[Owasp-leaders] OWASP and Vendor Neutrality

Jim Manico jim.manico at owasp.org
Sat Jan 31 23:31:23 UTC 2015


Bev,

We *encourage* speakers to talk about open source solutions in our speakers
guidelines sent to you earlier, which I support. I don't think including
other open source organizations and projects under the vendor banner is
appropriate.

What other guidance are you looking for? Anyone may participate so long as
they help drive open source tools and open source content that is
application security centric. Here are the specific open source guidelines
for OWASP projects and documentation:
https://www.owasp.org/index.php/OWASP_Licenses

PS: WAF stands for Web Application Firewall and is a common term for both
open source and commercial web firewalls.

--
Jim Manico
@Manicode
(808) 652-3805

On Jan 31, 2015, at 1:49 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

Hi Jim,

I support any good source of funding for OWASP and do not have any problems
with legal funding sources. I think that I understand what you are saying.
By WAF, do you mean Web Application Framework? I think that my general
point is being missed, to some extent, about the guidelines being written
with "vendors" more in mind, rather than other types of organizations. I
think that OWASP does a better job than most organizations at "vendor
neutrality" as well as a good ethics framework, in general. The "vendor"
guidelines are good for "vendors". However, I'm not sure that they are
equally as good for other types of organizations, and I'm still working through
that concept a bit. Thanks for the explanations, they are useful and I
appreciate your time.

Best wishes,
Bev


On Sat, Jan 31, 2015 at 3:40 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Bev,
>
> I too want to see OWASP funded by non-commercial means. But right now we
> are heavily funded by vendors and that is not necessarily a bad thing. Keep
> in mind that vendor neutrality does not mean "do not work with vendors"; in
> fact, quite the contrary. It says that when you DO work with vendors, do so
> in a neutral way that does not give preference to any one vendor.
>
> On this note, we want to make sure that OWASP does not get entangled in
> commercial relationships that damage our commitment to vendor neutral,
> unbiased opinions about technical matters in application security. I feel
> we have pretty clear rules of play for vendors (which I am one of myself).
>
> So while we do NOT allow ANY speakers to give direct vendor pitches, many
> speakers talk about the technology they work on commercially in a neutral
> non-commercial way using an open deck that is open source (creative
> commons). For example, go ahead and talk about WAF technology, but don't
> talk about your specific product line. We never offer vendors a chance to
> speak on commercial products, even if they pay. This is all codified in
> our conference and speaker policy
> https://www.owasp.org/index.php/Speaker_Agreement . I have seen vendors
> give pitches at some chapter meetings, they do sneak in, but this is against
> OWASP chapter policy
> https://www.owasp.org/images/d/dc/OWASP_Chapter_Handbook_Ch_V2.pdf . I
> have also seen vendors tout their products at conferences as a speaker
> (they sneak in) and we have banned a few speakers for a limited time
> because of this.
>
> *The fact that our staff is expressing commitment to vendor neutrality
> while trying to tighten up those rules is very encouraging.* The fact
> that some are concerned about staff's work on vendor neutrality is very
> disconcerting to me as a board member with a fiduciary duty to protect the
> foundation.
>
> Bev, is this helpful?
>
> Aloha,
> Jim Manico
> OWASP Board Member
>
> On 1/30/15 5:35 PM, Bev Corwin wrote:
>
> Agreed, time for a Financial Endowment:
> https://en.wikipedia.org/wiki/Financial_endowment
>
> On Fri, Jan 30, 2015 at 8:06 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> A compelling argument to fund security non-profits from (of all places)
>> Forbes.
>>
>>
>> http://www.forbes.com/sites/frontline/2015/01/25/cybersecurity-non-profits-should-be-americas-secret-weapon-in-obamas-cyberwar-plan/
>>
>> If anyone has White House connections, can you please let them know that
>> a measly 10 mil would help us do a lot more to serve the mission of raising
>> application security awareness...
>>
>> Aloha and Happy TLS Excellence Friday,
>> Jim Manico