[Owasp-leaders] Vendor Neutrality

Josh Sokol josh.sokol at owasp.org
Fri Feb 22 16:40:31 UTC 2013


I guess I'm late to the party, but figured I'd chime in here as well.
While it can sometimes be uncomfortable when naming specific names in group
settings, it's these specific topics that enable us to define, as an
organization, what is and is not appropriate.  I, personally, applaud Jim
for bringing this issue to the attention of the leaders.  If we truly are
an "Open" organization as we say we are, then we should have no problems
with our activities being under the microscope.  Frankly, we should always
be acting as though our actions are under the scrutiny of others.  In this
case, I think we can all agree that this communication probably could have
been worded differently to show an OWASP event from the mouth of an OWASP
leader, but I see no intentional abuse in this.  It was a mistake.  One
which, now that it has been brought to light, we can all learn from and aim
to do better next time.

I've witnessed far more flagrant abuses since my involvement with OWASP.
For example, we made the mistake for LASCON 2011 to have an open speaker
selection process.  It was supposed to allow members to have a voice in the
topics selected.  It turns out that one company sent four people to that
meeting in an attempt to sway the results in their favor.  This was a
blatant abuse by a vendor and was disheartening to say the least.  We
learned our lesson and created an impartial selection committee separate
from our planning team for AppSec USA 2012.

Speaking of AppSec USA 2012, after making our CFT selections by committee
and being very confident in our selections, our team was approached by a
well-known member and participant in our community upset that his company's
training was not selected.  He stated that his company had a long-running
trend of trainings at AppSec and he thought they should have been
selected.  They had submitted what was effectively the same training as
another company and our committee decided on the other.  The fact that
there was some expectation that he would be selected because of his high
level involvement with OWASP or his company's sponsorship of OWASP
activities really rubbed me wrong because of this topic of vendor
neutrality.

I think that we can all agree that vendor neutrality is one of the key
things that makes OWASP what it is.  It's even highlighted in bold text on
the front page of owasp.org:

> OWASP *does not endorse or recommend commercial products or services*,
> allowing our community to remain vendor neutral with the collective wisdom
> of the best minds in software security worldwide.

I don't think any of us can be so naive as to think that some people and/or
companies won't or don't use OWASP for personal gain.  For many, OWASP is a
means to some end and I'm generally OK with that if the relationship is
still mutually beneficial.  I think that Eric Sheridan said it well.
"People need the ability to promote themselves or their company to some
extent, as long as it is not "blatant abuse" of the brand which needs to be
defined if not done so already."  To me, this says that the Leaders and the
Board need to keep a watchful eye on what we all say and do to represent
the organization.  We should never be afraid to call someone (or a company)
out for their actions just as we should always give them the opportunity to
justify them.  With a community as small as ours, it's sometimes difficult
to do this knowing that it's often a friend or respected peer that you're
calling out, but if we remain silent, then the abuses will continue.  Thank
you Jim for breaking the silence and bringing this to our attention.  Thank
you Tom for being thick-skinned enough to stand the scrutiny and explaining
the situation in a rational fashion.  And especially thank you leaders for
chiming in and voicing your opinions on this matter.  I'd encourage more
discussions like these as they eventually lead us toward positive change.
I just wish they could happen on a better suited forum like
http://my.owasp.org.  Just sayin'.  ;-)

~josh