[Owasp-leaders] Proposed model for SI to hire Sandra as an OWASP resource

Jerry Hoff jerry at jerryhoff.net
Mon Jan 31 13:24:15 EST 2011

Hi Dinis,

There are multiple CC licenses:

Can you be more specific as to the exact CC license these materials will
be released under?


On 2/1/11 1:59 AM, dinis cruz wrote:
>     OWASP Leaders,
> I have been trying for a while to find a model that allows
> professional talent to work for OWASP, as externally-paid resources,
> by companies who have an interest in the deliverables of that talent
> ....  and .... I think that I finally found one (including two parties
> that want to 'try it out')
> This is the equivalent of an OWASP employee, where OWASP doesn't pay
> him/her, but instead the employee's time is donated to OWASP by a 3rd
> party company (who pays for the resource donated). Of course
> there will be some requirements made by the entity paying the bill,
> but as long as everything is transparent and open, we should be fine.
> In this specific example, we are talking about a company (SI,
> http://www.securityinnovation.com) that has interest in
> working/developing/releasing CC (http://creativecommons.org) OWASP
> materials that can be used by:
>     * the entire OWASP community, and
>     * other application security services providers (like SI).
> During the Academies meeting, held in Lisbon in January, Security
> Innovation and Sandra Paiva became the two sides of a very interesting
> proposition. SI was interested in creating eLearning courses on OWASP
> materials. For that, they would need to find someone to prepare the
> necessary contents and create training decks of slides that could then
> be used for the production of their eLearning platforms (which SI owns
> and sells as a service (just like many others)). Sandra, on the other
> hand, was finishing her 3 months contract to operationalize the OWASP
> Academies/ OWASP Training and was available to continue her
> collaboration with OWASP.
> As you can see below, SI needs (for its own training business) to have
> access to high quality materials from OWASP Projects. SI has taken a
> view (correct in my point of view) that they have a lot to gain, if a
> number of their 'OWASP related activities' and investments are shared
> back to OWASP under a CC license.
> Since there are obvious synergies between SI and OWASP (all done under
> a CC/OpenSource umbrella) and because Sandra's current work for OWASP
> has been amazing (see the OWASP Training and Academies that she worked
> on), I suggested to both SI and Sandra that they worked together on
> the creation of (CC-released) training materials for OWASP projects.
> I'm happy to say that they both accepted, and if all goes well, SI is
> going to hire Sandra to work for OWASP !
> A significant part of Sandra's time will be spent talking/engaging
> with the multiple OWASP Projects. Her focus will be to transform the
> existing (or new) content into training slide-decks. In order to
> facilitate this (and to maximize Sandra's 'OWASP available' time),
> Sandra would work with Paulo Coimbra on his 'OWASP Projects
> normalization efforts' and help/facilitate the updating/organization
> of those project's content (which means that OWASP's benefits from
> Sandra's activities will be much greater than a set of Slide Decks)
> A critical part of this exercise, is the active involvement of the
> project leaders, namely how much they are able to support Sandra
> (remember that everything that Sandra is going to be working on will
> be released under a CC license!) SI (and other companies) are then
> free to reuse it for their own commercial interests, just like they do
> today.
> As  you can see, your input and help (as project leaders) will be
> invaluable for the success of this engagement. In return, your
> projects will be improved and supported by new (high-quality) training
> decks. These slide-decks will be:
>     * spread around the entire OWASP community,
>     * delivered on OWASP Training events,
>     * incorporated inside University courses   :)
> Please take a good look at the section included at the end of this
> email, which contains:
>     * a general model/framework for this type of
>       collaboration/sponsorships with external parties
>     * the specific arrangement with Security Innovation and Sandra
>       (note that the financial value of this transaction is not
>       included since that is a matter between SI and Sandra (if you
>       want to know ask them :) )
> I believe that this is a great development for OWASP, and one that
> should be used for finding more 'professionally paid resources' to
> work on OWASP projects (for example, Jim's idea for an ESAPI developer
> and ESAPI documentation-focused resource).
> Since OWASP can't really pay its leaders (where would it start? and
> how could it choose who to pay?), I think this solution presents a
> perfect compromise.
> Note that an 'undocumented' variation of this model is already
> happening in large quantities at OWASP, this is just a way to
> formalize that model (see
> http://www.owasp.org/index.php/Summit_2011_Attendee for a list of
> companies that are paying their employees to work on 'OWASP related'
> activities)
> What do you think?
> Dinis Cruz
> PROPOSED MODEL FOR SI + SANDRA (this was created by SI with input
> from me and Sandra and is designed to be posted on the OWASP WIKI)
> General working model:
> - A Corporation hires an OWASP resource to develop a project of mutual
> interest. The negotiation of duration and payment are between the
> corporation and the resource.
> - The Corporation may contractually oblige the OWASP resource to one
> or more deliverables during the time of service. These deliverables
> may be specified to an OWASP project, to the Corporation or both.
> - The Corporation donates the resource to the OWASP project. The
> contractual relationship between the resource and corporation includes
> clause that the resource will do work for OWASP based on OWASP
> priorities as specified by the organization.
> - The Corporation may specify relative priority of deliverables vs.
> OWASP project leader direction at their discretion.
> Specific arrangement with SI:
> - Security Innovation (SI) will hire Sandra Paiva for 6 months at a
> daily rate to be negotiated between SI and Sandra.
> - SI will specify a set of training deck deliverables, along with a
> delivery schedule, in the contract with Sandra. These deliverables
> will specify a set of topics and/or projects that should be covered by
> training slides as well as the minimum quality bar and format that
> must be met. It will be up to Sandra's discretion regarding how these
> are created and delivered. There will be some flexibility in the
> deliverables to account for the unpredictability of working with
> volunteer project leaders. These training deck deliverables will be
> given to OWASP Academies project as well as to SI.
> - SI will contractually specify that these training deck deliverables
> are Sandra's first priority, however she may use additional time in
> her schedule to work on additional priorities as stated by Dinis and
> these will be for her to work with the OWASP Project Manager, Paulo,
> to spread the GPC template to as many projects as possible.
> - All materials covered in the contract with Sandra will be released
> under a CC license and made available on the OWASP wiki.
> - SI (and others) can use the CC materials produced to
> create proprietary e-learning content or other materials at their
> discretion.
> - SI will provide priorities and a roadmap that can be used to flesh
> out training deck content. While these will be based on SI priorities
> and customer feedback, they also can provide a valuable starting point
> for OWASP to work from.
> As for SI's motivation, please read below the paragraph written by
> them in the process of discussing this matter:
> Why is SI doing this?
> In their own words: "...Security Innovation is in the
> business of creating world class training for our customers. We have a
> very good process for turning training material into app security
> focused eLearning classes that appeal to practitioners. One of our
> challenges is keeping our 'pipe' of incoming high-quality training
> content full. We have a great team of internal SMEs and a network of
> external contractors that we can source training content from.
> However, none of these people have a full time responsibility for
> content generation and so the stream of content can become
> unpredictable at times. This arrangement with OWASP can not only
> provide value to the OWASP community as a whole but will also provide
> a predictable stream of high quality content to SI for the next few
> months. We've determined that for a similar amount of money we could
> hire a contractor to organize OWASP content and training content for
> us, however we feel that cooperating with OWASP in this manner
> improves our connection with the OWASP community while providing value
> to both OWASP and SI simultaneously. What we lose in the process is
> full control over the slide decks and sole-ownership of their content.
> We feel that we will be able to differentiate enough through our
> eLearning development process that this risk is mitigated and offset
> by the relationship we will be building with the community at large..."
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
