[Owasp-leaders] Vendor Neutrality

Jim Manico jim.manico at owasp.org
Tue Feb 19 14:51:49 UTC 2013


Tony,

The music dig was meant to make you grin, my friend.

I think you are expressing wise words below, Tony. I'll take them to heart.

I'd rather focus my limited time on the various projects I support, but
after discussing vendor neutrality with the board, staff and many community
members and chapters, I feel I have no choice at this point but to continue
this thread on leaders. I'll aim for a better way as soon as I can.

--
Jim Manico
@Manicode
(808) 652-3805

On Feb 19, 2013, at 11:39 PM, Tony UV <tonyuv at owasp.org> wrote:

Jim,

Glad to see you admit that your email and pursuit extends beyond *an*
email. I value you bringing things like this to light to the worldwide
leaders list, but think that there is a better way for the board to handle
the misrepresentation of anyone affiliated with OWASP.

You being on the board, perhaps you sense that this is worth more time than
I’m perceiving, and for that you are more entitled to since you’re far more
involved than I.  From my meager corner, I see other things that stall our
progress.  Related to your point on ‘folks trusting us’, I don’t disagree
that they do, but more so think it’s due to the OWASP organization cranking
out great projects for mass consumption.  That being said, I think beyond
*trust* is the issue of awareness.  I think your efforts around vendor
neutrality are critical at any stage of OWASP’s maturity as an organization
- that I’m not disputing.  I’m just contesting that there may be other
pressing issues, namely brand recognition.  I’m still appalled at how many
blank looks people give in response to the mentioning of OWASP.  Is it
getting better?  Yes.  Are we all involved in project/organization
development?  Yes. But more can still be done and I just think that the
time focused on these exchanges could be applied to other efforts as such.

By the way, I’m all for making lyrical references that get the point
across.  That counter was a bit off-center to my original point, but that’s
cool.  I also want to say that you can keep on ‘bringing it’ as much as you
want; I think the global org appreciates the passion.  I just think that
before you run onstage to belt out some Tom Petty & the Heartbreakers,
reform-like messaging, be wary that there may be only 100s in the stands
that seats 1000s in the stadium.  Point is that before we put on the rock
festival, let’s make sure that people know we’re playing.

Tony UV



Sent from tablet device - please excuse any typos

*From:* Jim Manico <jim.manico at owasp.org>
*Sent:* February 19, 2013 8:43 AM
*To:* Tony UV <tonyuv at owasp.org>
*CC:* John Wilander <john.wilander at owasp.org>, owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Vendor Neutrality

Tony,

While I disagree with your position here, I value your opinion and
appreciate your volunteerism. I also feel you have a strong sense of ethics
and treat OWASP vendor neutrality very well from what I have seen from you
over the years.

I agree this is a polarizing issue, but I disagree this is low priority.
Folks trust us because of our apparent objective nature. If they wanted a
vendor parade there are many commercial outlets for that need.

Also, this thread is not about corporate names appearing on email lists.
It's about a board member who I feel has a long history of abusing the
OWASP name. I brought this up because several members from the NYC chapter
sent me email complaining about this marketing, asking me to do something
about it. I've also witnessed what I feel is a pattern of abuse. I am not
happy with this thread; it's not fun wading into this debate. But I made a
promise when I ran for the board and I feel it's my duty to the 100's of
selfless volunteers I work with every week at OWASP.

I admit, this is not "Darth Vader destroying planets with a death star"
evil, it's more like "mini-me kicking you in the shin" evil (i.e.: a minor
infraction).

But as I join the board and see activities behind the scenes, more and more
I think Tom is constantly in the "gray" of what is reasonable as a board
member in terms of ethics in general.

I also tried to discuss vendor neutrality and what it means to the board
and was largely shot down. The board does not seem interested in discussing
vendor neutrality right now.

I'm just getting started, Tony. I know you're not a fan of music
compilations on the leaders list, but let me leave you with some lyrics to
consider.

Well I won't back down
No I won't back down
You can stand me up at the gates of hell
But I won't back down

No I'll stand my ground, won't be turned around
And I'll keep this world from draggin me down
gonna stand my ground
... and I won't back down

Chorus:
(I won't back down...)
Hey baby, there ain't no easy way out
(and I won't back down...)
hey I will stand my ground
and I won't back down.

--
Jim Manico
@Manicode
(808) 652-3805

On Feb 19, 2013, at 9:17 PM, Tony UV <tonyuv at owasp.org> wrote:

I just had a chance to read this thread.  At first take, I didn’t see
anything wrong with Tom’s email.  It didn’t scream ‘shameless plug’ in my
mind.  Then I read John’s email response about how this would be blocked in
Sweden and I had to slowly read the company references that didn’t
initially stand out.  It could be that (a) I don’t care about what is
referenced or (b) the initial impression that I got was not that I was
being solicited to, either consciously or subconsciously.  I think a more
likely option is that no clear intent was apparent to me in reading this
original email that represented misuse of vendor mentioning, while
masquerading as an OWASP email.

If mailing list moderation is to perform a type of regex on simply company
names w/o considering the intent of a volunteer OWASP member who doesn't
have time to weigh every choice word on a training announcement where some
cost savings were being shared, then we should extend that sort of
moderation to other types of non-topical areas.  Now, I’m not naive on the
way coupon codes work and presuming that contact info would be required,
the email still didn’t spell ‘subtle solicitation’ for me, but as we all
know, these things are relative, which really undermines this whole back
and forth on the thread, b/c it’ll still be a polarizing, although low
priority topic.

Overall, if company names are to be excluded completely from within email
posts b/c they are non-germane to the OWASP mission, I’d like to add that
we include personal posturing as well b/c just like most of us don’t care
where most of us work, I personally don’t care about seeing references to
blogs, twitter sites, musical compilations, online CVs, or anything
in-between.  This is of course if we want to exclude reason and the ability
to decipher context and intent of what is being said, which I still
think is the most reasonable way to approach apparent violations of company
plugging.  Where there is pattern, we can question intent and then raise
individually and thereafter in small circles, with the offender.

Tony UV
Atlanta Chapter Leader

Sent from tablet device - please excuse any typos

*From:* John Wilander <john.wilander at owasp.org>
*Sent:* February 15, 2013 11:14 AM
*To:* Jim Manico <jim.manico at owasp.org>
*CC:* owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Vendor Neutrality

Tom's email in its form below would have been rejected by the moderators of
the OWASP Sweden mailing list. We would have suggested a rephrasing to make
it more about OWASP and the class, and less about SpiderLabs and Trustwave.

I suggest OWASP leaders refrain from emailing about our own businesses or
employers to lists that we moderate ourselves. Instead we should ask a
co-moderator to review the text and send it. Simple.

   Regards, John

--
My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

On 14 Feb 2013, at 02:37, Jim Manico <jim.manico at owasp.org> wrote:

> Hey folks,
>
> Please see the email at the bottom of this message.
>
> This email hit the NYC chapter list today and we discussed it through the
> board list earlier. I feel this is an abuse of the OWASP brand and vendor
> neutrality rules to some degree, but other board members politely disagreed
> with me. That's fair.
>
> Can you please chime in here? Am I off-base or do you feel this is OWASP
> brand or vendor neutrality abuse?
>
> I know this is a specific example, but I think it's very important to the
> organization. So far, I feel like I stand alone when complaining about
> these situations and I'd appreciate your feedback. If you have the time,
> please click deeper into the email below and investigate a bit.
>
> I am happy to back away from the issue of vendor neutrality if you think
> I am off base.
>
> Thanks all,
> Jim Manico
> @Manicode
> (808) 652-3805
>
> ***********
>
>
> From: Tom Brennan <tomb at owasp.org>
> Date: Tuesday, February 12, 2013 6:56 PM
> To: "OWASPNYCMETRO-announce at meetup.com" <OWASPNYCMETRO-announce at meetup.com>
> Subject: [OWASPNYCMETRO] NYC March 13th Training
>
> It's coming....INSTRUCTOR LED TRAINING IN NYC
>
> Details: https://www.owasp.org/index.php/NYC
>
> As a special introduction to the SpiderLabs instructor led course I would
> like to extend to you a $500 discount code “TRUSTWAVE_500OFF” to be used
> during check-out.
>
> Hack Your Own Code: Advanced Training for Developers (2 Day Training
> Course)
> This class provides security developers an exciting chance to hone their
> programming skills while also learning to exploit common web
> vulnerabilities.
>
> For more information on the (3) training classes available visit:
>
> https://www.owasp.org/index.php/NYC
>
>
> Have additional questions?
>
> Call 973-202-0122 to discuss
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders