[Owasp-leaders] OWASP "Certification"

Tobias Glemser tobias.glemser at owasp.org
Wed Jul 3 08:27:01 UTC 2013

Hi Dennis,

First of all, thanks for your detailed answer.

Of course OWASP needs money to be able to move on. If we have a money problem, we have to address the issue. I expect the criticality has never been that obvious (at least to me). 

> As a community I believe we need to accept the fact that when OWASP
> profits, we are all in a much better position to pursue our altruistic mission.
We do, it's just the question how. I don't think this is a TRUE/FALSE decision on the question if licensing is the right way, there has to be a discussion and I'm happy we have this discussion now. I see the risk we lose the brand's integrity aka value if we start licensing it. If we lose the brand's value, we've lost everything. 

I'd be happy if we address this risk and start making an opinion. 


P.S.: Congrats to Josh for raising this huge amount of money. Our chapter raised ~30k EUR last year by our conference so yes: All chapters can learn from each other so maybe we should check the chapter handbook if we can improve.

> -----Original Message-----
> From: Dennis Groves [mailto:dennis.groves at owasp.org]
> Sent: Wednesday, 3 July 2013 10:04
> To: Tobias Glemser
> Cc: owasp-leaders at lists.owasp.org; Josh Sokol; Dinis Cruz; Jim Manico; John
> Wilander; Jerry Hoff
> Subject: Re: [Owasp-leaders] OWASP "Certification" [ Z1 UNGESICHERT ]
> On 3 Jul 2013, at 0:12, Tobias Glemser wrote:
> > Dennis,
> >
> > what is our goal? Make money or keep up the fantastic work of
> > volunteers which made the brand what it is today.
> I believe our goal is very clear, it is definitely a machine to enable volunteers!
> And in a perfect world we could pursue our altruism exclusively.
> Unfortunately, we live in a world that requires money to pursue our mission.
> They say you have to be able to help yourself before you can help another
> person.
> Warren Buffett and Bill Gates are arguably able to help more people than you
> and I through their notorious charities, which are enabled as a result of their
> wealth.
> Similarly for a non-profit like OWASP; if we do not pay the bills - we are not
> going to be able to help anybody for very long. Therefore, I do not see the
> question as an XOR as you described above; I see it as AND - how do we
> marry our mission and money?
> Let me ask you another question - do you think we should fire the
> employees or do you think they create value for the organisation? Do you
> think things like AppSec conferences are valuable to the community or
> should we abandon them? What about having world class speakers, speak at
> your local chapter like Jim Manico, Dinis Cruz, John Wilander or Jerry Hoff
> through 'OWASP on the move'??
> Did you know that our 'sponsorships and memberships' are not paying the
> bills? Did you know we finance OWASP entirely through the AppSec
> conferences? Did you know that if we lose money at any AppSec event,
> OWASP faces bankruptcy and may fail to exist entirely?
> All that stuff costs money, and there is so much, much more we could do if
> we had more money! Currently, OWASP operates on a very nearly break
> even basis. If we want to do more, we need more money! Licensing the
> brand is one very obvious and low maintenance way to provide that revenue
> so we can do more awesome stuff at OWASP!
> Did you know that we pay Matt only $12k per year to maintain the entire IT
> operations of OWASP? Matt works a full-time job elsewhere and takes his
> personal holidays to volunteer for OWASP. This time belongs to him and his
> family, not to OWASP! While I am very grateful for his service, Matt totally
> deserves a living wage, and OWASP should be providing him time with his
> family on his holidays not taking it from him! In fact he really should have
> enough money to hire some relief! While Matt does an incredible job for the
> community, I think that OWASP can and should be doing much better than
> this.
> And, that is a single example, I could go on for days… And I have no doubt
> that I am not alone in how money can be used to make OWASP better.
> Josh Sokol, for example has one of the most successful and profitable
> OWASP chapters in the United States, and he very definitely knows how his
> chapter benefits from money, but he also knows how to make those
> investments support OWASP. His chapter recently provided $150k to the
> OWASP foundation, which is being used to enable AppSec New York.
> Without Josh, OWASP would be much poorer indeed. Josh is a chapter leader
> we can all learn from, and I bet he runs his chapter like a business.
> As a community I believe we need to accept the fact that when OWASP
> profits, we are all in a much better position to pursue our altruistic mission.
> Dennis
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of Dennis Groves
> >> Sent: Tuesday, 2 July 2013 23:03
> >> To: Dirk Wetter
> >> Cc: owasp-leaders at lists.owasp.org
> >> Subject: Re: [Owasp-leaders] OWASP "Certification" [ Z1 UNGESICHERT ]
> >>
> >> This is really great, it is essentially free marketing for OWASP.
> >>
> >> However, this is an example of how we fail to capture value. What is
> >> lost is an opportunity to license the use of the 'OWASP' brand - which
> >> is one way we have historically left money on the table. (Samantha's
> >> Idea...)
> >>
> >> A non-profit can not exist on handouts alone; that is we will be
> >> bankrupt before long if we keep asking for sponsorships. This is why
> >> it is **critical** we start acting like a proper business, and move to
> >> profit generating revenue models.
> >>
> >> Cheers,
> >> Dennis
> >>
> >>
> >>
> >> On 2 Jul 2013, at 13:48, Dirk Wetter wrote:
> >>
> >>> On 07/02/2013 04:22 PM, Owasp wrote:
> >>>> I believe the board is aware and we reached out. How great are we
> >>>> that people want to rip off our brand, congrats all :) I'd probably
> >>>> expect more of this to come from countries which do not respect
> >>>> intellectual property or trademark rights.
> >>>
> >>> e.g. Qualys. https://www.qualys.com/forms/freescan/owasp/
> >>>
> >>> Dear board: pls set up a plan how to deal with those cases
> >>> appropriately and then just do it.
> >>>
> >>> Cheers,
> >>>
> >>> Dirk
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc [Email
> me](mailto:dennis.groves at owasp.org) or [schedule a
> meeting](http://goo.gl/8sPIy).
> > "Unless someone like you...cares a whole awful lot...nothing is going
> > to get better...It's not." -- The Lorax
