[Owasp-leaders] Vendor Neutrality

Tobias tobias.gondrom at owasp.org
Thu Feb 14 03:30:19 UTC 2013


Hey Jim,

thanks for bringing this up. In general I agree that we at OWASP need to
pay particular attention to vendor neutrality and avoid any
misinterpretation.

Summary: Overall, I do not see a big problem in this case, though maybe
a small point for improvement.

Before continuing, here are two of my underlying assumptions:
1. from the NYC chapter I read that this is an OWASP training day
(similar to AppSec training days) and OWASP will get a share of all
training revenue (in the range of 40-75%) with the share the same for
all three training courses.
2. All Training material will be branded in OWASP not the training
company (as to my understanding is the case with all our OWASP trainings).

Based on this, I would not see much of a problem.
Reading the NYC training program, I do not see a problem with the text
there.
And for a trainer to give a discount to the training course, is also ok.
We have done it in the past for some AppSecs - though personally I would
have serious doubts on the business effectiveness of discounts for
marketing purposes.... - but that is another topic...
(And e.g. in London in the past, we organized discounts for OWASP
members to e.g. ISC2 and other security industry events in the past,
which I believe is a bit similar, still I believe in the best interest
for OWASP chapter members.)

Two things that make this complicated are:
- (minor) The use of the vendor name in the discount code is not so good
as the course is in fact not provided by the vendor but by an individual
working for the vendor. (But I wouldn't feel strong about this.)

- The main issue is a potential conflict of interest of the chapter leader.
However, as we are all professionals here, I assume that he stayed away
from all decisions related to the course provided by his colleague (i.e.
took no vote or saying in its selection and pricing/discount). And to
avoid the perception of a conflict of interest, in this case it might
have been better if someone else would have posted the discount message
instead of him.

Just my 2 cents.

Best regards, Tobias



On 14/02/13 09:37, Jim Manico wrote:
> Hey folks,
>
> Please see the email at the bottom of this message.
>
> This email hit the NYC chapter list today and we discussed it through the board list earlier. I feel this is an abuse of the OWASP brand and vendor neutrality rules to some degree, but other board members politely disagreed with me. That's fair.
>
> Can you please chime in here? Am I off-base or do you feel this is OWASP brand or vendor neutrality abuse?
>
> I know this is a specific example, but I think it's very important to the organization. So far, I feel like I stand alone when complaining about these situations and I'd appreciate your feedback. If you have the time, please click deeper into the email below and investigate a bit. 
>
> I am happy to back away from the issue of vendor neutrality if you think I am off base.
>
> Thanks all,
> Jim Manico
> @Manicode
> (808) 652-3805
>
> ***********
>
>
> From: Tom Brennan <tomb at owasp.org>
> Date: Tuesday, February 12, 2013 6:56 PM
> To: "OWASPNYCMETRO-announce at meetup.com" <OWASPNYCMETRO-announce at meetup.com>
> Subject: [OWASPNYCMETRO] NYC March 13th Training
>
> Its coming....INSTRUCTOR LED TRAINING IN NYC
>
> Details: https://www.owasp.org/index.php/NYC
>
> As a special introduction to the SpiderLabs instructor led course I would like to extend to you a $500 discount code “TRUSTWAVE_500OFF” to be used during check-out.
>
> Hack Your Own Code: Advanced Training for Developers (2 Day Training Course)
> This class provides security developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities.
>
> For more information on the (3) training classes available visit:
>
> https://www.owasp.org/index.php/NYC
>  
>
> Have additional questions? 
>
> Call 973-202-0122 to discuss
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



More information about the OWASP-Leaders mailing list