[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

Jim Manico jim.manico at owasp.org
Sat May 22 15:35:04 EDT 2010


We are a charitable organization as our primary mission. Period. I  
think a commercial services registry is on the edge of that  
responsibility. Not over - just on.

You go for it, Mike - but I'll be watching you, dude. ;)

Jim Manico

On May 22, 2010, at 12:05 PM, Mike Boberski <mike.boberski at gmail.com>  
wrote:

> People of Earth:
>
> For your consideration:
>
> * Drupal.org (non-profit)
> * CC and FIPS (Governments)
>
> Drupal is a worked example. It's quite the vibrant open source  
> community who has cracked the code of turning out a universe of open  
> source code.
>
> CC and FIPS, Governments have not fallen, and talk about legal and  
> ethical obligations! For those not fans of the US, look to Canada or  
> other CCRA member countries for example. Just informed purchasing  
> decisions made possible for the particular product types those  
> programs cover. Note also that Governments aren't the only ones who  
> shop those lists.
>
> OWASP's mission of making appsec visible and helping people make  
> informed decisions, this is 100% in line, and the ultimate  
> culmination of OWASP's activities, since ultimately people buy  
> things in order to do things, we're not quite to the point of a Star  
> Trek-like world economy in that regard. If you really want to talk  
> about non-technical stuff, I would then argue that ethically it is  
> OWASP's responsibility to do this as no equivalent or Government  
> organization has done so, as it's our stated mission, as we are in a  
> position to act, plain and simple. I'd not go there for the legal  
> stuff, suggest leave that for the lawyers and not the lists, that  
> just gets people worked up.
>
> This is no different than the jobs page, that didn't corrupt any  
> aspect of OWASP. Let's just run it that way initially and get on  
> with this, too much jibber jabber (sorry for the Mr. T ism, the  
> "A-Team" movie trailer was just on). I'll make tweaks as we go, e.g.  
> right this moment I think we should just put company names and ease  
> back on the description of how services are performed, and work with  
> Tom to come up with further refined labels. Really folks, we should  
> be so lucky that there end up being such interest in this that we  
> have to put additional procedures and mechanisms in place. Let's  
> ease back on the rhetoric, let's keep in mind that there are OWASP  
> sys admins who can shut things down and turn permissions off with a  
> single phone call in case of real trouble and that the board will be  
> actively involved in oversight, see if we can even get it going. I'm  
> willing to very actively work this in order to make it work.
>
> Let's get 'er done...
>
> Mike
>
>
> On Sat, May 22, 2010 at 1:54 PM, Jim Manico <jim.manico at owasp.org>  
> wrote:
> Dinis,
>
> Do we •really• need this? How is this in line with being an  
> organization that has a legal and ethical obligation to focus on  
> charitable activities?
>
> Jim Manico
>
> On May 22, 2010, at 9:56 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> "OWASP community supporters" would not be applicable on most  
>> (probably all) of the proposed scenarios since the idea is to find  
>> a way to connect the commercial services provided by core OWASP  
>> Contributors/leaders/members with OWASP, in a way that is accepted  
>> by the community and doesn't compromise OWASP independence.
>>
>> In fact that is sort of what we are currently trying to do at the http://www.owasp.org/index.php/OWASP_for_Charities 
>>  project (led by Daniel C)
>>
>> What we have to take into account is this "Who is doing Commercial  
>> Services around OWASP" issue/discussion/problem is already happening  
>> today (but there are no rules of engagement, abuses happen  
>> occasionally and there is no way to leverage it in a way that is  
>> beneficial to OWASP)
>>
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>>
>> On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:
>>
>> Perhaps "OWASP community supporters" vs. "OWASP commercial service"
>>
>>
>>
>> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>>
>>> There are a number of other comparable examples, ranging from  
>>> Common Criteria, FIPS 140, to Drupal.
>>>
>>> There are NO mechanisms that allow a listed company to interfere  
>>> with any OWASP project or function, exactly as there are none for  
>>> job listings.
>>>
>>> The approach taken has been painstakingly designed to align with  
>>> OWASP's mission.
>>>
>>> Mike
>>>
>>>
>>> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org>  
>>> wrote:
>>> This program (OWASP commercial services) totally freaks me out. It  
>>> just doesn't seem right to me on a number of levels.
>>>
>>> But, the core mission of OWASP is to make application security  
>>> visible - and companies are needing deeper solutions that Open  
>>> Source alone cannot provide today.
>>>
>>> So even though I have personal/emotional reservations to this  
>>> initiative - I do objectively support it and hope it stays  
>>> something positive for our community.
>>>
>>> - Jim
>>>
>>>
>>>> We already have in place of course the brand usage policy.
>>>>
>>>> I think this is not so complicated as all that.
>>>>
>>>> This is no different than the jobs page. It is locked and  
>>>> administered in the same way.
>>>>
>>>> All that we're shooting here for is a phone book, basically, with  
>>>> a little bit of value add by compelling 1-2 sentence description  
>>>> of approach.
>>>>
>>>> Mike
>>>>
>>>>
>>>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz  
>>>> <dinis.cruz at owasp.org> wrote:
