[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

Mike Boberski mike.boberski at gmail.com
Sat May 22 16:17:14 EDT 2010


Um, ok

On 5/22/10, Jim Manico <jim.manico at owasp.org> wrote:
> We are a charitable organization as our primary mission. Period. I
> think a commercial services registry is on the edge of that
> responsibility. Not over - just on.
>
> You go for it, Mike - but I'll be watching you, dude. ;)
>
> Jim Manico
>
> On May 22, 2010, at 12:05 PM, Mike Boberski <mike.boberski at gmail.com>
> wrote:
>
>> People of earth:
>>
>> For your consideration:
>>
>> * Drupal.org (non-profit)
>> * CC and FIPS (Governments)
>>
>> Drupal is a worked example. It's quite the vibrant open source
>> community who has cracked the code of turning out a universe of open
>> source code.
>>
>> CC and FIPS, Governments have not fallen, and talk about legal and
>> ethical obligations! For those not fans of the US, look to Canada or
>> other CCRA member countries for example. Just informed purchasing
>> decisions made possible for the particular product types those
>> programs cover. Note also that Governments aren't the only ones who
>> shop those lists.
>>
>> OWASP's mission of making appsec visible and helping people make
>> informed decisions, this is 100% inline, and the ultimate
>> culmination of OWASP's activities, since ultimately people buy
>> things in order to do things, we're not quite to the point of a Star
>> Trek-like world economy in that regard. If you really want to talk
>> about non-technical stuff, I would then argue that ethically it is
>> OWASP's responsibility to do this as no equivalent or Government
>> organization has done so, as it's our stated mission, as we are in a
>> position to act, plain and simple. I'd not go there for the legal
>> stuff, suggest leave that for the lawyers and not the lists, that
>> just gets people worked up.
>>
>> This is no different than the jobs page, that didn't corrupt any
>> aspect of OWASP. Let's just run it that way initially and get on
>> with this, too much jibber jabber (sorry for the Mr. T-ism, the
>> "A-Team" movie trailer was just on). I'll make tweaks as we go, e.g.
>> right this moment I think we should just put company names and ease
>> back on the description of how services are performed, and work with
>> Tom to come up with further refined labels. Really folks, we should
>> be so lucky that there end up being such interest in this that we
>> have to put additional procedures and mechanisms in place. Let's
>> ease back on the rhetoric, let's keep in mind that there are OWASP
>> sys admins who can shut things down and turn permissions off with a
>> single phone call in case of real trouble and that the board will be
>> actively involved in oversight, see if we can even get it going. I'm
>> willing to very actively work this in order to make it work.
>>
>> Let's get 'er done...
>>
>> Mike
>>
>>
>> On Sat, May 22, 2010 at 1:54 PM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>> Dinis,
>>
>> Do we *really* need this? How is this inline with being an
>> organization that has a legal and ethical obligation to focus on
>> charitable activities?
>>
>> Jim Manico
>>
>> On May 22, 2010, at 9:56 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> "OWASP community supporters" would not be applicable on most
>>> (probably all) of the proposed scenarios since the idea is to find
>>> a way to connect the commercial services provided by core OWASP
>>> Contributors/leaders/members with OWASP, in a way that is accepted
>>> by the community and doesn't compromise OWASP independence.
>>>
>>> In fact that is sort of what we are currently trying to do at the
>>> http://www.owasp.org/index.php/OWASP_for_Charities
>>>  project (led by Daniel C)
>>>
>>> What we have to take into account is this "Who is doing Commercial
>>> Services around OWASP" issue/discussion/problem is already happening
>>> today (but there are no rules of engagement, abuses happen
>>> occasionally and there is no way to leverage it in a way that is
>>> beneficial to OWASP)
>>>
>>> Dinis Cruz
>>>
>>> Blog: http://diniscruz.blogspot.com
>>> Twitter: http://twitter.com/DinisCruz
>>> Web: http://www.owasp.org/index.php/O2
>>>
>>>
>>> On 22 May 2010 01:47, Tom Brennan <tomb at owasp.org> wrote:
>>>
>>> Perhaps "OWASP community supporters" vs. "OWASP commercial service"
>>>
>>>
>>>
>>> On May 13, 2010, at 8:20 PM, Mike Boberski wrote:
>>>
>>>> There are a number of other comparable examples, ranging from
>>>> Common Criteria, FIPS 140, to Drupal.
>>>>
>>>> There are NO mechanisms that allows a listed company to interfere
>>>> with any OWASP project or function, exactly as there are none for
>>>> job listings.
>>>>
>>>> The approach taken has been painstakingly designed to align with
>>>> OWASP's mission.
>>>>
>>>> Mike
>>>>
>>>>
>>>> On Thu, May 13, 2010 at 8:19 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>> This program (OWASP commercial services) totally freaks me out. It
>>>> just doesn't seem right to me on a number of levels.
>>>>
>>>> But, the core mission of OWASP is to make application security
>>>> visible - and companies are needing deeper solutions that Open
>>>> Source alone cannot provide today.
>>>>
>>>> So even though I have personal/emotional reservations to this
>>>> initiative - I do objectively support it and hope it stays
>>>> something positive for our community.
>>>>
>>>> - Jim
>>>>
>>>>
>>>>> We already have in place of course the brand usage policy.
>>>>>
>>>>> I think this is not so complicated as all that.
>>>>>
>>>>> This is no different than the jobs page. It is locked and
>>>>> administered in the same way.
>>>>>
>>>>> All that we're shooting here for is a phone book, basically, with
>>>>> a little bit of value add by compelling 1-2 sentence description
>>>>> of approach.
>>>>>
>>>>> Mike
>>>>>
>>>>>
