[Owasp-leaders] Proposed model for SI to hire Sandra as an OWASP resource

Jerry Hoff jerry at jerryhoff.net
Mon Jan 31 15:06:34 EST 2011


Hi Dinis,

>> But we are still in time to make changes, so Jerry what would be your
>> preferred license?

That's totally up to SI since they are paying to develop the courseware!
:)  However, if the materials were released under the CC SA-BY license,
I don't think anyone besides SI would use it commercially:

>> - SI (and others) can use the CC materials produced to create
>> proprietary e-learning content or other materials at their discretion.


IANAL (but Jeff is, so hopefully he'll chime in soon), but the way I read
it under CC SA-BY, ONLY SI could create a proprietary e-learning
platform based on the materials.  Anyone else who used it would have to
distribute it under the CC SA-BY, therefore by definition it would not
be proprietary. SI obviously would not have that restriction since they
would be the copyright holder.  Under CC BY, it appears it could be used
in other proprietary platforms.

-------

Outside of copyright issues - I'm quite cautious about the proposal below.
It seems to tie OWASP education materials a bit too closely with a
single commercial company.  For example - I don't mind that ESAPI has a
little "sponsored by" logo next to it one bit - but if the OWASP
developers guide had "sponsored by COMPANYX" - I'd be MUCH less likely
to download it / read it / recommend it.  This is why Wikipedia doesn't
take advertisers - it would damage the perception of their impartiality.


Education is different - it has to be neutral to be legitimate in my
opinion.  SI's intentions are most likely 100% honorable in this case -
but once this door is open, it will be open to other companies to come
in and propose similar things, right?


Consider these clauses:

>> The Corporation may specify relative priority of deliverables vs.
>> OWASP project leader direction at their discretion.
and
>> SI will provide priorities and a roadmap that can be used to flesh
>> out training deck content. While these will be based on SI priorities
>> and customer feedback, they also can provide a valuable starting point
>> for OWASP to work from.


Again - I'm not saying SI has *any* bad intentions at all - but a less
scrupulous company under similar provisos could use this to direct
training materials to fit with their business model.  And then it
appears to be under the collective endorsement of all of OWASP.  This
can happen completely innocently - I'm sure a WAF company, a scanner
company and a manual pentesting company would all come up with very
different roadmaps based on their different business experiences.


I think if OWASP wants professional, open source, CC training materials
it should hire Sandra directly (via fundraising, etc), *especially* if
these are the materials that will be used at OWASP conferences and OWASP
academies.


