[Owasp-leaders] Vendor Neutrality

mparsons at parsonsisconsulting.com
Fri Feb 15 03:36:11 UTC 2013


I see both sides of this argument. I make six figures but wouldn't mind making seven, eight or even nine figures protecting the companies I work for against hackers and cyber terrorism. I am good at what I do and OWASP, paid training from all of you guys in the industry and hours of blood, sweat, diet Mountain Dew and perseverance to become the application security engineer I am today. I am constantly learning and never feel like I am complete in my journey to be a better security engineer. I do paid training and my clients pay me but I do give 10 percent of my time back to OWASP as a chapter lead and presenter at Dallas OWASP. I think we must not be divided as capitalists and altruistic communists at OWASP. I would hope we could vote on this matter and let the members decide how it is handled. I believe the chapter bylaws are our constitution, but as a global democracy we can amend it. Once we put our differences aside we need to come together to secure our world from hackers and attackers. I feel it is our duty; but I do not have a problem getting compensated along the way. I will always give back to OWASP.

Sent from my iPhone please excuse typos...
Matt Parsons, CISSP, MSM, CWASE 


On Feb 14, 2013, at 6:00 PM, Eoin <eoin.keary at owasp.org> wrote:

> Nice :)
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 14 Feb 2013, at 21:04, Andre Gironda <andreg at gmail.com> wrote:
> 
>> >> OWASP is an idea, we all have tons of them but we will never make you pay for them.
>> >
>> > Thank you, this statement means a lot to me as well. I have my personal limits of what I can handle commercially at OWASP. In the spirit of the mission, I have been delivering free developer security training at different OWASP events. I think this is directly in line with our mission.
>> 
>> Free training, available in handicap-friendly and public-transportation-friendly locations. If somebody has a "special request" for a local chapter: we need to be able to fulfill that request, as OWASP leaders and in the spirit of the OWASP community.
>> 
>> Speaking specifically to BSides, in my area we have decided not to pursue using the BSides name in order to run our own "free" (funded through KickStarter) conference called CactusCon. BSidesPHX, run for only one year, was a huge success, but we (the planners) didn't feel that even their platform was free and transparent enough. It's no surprise that the planning committees for CactusCon and BSidesPHX were all leaders I met through the OWASP Phoenix chapter.
>> 
>> If you really feel, as an infosec professional or app developer/tester involved with OWASP, that you aren't able to support my concepts of "transparency" and "free, accessible events", then you do not understand what it is like to be an at-risk member of our modern worldwide cities, towns, and communities. There are many people coming from "hardship situations" who have paved the way to their first non-poverty-level job via OWASP -- which has had significant positive impact on their quality of life and to those around them.
>> 
>> What does it take to run a local OWASP chapter event? Does it take $20 or $100 per head? $500 per head per event? No, it costs nothing. So stop pretending like you are the at-risk individual in a hardship situation. You're fine. You make like 6 figures. Shut up and put out.
>> 
>> -Andre
>> 
>> On Thu, Feb 14, 2013 at 9:36 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Thank you Jason.
>>> 
>>> > OWASP is an idea, we all have tons of them but we will never make you pay for them.
>>> 
>>> Thank you, this statement means a lot to me as well. I have my personal limits of what I can handle commercially at OWASP. In the spirit of the mission, I have been delivering free developer security training at different OWASP events. I think this is directly in line with our mission.
>>> 
>>> I've been told that I might be restricted from doing this moving forward, because it marginalizes our paid-for training.
>>> 
>>> If my hand is forced to stop doing this free training, I will have deemed OWASP to have jumped the shark and I will move on and throw my energy into BSides or the like.
>>> 
>>> We are starting to worry about money, vendor relations and commercialization too much as a nonprofit, in my opinion. I think we all need to be reminded on a regular basis that OWASP is ethically and legally a not-for-profit organization which is legally bound to serve the community before personal or organizational gain.
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>> 
>>> > Dear OWASP
>>> >
>>> > I'm new as a chapter leader for the OKC chapter. What I LOVE about this
>>> > foundation is the passion and help people want to give to the community.
>>> > People ask me how secure am I at home when I'm online or doing website work
>>> > on my daughter's computer. This is what led me to OWASP to fix up Oklahoma
>>> > to swim in this huge knowledge pool. I love OWASP and will defend its right
>>> > to be open and free to learn, free to play hacker, cracker whatever. Above
>>> > all for myself and others to see how passionate we are about securing our
>>> > schools, businesses and lifestyles. I believe OWASP to be an attitude.
>>> > Joining this foundation of 3 weeks has changed my outlook on security. I can
>>> > relate to the OWASP value statement. Shame on us the moment we use this for
>>> > personal gain in any form.
>>> >
>>> > If you want to come to a meeting and see energy and have some fun looking
>>> > at funny code or breaking my computer. Ultimately maybe learn something and
>>> > pledge some extra bucks to the foundation, that's solid.
>>> >
>>> > OWASP is an idea, we all have tons of them but we will never make you pay
>>> > for them.
>>> >
>>> > Love the idea
>>> >
>>> > Jason
>>> > On Feb 14, 2013 9:56 AM, "Dennis Groves" <dennis.groves at owasp.org> wrote:
>>> >
>>> >> On 14 Feb 2013, at 15:19, Paolo Perego wrote:
>>> >>
>>> >> I'm pretty sure that Tom would explain his point of view but
>>> >> the philosophy "let all of us use the brand Owasp in the way we love most
>>> >> since we must pay bills" is something I don't think is in the original idea
>>> >> of the Owasp itself.
>>> >>
>>> >> I can confirm your belief Paolo. From the beginning:
>>> >> OWASP Mission:
>>> >>
>>> >> Application security is still relatively immature and there is significant
>>> >> FUD (Fear, Uncertainty and Doubt) being purveyed by the industry. This
>>> >> project aims to be an open source reference point for system architects,
>>> >> developers, vendors, consumers and security professionals involved in the
>>> >> Design, Development, Deployment and Testing the security of web
>>> >> applications and web services. Security professionals will be able to use
>>> >> the work to incorporate in their work. Security vendors will be able to
>>> >> base services and software on this project and consumers will be able to
>>> >> baseline and test applications or services they receive.
>>> >> OWASP Founders:
>>> >>
>>> >> OWASP is a community effort where work is contributed by *volunteers*. We
>>> >> are currently in the process of registering OWASP as a charitable
>>> >> foundation and have recently engaged a funding company to lobby for
>>> >> appropriate funding to further the work.
>>> >>
>>> >>    - The Chair of the project is Mark Curphey who moderates the webappsec
>>> >>    mailing list at securityfocus.com.
>>> >>    - The Vice Chair of the project is Dennis Groves who is currently
>>> >>    engaged in developing public speaking material and presentations for OWASP.
>>> >>    - The web site and content manager is Kevin Jeong who is responsible
>>> >>    for all web site development as well as editing and publishing all content.
>>> >>    - The Industry Robert "Bob" Rodger runs the Industry Advisor panel
>>> >>    - The OWASP foundation and all business administration are managed by
>>> >>    Tim Smith
>>> >>
>>> >> OWASP Values
>>> >>
>>> >> I can thus speak with some authority on this subject.
>>> >>
>>> >> OWASP was started because my employer at the time fired me for not
>>> >> participating in crimes. My employer wanted me to hack potential sales
>>> >> clients and then teach the sales people what I had done to break into the
>>> >> client without obtaining the client's permission. This way the sales people
>>> >> could tell the potential clients that their websites were so insecure that
>>> >> even a sales guy could hack it. I declined to participate, stating that
>>> >> this was a crime in the United States, and was fired on the spot.
>>> >>
>>> >> OWASP began as a direct result of that event. The purpose was a moral
>>> >> obligation to stop such companies from exploiting their asymmetrical
>>> >> knowledge. We (the founders) were very jaded about the security industry
>>> >> and the vast number of snake-oil salesmen in the industry.
>>> >>
>>> >> OWASP from the beginning was an altruistic effort to make the world a
>>> >> better place through education, and I feel it still is.
>>> >>
>>> >> I also believe that the rewards come from the respect, influence and
>>> >> opportunities gained directly from making the world a better place. I think
>>> >> that is as true 13 years later as it was when we started OWASP.
>>> >>
>>> >> Dennis
>>> >> ------------------------------
>>> >>
>>> >> Dennis Groves <http://about.me/dennis.groves>, MSc
>>> >> Email me <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>>> >> .
>>> >>
>>> >> *This email is licensed under a CC BY-ND 3.0<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB>license.
>>> >> *
>>> >>
>>> >> *Please do not send me Microsoft Office/Apple iWork documents.*
>>> >> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>>> >> Stand up for your freedom to install free software<http://www.fsf.org/campaigns/secure-boot/statement>
>>> >> .
>>> >>
>>> >> The idea that some lives matter less is the root of all that’s wrong with
>>> >> the world. -- Paul Farmer
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> OWASP-Leaders mailing list
>>> >> OWASP-Leaders at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders