[Owasp-leaders] Commercial delivery of courses based on OWASP materials

Jim Manico jim.manico at owasp.org
Thu May 13 20:19:47 EDT 2010


This program (OWASP commercial services) totally freaks me out. It just 
doesn't seem right to me on a number of levels.

But, the core mission of OWASP is to make application security visible - 
and companies are needing deeper solutions that Open Source alone cannot 
provide today.

So even though I have personal/emotional reservations to this initiative 
- I do objectively support it and hope it stays something positive for 
our community.

- Jim


> We already have in place of course the brand usage policy.
>
> I think this is not so complicated as all that.
>
> This is no different than the jobs page. It is locked and administered 
> in the same way.
>
> All that we're shooting here for is a phone book, basically, with a 
> little bit of value add by compelling 1-2 sentence description of 
> approach.
>
> Mike
>
>
> On Thu, May 13, 2010 at 7:05 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>     Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>     Connections Committee and Mike Boberski (who is trying to figure
>     out the best way to implement the OWASP Commercial Services
>     <http://www.owasp.org/index.php/Commercial_Services> idea))
>
>     Question for you.
>
>     Given the following scenario:
>
>     "...
>     /Company XYZ is delivering commercially (i.e. paid for)  OWASP
>     related courses, such as for example: "OWASP Top 10", "Using OWASP
>     WebGoat", "Performing security assessments using the OWASP Testing
>     Guide" , "How to use OpenSAMM in your organization", "OWASP ESAPI"
>     , "OWASP ASVS", etc...
>
>     /
>     / - these courses are independently delivered at "NON
>     OWASP organized" events (for example a developer's Conference or
>     bespoke training sessions)/
>     / - attendees have to pay to attend (i.e. these are /NOT FREE or
>     'OWASP only' events like the one we organized and delivered at the
>     OWASP London Chapter
>     <http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY> last
>     month) / ///
>     / - there is no mandatory direct financial return for OWASP (any
>     payments back to OWASP (/if any at all) /would have to be made at
>     the discretion of the organizing party)///
>     /
>     /
>     /..."/
>     /
>     /
>     /Given that a large part of the potential (paying) audience for
>     these courses is part of the /existing /OWASP community, namely
>     the OWASP Mailing lists and WIKI viewers, the organizing party
>     would be very interested to advertise to target OWASP project the
>     course details (curriculum, trainer, delivery date, price,
>     location, etc...)///
>     /
>     /
>     /Since this is a new area for OWASP, we have to make sure we
>     handle this in a way that is accepted/respected by our leaders and
>     community./
>     /
>     /
>     /So my question to you is: /*
>
>     What would anacceptable behaviour for the individuals or
>     companies organizing (and profiting) with these courses? (see
>     Variation+Options below)*//
>
>     /*Variation A: the course is delivered by the _Project's
>     Leader_ as an INDEPENDENT Trainer* (this could also be a respected
>     member of the OWASP Community who: is an active/past contributor;
>     is respected by its peers; and is known to be //very knowledgeable
>     on the course's topic))///
>     /
>     /
>     /Should he/she be able to: /
>     /
>     /
>     /*   Option 1: *Buy advertisement space on www.owasp.org
>     <http://www.owasp.org> (i.e. the banner that shows up at the top
>     of the home page and the local chapters)/
>     /* *//*Option*/* */*2:* Send an email with the course's details to
>     the respective OWASP mailing list (i.e. Top-10, WebGoat, Testing
>     Guide, openSamm, ESAPI, ASVS). Assume that this is done with 'good
>     taste' (i.e no  'snake oil' or super-sales pitch)///
>     /* *//*Option*/* */*3:* Include a mention to it at the next OWASP
>     Newsletter///
>     /* */*Option 4:*/ Put a direct link to it from the respective
>     OWASP Project (maybe on a section dedicated to these type of events)/
>     /* */*Option 5:*/ Put a /direct link from a Training page on the
>     OWASP Commercial Services
>     <http://www.owasp.org/index.php/Commercial_Services> section of
>     the OWASP website////
>     //
>     //
>     */*
>     */*
>     */*Variation B: the course is delivered by the _Project's
>     Leader_ as a hired employee/contractor for a 3rd party company*/*
>     //
>     //
>     //(same 5 Options from Variation A)//
>     //
>     //
>     ///*
>     *///
>     ///*Variation C: the course is delivered by an existing OWASP
>     Corporate Member or Education Supporter
>     <http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members>
>     *(Company, University, etc..)///
>     ///*
>     *///
>     ///*//(same 5 Options from Variation A)//*///
>     ///*//
>     //*///
>     ///*///*
>     *///*///
>     ///*///*Variation D: the course is delivered by an a
>     Governmental Organization that is involved with OWASP *(for
>     example the Brazilian Government who sponsored last year's OWASP
>     Conference in Brazil)///*///
>     ///*
>     *///
>     ///*//(same 5 Options from Variation A)//*///
>     ///*
>     ///*
>     *///
>     ///*
>     ///*///*
>     *///*///
>     ///*///*Variation D: the course is delivered by an a
>     Governmental Organization that is NOT part of the OWASP Community
>     *///*///
>     ///*
>     *///
>     ///*//(same 5 Options from Variation A)//*///
>     *///
>     ///*
>     *///
>     ///*///*
>     ///*
>     ///*///*
>     *///*///
>     ///*///*Variation E: the course is delivered by an a Industry Body
>     ///*
>     ///*///*
>     ///*///*
>     ///*
>     ///*///*that is NOT part of the OWASP Community *(for example lets
>     say that the PCI Council decided to sell (and profit) from the
>     delivery of OWASP Top 10 courses)///*///
>     *///
>     *///*///
>     *///*///
>     *///*///*///
>     ///*
>     *///
>     ///*//(same 5 Options from Variation A)//*///
>     ///*//
>     //*///
>     *///
>     *///*///
>     ///*
>     *///
>     ///*Variation F: the course is delivered by a company/individual
>     that is NOT part of the OWASP Community *(i.e. not a
>     member, trainer is not an OWASP Leader, nobody has really heard of
>     them before)///
>     ///*
>     *///
>     ///*//(same 5 Options from Variation A)//*///
>     *///
>
>
>     ------------------------------------------------------------------------------------
>
>     Taking into account that we want as many people to be exposed to
>     OWASP materials and that there should be a direct relationship
>     between the success of these courses and the market penetration of
>     the affected OWASP Projects .....  from your point of view, which
>     Variation+Options listed above:
>
>        i) are compatible with OWASP's values/independence and SHOULD
>     be allowed (but monitored to prevent abuses)
>        ii) are NOT compatible with OWASP's values and SHOULD NOT be
>     allowed
>       iii) should only be allowed with 'somebody' (GEC, OWASP Board,
>     Project leader) permission / validation
>       iv) should be allowed, BUT with the information located at
>     very specific locations (for example what happens with the
>     OWASP Job Board <http://www.owasp.org/index.php/OWASP_Jobs> or the
>     OWASP Commercial Services
>     <http://www.owasp.org/index.php/Commercial_Services>)
>
>     Looking forward to hearing your answers and points of view
>
>     Dinis Cruz
>     OWASP Board Member
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>    


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