>>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP  
>>>> Connections Committee and Mike Boberski (who is trying to figure  
>>>> out the best way to implement the OWASP Commercial Services idea))
>>>>
>>>> Question for you.
>>>>
>>>> Given the following scenario:
>>>>
>>>> "...
>>>> Company XYZ is delivering commercially (i.e. paid for) OWASP  
>>>> related courses, such as for example: "OWASP Top 10", "Using  
>>>> OWASP WebGoat", "Performing security assessments using the OWASP  
>>>> Testing Guide" , "How to use OpenSAMM in your organization",  
>>>> "OWASP ESAPI" , "OWASP ASVS", etc...
>>>>
>>>>  - these courses are independently delivered at "NON OWASP  
>>>> organized" events (for example a developer's Conference or  
>>>> bespoke training sessions)
>>>>  - attendees have to pay to attend (i.e. these are NOT FREE or  
>>>> 'OWASP only' events like the one we organized and delivered at  
>>>> the OWASP London Chapter last month)
>>>>  - there is no mandatory direct financial return for OWASP (any  
>>>> payments back to OWASP (if any at all) would have to be made at  
>>>> the discretion of the organizing party)
>>>>
>>>> ..."
>>>>
>>>> Given that a large part of the potential (paying) audience for  
>>>> these courses is part of the existing OWASP community, namely  
>>>> the OWASP Mailing lists and WIKI viewers, the organizing party  
>>>> would be very interested in advertising the course details  
>>>> (curriculum, trainer, delivery date, price, location, etc...) to  
>>>> the target OWASP project
>>>>
>>>> Since this is a new area for OWASP, we have to make sure we  
>>>> handle this in a way that is accepted/respected by our leaders  
>>>> and community.
>>>>
>>>> So my question to you is:
>>>>
>>>> What would be acceptable behaviour for the individuals or  
>>>> companies organizing (and profiting from) these courses? (see  
>>>> Variation+Options below)
>>>>
>>>> Variation A: the course is delivered by the Project's Leader as  
>>>> an INDEPENDENT Trainer (this could also be a respected member of  
>>>> the OWASP Community who: is an active/past contributor; is  
>>>> respected by its peers; and is known to be very knowledgeable on  
>>>> the course's topic)
>>>>
>>>> Should he/she be able to:
>>>>
>>>>    Option 1: Buy advertisement space on www.owasp.org (i.e. the  
>>>> banner that shows up at the top of the home page and the local  
>>>> chapters)
>>>>    Option 2: Send an email with the course's details to the  
>>>> respective OWASP mailing list (i.e. Top-10, WebGoat, Testing  
>>>> Guide, openSamm, ESAPI, ASVS). Assume that this is done with  
>>>> 'good taste' (i.e. no 'snake oil' or super-sales pitch)
>>>>    Option 3: Include a mention to it at the next OWASP Newsletter
>>>>    Option 4: Put a direct link to it from the respective OWASP  
>>>> Project (maybe on a section dedicated to these type of events)
>>>>    Option 5: Put a direct link from a Training page on the OWASP  
>>>> Commercial Services section of the OWASP website
>>>>
>>>>
>>>> Variation B: the course is delivered by the Project's Leader as a  
>>>> hired employee/contractor for a 3rd party company
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation C: the course is delivered by an existing OWASP  
>>>> Corporate Member or Education Supporter (Company, University,  
>>>> etc..)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation D: the course is delivered by a Governmental  
>>>> Organization that is involved with OWASP (for example the  
>>>> Brazilian Government who sponsored last year's OWASP Conference  
>>>> in Brazil)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation E: the course is delivered by a Governmental  
>>>> Organization that is NOT part of the OWASP Community
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation F: the course is delivered by an Industry Body that  
>>>> is NOT part of the OWASP Community (for example lets say that the  
>>>> PCI Council decided to sell (and profit) from the delivery of  
>>>> OWASP Top 10 courses)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> Variation G: the course is delivered by a company/individual that  
>>>> is NOT part of the OWASP Community (i.e. not a member, trainer is  
>>>> not an OWASP Leader, nobody has really heard of them before)
>>>>
>>>> (same 5 Options from Variation A)
>>>>
>>>>
>>>> ------------------------------------------------------------------
>>>>
>>>> Taking into account that we want as many people to be exposed to  
>>>> OWASP materials and that there should be a direct relationship  
>>>> between the success of these courses and the market penetration  
>>>> of the affected OWASP Projects .....  from your point of view,  
>>>> which Variation+Options listed above:
>>>>
>>>>    i) are compatible with OWASP's values/independence and SHOULD  
>>>> be allowed (but monitored to prevent abuses)
>>>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be  
>>>> allowed
>>>>   iii) should only be allowed with 'somebody' (GEC, OWASP Board,  
>>>> Project leader) permission / validation
>>>>   iv) should be allowed, BUT with the information located at a  
>>>> very specific locations (for example what happens with the  
>>>> OWASP Job Board or the OWASP Commercial Services)
>>>>
>>>> Looking forward to hearing your answers and points of view
>>>>
>>>> Dinis Cruz
>>>> OWASP Board Member
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>>
>>> -- 
>>> Jim Manico
>>> OWASP Podcast Host/Producer
>>> OWASP ESAPI Project Manager
>>> http://www.manico.net
>>>
>>
>>
>> _______________________________________________
>> Global_education_committee mailing list
>> Global_education_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>
>>
>