[Owasp-leaders] Commercial Services Registry -- Live!

Paolo Perego thesp0nge at owasp.org
Mon May 17 05:46:26 EDT 2010

Hi Leaders.

I started this email thinking about how important the "OWASP" word has
become in the ICT business world, and how great the work all of you have
done since 2001 is.
I started thinking that I have seen a lot of companies saying "yeah, sure,
we do Owasp", "yeah, sure, we contribute to Owasp" and all the possible
Owasp-or-Something combinations.

I do think that this project can give companies spending energy in
Owasp the right visibility.
I do think this can be a really interesting chance for Owasp to gain
widespread promotion.

End of preamble (necessary to avoid misunderstandings caused by my
limited vocabulary :-))

On Fri, May 14, 2010 at 6:16 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:

> Now that it is clear that not all the Information Security Companies all
> around the world could be listed in the registry, I think it is important,
> as you said, to create a set of criteria.
Sure Matteo, we do have to set up some criteria.
For that reason I think that the first criterion is that a Company
wanting to be listed in the registry must be an Owasp member, thus helping
the Owasp organization from a material point of view. For the company
it's an investment, due to the visibility this can bring. So it
could be a deal for both parties. What do you think about it?

> Maybe for a Company a set of criteria could be a function of the
> following "OWASP argument":
> - a minimum number of people that collaborate in OWASP (3p?)
This would cut off the whole "Micro ISV" world, and it would be a pity.
Consider a "one man band" spreading the Owasp voice, supporting
the organization but acting on the marketplace as self-employed or in a
micro software company formed by a bunch of fellows.

What about using a ratio as the parameter,
people_that_collaborates/people_in_the_techie_area? It also makes
sense for Micro ISVs.

I see the danger that a "Big and Nasty" company could put in 20 juniors
or recruits (I don't know if this fits "people who just started working at
a place") just to be listed and gain visibility.

> - how many years the person collaborates in OWASP (3y?)
Sounds perfect!

> - how many OWASP projects has he delivered in release quality as project
> leader? (at least 1 per Company?)
Uff... why not extend it to Beta quality? :-)

> - other?
If the person says in his Owasp profile the name of the Company he works for.
IMHO, this is the most important issue for that company to be listed:
having people contributing to Owasp and proud to be part of that.
Since we're community driven, I think it's crucial that the Owasp
contributor is proud of working with Foo Company and wants to tell the
world that Foo Company is "Owasp friendly".

Does it make sense?

> In that way OWASP will promote OWASP (or we have to find a way to
> reach this goal IMO).
IMO another important way is to widely promote membership.

> In that way, listed companies will be more qualified than others and we
> can reasonably assume that they will reach the "OWASP Consultancy"
> that the market needs.
Here, Matteo, I slightly disagree. Companies that don't do
consultancy can be listed too, so it's better to say that listed
companies are more "Owasp friendly" than others.

(no, I'm not launching a micro ISV company for now :-))

PS: Given all the support Owasp gave me in these years, I'd like to
announce it here before blogs and LinkedIn: I'm leaving appsec
consultancy. It is too buzzword oriented in some places. I'm going to
switch back to web development, and I think this can allow me to do
even more evangelism about Owasp and webapp sec. This switch stole all
my energy in the last months, so I wasn't focused enough on Owasp, on Owasp
Orizon and stuff like that. Now I'm recharging my batteries :-)

"... static analysis is fun, again!"

OWASP Orizon project leader, http://orizon.sourceforge.net
Owasp Italy R&D director
