[Owasp-leaders] Vendor Neutrality

Jim Manico jim.manico at owasp.org
Tue Feb 19 23:11:41 UTC 2013

+1 Wise words that I shall reflect on, Victor. Thanks for jumping into this.


Jim Manico
(808) 652-3805

On Feb 20, 2013, at 12:55 AM, Victor Chapela <victor at sm4rt.com> wrote:


I believe the most important (and difficult) achievement at OWASP has been
to integrate a widespread membership and the support of thousands of
individuals. Even though we would like every one of them to give their time
and efforts in a completely selfless way and with a greater good in mind,
my experience is that there is no such thing as a free lunch.

We have to allow different levels of gain by individuals and companies,
while at the same time limiting abuse. There are very few pure altruistic
persons with deep knowledge, economic freedom and enough spare time to make
significant contributions. But if we add all those that would do it for
some kind of public recognition the base broadens. The spectrum of expected
outcomes from involvement with OWASP range from the completely altruistic
to the completely selfish. And all of them can contribute to OWASP. I do
not believe it is meant for selfish individuals, but at the same time I
cannot see how focusing on giving nothing back to those who contribute
could possibly increase our ability to make the world a better place.

We should strive to align incentives and find ways to recognize the efforts
of all stakeholders within OWASP, while at the same time limiting abuse.
And I only believe abuse should be limited because this in turn reduces the
incentives of other stakeholders to continue contributing. If we change the
question we may add more value. How can we properly align incentives to
help more individuals and companies contribute with OWASP?


*From*: Tony UV <tonyuv at owasp.org>
*Sent*: Tuesday, February 19, 2013 09:39 AM
*To*: Jim Manico <jim.manico at owasp.org>
*Cc*: owasp-leaders at lists.owasp.org
*Subject*: Re: [Owasp-leaders] Vendor Neutrality


Glad to see you admit that your email and pursuit extends beyond *an*
email. I value you bringing things like this to light to the worldwide
leaders list, but think that there is a better way for the board to handle
the misrepresentation of anyone affiliated with OWASP.

You being on the board, perhaps you sense that this is worth more time than
I’m perceiving, and for that you are more entitled to since you’re far more
involved than I.  From my meager corner, I see other things that stall our
progress.  Related to your point on ‘folks trusting us’, I don’t disagree
that they do, but more so think it's due to the OWASP organization cranking
out great projects for mass consumption.  That being said, I think beyond
*trust* is the issue of awareness.  I think your efforts around vendor
neutrality are critical at any stage of OWASP’s maturity as an organization
- that I’m not disputing.  I’m just contesting that there may be other
pressing issues, namely brand recognition.  I’m still appalled at how many
blank looks people give in response to the mentioning of OWASP.  Is it
getting better?  Yes.  Are we all involved in project/ organization
development?  Yes. But more can still be done and I just think that the
time focused on these exchanges could be applied to other efforts as such.

By the way, I’m all for making lyrical references that get the point
across.  That counter was a bit off-center to my original point, but that’s
cool.  I also want to say that you can keep on ‘bringing it’ as much as you
want; I think the global org appreciates the passion.  I just think that
before you run onstage to belt out some Tom Petty & the Heartbreakers,
reform-like messaging, be wary that there may be only 100s in the stands
that seats 1000s in the stadium.  Point is that before we put on the rock
festival, let's make sure that people know we’re playing.

Tony UV

Sent from tablet device - please excuse any typos

*From:* Jim Manico <jim.manico at owasp.org>
*Sent:* February 19, 2013 8:43 AM
*To:* Tony UV <tonyuv at owasp.org>
*CC:* John Wilander <john.wilander at owasp.org>,owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Vendor Neutrality


While I disagree with your position here, I value your opinion and
appreciate your volunteerism. I also feel you have a strong sense of ethics
and treat OWASP vendor neutrality very well from what I have seen from you
over the years.

I agree this is a polarizing issue, but I disagree this is low priority.
Folks trust us because of our apparent objective nature. If they wanted a
vendor parade there are many commercial outlets for that need.

Also, this thread is not about corporate names appearing on email lists.
It's about a board member who I feel has a long history of abusing the
OWASP name. I brought this up because several members from the NYC chapter
sent me email complaining about this marketing, asking me to do something
about it. I've also witnessed what I feel is a pattern of abuse. I am not
happy with this thread; it's not fun wading into this debate. But I made a
promise when I ran for the board and I feel it's my duty to the 100's of
selfless volunteers I work with every week at OWASP.

I admit, this is not "Darth Vader destroying planets with a death star"
evil, it's more like "mini-me kicking you in the shin" evil (ie: a minor

But as I join the board and see activities behind the scenes, more and more
I think Tom is constantly in the "gray" of what is reasonable as a board
member in terms of ethics in general.

I also tried to discuss vendor neutrality and what it means to the board
and was largely shot down. The board does not seem interested in discussing
vendor neutrality right now.

I'm just getting started, Tony. I know you're not a fan of music
compilations on the leaders list, but let me leave you with some lyrics to

Well I won't back down
No I won't back down
You can stand me up at the gates of hell
But I won't back down

No I'll stand my ground, won't be turned around
And I'll keep this world from draggin me down
gonna stand my ground
... and I won't back down

(I won't back down...)
Hey baby, there ain't no easy way out
(and I won't back down...)
hey I will stand my ground
and I won't back down.

Jim Manico
(808) 652-3805

On Feb 19, 2013, at 9:17 PM, Tony UV <tonyuv at owasp.org> wrote:

I just had a chance to read this thread.  At first take, I didn’t see
anything wrong with Tom’s email.  It didn’t scream ‘shameless plug’ in my
mind.  Then I read John’s email response about how this would be blocked in
Sweden and I had to slowly read the company references that didn’t
initially stand out.  It could be that (a) I don’t care about what is
referenced or (b) the initial impression that I got was not that I was
being solicited to, either consciously or subconsciously.  I think a more
likely option is that no clear intent was apparent to me in reading this
original email that represented misuse of vendor mentioning, while
masquerading as an OWASP email.

If mailing list moderation is to perform a type of regex on simply company
names w/o considering the intent of a volunteer OWASP member who doesn't
have time to weigh every choice word on a training announcement where some
cost savings were being shared, then we should extend that sort of
moderation to other types of non-topical areas.  Now, I’m not naive on the
way coupon codes work and presuming that contact info would be required,
the email still didn’t spell ‘subtle solicitation’ for me, but as we all
know, these things are relative, which really undermines this whole back
and forth on the thread, b/c it’ll still be a polarizing, although low
priority topic.

Overall, if company names are to be excluded completely from within email
posts b/c they are non-germane to the OWASP mission, I’d like to add that
we include personal posturing as well b/c just like most of us don’t care
where most of us work, I personally don’t care about seeing references to
blogs, twitter sites, musical compilations, online CVs, or anything
in-between.  This is of course if we want to exclude reason and the ability
to decipher context and intent of what is being said, for which I still
think is the most reasonable way to approach apparent violations of company
plugging.  Where there is pattern, we can question intent and then raise
individually and thereafter in small circles, with the offender.

Tony UV
Atlanta Chapter Leader

Sent from tablet device - please excuse any typos

*From:* John Wilander <john.wilander at owasp.org>
*Sent:* February 15, 2013 11:14 AM
*To:* Jim Manico <jim.manico at owasp.org>
*CC:* owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Vendor Neutrality

Tom's email in its form below would have been rejected by the moderators of
the OWASP Sweden mailing list. We would have suggested a rephrasing to make
it more about OWASP and the class, and less about SpiderLabs and Trustwave.

I suggest OWASP leaders refrain from emailing about our own businesses or
employers to lists that we moderate ourselves. Instead we should ask a
co-moderator to review the text and send it. Simple.

Regards, John

My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

14 feb 2013 kl. 02:37 skrev Jim Manico <jim.manico at owasp.org>:

> Hey folks,
> Please see the email at the bottom of this message.
> This email hit the NYC chapter list today and we discussed it through the
> board list earlier. I feel this is an abuse of the OWASP brand and vendor
> neutrality rules to some degree, but other board members politely disagreed
> with me. That's fair.
> Can you please chime in here? Am I off-base or do you feel this is OWASP
> brand or vendor neutrality abuse?
> I know this is a specific example, but I think it's very important to the
> organization. So far, I feel like I stand alone when complaining about
> these situations and I'd appreciate your feedback. If you have the time,
> please click deeper into the email below and investigate a bit.
> I am happy to back away from the issue of vendor neutrality if you think
> I am off base.
> Thanks all,
> Jim Manico
> @Manicode
> (808) 652-3805
> ***********
> From: Tom Brennan <tomb at owasp.org>
> Date: Tuesday, February 12, 2013 6:56 PM
> To: "OWASPNYCMETRO-announce at meetup.com" <OWASPNYCMETRO-announce at meetup.com>
> Subject: [OWASPNYCMETRO] NYC March 13th Training
> Details: https://www.owasp.org/index.php/NYC
> As a special introduction to the SpiderLabs instructor led course I would
> like to extend to you a $500 discount code “TRUSTWAVE_500OFF” to be used
> during check-out.
> Hack Your Own Code: Advanced Training for Developers (2 Day Training
> This class provides security developers an exciting chance to hone their
> programming skills while also learning to exploit common web
> For more information on the (3) training classes available visit:
> https://www.owasp.org/index.php/NYC
> Have additional questions?
> Call 973-202-0122 to discuss
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders