[Owasp-leaders] Commercial delivery of courses based on OWASP materials

Brian Bertacini brian at appsecconsulting.com
Thu May 13 20:19:20 EDT 2010


Thanks for clarifying.  I would like to see OWASP avoid the PCI-type
criticism. 
 
Brian
 

Brian Bertacini, CISA, PCI-QSA
AppSec Consulting, Inc.
ph:   408-723-1960
cell: 408-771-8638
email: brian at appsecconsulting.com

 

  _____  

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Thursday, May 13, 2010 5:16 PM
To: mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
Cc: owasp-connections-committee; global_education_committee at lists.owasp.org
Subject: Re: [Owasp-leaders] Commercial delivery of courses based on OWASP materials


I would like to ask that this thread stays on the original 'Commercial
delivery of courses based on OWASP materials' topic and on the question I
asked. 

There is another thread (started by Mike) which can be used for the
http://www.owasp.org/index.php/Commercial_Services idea

Dinis Cruz



On 14 May 2010 01:12, Mike Boberski <mike.boberski at gmail.com> wrote:


Each tab (all five) includes in bold italic at the top of each tab that OWASP
does not endorse and so on. 

This is exactly inline with OWASP's mission to help people do informed
things.


Mike



On Thu, May 13, 2010 at 8:10 PM, Brian Bertacini
<brian at appsecconsulting.com> wrote:


Hi Dinis,
 
Some of the scenarios below create an appearance where OWASP will be viewed
as a commercial organization (just look at the name).  
 
Your proposal sounds like the PCI-SSC; collecting money to manage and
certify service providers.  The PCI-SSC has implemented a quality assurance
program and places service providers in a "Remediation Status" for failing
to meet defined quality standards.  Will OWASP be ready to hire full time QA
Analysts to police the Commercial Services program?  This might be necessary
to ensure consistent and high-quality service delivery to protect the OWASP
brand.  If I understand most of the scenarios below, there is a requirement
for commercial organizations to pay OWASP an annual sponsorship/membership
fee.  Like PCI, the annual fee is a bigger burden for smaller service
providers.  I could go on but I think you get the point.  
 
Personally I like the concept of OWASP Commercial Services.  As a risk
management and information security professional I'm concerned about risk
this introduces to the OWASP brand.  
 
My $.02,
Brian Bertacini    
Bay Area OWASP Chapter

  _____  

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Thursday, May 13, 2010 4:06 PM
To: owasp-leaders at lists.owasp.org
Cc: owasp-connections-committee; global_education_committee at lists.owasp.org
Subject: [Owasp-leaders] Commercial delivery of courses based on OWASP materials


Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP Connections
Committee and Mike Boberski (who is trying to figure out the best way to
implement the OWASP Commercial Services
<http://www.owasp.org/index.php/Commercial_Services>  idea)) 

Question for you. 

Given the following scenario: 

"...
Company XYZ is delivering commercially (i.e. paid for) OWASP-related
courses, such as for example: "OWASP Top 10", "Using OWASP WebGoat",
"Performing security assessments using the OWASP Testing Guide", "How to
use OpenSAMM in your organization", "OWASP ESAPI", "OWASP ASVS", etc...   


 - these courses are independently delivered at "NON OWASP organized" events
(for example a developers' conference or bespoke training sessions)
 - attendees have to pay to attend (i.e. these are NOT FREE or 'OWASP only'
events like the one we organized and delivered at the OWASP London
<http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY>
Chapter last month)  
 - there is no mandatory direct financial return for OWASP (any payments
back to OWASP (if any at all) would have to be made at the discretion of the
organizing party)


..."


Given that a large part of the potential (paying) audience for these courses
is part of the existing OWASP community, namely the OWASP Mailing lists and
WIKI viewers, the organizing party would be very interested in advertising
the course details (curriculum, trainer, delivery date, price, location,
etc...) to the target OWASP project.


Since this is a new area for OWASP, we have to make sure we handle this in a
way that is accepted/respected by our leaders and community.


So my question to you is:  

What would be an acceptable behaviour for the individuals or companies
organizing (and profiting from) these courses? (see Variation+Options below)

Variation A: the course is delivered by the Project's Leader as an
INDEPENDENT Trainer (this could also be a respected member of the OWASP
Community who: is an active/past contributor; is respected by their peers; and
is known to be very knowledgeable on the course's topic)


Should he/she be able to: 


   Option 1: Buy advertisement space on www.owasp.org (i.e. the banner that
shows up at the top of the home page and the local chapters)
   Option 2: Send an email with the course's details to the respective OWASP
mailing list (i.e. Top-10, WebGoat, Testing Guide, openSamm, ESAPI, ASVS).
Assume that this is done with 'good taste' (i.e. no 'snake oil' or
super-sales pitch)
   Option 3: Include a mention to it at the next OWASP Newsletter
   Option 4: Put a direct link to it from the respective OWASP Project
(maybe on a section dedicated to these type of events)
   Option 5: Put a direct link from a Training page on the OWASP Commercial
Services <http://www.owasp.org/index.php/Commercial_Services>  section of
the OWASP website




Variation B: the course is delivered by the Project's Leader as a hired
employee/contractor for a 3rd party company


(same 5 Options from Variation A)




Variation C: the course is delivered by an existing OWASP Corporate Member
or Education
<http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members>
Supporter (Company, University, etc..)


(same 5 Options from Variation A)




Variation D: the course is delivered by a Governmental Organization that
is involved with OWASP (for example the Brazilian Government who sponsored
last year's OWASP Conference in Brazil)


(same 5 Options from Variation A)






Variation D: the course is delivered by a Governmental Organization that
is NOT part of the OWASP Community 


(same 5 Options from Variation A)






Variation E: the course is delivered by an Industry Body that is NOT part
of the OWASP Community (for example let's say that the PCI Council decided
to sell (and profit) from the delivery of OWASP Top 10 courses)


(same 5 Options from Variation A)




Variation F: the course is delivered by a company/individual that is NOT
part of the OWASP Community (i.e. not a member, trainer is not an OWASP
Leader, nobody has really heard of them before)


(same 5 Options from Variation A)


------------------------------------------------------------------------------------

Taking into account that we want as many people to be exposed to OWASP
materials and that there should be a direct relationship between the success
of these courses and the market penetration of the affected OWASP Projects
.....  from your point of view, which Variation+Options listed above:

   i) are compatible with OWASP's values/independence and SHOULD be allowed
(but monitored to prevent abuses)
   ii) are NOT compatible with OWASP's values and SHOULD NOT be allowed
  iii) should only be allowed with 'somebody's' (GEC, OWASP Board, Project
leader) permission / validation
  iv) should be allowed, BUT with the information located at very specific
locations (for example what happens with the OWASP Job Board
<http://www.owasp.org/index.php/OWASP_Jobs> or the OWASP Commercial
Services <http://www.owasp.org/index.php/Commercial_Services>)

Looking forward to hearing your answers and points of view

Dinis Cruz

OWASP Board Member

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders




