[Owasp-leaders] OWASP Guidelines Questions

Bev Corwin bev.corwin at owasp.org
Fri Jan 30 16:32:54 UTC 2015


Thanks for the perspective, Seba. Very much appreciate them. However, in
that case, shouldn't we call it something different, perhaps something
like "participant neutral policy" instead of "vendor neutral policy"? I
agree that these organizations have marketing departments, too, but they
are not "vendors". OWASP's policies seem to be too "vendor" focused, IMHO.
Could we broaden the language to include all participants? Or possibly
create separate policies for each case? I personally believe that, due to US
law in particular, vendors have different legal issues than do other
non-profits, for example, so maybe we should seek some form of legal
advisement on this? The US framework would not permit a non-profit to
support a for-profit entity, or appear to do so. However, there is no
problem under US legal frameworks for for-profit entities to support
non-profits, etc.; the frameworks are different for different types of
organizations, etc. Guidelines would therefore also be expected to reflect
this, and to be different in different locales, as well, based on local
legal frameworks, for example.

Bev


On Fri, Jan 30, 2015 at 10:05 AM, Seba <seba at owasp.org> wrote:

> hi Bev,
>
> ah, now I understand your question (I think :-) )
> non profits, consortia, academic institutions, or agencies can indeed be
> commercial and "over sell" their solution / product.
> I think it is safe indeed to extend our vendor-neutral policy to a broader
> scope
>
> kind regards
>
> Seba
>
>
>
> On Fri Jan 30 2015 at 3:57:18 PM Bev Corwin <bev.corwin at owasp.org> wrote:
>
>> Thanks Noreen, Yes, something like that, and to add to that, what about
>> open source projects? Do we treat everyone like vendors? Or do we have a
>> way to include them as they are?
>>
>> On Fri, Jan 30, 2015 at 9:54 AM, Noreen Whysel <noreen.whysel at owasp.org>
>> wrote:
>>
>>> Seba, it was Bev who asked what if there are no vendors. I believe what
>>> she is asking is: are non-vendors supposed to refrain from promoting their
>>> cause, agency, etc. in presentations given at OWASP events? I.e., downplay
>>> or hide logos, services, etc.
>>>
>>> Noreen Whysel
>>> Community Manager
>>> OWASP Foundation
>>>
>>> On Jan 30, 2015, at 2:06 AM, Seba <seba at owasp.org> wrote:
>>>
>>> hi Jim,
>>>
>>> I was just wondering what Noreen means with "what if there are not any
>>> vendors".
>>> If there really were no vendors, OWASP would have to run on half its
>>> current budget, as the majority of the foundation income is from "corporate"
>>> (i.e. vendor) membership (directly and through conference sponsoring).
>>>
>>> Besides that most of the people on this list do work for a vendor or
>>> appsec service provider (including myself).
>>>
>>> For the rest I am well aware of our vendor neutrality, and I fully
>>> support it.
>>>
>>> kind regards
>>>
>>> Seba
>>>
>>> On Fri Jan 30 2015 at 7:28:40 AM Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> Seba,
>>>>
>>>> Vendor neutrality means we give no special treatment to any one
>>>> vendor.  Also, OWASP is vendor agnostic in that it does not endorse any
>>>> commercial product or service.
>>>>
>>>> Section 1.0.3 in the OWASP bylaws:
>>>>
>>>> INTEGRITY: OWASP is an honest and truthful, *vendor agnostic*,
>>>> global community
>>>>
>>>> Other phrases in OWASP's mission statements:
>>>>
>>>> "free from commercial pressures"
>>>>
>>>> "OWASP is not affiliated with any technology company"
>>>>
>>>> "All of our materials are under a free and open license"
>>>>
>>>> Chapter rules dictate "no vendor pitches" at chapter meetings.
>>>>
>>>> Our conference speaker agreements ban commercial/vendor talks.
>>>>
>>>> Thank you for following the spirit of our charity by focusing on free
>>>> and open application security material!
>>>>
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>>
>>>> On Jan 29, 2015, at 9:49 PM, Seba <seba at owasp.org> wrote:
>>>>
>>>> hi,
>>>>
>>>> not sure where this is leading to, but being vendor neutral does not
>>>> mean there are no vendors.
>>>> we cannot just ignore them, and - on a positive note - push them to be
>>>> part of the solution
>>>>
>>>> regards
>>>>
>>>> Seba
>>>>
>>>> On Fri Jan 30 2015 at 2:21:20 AM Bev Corwin <bev.corwin at owasp.org>
>>>> wrote:
>>>>
>>>>> Thanks Noreen,
>>>>>
>>>>> And... what if there are not any vendors - All are non profits,
>>>>> consortia, academic institutions, or agencies? Not a vendor in sight.
>>>>> Thoughts?
>>>>>
>>>>> Best wishes,
>>>>> Bev
>>>>>
>>>>>
>>>>> On Thu, Jan 29, 2015 at 4:47 PM, Noreen Whysel <
>>>>> noreen.whysel at owasp.org> wrote:
>>>>>
>>>>>> Hi Bev,
>>>>>>
>>>>>> Thanks for bringing this up. Guidelines review is something I am
>>>>>> working on right now.
>>>>>>
>>>>>> Just to clarify to those on the list, I spoke to Bev just now and she
>>>>>> is asking specifically about presentations at events, not the projects
>>>>>> themselves or the intended audience/users of OWASP tools.
>>>>>>
>>>>>> OWASP should be entirely vendor neutral and I believe the guidelines
>>>>>> reflect that, though I am only beginning my review and see places where
>>>>>> clarification would be helpful. We have presentation templates that can be
>>>>>> used for events in the Branding Resources section of the wiki. If there is
>>>>>> a concern that a presentation may not comply you can ask presenters to use
>>>>>> an OWASP template or you can always review presentations before the
>>>>>> date of the event.
>>>>>>
>>>>>> I certainly would like opinions, tips and tricks from everyone on
>>>>>> issues like this. How do you ensure vendor neutrality in projects and
>>>>>> meetings?
>>>>>>
>>>>>> Noreen Whysel
>>>>>> Community Manager
>>>>>> OWASP Foundation
>>>>>>
>>>>>> On Thu, Jan 29, 2015 at 3:52 PM, Bev Corwin <bev.corwin at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Dear OWASP Leaders,
>>>>>>>
>>>>>>> Are the OWASP guidelines intended to be the same for other non
>>>>>>> profit organizations? What about agencies? What about consortia? What about
>>>>>>> Open Source Projects?
>>>>>>>
>>>>>>> I notice somewhat of a "commercial" focus in the guidelines. Are
>>>>>>> they intended mostly for commercial entities? Thank you in advance.
>>>>>>>
>>>>>>> Best wishes,
>>>>>>> Bev
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>