[Owasp-leaders] OWASP and Vendor Neutrality

Bev Corwin bev.corwin at owasp.org
Sat Jan 31 21:49:23 UTC 2015

Hi Jim,

I support any good source of funding for OWASP and do not have any problems
with legal funding sources. I think that I understand what you are saying.
By WAF, do you mean Web Application Framework? I think that my general
point is being missed, to some extent, about the guidelines being written
with "vendors" more in mind, rather than other types of organizations. I
think that OWASP does a better job than most organizations at "vendor
neutrality" as well as a good ethics framework, in general. The "vendor"
guidelines are good for "vendors". However, I'm not sure that they are
equally as good for other types of organizations, and I'm still working through
that concept a bit. Thanks for the explanations; they are useful and I
appreciate your time.

Best wishes,

On Sat, Jan 31, 2015 at 3:40 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Bev,
> I too want to see OWASP funded by non-commercial means. But right now we
> are heavily funded by vendors and that is not necessarily a bad thing. Keep
> in mind that vendor neutrality does not mean "do not work with vendors" in
> fact, quite the contrary. It says that when you DO work with vendors, do so
> in a neutral way that does not give preference to any one vendor.
> On this note, we want to make sure that OWASP does not get entangled in
> commercial relationships that damage our commitment to vendor neutral,
> unbiased opinions about technical matters in application security. I feel
> we have pretty clear rules of play for vendors (which I am one of myself).
> So while we do NOT allow ANY speakers to give direct vendor pitches, many
> speakers talk about the technology they work on commercially in a neutral
> non-commercial way using an open deck that is open source (creative
> commons).  For example, go ahead and talk about WAF technology, but don't
> talk about your specific product line.  We never offer vendors a chance to
> speak on commercial products, even if they pay. This is all codified in
> our conference and speaker policy
> https://www.owasp.org/index.php/Speaker_Agreement . I have seen vendors
> give pitches at some chapter meetings, they do sneak in, but this is against
> OWASP chapter policy
> https://www.owasp.org/images/d/dc/OWASP_Chapter_Handbook_Ch_V2.pdf . I
> have also seen vendors tout their products at conferences as a speaker
> (they sneak in) and we have banned a few speakers for a limited time
> because of this.
> *The fact that our staff is expressing commitment to vendor neutrality
> while trying to tighten up those rules is very encouraging.* The fact
> that some are concerned about staff's work on vendor neutrality is very
> disconcerting to me as a board member with a fiduciary duty to protect the
> foundation.
> Bev, is this helpful?
> Aloha,
> Jim Manico
> OWASP Board Member
> On 1/30/15 5:35 PM, Bev Corwin wrote:
> Agreed, time for a Financial Endowment:
> https://en.wikipedia.org/wiki/Financial_endowment
> On Fri, Jan 30, 2015 at 8:06 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> A compelling argument to fund security non-profits from (of all places)
>> Forbes.
>> http://www.forbes.com/sites/frontline/2015/01/25/cybersecurity-non-profits-should-be-americas-secret-weapon-in-obamas-cyberwar-plan/
>> If anyone has White House connections, can you please let them know that
>> a measly 10 mil would help us do a lot more to serve the mission of raising
>> application security awareness...
>> Aloha and Happy TLS Excellence Friday,
>> Jim Manico
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
