[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

Mike Boberski mike.boberski at gmail.com
Sat May 22 15:05:05 EDT 2010


People of earth:

For your consideration:

* Drupal.org (non-profit)
* CC and FIPS (Governments)

Drupal is a worked example. It's quite the vibrant open source community that
has cracked the code of turning out a universe of open source code.

CC and FIPS, Governments have not fallen, and talk about legal and ethical
obligations! For those not fans of the US, look to Canada or other CCRA
member countries for example. Just informed purchasing decisions made
possible for the particular product types those programs cover. Note also
that Governments aren't the only ones who shop those lists.

OWASP's mission of making appsec visible and helping people make informed
decisions, this is 100% in line, and the ultimate culmination of OWASP's
activities, since ultimately people buy things in order to do things, we're
not quite to the point of a Star Trek-like world economy in that regard. If
you really want to talk about non-technical stuff, I would then argue that
ethically it is OWASP's responsibility to do this as no equivalent or
Government organization has done so, as it's our stated mission, as we are
in a position to act, plain and simple. I'd not go there for the legal
stuff; suggest we leave that for the lawyers and not the lists, that just gets
people worked up.

This is no different than the jobs page, that didn't corrupt any aspect of
OWASP. Let's just run it that way initially and get on with this, too much
jibber jabber (sorry for the Mr. T ism, the "A-Team" movie trailer was just
on). I'll make tweaks as we go, e.g. right this moment I think we should
just put company names and ease back on the description of how services are
performed, and work with Tom to come up with further refined labels. Really
folks, we should be so lucky that there ends up being such interest in this
that we have to put additional procedures and mechanisms in place. Let's
ease back on the rhetoric, let's keep in mind that there are OWASP sys
admins who can shut things down and turn permissions off with a single phone
call in case of real trouble and that the board will be actively involved in
oversight, see if we can even get it going. I'm willing to very actively
work this in order to make it work.

Let's get 'er done...

Mike


On Sat, May 22, 2010 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Dinis,
>
> Do we *really* need this? How is this in line with being an organization that
> has a legal and ethical obligation to focus on charitable activities?
>
> Jim Manico
>
> On May 22, 2010, at 9:56 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
> "OWASP community supporters" would not be applicable on most (probably all)
> of the proposed scenarios since the idea is to find a way to connect the
> commercial services provided by core OWASP Contributors/leaders/members with
> OWASP, in a way that is accepted by the community and
> doesn't compromise OWASP independence.
>
> In fact that is sort of what we are currently trying to do at the
> http://www.owasp.org/index.php/OWASP_for_Charities project (led by Daniel
> C)
>
> What we have to take into account is this *"Who is doing Commercial
> Services around OWASP"* issue/discussion/problem is already happening today
> (but there are no rules of engagement, abuses happen occasionally and there
> is no way to leverage it in a way that is beneficial to OWASP)
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:
>
>>
>> Perhaps "OWASP community supporters" vs. "OWASP commercial service"
>>
>>
>>
>> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>>
>> There are a number of other comparable examples, ranging from Common
>> Criteria, FIPS 140, to Drupal.
>>
>> There are NO mechanisms that allow a listed company to interfere with any
>> OWASP project or function, exactly as there are none for job listings.
>>
>> The approach taken has been painstakingly designed to align with OWASP's
>> mission.
>>
>> Mike
>>
>>
>> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> This program (OWASP commercial services) totally freaks me out. It just
>>> doesn't seem right to me on a number of levels.
>>>
>>> But, the core mission of OWASP is to make application security visible -
>>> and companies are needing deeper solutions that Open Source alone cannot
>>> provide today.
>>>
>>> So even though I have personal/emotional reservations to this initiative
>>> - I do objectively support it and hope it stays something positive for our
>>> community.
>>>
>>> - Jim
>>>
>>>
>>> We already have in place of course the brand usage policy.
>>>
>>> I think this is not so complicated as all that.
>>>
>>> This is no different than the jobs page. It is locked and administered
>>> in the same way.
>>>
>>> All that we're shooting for here is a phone book, basically, with a
>>> little bit of value add by a compelling 1-2 sentence description of approach.
>>>
>>> Mike
>>>
>>>
>>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>
>>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>>>> Connections Committee and Mike Boberski (who is trying to figure out the
>>>> best way to implement the OWASP Commercial Services
>>>> <http://www.owasp.org/index.php/Commercial_Services> idea))
>>>>
>>>> Question for you.
>>>>
>>>> Given the following scenario:
>>>>
>>>> "...
>>>> Company XYZ is delivering commercially (i.e. paid for) OWASP related
>>>> courses, such as for example: "OWASP Top 10", "Using OWASP WebGoat",
>>>> "Performing security assessments using the OWASP Testing Guide", "How to
>>>> use OpenSAMM in your organization", "OWASP ESAPI", "OWASP ASVS", etc...
>>>>
>>>> - these courses are independently delivered at "NON
>>>> OWASP organized" events (for example a developer's Conference or bespoke
>>>> training sessions)
>>>> - attendees have to pay to attend (i.e. these are NOT FREE or 'OWASP
>>>> only' events like the one we organized and delivered at the OWASP
>>>> London Chapter
>>>> <http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY>
>>>> last month)
>>>> - there is no mandatory direct financial return for OWASP (any
>>>> payments back to OWASP (if any at all) would have to be made at
>>>> the discretion of the organizing party)
>>>> ..."
>>>>
>>>> Given that a large part of the potential (paying) audience for these
>>>> courses is part of the existing OWASP community, namely the OWASP
>>>> Mailing lists and WIKI viewers, the organizing party would be
>>>> very interested to advertise to target OWASP project the course details
>>>> (curriculum, trainer, delivery date, price, location, etc...)
>>>>
>>>> Since this is a new area for OWASP, we have to make sure we handle
>>>> this in a way that is accepted/respected by our leaders and community.
>>>>
>>>> So my question to you is:
>>>>
>>>> What would be an acceptable behaviour for the individuals or
>>>> companies organizing (and profiting) with these courses? (see
>>>> Variation+Options below)
>>>>
>>>> Variation A: the course is delivered by the Project's Leader as an
>>>> INDEPENDENT Trainer (this could also be a respected member of the OWASP
>>>> Community who: is an active/past contributor; is respected by its peers; and
>>>> is known to be very knowledgeable on the course's topic)
>>>>
>>>> Should he/she be able to:
>>>>
>>>>   Option 1: Buy advertisement space on www.owasp.org <http://www.owasp.org/>
>>>> (i.e. the banner that shows up at the top of the home
>>>> page and the local chapters)
>>>>   Option 2: Send an email with the course's details to the respective
>>>> OWASP mailing list (i.e. Top-10, WebGoat, Testing Guide, openSamm, ESAPI,
>>>> ASVS). Assume that this is done with 'good taste' (i.e. no 'snake oil' or
>>>> super-sales pitch)
>>>>   Option 3: Include a mention of it in the next OWASP Newsletter
>>>>   Option 4: Put a direct link to it from the respective OWASP Project
>>>> (maybe on a section dedicated to these types of events)
>>>>   Option 5: Put a direct link from a Training page on the OWASP
>>>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>>>> section of the OWASP website
>>>>
>>>>
>>>> Variation B: the course is delivered by the Project's Leader as a
>>>> hired employee/contractor for a 3rd party company
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation C: the course is delivered by an existing OWASP Corporate
>>>> Member or Education Supporter
>>>> <http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members>
>>>> (Company, University, etc..)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation D: the course is delivered by a Governmental Organization
>>>> that is involved with OWASP (for example the Brazilian Government who
>>>> sponsored last year's OWASP Conference in Brazil)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation D: the course is delivered by a Governmental Organization
>>>> that is NOT part of the OWASP Community
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation E: the course is delivered by an Industry Body
>>>> that is NOT part of the OWASP Community (for example let's say that the
>>>> PCI Council decided to sell (and profit) from the delivery of OWASP Top 10
>>>> courses)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation F: the course is delivered by a company/individual that is
>>>> NOT part of the OWASP Community (i.e. not a member, trainer is not an
>>>> OWASP Leader, nobody has really heard of them before)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------
>>>>
>>>> Taking into account that we want as many people to be exposed to OWASP
>>>> materials and that there should be a direct relationship between the success
>>>> of these courses and the market penetration of the affected OWASP Projects
>>>> ..... from your point of view, which Variation+Options listed above:
>>>>
>>>>     i) are compatible with OWASP's values/independence and SHOULD be
>>>> allowed (but monitored to prevent abuses)
>>>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be allowed
>>>>   iii) should only be allowed with 'somebody's' (GEC, OWASP Board, Project
>>>> leader) permission / validation
>>>>    iv) should be allowed, BUT with the information located at very
>>>> specific locations (for example what happens with the OWASP Job
>>>> Board <http://www.owasp.org/index.php/OWASP_Jobs> or the OWASP
>>>> Commercial Services <http://www.owasp.org/index.php/Commercial_Services>)
>>>>
>>>> Looking forward to hearing your answers and points of view
>>>>
>>>> Dinis Cruz
>>>> OWASP Board Member
>>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>> --
>>> Jim Manico
>>> OWASP Podcast Host/Producer
>>> OWASP ESAPI Project Manager
>>> http://www.manico.net
>>>
>>>
>>
>>
>>
>> _______________________________________________
>> Global_education_committee mailing list
>> Global_education_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>
>>
>