[Owasp-leaders] For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project
michael.coates at owasp.org
Thu Aug 18 18:24:19 EDT 2011
A few comments and two questions:
1. We need to continue looking for ways to involve OWASP with organizations that will spread the word of application security. I strongly support efforts to make OWASP materials available and usable to more people through these relationships.
2. We must continue to protect the quality and "openness" of our resources through these relationships.
3. Sometimes we have to dive into the water and feel things out. I'm glad we have this opportunity to work towards a mutually beneficial model. (We can theorize and "what if" ourselves to death when we don't have concrete situations.)
An important component of this relationship with OWASP is the licensing of the developed material. As you know, many organizations donate time/resources to OWASP to further a particular project and the output is released back into the primary project with the same licensing.
1. What is the intended licensing for the "Security Innovation supported versions of the OWASP O2 Platform"?
2. Will the SI version be open source and donated back to OWASP via the O2 project?
"Cruz will also work closely with SI’s Application Security services team delivering software and SDLC assessments and help to create Security Innovation supported versions of the OWASP O2 Platform. Specifically, this effort is designed to integrate and consolidate the data created by tools or services like IBM Rational AppScan, Veracode, WhiteHat, Microsoft CAT.NET, OWASP Zap Proxy, Burp Proxy, HP Fortify and other open source tools to make them ‘Framework Aware’ and connect them with existing SDLC tools and processes."
On Aug 18, 2011, at 10:25 AM, dinis cruz wrote:
> As some of you might have noticed, I recently joined SI (Security Innovation) as an employee (for more details on why I did it, see this personal blog entry: http://diniscruz.blogspot.com/2011/08/joining-security-innovation-si-as.html)
> Due to the power of the OWASP brand, SI's marketing department wants to issue a Press Release (PR) with this bit of news. This has happened a number of times before for other OWASP leaders and products, and sometimes the fine line between 'marketing' and abusing the OWASP brand (or overstating particular facts) gets crossed. For example, SI did issue a Press Release a couple of months ago that could have benefited from some OWASP peer review :).
> Part of what I want to do at SI is to create frames of reference/examples for how commercial companies should behave around OWASP, and SI (so far) has tried very hard to play by OWASP rules (even when they don't exist or are not explicitly defined). Not to say that they haven't made mistakes in the past, but they are trying hard.
> So, the first part of this email is a question to you: "Is the PR included at the end of this email OK?" Please be brutal in your feedback and if you feel changes should be made, please let us know (I'm CCing Tom and Maureen from SI's marketing department, so if relevant, please include them on your replies; the cut-off point is next Monday at 12pm EST, with a publishing date of Tuesday). I made some changes to the original version, but remember that this is a Press Release :)
> The 2nd question in this email is related to the fact that SI is going to offer (i.e. sell) commercial support for an OWASP project, in this case the OWASP O2 Platform.
> The original focus is going to be on using O2 to customise existing AppSec tools in order to make them 'Framework Aware', and on the automation of AppSec security reviews (i.e. delivery of security findings as unit tests for developers). Btw, I'm still hurting from the fact that SI (due to market demand) wants to build training content on ESAPI and not on O2 :)
> The question is: "How can this type of service be represented on OWASP's website and to OWASP's community?"
> For example, what disclaimers should be made to make sure this is not perceived as an 'OWASP provided service'? Maybe we should create a Code of Conduct book for these cases?
> I believe this to be a really good development for OWASP, and I do wish that other companies provided commercial support/services on OWASP projects, for example: WebGoat, ESAPI, ASVS, WebScarab/Zap, Top 10, Legal, Encoding libraries, Testing/Code/Developer guides, Cheat-Sheets, etc...
> Of course, since OWASP projects are all licensed under an open source or CC license, it will not be possible for ONE company to be the ONLY provider of these services. Ideally we should have multiple companies providing these commercial services (each with its own unique positioning, strengths and offerings). It would then be a case of the market deciding which one they want to reward with their business.
> These are uncharted territories, but the good news is that finally (with SI officially supporting O2) we have a real world scenario to deal with (in the past we spent too much time theorising about the multiple hypothetical scenarios and abuses).
> The best way to get things done at OWASP is to try new ideas, see how they go, listen to the feedback received, and improve on the next version.
> So SI and I are kickstarting this, and hopefully others will follow.
