[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

Jim Manico jim.manico at owasp.org
Sat May 22 13:54:08 EDT 2010


Dinis,

Do we *really* need this? How is this in line with being an  
organization that has a legal and ethical obligation to focus on  
charitable activities?

Jim Manico

On May 22, 2010, at 9:56 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> "OWASP community supporters" would not be applicable on most  
> (probably all) of the proposed scenarios since the idea is to find a  
> way to connect the commercial services provided by core OWASP  
> Contributors/leaders/members with OWASP, in a way that is accepted  
> by the community and doesn't compromise OWASP independence.
>
> In fact that is sort of what we are currently trying to do at the http://www.owasp.org/index.php/OWASP_for_Charities 
>  project (led by Daniel C)
>
> What we have to take into account is this "Who is doing Commercial  
> Services around OWASP" issue/discussion/problem is already happening  
> today (but there are no rules of engagement, abuses happen  
> occasionally and there is no way to leverage it in a way that is  
> beneficial to OWASP)
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:
>
> Perhaps "OWASP community supporters" vs. "OWASP commercial service"
>
>
>
> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>
>> There are a number of other comparable examples, ranging from  
>> Common Criteria, FIPS 140, to Drupal.
>>
>> There are NO mechanisms that allow a listed company to interfere  
>> with any OWASP project or function, exactly as there are none for  
>> job listings.
>>
>> The approach taken has been painstakingly designed to align with  
>> OWASP's mission.
>>
>> Mike
>>
>>
>> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org>  
>> wrote:
>> This program (OWASP commercial services) totally freaks me out. It  
>> just doesn't seem right to me on a number of levels.
>>
>> But, the core mission of OWASP is to make application security  
>> visible - and companies are needing deeper solutions that Open  
>> Source alone cannot provide today.
>>
>> So even though I have personal/emotional reservations to this  
>> initiative - I do objectively support it and hope it stays  
>> something positive for our community.
>>
>> - Jim
>>
>>
>>> We already have in place of course the brand usage policy.
>>>
>>> I think this is not so complicated as all that.
>>>
>>> This is no different than the jobs page. It is locked and  
>>> administered in the same way.
>>>
>>> All that we're shooting for here is a phone book, basically, with  
>>> a little bit of value add by a compelling 1-2 sentence description  
>>> of approach.
>>>
>>> Mike
>>>
>>>
>>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz <dinis.cruz at owasp.org>  
>>> wrote:
>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP  
>>> Connections Committee and Mike Boberski (who is trying to figure  
>>> out the best way to implement the OWASP Commercial Services idea))
>>>
>>> Question for you.
>>>
>>> Given the following scenario:
>>>
>>> "...
>>> Company XYZ is delivering commercially (i.e. paid for) OWASP  
>>> related courses, such as for example: "OWASP Top 10", "Using OWASP  
>>> WebGoat", "Performing security assessments using the OWASP Testing  
>>> Guide" , "How to use OpenSAMM in your organization", "OWASP  
>>> ESAPI" , "OWASP ASVS", etc...
>>>
>>>  - these courses are independently delivered at "NON OWASP  
>>> organized" events (for example a developer's Conference or bespoke  
>>> training sessions)
>>>  - attendees have to pay to attend (i.e. these are NOT FREE or  
>>> 'OWASP only' events like the one we organized and delivered at the  
>>> OWASP London Chapter last month)
>>>  - there is no mandatory direct financial return for OWASP (any  
>>> payments back to OWASP (if any at all) would have to be made at  
>>> the discretion of the organizing party)
>>>
>>> ..."
>>>
>>> Given that a large part of the potential (paying) audience for  
>>> these courses is part of the existing OWASP community, namely the  
>>> OWASP Mailing lists and WIKI viewers, the organizing party would  
>>> be very interested to advertise to target OWASP project the course  
>>> details (curriculum, trainer, delivery date, price, location,  
>>> etc...)
>>>
>>> Since this is a new area for OWASP, we have to make sure we handle  
>>> this in a way that is accepted/respected by our leaders and  
>>> community.
>>>
>>> So my question to you is:
>>>
>>> What would be an acceptable behaviour for the individuals or companies  
>>> organizing (and profiting from) these courses? (see Variation+Options  
>>> below)
>>>
>>> Variation A: the course is delivered by the Project's Leader as an  
>>> INDEPENDENT Trainer (this could also be a respected member of the  
>>> OWASP Community who: is an active/past contributor; is respected  
>>> by its peers; and is known to be very knowledgeable on the  
>>> course's topic))
>>>
>>> Should he/she be able to:
>>>
>>>    Option 1: Buy advertisement space on www.owasp.org (i.e. the  
>>> banner that shows up at the top of the home page and the local  
>>> chapters)
>>>    Option 2: Send an email with the course's details to the  
>>> respective OWASP mailing list (i.e. Top-10, WebGoat, Testing  
>>> Guide, openSamm, ESAPI, ASVS). Assume that this is done with 'good  
>>> taste' (i.e. no 'snake oil' or super-sales pitch)
>>>    Option 3: Include a mention to it at the next OWASP Newsletter
>>>    Option 4: Put a direct link to it from the respective OWASP  
>>> Project (maybe on a section dedicated to these type of events)
>>>    Option 5: Put a direct link from a Training page on the OWASP  
>>> Commercial Services section of the OWASP website
>>>
>>>
>>> Variation B: the course is delivered by the Project's Leader as a  
>>> hired employee/contractor for a 3rd party company
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> Variation C: the course is delivered by an existing OWASP  
>>> Corporate Member or Education Supporter (Company, University, etc..)
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> Variation D: the course is delivered by a Governmental  
>>> Organization that is involved with OWASP (for example the  
>>> Brazilian Government who sponsored last year's OWASP Conference in  
>>> Brazil)
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> Variation D: the course is delivered by a Governmental  
>>> Organization that is NOT part of the OWASP Community
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> Variation E: the course is delivered by an Industry Body that  
>>> is NOT part of the OWASP Community (for example let's say that the  
>>> PCI Council decided to sell (and profit) from the delivery of  
>>> OWASP Top 10 courses)
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> Variation F: the course is delivered by a company/individual that  
>>> is NOT part of the OWASP Community (i.e. not a member, trainer is  
>>> not an OWASP Leader, nobody has really heard of them before)
>>>
>>> (same 5 Options from Variation A)
>>>
>>>
>>> --- 
>>> --- 
>>> --- 
>>> --- 
>>> --- 
>>> --- 
>>> ------------------------------------------------------------------
>>>
>>> Taking into account that we want as many people to be exposed to  
>>> OWASP materials and that there should be a direct relationship  
>>> between the success of these courses and the market penetration of  
>>> the affected OWASP Projects .....  from your point of view, which  
>>> Variation+Options listed above:
>>>
>>>    i) are compatible with OWASP's values/independence and SHOULD  
>>> be allowed (but monitored to prevent abuses)
>>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be  
>>> allowed
>>>   iii) should only be allowed with 'somebody' (GEC, OWASP Board,  
>>> Project leader) permission / validation
>>>   iv) should be allowed, BUT with the information located at  
>>> very specific locations (for example what happens with the  
>>> OWASP Job Board or the OWASP Commercial Services)
>>>
>>> Looking forward to hearing your answers and points of view
>>>
>>> Dinis Cruz
>>> OWASP Board Member
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>> -- 
>> Jim Manico
>> OWASP Podcast Host/Producer
>> OWASP ESAPI Project Manager
>> http://www.manico.net
>>
>
>
> _______________________________________________
> Global_education_committee mailing list
> Global_education_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_education_committee
>
>

