[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

dinis cruz dinis.cruz at owasp.org
Sat May 22 12:56:37 EDT 2010


"OWASP community supporters" would not be applicable on most (probably all)
of the proposed scenarios since the idea is to find a way to connect the
commercial services provided by core OWASP Contributors/leaders/members with
OWASP, in a way that is accepted by the community and
doesn't compromise OWASP independence.

In fact that is sort of what we are currently trying to do at the
http://www.owasp.org/index.php/OWASP_for_Charities project (led by Daniel C)

What we have to take into account is that this *"Who is doing Commercial Services
around OWASP"* issue/discussion/problem is already happening today (but there
are no rules of engagement, abuses happen occasionally and there is no way
to leverage it in a way that is beneficial to OWASP)

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:

>
> Perhaps "OWASP community supporters"  vs . "OWASP commercial service"
>
>
>
> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>
> There are a number of other comparable examples, ranging from Common
> Criteria, FIPS 140, to Drupal.
>
> There are NO mechanisms that allow a listed company to interfere with any
> OWASP project or function, exactly as there are none for job listings.
>
> The approach taken has been painstakingly designed to align with OWASP's
> mission.
>
> Mike
>
>
> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>>  This program (OWASP commercial services) totally freaks me out. It just
>> doesn't seem right to me on a number of levels.
>>
>> But, the core mission of OWASP is to make application security visible -
>> and companies are needing deeper solutions that Open Source alone cannot
>> provide today.
>>
>> So even though I have personal/emotional reservations to this initiative -
>> I do objectively support it and hope it stays something positive for our
>> community.
>>
>> - Jim
>>
>>
>> We already have in place of course the brand usage policy.
>>
>>  I think this is not so complicated as all that.
>>
>>  This is no different than the jobs page. It is locked and administered
>> in the same way.
>>
>>  All that we're shooting for here is a phone book, basically, with a
>> little bit of value added by a compelling 1-2 sentence description of approach.
>>
>> Mike
>>
>>
>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>>> Connections Committee and Mike Boberski (who is trying to figure out the
>>> best way to implement the OWASP Commercial Services <http://www.owasp.org/index.php/Commercial_Services> idea))
>>>
>>>  Question for you.
>>>
>>>  Given the following scenario:
>>>
>>>  "...
>>> Company XYZ is delivering commercially (i.e. paid for) OWASP related
>>> courses, such as for example: "OWASP Top 10", "Using OWASP WebGoat",
>>> "Performing security assessments using the OWASP Testing Guide", "How to
>>> use OpenSAMM in your organization", "OWASP ESAPI", "OWASP ASVS", etc...
>>>
>>>  - these courses are independently delivered at "NON
>>> OWASP organized" events (for example a developer's Conference or bespoke
>>> training sessions)
>>>  - attendees have to pay to attend (i.e. these are NOT FREE or 'OWASP
>>> only' events like the one we organized and delivered at the OWASP London
>>> Chapter <http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY> last
>>> month)
>>>  - there is no mandatory direct financial return for OWASP (any
>>> payments back to OWASP (if any at all) would have to be made at
>>> the discretion of the organizing party)
>>> ..."
>>>
>>> Given that a large part of the potential (paying) audience for these
>>> courses is part of the existing OWASP community, namely the OWASP
>>> Mailing lists and WIKI viewers, the organizing party would be
>>> very interested to advertise the course details (curriculum, trainer,
>>> delivery date, price, location, etc...) to the target OWASP project
>>>
>>> Since this is a new area for OWASP, we have to make sure we handle this
>>> in a way that is accepted/respected by our leaders and community.
>>>
>>> So my question to you is:
>>>
>>> What would be an acceptable behaviour for the individuals or
>>> companies organizing (and profiting from) these courses? (see
>>> Variation+Options below)
>>>
>>>  Variation A: the course is delivered by the Project's Leader as an
>>> INDEPENDENT Trainer (this could also be a respected member of the OWASP
>>> Community who: is an active/past contributor; is respected by his/her peers; and
>>> is known to be very knowledgeable on the course's topic)
>>>
>>> Should he/she be able to:
>>>
>>>    Option 1: Buy advertisement space on www.owasp.org (i.e. the banner
>>> that shows up at the top of the home page and the local chapters)
>>>    Option 2: Send an email with the course's details to the respective
>>> OWASP mailing list (i.e. Top-10, WebGoat, Testing Guide, openSamm, ESAPI,
>>> ASVS). Assume that this is done with 'good taste' (i.e. no 'snake oil' or
>>> super-sales pitch)
>>>    Option 3: Include a mention of it in the next OWASP Newsletter
>>>    Option 4: Put a direct link to it from the respective OWASP Project
>>> (maybe in a section dedicated to these types of events)
>>>    Option 5: Put a direct link from a Training page on the OWASP
>>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services> section
>>> of the OWASP website
>>>
>>>  Variation B: the course is delivered by the Project's Leader as a hired
>>> employee/contractor for a 3rd party company
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>  Variation C: the course is delivered by an existing OWASP Corporate
>>> Member or Education Supporter <http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members>
>>>  (Company, University, etc..)
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>  Variation D: the course is delivered by a Governmental Organization
>>> that is involved with OWASP (for example the Brazilian Government who
>>> sponsored last year's OWASP Conference in Brazil)
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>  Variation D: the course is delivered by a Governmental Organization
>>> that is NOT part of the OWASP Community
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>  Variation E: the course is delivered by an Industry Body
>>>  that is NOT part of the OWASP Community (for example let's say that the
>>> PCI Council decided to sell (and profit from) the delivery of OWASP Top 10
>>> courses)
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>  Variation F: the course is delivered by a company/individual that is
>>> NOT part of the OWASP Community (i.e. not a member, trainer is not an
>>> OWASP Leader, nobody has really heard of them before)
>>>
>>>  (same 5 Options from Variation A)
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------------
>>>
>>>  Taking into account that we want as many people as possible to be exposed to OWASP
>>> materials and that there should be a direct relationship between the success
>>> of these courses and the market penetration of the affected OWASP Projects
>>> .....  from your point of view, which Variation+Options listed above:
>>>
>>>     i) are compatible with OWASP's values/independence and SHOULD be
>>> allowed (but monitored to prevent abuses)
>>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be allowed
>>>   iii) should only be allowed with 'somebody's' (GEC, OWASP Board, Project
>>> leader) permission / validation
>>>   iv) should be allowed, BUT with the information located at very
>>> specific locations (for example what happens with the OWASP Job
>>> Board <http://www.owasp.org/index.php/OWASP_Jobs> or the OWASP
>>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>>> )
>>>
>>>  Looking forward to hearing your answers and points of view
>>>
>>> Dinis Cruz
>>>  OWASP Board Member
>>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>> --
>> Jim Manico
>> OWASP Podcast Host/Producer
>> OWASP ESAPI Project Manager
>> http://www.manico.net
>>
>>
>
>
>
> _______________________________________________
> Global_education_committee mailing list
> Global_education_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_education_committee
>
>