> (Note: there is already an OWASP project that was going to try to make this happen, but it had no energy; maybe now is the time to restart it.)
> Dinis Cruz
> (below is the full text of the PR that will be published next Tuesday)
> Security Innovation Announces the Hiring of Web Application Security Expert Dinis Cruz as
> Principal Security Engineer
> Wilmington, Mass., August 22, 2011 – Security Innovation, a leading organization specializing in application security products and services, has announced that it has hired Dinis Cruz as Principal Security Engineer. This strategic appointment supports Security Innovation’s goal, which is to provide its customers with solutions designed to help protect their most coveted assets through securely developing applications.
> Cruz will serve as a lead architect and visionary, driving the design and evolution of the company’s knowledgebase repository product, TeamMentor Enterprise Edition. Cruz will be responsible for re-architecting the solution to better serve security and development teams, with a particular focus on integration with other products, frameworks, and automated assessment activities. He’ll also continue to lead the company’s strategic initiatives with the open-source community.
> “Dinis has been a part of our extended team, working on product development projects over the last several months. Now that he is officially joining us as an employee, we’re excited to have him fully engaged, enhancing our unique portfolio of application security-specific products and services,” said Jason Taylor, chief technology officer, Security Innovation. “We are focused on adding respected application security experts to our staff to enable our customers to build the most secure applications in the world.”
> Cruz brings extensive Web application security experience to his role with Security Innovation. Previously, Cruz served as Director of Advanced Technology with Ounce Labs and specialized in code reviews, penetration testing, ASP.NET application security and security engineering. As an active OWASP leader and contributor, Cruz has been rewriting the Open Source OWASP O2 Platform. He served as an OWASP Board Member (2005 to 2011) and has led important initiatives like the OWASP Seasons of Code, OWASP Summits (2008 and 2011), OWASP books, and a number of OWASP .NET projects. As the main developer of OWASP O2 Platform, Cruz’s vision is to automate application security knowledge and he has designed O2 to be an industry standard for data-sharing between WebAppSec tools, consultants and final users. He is also a regular industry speaker, having delivered technical presentations and training at numerous OWASP conferences and BlackHat.
> Cruz will also work closely with SI’s Application Security services team delivering software and SDLC assessments and help to create Security Innovation supported versions of the OWASP O2 Platform. Specifically, this effort is designed to integrate and consolidate the data created by tools or services like IBM Rational AppScan, Veracode, WhiteHat, Microsoft CAT.NET, OWASP Zap Proxy, Burp Proxy, HP Fortify and other open source tools to make them ‘Framework Aware’ and connect them with existing SDLC tools and processes.
> “What started as writing some code for TeamMentor a few months ago turned into a longer-term project that really allowed me to get a feeling for what it’s like to work with Security Innovation,” said Cruz. “I was impressed by the company’s application security knowledge and there was an obvious synergy between us. We believe in the same best practices and methodologies for architecting secure software and making that knowledge broadly available,” he added.
> Cruz is an active blogger. His views on joining Security Innovation and other security-related topics can be found on the Dinis Cruz Blog and on Security Innovation’s Application and Cyber Security blog.
> About Security Innovation
> Security Innovation is an established leader in the application security and cryptography space. For over a decade the company has provided products, training and consulting services to help organizations build and deploy more secure systems and improve the process by which their applications are built.
> Security Innovation built upon its core competencies in application security with the acquisition of NTRU Cryptosystems in 2009, a company that developed proprietary, standardized algorithms. This resulted in the strongest and fastest public key cryptography available and the means to overcome historical performance barriers that have plagued the encryption industry. With these core strengths intact, Security Innovation is in a position to help organizations protect their data at two critical points: while applications are accessing it and during transmission. The company’s flagship products include TeamProfessor, the industry’s largest library of application eLearning courses, and TeamMentor, a web-based secure development methodologies product.
> Security Innovation is privately held and is headquartered in Wilmington, MA USA.
> Note to Editors: Security Innovation, NTRUEncrypt, TeamMentor, TeamProfessor and the Security Innovation logo are trademarks of Security Innovation. All other brand names may be trademarks of their respective owners.
> Maureen Robinson
> Security Innovation
> (978) 694-1008 X21
> mrobinson at securityinnovation.com
> April Corso
> Lois Paul & Partners
> (781) 782-5831
> april_corso at lpp.com