>>>>> On Thu, May 13, 2010 at 7:05 PM, dinis cruz
>>>>> <dinis.cruz at owasp.org> wrote:
>>>>> Hi OWASP Leaders (CCing OWASP Global Education Committee, OWASP
>>>>> Connections Committee and Mike Boberski (who is trying to figure
>>>>> out the best way to implement the OWASP Commercial Services idea))
>>>>>
>>>>> Question for you.
>>>>>
>>>>> Given the following scenario:
>>>>>
>>>>> "...
>>>>> Company XYZ is delivering commercially (i.e. paid for)  OWASP
>>>>> related courses, such as for example: "OWASP Top 10", "Using
>>>>> OWASP WebGoat", "Performing security assessments using the OWASP
>>>>> Testing Guide" , "How to use OpenSAMM in your organization",
>>>>> "OWASP ESAPI" , "OWASP ASVS", etc...
>>>>>
>>>>>  - these courses are independently delivered at "NON OWASP
>>>>> organized" events (for example a developer's Conference or
>>>>> bespoke training sessions)
>>>>>  - attendees have to pay to attend (i.e. these are NOT FREE or
>>>>> 'OWASP only' events like the one we organized and delivered at
>>>>> the OWASP London Chapter last month)
>>>>>  - there is no mandatory direct financial return for OWASP (any
>>>>> payments back to OWASP (if any at all) would have to be made at
>>>>> the discretion of the organizing party)
>>>>>
>>>>> ..."
>>>>>
>>>>> Given that a large part of the potential (paying) audience for
>>>>> these courses is part of the existing  OWASP community, namely
>>>>> the OWASP Mailing lists and WIKI viewers, the organizing party
>>>>> would be very interested to advertise to target OWASP project the
>>>>> course details (curriculum, trainer, delivery date, price,
>>>>> location, etc...)
>>>>>
>>>>> Since this is a new area for OWASP, we have to make sure we
>>>>> handle this in a way that is accepted/respected by our leaders
>>>>> and community.
>>>>>
>>>>> So my question to you is:
>>>>>
>>>>> What would be an acceptable behaviour for the individuals or
>>>>> companies organizing (and profiting) from these courses? (see
>>>>> Variation+Options below)
>>>>>
>>>>> Variation A: the course is delivered by the Project's Leader as
>>>>> an INDEPENDENT Trainer (this could also be a respected member of
>>>>> the OWASP Community who: is an active/past contributor; is
>>>>> respected by its peers; and is known to be very knowledgeable on
>>>>> the course's topic))
>>>>>
>>>>> Should he/she be able to:
>>>>>
>>>>>    Option 1: Buy advertisement space on www.owasp.org (i.e. the
>>>>> banner that shows up at the top of the home page and the local
>>>>> chapters)
>>>>>    Option 2: Send an email with the course's details to the
>>>>> respective OWASP mailing list (i.e. Top-10, WebGoat, Testing
>>>>> Guide, openSamm, ESAPI, ASVS). Assume that this is done with
>>>>> 'good taste' (i.e no  'snake oil' or super-sales pitch)
>>>>>    Option 3: Include a mention to it at the next OWASP Newsletter
>>>>>    Option 4: Put a direct link to it from the respective OWASP
>>>>> Project (maybe on a section dedicated to these type of events)
>>>>>    Option 5: Put a direct link from a Training page on the OWASP
>>>>> Commercial Services section of the OWASP website
>>>>>
>>>>>
>>>>> Variation B: the course is delivered by the Project's Leader as a
>>>>> hired employee/contractor for a 3rd party company
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> Variation C: the course is delivered by an existing OWASP
>>>>> Corporate Member or Education Supporter (Company, University,
>>>>> etc..)
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> Variation D: the course is delivered by a Governmental
>>>>> Organization that is involved with OWASP (for example the
>>>>> Brazilian Government who sponsored last year's OWASP Conference
>>>>> in Brazil)
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> Variation D: the course is delivered by a Governmental
>>>>> Organization that is NOT part of the OWASP Community
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> Variation E: the course is delivered by an Industry Body that
>>>>> is NOT part of the OWASP Community (for example lets say that the
>>>>> PCI Council decided to sell (and profit) from the delivery of
>>>>> OWASP Top 10 courses)
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> Variation F: the course is delivered by a company/individual that
>>>>> is NOT part of the OWASP Community (i.e. not a member, trainer is
>>>>> not an OWASP Leader, nobody has really heard of them before)
>>>>>
>>>>> (same 5 Options from Variation A)
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------
>>>>>
>>>>> Taking into account that we want as many people to be exposed to
>>>>> OWASP materials and that there should be a direct relationship
>>>>> between the success of these courses and the market penetration
>>>>> of the affected OWASP Projects .....  from your point of view,
>>>>> which Variation+Options listed above:
>>>>>
>>>>>    i) are compatible with OWASP's values/independence and SHOULD
>>>>> be allowed (but monitored to prevent abuses)
>>>>>    ii) are NOT compatible with OWASP's values and SHOULD NOT be
>>>>> allowed
>>>>>   iii) should only be allowed with 'somebody' (GEC, OWASP Board,
>>>>> Project leader) permission / validation
>>>>>   iv) should be allowed, BUT with the information located at
>>>>> very specific locations (for example what happens with the
>>>>> OWASP Job Board or the OWASP Commercial Services)
>>>>>
>>>>> Looking forward to hearing your answers and points of view
>>>>>
>>>>> Dinis Cruz
>>>>> OWASP Board Member
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>> --
>>>> Jim Manico
>>>> OWASP Podcast Host/Producer
>>>> OWASP ESAPI Project Manager
>>>> http://www.manico.net
>>>>
>>>
>>>
>>> _______________________________________________
>>> Global_education_committee mailing list
>>> Global_education_committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>>
>>>
>>
>


-- 
Mike

