[Owasp-leaders] Secure Code Warrior Ltd

Vaibhav Gupta vaibhav.gupta at owasp.org
Wed Jul 13 06:09:57 UTC 2016


My two cents:

I attended 'Securing MEAN stack' training by SCW folks at OWASP AppSec EU.
IMHO, I did not find any vendor pitch, and they just used the tool to have
a small CTF type competition.

The trainer explicitly mentioned that attendees might use dummy emails to
register if they do not like to share their info with SCW.

As a caution, we need to make sure that these events do not have any vendor
related pitch, and we are just using the tool (like any other tool: Burp,
AppScan, etc) to supplement the intended idea of the session.

Thanks
Vaibhav

twitter.com/VaibhavGupta_1

On Wed, Jul 13, 2016 at 11:23 AM, Munir Njiru <munir.njiru at owasp.org> wrote:

> I would like to concur with Johanna on this. Look at it this way: OWASP
> is meant to serve the purpose of ensuring security; the people already
> subscribed are a lucrative niche for a vendor like Secure Code Warrior,
> them offering you a "freebie" is technically them getting "free marketing";
> think about how much they save on marketing cost. A boost to the chapter
> for the numbers gathered should be in order at a small fee and a portion of
> that can go to OWASP.
> Another way to look at it is package it as a membership option that the
> vendor needs to be a premium member at an annual fee and part of the perks
> would be "present x number of times such items as their product" in
> chapters local to them.
>
> Kind Regards,
>
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Project Site:
> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>
> On Wed, Jul 13, 2016 at 6:37 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> I think that we should also implement new policies such as if a vendor
>> wants to give a demo during a Chapter presentation, we should then charge a
>> fee that goes to the chapter.
>>
>> Example, Code Warrior wants to demo their product? That could be accepted
>> under another policy where they pay for the presentation (just as there are
>> booths selling products at the appsec conferences).
>>
>> Then it's clear to all coming to the talk that this is a vendor talk to
>> showcase their product during the talk.
>>
>> I have actually no problem with that as long as:
>> - Vendor pays a fee for presenting (they earn money and we are a
>> foundation that needs funds)
>> - It is clear to everyone coming that it is a demo of their products
>> - They get potential leads from the Talk/Pitch
>>
>> If people find this OK we could submit this to a vote to adapt the
>> 'vendor neutrality' policies
>>
>> On Tue, Jul 12, 2016 at 11:27 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Serge
>>>
>>> I might look strictly to the policy, but a vendor should not use OWASP
>>> chapters as a platform to sell their products by explaining 'how you can
>>> code secure using Code Warrior platform'. BTW not cheap (USD55/month for
>>> one developer)
>>>
>>> I get it, the platform aligns very well with our goals (such as how to
>>> code secure) but if the talk is about how you can use Code Warrior to learn
>>> code securely... well sorry that is a vendor pitch in my opinion.
>>>
>>> Now if the talk focuses to explain the methodologies used to code secure
>>> (without going into their platform) then I can see how that aligns without
>>> issues to our 'vendor neutrality' principles.
>>>
>>> Cheers
>>>
>>>
>>>
>>> On Tue, Jul 12, 2016 at 10:29 PM, Serg B. <sergicles at gmail.com> wrote:
>>>
>>>> Johanna, why? By the way, I don't know them and have no opinion about
>>>> them in any way, so I am interested... If it's a good tool and has no
>>>> equivalent, why wouldn't we expose people to it, if the chapter leaders
>>>> find it acceptable for our individual chapters. We give away books that are
>>>> otherwise sold for money, how is this different?
>>>>
>>>>
>>>> Cheers
>>>>     Serge
>>>>
>>>> On 13 Jul 2016 2:33 AM, "johanna curiel curiel" <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> >>Is there anything specific that we should take care before engaging
>>>>> with them?
>>>>>
>>>>> Their presentation should focus on coding secure but they should
>>>>> exclude using their platform in the presentation.
>>>>>
>>>>> On Tue, Jul 12, 2016 at 12:23 PM, Akash Mahajan <
>>>>> akash.mahajan at owasp.org> wrote:
>>>>>
>>>>>> Hi Folks,
>>>>>>
>>>>>> We have been in touch with them as well at Bangalore. It looks like a
>>>>>> good fit for the kind of audience we get in our meets.
>>>>>> Is there anything specific that we should take care before engaging
>>>>>> with them?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> On 12 July 2016 at 21:16, Sandeep Singh <sandeep.singh at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Mike,
>>>>>>>
>>>>>>> We were recently approached by Pieter Danhieux from Secure Code
>>>>>>> Warriors and he has offered to do a 3 hour secure coding workshop for OWASP
>>>>>>> Delhi on 30th July when he will be here in Delhi.
>>>>>>>
>>>>>>> Here is the abstract of the session he has sent to us.
>>>>>>>
>>>>>>> Do you think you can code securely? During this 3 hour workshop, the
>>>>>>> Secure Code Warrior team is going to brief you about the most common Web
>>>>>>> App weaknesses before letting you go nuts on the Secure Code Warrior
>>>>>>> platform. Whether you are a junior developer in JAVA Spring or C#
>>>>>>> MVC/WebForms, application security professional, RoR or Python geek, senior
>>>>>>> software engineer or penetration tester ... this platform will challenge
>>>>>>> your skills and provide you with an overview of your strengths and
>>>>>>> weaknesses in secure coding.
>>>>>>>
>>>>>>> As per our understanding it seems SCW is just a platform that they
>>>>>>> will be using for hosting the challenges and scoring purposes.
>>>>>>>
>>>>>>> thanks
>>>>>>> Sandeep
>>>>>>> @OWASPDelhi
>>>>>>>
>>>>>>> On Tue, Jul 12, 2016 at 9:05 PM, Serg B. <serg at owasp.org> wrote:
>>>>>>>
>>>>>>>> Mike, we haven't done any OWASP sessions with them specifically,
>>>>>>>> yet. I am actually catching up with them in professional capacity soon and
>>>>>>>> the other chapter co-lead (Julian) already has.
>>>>>>>>
>>>>>>>> We had a couple of vendors present. As far as I see it, nothing wrong
>>>>>>>> with that - as long as it is indeed a useful presentation and not a pitch,
>>>>>>>> I say go for it. As long as it's about technology or a product if it's
>>>>>>>> something really interesting, I don't see any issues with that, because
>>>>>>>> sometimes it's actually really hard to get exposure to some tools unless
>>>>>>>> you are in a well funded company. I think Codewarrior qualifies here, looks
>>>>>>>> very interesting and useful from what I hear (direct feedback from unbiased
>>>>>>>> user). We do however request full presentation deck well before the meeting
>>>>>>>> to make sure it is on topic and doesn't turn into a marketing pitch.
>>>>>>>>
>>>>>>>>
>>>>>>>> cheers
>>>>>>>>    Serge
>>>>>>>>
>>>>>>>> On Wed, Jul 13, 2016 at 1:24 AM, Mike Goodwin <
>>>>>>>> mike.goodwin at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Hello Chapter Leaders,
>>>>>>>>>
>>>>>>>>> I was approached by Secure Code Warrior Ltd who were offering to
>>>>>>>>> do a secure coding demo/challenge at our chapter meeting.
>>>>>>>>>
>>>>>>>>> Their website is:
>>>>>>>>>
>>>>>>>>> https://www.securecodewarrior.com/
>>>>>>>>>
>>>>>>>>> It sounded very interesting, but I was a bit concerned that it
>>>>>>>>> would not conform to our vendor neutrality, given their company's offering.
>>>>>>>>>
>>>>>>>>> They mentioned that they have already done sessions in Australia
>>>>>>>>> and India.
>>>>>>>>>
>>>>>>>>> @Aussie/Indian leaders: Have you had this company at your
>>>>>>>>> meetings? Was it OK from a vendor neutrality point of view?
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Mike Goodwin*
>>>>>>>>> OWASP Newcastle UK Chapter Leader
>>>>>>>>> <https://www.owasp.org/index.php/Newcastle>
>>>>>>>>> OWASP Threat Dragon Project Leader
>>>>>>>>> <https://github.com/mike-goodwin/owasp-threat-dragon>
>>>>>>>>> @theblacklabguy
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Serg
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Warm regards,
>>>>>> Akash Mahajan
>>>>>>
>>>>>> *That Web Application Security Guy* | +91 99 805 271 82
>>>>>> akashm.com | *@makash* on twitter | linkd.in/webappsecguy
>>>>>> *OWASP Bangalore Chapter Lead | null Community Manager*
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>>
>>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>>
>
>
>