[Owasp-leaders] Vendor Neutrality

Tom Brennan tomb at owasp.org
Thu Feb 14 16:16:30 UTC 2013


Happy to be the conduit to discussion; for those that know me, I really have a thick skin and enjoy a good debate. Plus free speech is only valuable with actual free speech. I prefer face to face debate myself. But if this Internet thing ever catches on things may change ;)

So here's my 5 cents on the topic.

Business buyers buy based on knowing, liking and, in this business, TRUST. Technologists don't buy; they research, collaborate, recommend and produce.

Established TRUST 
https://www.owasp.org/index.php/Industry:Citations#National_.26_International_Legislation.2C_Standards.2C_Guidelines.2C_Committees_and_Industry_Codes_of_Practice

#OWASP for technologists (builders, breakers and defenders) is Switzerland and without NDA for any individuals at any stage in career no matter who they work for today, tomorrow or acquire a platform to help the awareness of the software issue, collaborative with the best minds in the world and with passion contribute tools, and lifelong marks from guides tools. This should be no surprise to anyone on this list.

I had replied privately to those persons directly associated with about whacking the WASP nest to save more inbox work.. However as this thread closes I wanted to be clear that every day in everything we do is about personal honor and integrity.

Look forward to the next big public session and for those planning on #RSA don't miss Eoin and Jim @ RSA (for those that don't know the largest commercial conference in the world that also has a co-marketing agreement with OWASP) 

http://www.rsaconference.com/events/2013/usa/agenda/monday-events.htm#owasp

As well as the Global AppSec ( https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference ) events to collaborate in person.

For those that like to poke the furry bear(s) Jim and I will get to spend a bunch of time together in Korea and I'm looking forward to it https://www.owasp.org/index.php/AppSecAsiaPac2013

Semper Fi
Tom Brennan

==== 
For the record here is the private response to connect a dot on philosophy from a more current post

> First my apologies to Ryan in getting pulled into this thread as he and the SpiderLabs R&D team is not even delivering the training class in this thread.
> 
> Second, the training initiative that is being offered in NYC is a pilot program that OWASP Foundation has approved as a “local event” and had entered into a contractual requirement for over 14k with a hotel to host the training. 
> 
> Third the CFT for the local effort was held by the chapter and the best candidates were selected in preparation for what will be 5+ 2 day training classes at AppSecUSA 2013. That also has local support including.  Both myself and Peter Dean (Aspect) removed ourselves from the process of selection and that was left to the committee
> 
> Fourth, the goal of the local chapter training effort was revenue for the chapter.  In the spirit of the chapter split model, 60% of the profit of a training class goes to the trainer and 40% to the local chapter 10% of the 40% is collected by OWASP Foundation for shared services like people (staff) and technology (Cevent etc..)
> 
> Fifth, all three courses have had low amounts of students enroll.  Supporters were contacted and asked if they would be willing to offer a lower fee via discount code on their courses to raise the enrollment.  This discount (in this case the $500 would come from the PROFIT that the training would make NOT  OWASP.) they agreed.
> 
> Sixth, after conferencing with the OWASP staff, the hotel and involved parties we agreed to perform a campaign blitz that would include an OWASP Code of $100 off (the OWASP Profit) as well as the use of vendor discount codes.  This started on 13-Feb-2012 email, twitter etc.
> 
> Seventh, in line with the mission of OWASP rising visibility all parties have worked together in a very open way with a common goal and pilot program for AppSecUSA.
> 
> Eighth as noted on the second item. OWASP NYC and NOT OWASP FOUNDATION is on the hook for 14k in contracted fees.  If the training class fails to meet the revenue or costs associated with the large amount TIME of logistics or effort that will directly impact our chapter balance as posted here: https://www.owasp.org/index.php/Donation_Scoreboard
> 
> Ninth OWASP is about experimentation and in all places it has been very very clear about the course details I think you would agree if you have been following it on OWASP public board meetings status, news groups, discussion and even at the OWASP meeting in NYC that you presented at (Goldman Sachs) the approach mirrored of AppSec’s without the conference component and as experimented in 2012 see: https://www.owasp.org/index.php/OWASP_Training_Schedules
> 
> Tenth, there is no violation here in any way especially the chapter handbook https://www.owasp.org/index.php/Category:Chapter_Handbook and as a colleague in a very small industry that you TXT page when you can’t get into one of the NYC meetings as the RSVP is full and you need a favor to get in.. I guess I just don’t understand why a phone call to discuss your perception is out of the question so a discussion can happen.  Appears to me as a personal attack and frankly that’s not cool – you know me much better than that.
> 
> This is not a vendor neutrality issue – this is an experiment with many moving parts that directly benefits OWASP Foundation and chapter.  As an elected board member, chapter leader I work 3x harder to ensure socialization with peers to get it right to avoid exactly this to end up on an email rant or response.  A rant on a list of over 700 people around the world that have no context… I hope you have a little more context now as well..  but either way – really no phone call.
> 
> I am really happy to have a little stock equity in WHS since helping them come back to work with OWASP. You're growing the business over there for them with Jim as an evangelist that’s cool.. this is not about that. There are many many OTHER experiments that have failed almost failed and there have been many many home-runs at OWASP resulting in clearly the largest most active group of volunteers in the world with the respect of our community for selfless investment of time.
> 
> For those I cc:ed (not the leaders list as did not want to add to the spam thread – however I believe the local chapter leaders and the board that I serve on should have the opportunity to review this thread – should a “special board meeting per the bylaws be requested you have a written summary” and I believe others would add comments too hence this is the reply-to-all thread that is more appropriate for that.
> 
> I would have pointed this request to a global committee to review your inquiry, but they have been decommissioned https://www.owasp.org/index.php/OWASP_Board_Votes
> 
> Finally for AppSecUSA 2013 http://www.appsecusa.org the CFP and CFT opens April 1st where we get to do it all over again including provide discount codes that will be from the provider hence not affecting the 40% of the OWASP profit side of the equation.




On Feb 14, 2013, at 9:56 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:

> I'm fairly certain everybody (no exclusions) uses OWASP to promote their
> own agenda, whether it be to sell a product, sell a service, push a
> topic, enforce some sexy new attack name or yet another taxonomy... or
> even sell yourself. OWASP is a huge marketing platform for large(r)
> companies or individual consultants. Even folks on this list who give
> away "free" classes are simply obtaining contacts for consultancy and
> product sales down the road.
> 
> Nobody works for free. People need the ability to promote themselves or
> their company to some extent, as long as it is not "blatant abuse" of
> the brand which needs to be defined if not done so already.
> 
> Accept this and move on...
> 
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
> 
> On 2/14/13 3:39 AM, Eoin wrote:
>> This seems like using owasp as a vehicle to promote trustwave.
>> Tut tut
>> 
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 14 Feb 2013, at 01:37, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> Hey folks,
>>> 
>>> Please see the email at the bottom of this message.
>>> 
>>> This email hit the NYC chapter list today and we discussed it through the board list earlier. I feel this is an abuse of the OWASP brand and vendor neutrality rules to some degree, but other board members politely disagreed with me. That's fair.
>>> 
>>> Can you please chime in here? Am I off-base or do you feel this is OWASP brand or vendor neutrality abuse?
>>> 
>>> I know this is a specific example, but I think it's very important to the organization. So far, I feel like I stand alone when complaining about these situations and I'd appreciate your feedback. If you have the time, please click deeper into the email below and investigate a bit. 
>>> 
>>> I am happy to back away from the issue of vendor neutrality if you think I am off base.
>>> 
>>> Thanks all,
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> 
>>> ***********
>>> 
>>> 
>>> From: Tom Brennan <tomb at owasp.org>
>>> Date: Tuesday, February 12, 2013 6:56 PM
>>> To: "OWASPNYCMETRO-announce at meetup.com" <OWASPNYCMETRO-announce at meetup.com>
>>> Subject: [OWASPNYCMETRO] NYC March 13th Training
>>> 
>>> It's coming....INSTRUCTOR LED TRAINING IN NYC
>>> 
>>> Details: https://www.owasp.org/index.php/NYC
>>> 
>>> As a special introduction to the SpiderLabs instructor led course I would like to extend to you a $500 discount code “TRUSTWAVE_500OFF” to be used during check-out.
>>> 
>>> Hack Your Own Code: Advanced Training for Developers (2 Day Training Course)
>>> This class provides security developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities.
>>> 
>>> For more information on the (3) training classes available visit:
>>> 
>>> https://www.owasp.org/index.php/NYC
>>> 
>>> 
>>> Have additional questions? 
>>> 
>>> Call 973-202-0122 to discuss
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders