[Owasp-leaders] Vendor Neutrality

Victor Chapela victor at sm4rt.com
Tue Feb 19 15:55:56 UTC 2013


I believe the most important (and difficult) achievement at OWASP has been to integrate a widespread membership and the support of thousands of individuals. Even though we would like every one of them to give their time and efforts in a completely selfless way and with a greater good in mind, my experience is that there is no such thing as a free lunch.

We have to allow different levels of gain by individuals and companies, while at the same time limiting abuse. There are very few purely altruistic persons with deep knowledge, economic freedom and enough spare time to make significant contributions. But if we add all those that would do it for some kind of public recognition, the base broadens. The spectrum of expected outcomes from involvement with OWASP ranges from the completely altruistic to the completely selfish. And all of them can contribute to OWASP. I do not believe it is meant for selfish individuals, but at the same time I cannot see how focusing on giving nothing back to those who contribute could possibly increase our ability to make the world a better place.

We should strive to align incentives and find ways to recognize the efforts of all stakeholders within OWASP, while at the same time limiting abuse. And I only believe abuse should be limited because this in turn reduces the incentives of other stakeholders to continue contributing. If we change the question we may add more value. How can we properly align incentives to help more individuals and companies contribute to OWASP?


From: Tony UV [mailto:tonyuv at owasp.org]
Sent: Tuesday, February 19, 2013 09:39 AM
To: Jim Manico <jim.manico at owasp.org>
Cc: owasp-leaders at lists.owasp.org <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] Vendor Neutrality


Glad to see you admit that your email and pursuit extends beyond *an* email. I value you bringing things like this to light to the worldwide leaders list, but think that there is a better way for the board to handle the misrepresentation of anyone affiliated with OWASP.

You being on the board, perhaps you sense that this is worth more time than I'm perceiving, and for that you are more entitled to, since you're far more involved than I. From my meager corner, I see other things that stall our progress. Related to your point on 'folks trusting us', I don't disagree that they do, but more so think it's due to the OWASP organization cranking out great projects for mass consumption. That being said, I think beyond *trust* is the issue of awareness. I think your efforts around vendor neutrality are critical at any stage of OWASP's maturity as an organization - that I'm not disputing. I'm just contesting that there may be other pressing issues, namely brand recognition. I'm still appalled at how many blank looks people give in response to the mention of OWASP. Is it getting better? Yes. Are we all involved in project/organization development? Yes. But more can still be done and I just think that the time focused on these exchanges could be applied to other efforts as such.

By the way, I'm all for making lyrical references that get the point across. That counter was a bit off-center to my original point, but that's cool. I also want to say that you can keep on 'bringing it' as much as you want; I think the global org appreciates the passion. I just think that before you run onstage to belt out some Tom Petty & the Heartbreakers, reform-like messaging, be wary that there may be only 100s in the stands that seat 1000s in the stadium. Point is that before we put on the rock festival, let's make sure that people know we're playing.

Tony UV

Sent from tablet device - please excuse any typos

From: Jim Manico <jim.manico at owasp.org>
Sent: February 19, 2013 8:43 AM
To: Tony UV <tonyuv at owasp.org>
CC: John Wilander <john.wilander at owasp.org>, owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Vendor Neutrality


While I disagree with your position here, I value your opinion and appreciate your volunteerism. I also feel you have a strong sense of ethics and treat OWASP vendor neutrality very well from what I have seen from you over the years.

I agree this is a polarizing issue, but I disagree this is low priority. Folks trust us because of our apparent objective nature. If they wanted a vendor parade there are many commercial outlets for that need.

Also, this thread is not about corporate names appearing on email lists. It's about a board member who I feel has a long history of abusing the OWASP name. I brought this up because several members from the NYC chapter sent me email complaining about this marketing, asking me to do something about it. I've also witnessed what I feel is a pattern of abuse. I am not happy with this thread; it's not fun wading into this debate. But I made a promise when I ran for the board and I feel it's my duty to the 100's of selfless volunteers I work with every week at OWASP.

I admit, this is not "Darth Vader destroying planets with a death star" evil, it's more like "mini-me kicking you in the shin" evil (ie: a minor infraction).

But as I join the board and see activities behind the scenes, more and more I think Tom is constantly in the "gray" of what is reasonable as a board member in terms of ethics in general.

I also tried to discuss vendor neutrality and what it means to the board and was largely shot down. The board does not seem interested in discussing vendor neutrality right now.

I'm just getting started, Tony. I know you're not a fan of music compilations on the leaders list, but let me leave you with some lyrics to consider.

Well I won't back down
No I won't back down
You can stand me up at the gates of hell
But I won't back down

No I'll stand my ground, won't be turned around
And I'll keep this world from draggin me down
gonna stand my ground
... and I won't back down

(I won't back down...)
Hey baby, there ain't no easy way out
(and I won't back down...)
hey I will stand my ground
and I won't back down.

Jim Manico
(808) 652-3805

On Feb 19, 2013, at 9:17 PM, Tony UV <tonyuv at owasp.org> wrote:

I just had a chance to read this thread. At first take, I didn't see anything wrong with Tom's email. It didn't scream 'shameless plug' in my mind. Then I read John's email response about how this would be blocked in Sweden and I had to slowly read the company references that didn't initially stand out. It could be that (a) I don't care about what is referenced or (b) the initial impression that I got was not that I was being solicited to, either consciously or subconsciously. I think a more likely option is that no clear intent was apparent to me in reading this original email that represented misuse of vendor mentioning, while masquerading as an OWASP email.

If mailing list moderation is to perform a type of regex on simply company names w/o considering the intent of a volunteer OWASP member who doesn't have time to weigh every choice word on a training announcement where some cost savings were being shared, then we should extend that sort of moderation to other types of non-topical areas. Now, I'm not naive on the way coupon codes work and, presuming that contact info would be required, the email still didn't spell 'subtle solicitation' for me, but as we all know, these things are relative, which really undermines this whole back and forth on the thread, b/c it'll still be a polarizing, although low priority, topic.

Overall, if company names are to be excluded completely from within email posts b/c they are non-germane to the OWASP mission, I'd like to add that we include personal posturing as well b/c, just like most of us don't care where most of us work, I personally don't care about seeing references to blogs, twitter sites, musical compilations, online CVs, or anything in-between. This is of course if we want to exclude reason and the ability to decipher context and intent of what is being said, which I still think is the most reasonable way to approach apparent violations of company plugging. Where there is a pattern, we can question intent and then raise it individually and thereafter in small circles, with the offender.

Tony UV
Atlanta Chapter Leader

Sent from tablet device - please excuse any typos

From: John Wilander <john.wilander at owasp.org>
Sent: February 15, 2013 11:14 AM
To: Jim Manico <jim.manico at owasp.org>
CC: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Vendor Neutrality

Tom's email in its form below would have been rejected by the moderators of the OWASP Sweden mailing list. We would have suggested a rephrasing to make it more about OWASP and the class, and less about SpiderLabs and Trustwave.

I suggest OWASP leaders refrain from emailing about our own businesses or employers to lists that we moderate ourselves. Instead we should ask a co-moderator to review the text and send it. Simple.

   Regards, John

My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

On 14 Feb 2013 at 02:37, Jim Manico <jim.manico at owasp.org> wrote:

> Hey folks,
> Please see the email at the bottom of this message.
> This email hit the NYC chapter list today and we discussed it through the board list earlier. I feel this is an abuse of the OWASP brand and vendor neutrality rules to some degree, but other board members politely disagreed with me. That's fair.
> Can you please chime in here? Am I off-base or do you feel this is OWASP brand or vendor neutrality abuse?
> I know this is a specific example, but I think it's very important to the organization. So far, I feel like I stand alone when complaining about these situations and I'd appreciate your feedback. If you have the time, please click deeper into the email below and investigate a bit.
> I am happy to back away from the issue of vendor neutrality if you think I am off base.
> Thanks all,
> Jim Manico
> @Manicode
> (808) 652-3805
> ***********
> From: Tom Brennan <tomb at owasp.org>
> Date: Tuesday, February 12, 2013 6:56 PM
> To: "OWASPNYCMETRO-announce at meetup.com" <OWASPNYCMETRO-announce at meetup.com>
> Subject: [OWASPNYCMETRO] NYC March 13th Training
> Details: https://www.owasp.org/index.php/NYC
> As a special introduction to the SpiderLabs instructor led course I would like to extend to you a $500 discount code “TRUSTWAVE_500OFF” to be used during check-out.
> Hack Your Own Code: Advanced Training for Developers (2 Day Training Course)
> This class provides security developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities.
> For more information on the (3) training classes available visit:
> https://www.owasp.org/index.php/NYC
> Have additional questions?
> Call 973-202-0122 to discuss
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders