[Owasp-leaders] OWASP Branding & Twitter thread from Dinis

Josh Sokol josh.sokol at owasp.org
Fri Aug 14 15:40:21 UTC 2015


Dinis: Everyone works for someone.  It's how we pay the bills.  I don't
have the history with David, but a logo is a logo is a logo.

Tony: I agree.  I'm not saying invent more bureaucracy.  I'm saying that
everyone with a vested interest in this topic should come together and try
to figure out what the rules should be since it sounds like the current
rules aren't working.  This isn't a "Board" issue or a "Staff" issue.  It
is a community issue and my proposal was for the community to figure it out
in a constructive fashion.

~josh

On Fri, Aug 14, 2015 at 10:34 AM, Tony Turner <tony.turner at owasp.org> wrote:

> So what Josh is saying, is we need to invent more bureaucracy to deal with
> the bureaucracy...
>
> Just stop the madness already so we can get back to our mission. The logo
> requirement is dumb. I have never enforced it in Orlando chapter and I
> never will. As long as the content is useful and not salesy and furthers
> the OWASP mission I could give two carps whether your logo is on every
> slide. It's only vendor biased if you don't allow competing vendors to
> present as well, or the content clearly favors a vendor product. How does
> having a logo on a slide show vendor favoritism? It doesn't, but some folks
> here want to cry foul every time someone glances at a pretty
> girl/boy/person. Leave our presenters alone, you are HINDERING the OWASP
> mission. Just stop it already!
>
> On Fri, Aug 14, 2015 at 11:22 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> I think I see both sides of this pretty well.  On one hand, you have
>> people contributing to the Foundation either through their work efforts or
>> with money and some recognition for their contributions is definitely
>> deserved.  On the other hand, vendor neutrality is a key part of OWASP's
>> mission so that the community can get unbiased content from a trusted
>> source.  There is no clear and easy answer, however.  What I would like to
>> propose is that those representing both sides of this critical issue form a
>> new committee to discuss OWASP branding policies and procedures and
>> ultimately generate a revised policy that hopefully addresses these
>> issues.  Our policies as they are today suggest that we err on the side of
>> vendor neutrality and the staff is only enforcing those policies that have
>> been laid out before them.  Please do not fault them for that.  Instead of
>> complaining about the policies that exist, it would be far more beneficial
>> for those involved in this discussion to put those efforts into coming up
>> with a compromise that ideally addresses the concerns of everybody in a
>> vendor neutral way.  Some ideas off the top of my head:
>>
>>    - Clear labeling of the contribution and what was received for the
>>    contribution in the spirit of transparency.
>>    - Disclaimers on any page with a corporate logo that OWASP does not
>>    endorse the vendor/product.
>>    - Descriptions of what types of logos are appropriate, sizes,
>>    locations, etc.
>>
>> Attribution is a good thing.  It encourages more participation by
>> rewarding those who put in the efforts.  Vendor neutrality is a good
>> thing.  It is the reason why the community trusts OWASP for tools and
>> documents.  Let's find the common ground and create a policy that finds the
>> right balance between the two.
>>
>> ~josh
>>
>> On Fri, Aug 14, 2015 at 9:47 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>> It's not about time.....
>>> It's about the sea of red tape, focus on bullsh1t like updating policy
>>> documents, chasing people over email footers or logos on slides and the
>>> reason OWASP was formed was to fix software security. I'm not seeing so
>>> much of the software security aspect anymore.
>>> I love what OWASP stands for, many of the board I have vast amounts of
>>> respect for but the amount of energy and time consumed on stuff that simply
>>> has no impact on the state of software security is astounding. It's like the
>>> UN, lots of bark but little bite.
>>>
>>> Respect
>>>
>>> Eoin Keary
>>> OWASP Volunteer
>>> @eoinkeary
>>>
>>>
>>>
>>> On 14 Aug 2015, at 15:03, Azeddine Islam Mennouchi <
>>> azeddine.mennouchi at owasp.org> wrote:
>>>
>>> Johanna,
>>> what you are saying is almost like saying: "I donate money to a
>>> childcare but I will take a chair as a souvenir" (if everyone took
>>> something from the childcare the donation will have no value).
>>> If you don't have the time to volunteer, just don't; it is as simple as
>>> this.
>>> Let's not redefine the volunteering concept here, please.
>>>
>>> Regards Islam,
>>>
>>> On Fri, Aug 14, 2015 at 6:54 AM, Eoin Keary <eoin.keary at owasp.org>
>>> wrote:
>>>
>>>> I'm behind you 100%
>>>> I received a negative email after delivering a free class to 80 people
>>>> and raising €3k for Owasp. All time and slides donated by me.
>>>> I posted the slides to an alternative site after.
>>>>
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>>
>>>> On 14 Aug 2015, at 13:14, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> I just think the whole logo and branding rules are hypocritical rules.
>>>>
>>>> When OWASP does a conference, logos from sponsors can be placed loud
>>>> and clear on the APPSEC page. Is that vendor neutral?
>>>>
>>>> When a speaker that gets no money and no coverage for his/her traveling
>>>> cost does the same on their slides then 'we are non-profit' and cannot be
>>>> done...
>>>>
>>>>  The sole purpose of OWASP events is to pay operations but operations
>>>> is not the mission of owasp right?
>>>>
>>>> Keep the core mission in sight. I don't care which logo is displaying or
>>>> not on those slides as long as the content is valuable and the speaker is
>>>> worth listening to.
>>>>
>>>> If OWASP wants no logos and has all these rules then I think, pay the
>>>> speaker & his time to set that presentation in that format.
>>>>
>>>> Sometimes volunteers are treated like we should be happy we work for
>>>> nothing.
>>>>
>>>> We should be happy to have Dave Rook present for free and not the other
>>>> way around and explain that awesome experience implementing security where
>>>> he is working. Love those slides they rock & they are cool. A lot of time
>>>> went into making those slides and we should respect that.
>>>>
>>>> Volunteers have bills to pay and mouths to feed too.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>>> On Fri, Aug 14, 2015 at 7:25 AM, Tom Brennan <tomb at proactiverisk.com>
>>>> wrote:
>>>>
>>>>> AppSecUSA should have sessions for collaboration of people on top
>>>>> issues of projects, chapters and events.  in addition to fantastic
>>>>> presentations as always.  Blog posts like this should be reviewed as they
>>>>> have merit and I support covering an honorarium for speakers as they are the
>>>>> product.
>>>>>
>>>>> http://www.alba13.com/2014/10/free-its-just-costing-too-much.html?m=1
>>>>>
>>>>> As well as top community issues that are bubbling up not always
>>>>> addressed at the monthly board meetings.
>>>>>
>>>>> I submitted my recommendations for  several sessions for the community
>>>>> evolution aspect of the global event including these and by who... I hope
>>>>> some of these suggestions are incorporated and resonate with leaders to
>>>>> attend.
>>>>>
>>>>>  *#1 OWASP State of the Union (30)*
>>>>> * Paul CEO / Board of Directors
>>>>> - State of the Union address and kickoff - Annual report and YTD update
>>>>> - Mission, Metrics and Finances
>>>>> - kick off the event hand off to conference staffer (Laura) and
>>>>> conference chair (Michael)
>>>>>
>>>>> *AppSecUSA leader workshops *- join us for important updates,
>>>>> debate and collaboration for FUTURE and current leadership of OWASP
>>>>> members. If you want to unlock valuable information don't miss these (3)
>>>>> sessions
>>>>>
>>>>> ** record these sessions video and get them online for the world to
>>>>> see and listen to just like any other session.
>>>>>
>>>>>
>>>>> *How to start or grow a OWASP Chapter in your region (45 mins)*
>>>>> * Paul, Noreen, Kelly
>>>>> - metrics that matter
>>>>> - requirements defined 15 mins
>>>>> - tips from our chapter leaders (panel) 30 mins
>>>>> -- growing attendance
>>>>> -- vendor relationships/sponsors
>>>>> -- regional events
>>>>> -- how OWASP employees help
>>>>> -- money in/out other
>>>>> -- secrets to success
>>>>> -- WASPY awards
>>>>>
>>>>> *2016 services and resources for OWASP chapter and project leaders
>>>>> (45mins)*
>>>>> * Paul, Noreen, Claudia
>>>>> -- metrics that matter
>>>>> -- annual report review
>>>>> -- general membership
>>>>> -- projects
>>>>> -- chapters
>>>>> --WASPY awards
>>>>> -- what can we do better discussion
>>>>>
>>>>> *2016 + Summits Conferences Events (45 mins)*
>>>>> ** Laura, Noreen, Claudia, Kelly
>>>>> -- metrics that matter
>>>>> -- motivation why do it?
>>>>> -- the new definition(s), money splits etc.
>>>>> -- expectations and current policy
>>>>> -- resources (budgets, templates, process) review of successful and
>>>>> failure events
>>>>> -- WASPY awards
>>>>>
>>>>> The organization is in an interesting position for evolution.  With
>>>>> professional discussion and debate we can set the agenda moving forward
>>>>> with swift adjustments where needed by rough consensus.
>>>>>
>>>>> Tom Brennan
>>>>> 9732020122
>>>>>
>>>>> Need to book a meeting for a new or existing project?
>>>>> http://www.proactiverisk.com/book-meeting/
>>>>>
>>>>>
>>>>> On Aug 14, 2015, at 6:36 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>> Sorry if I gave the impression that this is urgent, it is not
>>>>>
>>>>> I'm just trying to raise a concern that was raised to me
>>>>> On 14 Aug 2015 10:36, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>
>>>>>> Dinis,
>>>>>>
>>>>>> Two points.
>>>>>>
>>>>>> 1) Mr Rook is on vacation. I do not agree with your sense of urgency.
>>>>>> We hired a full time staff, let's please use them first as opposed to heated
>>>>>> conversations over Twitter.
>>>>>>
>>>>>> 2) Dinis, I am just one of several board members. Please just email
>>>>>> the board list if you think this is a board level issue (as opposed to just
>>>>>> calling me out over Twitter, I am just one board member).
>>>>>>
>>>>>> So Dinis, I asked you politely to first talk to staff about this, and
>>>>>> if you did not find that satisfactory, then to email the board list so the
>>>>>> full board can weigh in.
>>>>>>
>>>>>> And I suggested these things to minimize stress and get more
>>>>>> leadership to look at this - as opposed to having a Twitter argument over
>>>>>> this.
>>>>>>
>>>>>> Dinis, I am trying to take the adult and calm path here. Please join
>>>>>> me in that pursuit.
>>>>>>
>>>>>> Aloha,
>>>>>> Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 8/13/15 10:04 PM, Dinis Cruz wrote:
>>>>>>
>>>>>> CCing owasp leaders list in order to get 'feedback' from the community
>>>>>>
>>>>>> And Jim come on, owasp is not a Fortune 100 company with high levels
>>>>>> of processes and bureaucracy, the problem is pretty obvious on the
>>>>>> https://twitter.com/davidrook/status/631699570603462656 thread (and
>>>>>> a couple other similar threads)
>>>>>>
>>>>>> This is a case of common sense.
>>>>>>
>>>>>> The focus of owasp needs to be on application security (for example
>>>>>> sharing knowledge), not in blindly following rules
>>>>>>
>>>>>> Yes we need to have rules in place to prevent abuse (in this case
>>>>>> vendor pitches), but if those rules start to affect high value owasp
>>>>>> contributors, then there is something wrong with the rules
>>>>>> On 13 Aug 2015 21:11, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>> > So what happens when the content is not from a 'vendor'
>>>>>>>
>>>>>>> Our guidelines do not differentiate that right now. So what Paul is
>>>>>>> doing is following the current policy that was created by input from a
>>>>>>> large number of people from our community.
>>>>>>>
>>>>>>> Dinis, if you think this needs to be changed then I believe your
>>>>>>> next step is to petition the board to change policy. Even better, before
>>>>>>> talking to the board, consider taking this conversation to the governance
>>>>>>> list and get feedback from those members of our community.
>>>>>>>
>>>>>>> Aloha,
>>>>>>> Jim
>>>>>>>
>>>>>>> On 8/13/15 9:42 AM, Dinis Cruz wrote:
>>>>>>>
>>>>>>> So what happens when the content is not from a 'vendor'?
>>>>>>>
>>>>>>> Which is David's case
>>>>>>> On 13 Aug 2015 20:26, "Paul Ritchie" <paul.ritchie at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi Dinis:    I wanted to follow up on your email from yesterday as
>>>>>>>> well as your posting of a "case" or customer service ticket #  06774.
>>>>>>>> Long answer.....explaining the OWASP position and our actions, and we have
>>>>>>>> communicated this a couple times to the community, but obviously need to do
>>>>>>>> more......
>>>>>>>>
>>>>>>>> *Big Issue* is our effort from the Foundation to "remind and
>>>>>>>> encourage" Chapter leaders to follow the Branding Guidelines, Code of
>>>>>>>> Ethics and Speaker Agreement as defined in the Chapter Leaders Handbook.
>>>>>>>>  The more support we can get from leaders like you and Jim and BoD, then
>>>>>>>> the less 'pushback' we will see from individuals who are uncomfortable
>>>>>>>> being reminded of the policy.
>>>>>>>>
>>>>>>>> 1.  We noticed the adherence to the policy was getting a little
>>>>>>>> weak, based on several examples where policy wasn't followed.  Examples
>>>>>>>> included leaders and past BoD members too.
>>>>>>>>
>>>>>>>> 2.  Once we pointed out the policy, several of the key leaders,
>>>>>>>> like Eoin & now David were "surprised" that we were serious, and actually
>>>>>>>> gave us some push back.
>>>>>>>>
>>>>>>>> 3.  Bottom line, I understand the pushback, but we really "must"
>>>>>>>> ask OWASP Leaders to follow the policy.
>>>>>>>>
>>>>>>>> 4.  As a Charitable, nonprofit organization,* we have an
>>>>>>>> obligation to follow our Code of Conduct* concerning vendor
>>>>>>>> neutrality and non-endorsement of commercial products or services.
>>>>>>>>
>>>>>>>> Our Code of Conduct policies are* well documented and were created
>>>>>>>> by our community*, to provide clarity as we grow globally.  They
>>>>>>>> apply to many areas including Trade organizations, Government bodies,
>>>>>>>> Standards groups and Certifying Bodies.
>>>>>>>>
>>>>>>>> https://www.owasp.org/index.php/OWASP_Codes_of_Conduct
>>>>>>>>
>>>>>>>> 5.  Also, For speakers at events AND at Chapter Meetings, the
>>>>>>>> Speakers agreement does apply, and it is noted in the Chapters Leaders
>>>>>>>> Handbook.
>>>>>>>>
>>>>>>>> Speakers Agreement
>>>>>>>> *CONTENT - Speakers are encouraged to include their contact
>>>>>>>> information when introducing themselves, but may NOT include their logo on
>>>>>>>> any visual and handout materials. Speakers are to avoid any appearance of
>>>>>>>> commercialism in their session and presentations are to be of a technical
>>>>>>>> or solutions emphasis. Further, I understand that the program tracks of the
>>>>>>>> conference/event/chapter are an educational event, not a sales or marketing
>>>>>>>> platform. I agree that my presentation(s) will be an objective review of
>>>>>>>> the topic on which I am presenting, and will not contain any content that
>>>>>>>> is a sales or promotional pitch for any specific product(s) or
>>>>>>>> company(ies). My materials will also be reflective of the current status of
>>>>>>>> the topic(s) I am addressing.*
>>>>>>>>
>>>>>>>> 6.  So, Net, net.   We are reaching out to a number of chapters
>>>>>>>> who have posted presentations to the OWASP wiki that appear to violate our
>>>>>>>> branding rules. All presentations given at chapter meetings or at
>>>>>>>> conferences when representing OWASP, and those posted to wiki pages must be
>>>>>>>> vendor neutral. This includes the content of the presentation as well as
>>>>>>>> the graphics used in the presentation layout.
>>>>>>>>
>>>>>>>> Any non-OWASP branded material, such as a speaker's corporate
>>>>>>>> logo, must be removed from the presentation. Exceptions may exist
>>>>>>>> such as when the context of a slide calls for a logo as an illustration.
>>>>>>>> And, we are happy to review anything that might be questionable.
>>>>>>>>
>>>>>>>> So, @Jim and @Dinis - Is there something we need to do to reach out
>>>>>>>> directly to any individuals like David Rook?
>>>>>>>>
>>>>>>>> Best Regards, Paul Ritchie
>>>>>>>> OWASP Executive Director
>>>>>>>> paul.ritchie at owasp.org
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> Global Board Member
>>>>>>> OWASP Foundation https://www.owasp.org
>>>>>>> Join me at AppSecUSA 2015!
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation https://www.owasp.org
>>>>>> Join me at AppSecUSA 2015!
>>>>>>
>>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>
>>>
>>> --
>>> Islam Azeddine Mennouchi
>>> Consultant at ITS
>>> http://www.infotoolssolutions.dz/
>>> OWASP ALGERIA Chapter Leader
>>> phone n°: +213658227651
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>