sent: Thursday, September 17, 2009 6:14 PM
To: owasp-leaders at lists.owasp.org
Cc: John Steven
Subject: Re: [Owasp-leaders] Fortify hands-on demo/session at forthcoming
OWASP Northern Virginia Chapter


I think vendor presentations should be encouraged - within limits. For
example, OWASP meetings should never be a sales pitch. However, the majority
of vendors will usually have someone who can talk to the landscape and
problem area that their product solves. The best are knowledgeable about
what everyone else is up to in the space, and can speak and discuss the
topic without needing to refer to what their product actually is or does.

As it's usually the problem space and potential solutions that we're
interested in - not the product itself - I imagine our membership is
intelligent enough to figure out that someone from a vendor probably has a
solution they are biased towards (if only because they know more about it).
And if they are interested in finding out more about that vendor's solution -
that's why we usually have networking time after the meeting - they can go
ask the presenter for more information.

OWASP London cat herder

On 17/09/2009 14:53, "dinis cruz" <dinis.cruz at owasp.org> wrote:

OWASP is not Anti-Vendor! In fact most of OWASP members and users are either
directly connected to a vendor or use vendor's products/services (disclosure:
one of my contacts is with Ounce labs (now IBM)). In fact vendor
presentations at OWASP happen ALL the time (see for example this
presentation delivered at the last OWASP London chapter, Using Surrogates to
Protect from Application Data Breach
<http://www.owasp.org/images/b/b3/Dave_Marsh_Tokenisation.pdf>).

The issue is not IF OWASP should have 'vendor' presentations but HOW we do
them. My view is that as long as the 'snake oil & marketing' content is kept
under control, what is presented is an 'accurate' representation of that
technology and there is interest of the OWASP community in it, then it is

The fear is that OWASP becomes a 'vendor driven' organization and becomes
'infiltrated' with people who have direct & short-term commercial
priorities. The good news is that I think OWASP has a long and ingrained
tradition of 'keeping the vendors under control' and as we grow we need to
create 'environments' where the vendors can show where they add value in a
way that is compatible with OWASP's values and principles.

And in my view, John is trying to create this environment using a
'real-world' case study (btw, this is what I love about OWASP, our leaders
have the ability to be proactive and creative (we just need to make sure
they are going on the right direction :) )) 

So, back to the subject at hand, here are a couple points and ideas about
allowing vendors to provide 'hands-on sessions at OWASP Chapters and
conferences' (I would like to see at the end of this thread a nice list of
'rules of engagement' for other chapters/conferences that want to organize
similar events):

1) this is not a new idea, we have had numerous talks in the past about
helping to create at OWASP conferences an 'open & independent lab
environment where people can try technology', and in fact I organized a
while back a bake-off between WAF vendors in London (see
<http://www.owasp.org/index.php/London_Chapter_WAF_event>),
2) The vendor should provide unrestricted and uncontrolled access to the
technology to the participants,
3) On the other hand, since the value derived from these tools is usually
very dependent on them being used by 'experienced users' and the fact that
there is a section of the OWASP community that is very technical (&
historically very skeptical about the REAL value that these tools can
provide), the vendor (ideally) in partnership with an independent service
provider, should also show how their tool is used in real world scenarios by
its users,
4) The attendees should be allowed to take with them an evaluation version
of the product without having to provide any information in return (business
cards, names, mobile phones, social security numbers, bank account details,
etc... :)  )
5) Pending technological or licensing problems, the vendor should provide
a VMWare/VirtualPC/XEN/OWASP_Live_CD image containing everything needed to
evaluate this technology (for windows, I think we could use 30/60/90 day
evaluation versions of the required OS)
6) Pending bandwidth or logistical issues the event should be broadcast
live and remote users should be given access to virtual images
7) Pending technological or logistical issues the event should be recorded
in video/audio and made available to OWASP users
8) Final and very important, the final decision on whether one of these events
is 'successful and respects OWASP's values and principles' should be made by
the local OWASP 'non-vendor' members (i.e. people from local companies that
are trying to buy, develop or maintain secure web applications). What I
found in the past is that the threshold for 'vendor pitches' is very
dependent on geographical location (i.e. the same presentation in NYC and
in Milan will have very different reviews (and sometimes the non-US chapters
tend to be much more 'vendor' friendly)). So I would look at the local
chapter (users and leader(s)) for guidance about the event's outcomes.

If this is popular, we should make these activities/events into an 'OWASP
Project' since we will need to keep a tight control on these rules and
ensure that this doesn't get abused.

BUT, if we get this right, we will be able to leverage much more the
energy/motivation that the vendors have in promoting their products, with
the energy/motivation of the consulting companies that know how to use those
products, and (MORE IMPORTANTLY OF ALL) with the needs, requirements and
issues that the users/clients have.

What do you think? This is a tough issue, but it is HAPPENING, so we might
as well agree on the 'rules of engagement'.

From the current description of the 'Fortify at Virginia chapter' event, I
think they meet just about all the items I propose. Any comments?

Dinis Cruz