Jerry








On 2/1/11 3:10 AM, dinis cruz wrote:
> OWASP currently uses CC-SA-BY
> (http://creativecommons.org/licenses/by-sa/3.0/) as you can see on the
> bottom of all pages at owasp.org <http://owasp.org>.
>
> I would actually prefer this to be released under a more flexible
> CC-BY license (see http://creativecommons.org/licenses/by/3.0/) since
> the point is to encourage the wide use of these materials.
>
> But we are still in time to make changes, so Jerry what would be
> your preferred license? 
>
> Dinis Cruz
>
> On 31 January 2011 18:24, Jerry Hoff <jerry at jerryhoff.net
> <mailto:jerry at jerryhoff.net>> wrote:
>
>     Hi Dinis,
>
>     There are multiple CC licenses:
>
>         http://creativecommons.org/licenses/
>
>     Can you be more specific as to the exact cc license these
>     materials will be released under? 
>
>     -Jerry
>
>
>     On 2/1/11 1:59 AM, dinis cruz wrote:
>>
>>     OWASP Leaders,
>>
>>     I have been trying for a while to find a model that allows
>>     professional talent to work for OWASP, as externally-paid
>>     resources, by companies who are interested in the deliverables
>>     of that talent ... and ... I think that I finally found one
>>     (including two parties that want to 'try it out')
>>
>>
>>     This is the equivalent of an OWASP employee, where OWASP doesn't
>>     pay him/her, but instead the employee's time is donated to OWASP
>>     by a 3rd party company (who pays for the resource donated). Of
>>     course there will be some requirements made by the entity
>>     paying the bill, but as long as everything is transparent and
>>     open, we should be fine.
>>
>>
>>     In this specific example, we are talking about a company (SI,
>>     http://www.securityinnovation.com) that has interest in
>>     working/developing/releasing CC (http://creativecommons.org)
>>     OWASP materials that can be used by:
>>
>>         * the entire OWASP community, and
>>         * other application security services providers (like SI).
>>
>>     During the Academies meeting, held in Lisbon in January, Security
>>     Innovation and Sandra Paiva became the two sides of a very
>>     interesting proposition. SI was interested in creating eLearning
>>     courses on OWASP materials. For that, they would need to find
>>     someone to prepare the necessary contents and create training
>>     decks of slides that could then be used for the production of
>>     their eLearning platforms (which SI owns and sells as a service
>>     (just like many others)). Sandra, on the other hand, was
>>     finishing her 3 months contract to operationalize the OWASP
>>     Academies/ OWASP Training and was available to continue her
>>     collaboration with OWASP.
>>
>>      
>>
>>     As you can see below, SI needs (for its own training business) to
>>     have access to high quality materials from OWASP Projects. SI has
>>     taken a view (correct in my point of view) that they have a lot
>>     to gain if a number of their 'OWASP related activities' and
>>     investments are shared back to OWASP under a CC license.
>>
>>
>>     Since there are obvious synergies between SI and OWASP (all done
>>     under a CC/OpenSource umbrella) and because Sandra's current
>>     work for OWASP has been amazing (see the OWASP Training and
>>     Academies that she worked on), I suggested to both SI and
>>     Sandra that they work together on the creation of (CC-released)
>>     training materials for OWASP projects. I'm happy to say that they
>>     both accepted, and if all goes well, SI is going to hire Sandra
>>     to work for OWASP!
>>
>>      
>>
>>     A significant part of Sandra's time will be spent
>>     talking/engaging with the multiple OWASP Projects. Her focus will
>>     be to transform the existing (or new) content into training
>>     slide-decks. In order to facilitate this (and to maximize
>>     Sandra's 'OWASP available' time), Sandra would work with Paulo
>>     Coimbra on his 'OWASP Projects normalization efforts' and
>>     help/facilitate the updating/organization of those projects'
>>     content (which means that OWASP's benefits from Sandra's
>>     activities will be much greater than a set of Slide Decks)
>>
>>
>>     A critical part of this exercise is the active involvement of
>>     the project leaders, namely how much they are able to support
>>     Sandra (remember that everything that Sandra is going to be
>>     working on will be released under a CC license!). SI (and other
>>     companies) are then free to reuse it for their own commercial
>>     interests, just like they do today.
>>
>>      
>>
>>     As you can see, your input and help (as project leaders) will be
>>     invaluable for the success of this engagement. In return, your
>>     projects will be improved and supported by new (high-quality)
>>     training decks. These slide-decks will be:
>>
>>         * spread around the entire OWASP community,
>>         * delivered on OWASP Training events,
>>         * incorporated inside University courses   :)
>>
>>     Please take a good look at the section included at the end of
>>     this email, which contains:
>>
>>         * a general model/framework for this type of
>>           collaboration/sponsorships with external parties
>>         * the specific arrangement with Security Innovation and
>>           Sandra (note that the financial value of this transaction
>>           is not included since that is a matter between SI and Sandra
>>           (if you want to know ask them :) )
>>
>>     I believe that this is a great development for OWASP, and one that
>>     should be used for finding more 'professionally paid resources'
>>     to work on OWASP projects (for example, Jim's idea for an ESAPI
>>     developer and ESAPI documentation-focused resource).
>>
>>
>>     Since OWASP can't really pay its leaders (where would it start?
>>     and how could it choose who to pay?), I think this solution
>>     presents a perfect compromise.
>>
>>
>>     Note that an 'undocumented' variation of this model is already
>>     happening in large quantities at OWASP, this is just a way to
>>     formalize that model (see
>>     http://www.owasp.org/index.php/Summit_2011_Attendee for a list of
>>     companies that are paying their employees to work on 'OWASP
>>     related' activities)
>>
>>
>>     What do you think?
>>
>>
>>     Dinis Cruz
>>
>>
>>
>>     PROPOSED MODEL FOR SI + SANDRA (this was created by SI with
>>     input from me and Sandra and is designed to be posted on the
>>     OWASP WIKI)
>>
>>
>>     *General working model:*
>>
>>     - A Corporation hires an OWASP resource to develop a project of
>>     mutual interest. The negotiation of duration and payment is
>>     between the corporation and the resource.
>>     - The Corporation may contractually oblige the OWASP resource to
>>     one or more deliverables during the time of service. These
>>     deliverables may be specified to an OWASP project, to the
>>     Corporation or both.
>>     - The Corporation donates the resource to the OWASP project. The
>>     contractual relationship between the resource and corporation
>>     includes a clause that the resource will do work for OWASP based on
>>     OWASP priorities as specified by the organization.
>>     - The Corporation may specify relative priority of deliverables
>>     vs. OWASP project leader direction at their discretion.
>>
>>      
>>
>>     *Specific arrangement with SI:*
>>     - Security Innovation (SI) will hire Sandra Paiva for 6 months
>>     at a daily rate to be negotiated between SI and Sandra.
>>     - SI will specify a set of training deck deliverables, along with
>>     a delivery schedule, in the contract with Sandra. These
>>     deliverables will specify a set of topics and/or projects that
>>     should be covered by training slides as well as the minimum
>>     quality bar and format that must be met. It will be up to
>>     Sandra's discretion regarding how these are created and
>>     delivered. There will be some flexibility in the deliverables to
>>     account for the unpredictability of working with volunteer
>>     project leaders. These training deck deliverables will be given
>>     to the OWASP Academies project as well as to SI.
>>
>>     - SI will contractually specify that these training deck
>>     deliverables are Sandra's first priority, however she may use
>>     additional time in her schedule to work on additional priorities
>>     as stated by Dinis and these will be for her to work with the
>>     OWASP Project Manager, Paulo, to spread the GPC template to as
>>     many projects as possible.
>>
>>     - All materials covered in the contract with Sandra will be
>>     released under a CC license and made available on the OWASP wiki.
>>
>>     - SI (and others) can use the CC materials produced to
>>     create proprietary e-learning content or other materials at their
>>     discretion.
>>
>>     - SI will provide priorities and a roadmap that can be used to
>>     flesh out training deck content. While these will be based on SI
>>     priorities and customer feedback, they also can provide a
>>     valuable starting point for OWASP to work from.
>>
>>      
>>
>>     *As for SI's motivation, please read below the paragraph written
>>     by them in the process of discussing this matter:*
>>
>>     *Why is SI doing this?*
>>
>>     *In their own words:* "...Security Innovation is in the
>>     business of creating world class training for our customers. We
>>     have a very good process for turning training material into app
>>     security focused eLearning classes that appeal to practitioners.
>>     One of our challenges is keeping our 'pipe' of incoming
>>     high-quality training content full. We have a great team of
>>     internal SMEs and a network of external contractors that we can
>>     source training content from. However, none of these people have
>>     a full time responsibility for content generation and so the
>>     stream of content can become unpredictable at times. This
>>     arrangement with OWASP can not only provide value to the OWASP
>>     community as a whole but will also provide a predictable stream
>>     of high quality content to SI for the next few months. We've
>>     determined that for a similar amount of money we could hire a
>>     contractor to organize OWASP content and training content for us,
>>     however we feel that cooperating with OWASP in this manner
>>     improves our connection with the OWASP community while providing
>>     value to both OWASP and SI simultaneously. What we lose in the
>>     process is full control over the slide decks and sole-ownership
>>     of their content. We feel that we will be able to differentiate
>>     enough through our eLearning development process that this risk
>>     is mitigated and offset by the relationship we will be building
>>     with the community at large..."
>>
>>
>>
>>     _______________________________________________
>>     OWASP-Leaders mailing list
>>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
