[Owasp-leaders] Secure Code Warrior Ltd

johanna curiel curiel johanna.curiel at owasp.org
Wed Jul 13 13:35:05 UTC 2016


>>However, at least in our instance, in Melbourne, we invite a selected few
vendors (maybe once or twice per year) that we think are doing interesting
work in the field, to get everyone exposed to what's possible. I think
that's a good way to do it.

I'm with you on this Serg, I also kind of support some companies doing very
interesting products or research in our field, however, this could seem like
endorsement or favouritism from our side. Then you would need to argue for
your support and why this X vendor gets a free marketing pitch, which is a
form of endorsement, and we don't want to get into that as OWASP chapters.

We as chapter leaders should not let our opinions influence the selection
of vendors or companies.

Any vendor presenting, talking about or showcasing their product should pay a
fee. If they come to talk about research, excluding any products, then I'm
with it. All except open source projects, which are free of cost.
Now, for example, Burp has 2 licenses. Imagine Burp wants to give a demo; I'm
with it as long as it focuses on a security subject and they use the open
source version (not fair to present 'how to do things' with the Pro one,
which costs USD300 a year).

"In order to preserve OWASP’s non-profit status and open, non-commercial
principles it is important that no commercially-oriented “sales pitch”
talks are given at OWASP events, be it chapter meetings or conferences.
Such talks are not only against OWASP principles, they also blur the line
between OWASP and commercial entities, thus diluting the OWASP brand name
and agnostic status globally."

https://www.owasp.org/index.php/Chapter_Handbook/Chapter_2:_Mandatory_Chapter_Rules#Maintain_vendor_neutrality_.28act_independently.29

On Wed, Jul 13, 2016 at 9:01 AM, Serg B. <sergicles at gmail.com> wrote:

> Perhaps we could flip this on its head... If a vendor explicitly asks to
> do a talk or a presentation and it's about their product - I quite like
> Johanna's idea of a fee. It's a room packed with potential qualified leads.
> Absolutely support the idea of a fee. That said, we have knocked back all
> vendors trying to get a free marketing pass.
>
> However, at least in our instance, in Melbourne, we invite a selected few
> vendors (maybe once or twice per year) that we think are doing interesting
> work in the field, to get everyone exposed to what's possible. I think
> that's a good way to do it.
>
> :)
>
>
>
> On Wed, Jul 13, 2016 at 10:01 PM, Munir Njiru <munir.njiru at owasp.org>
> wrote:
>
>> :D True, OWASP has the market-ready people; they just need to create an
>> appetite in these people :D
>>
>> Munir Njenga,
>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>> Developer
>> Mob   (KE) +254 (0) 734960670
>>
>> =============================
>> Chapter Page: www.owasp.org/index.php/Kenya
>> Project Site:
>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>> Email: munir.njiru at owasp.org
>> Facebook: https://www.facebook.com/OWASP.Kenya
>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>
>>
>> On Wed, Jul 13, 2016 at 1:31 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>I did not find any vendor pitch, and they just used the tool to have a
>>> small CTF type competition.
>>>
>>> This is what I call smart marketing ;-).
>>>
>>> They don't need to tell me 'buy it', but having the opportunity to showcase
>>> it is good enough as a marketing strategy.
>>>
>>> Now a training in AppSec is a funding activity. In this case OWASP gets
>>> 60% and the trainer 40%.
>>>
>>>
>>>
>>> On Wed, Jul 13, 2016 at 2:09 AM, Vaibhav Gupta <vaibhav.gupta at owasp.org>
>>> wrote:
>>>
>>>> My two cents:
>>>>
>>>> I attended 'Securing MEAN stack' training by SCW folks at OWASP AppSec
>>>> EU. IMHO, I did not find any vendor pitch, and they just used the tool to
>>>> have a small CTF type competition.
>>>>
>>>> The trainer explicitly mentioned that attendees might use dummy emails
>>>> to register if they do not like to share their info with SCW.
>>>>
>>>> As a caution, we need to make sure that these events do not have any
>>>> vendor related pitch, and we are just using the tool (like any other tool:
>>>> Burp, AppScan, etc) to supplement the intended idea of the session.
>>>>
>>>> Thanks
>>>> Vaibhav
>>>>
>>>> twitter.com/VaibhavGupta_1
>>>>
>>>> On Wed, Jul 13, 2016 at 11:23 AM, Munir Njiru <munir.njiru at owasp.org>
>>>> wrote:
>>>>
>>>>> I would like to concur with Johanna on this; look at it this way.
>>>>> OWASP is meant to serve the purpose of ensuring security. The people already
>>>>> subscribed are a lucrative niche for a vendor like Secure Code Warrior, and
>>>>> them offering you a "freebie" is technically them getting "free marketing";
>>>>> think about how much they save on marketing cost. A boost to the chapter
>>>>> for the numbers gathered should be in order at a small fee, and a portion of
>>>>> that can go to OWASP.
>>>>> Another way to look at it is to package it as a membership option: the
>>>>> vendor needs to be a premium member at an annual fee, and part of the
>>>>> perks would be to "present x number of times such items as their product" in
>>>>> chapters local to them.
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> Munir Njenga,
>>>>>
>>>>>
>>>>> On Wed, Jul 13, 2016 at 6:37 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> I think that we should also implement new policies such as: if a
>>>>>> vendor wants to give a demo during a Chapter presentation, we should then
>>>>>> charge a fee that goes to the chapter.
>>>>>>
>>>>>> Example, Code Warrior wants to demo their product? That could be
>>>>>> accepted under another policy where they pay for the presentation (just as
>>>>>> there are booths selling products at the AppSec conferences).
>>>>>>
>>>>>> Then it's clear to all coming to the talk that this is a vendor talk
>>>>>> to showcase their product during the talk.
>>>>>>
>>>>>> I have actually no problem with that as long as:
>>>>>> -Vendor pays a fee for presenting (they earn money and we are a
>>>>>> foundation that needs funds)
>>>>>> -It is clear to everyone coming that it is a demo of their products
>>>>>> -They get potential leads from the Talk/Pitch
>>>>>>
>>>>>> If people find this OK we could submit this to a vote to adapt the
>>>>>> 'vendor neutrality' policies.
>>>>>>
>>>>>> On Tue, Jul 12, 2016 at 11:27 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Serge
>>>>>>>
>>>>>>> I might be looking strictly at the policy, but a vendor should not use
>>>>>>> OWASP chapters as a platform to sell their products by explaining 'how you
>>>>>>> can code securely using the Code Warrior platform'. BTW, not cheap (USD55/month
>>>>>>> for one developer).
>>>>>>>
>>>>>>> I get it, the platform aligns very well with our goals (such as how
>>>>>>> to code securely), but if the talk is about how you can use Code Warrior to
>>>>>>> learn to code securely... well, sorry, that is a vendor pitch in my opinion.
>>>>>>>
>>>>>>> Now if the talk focuses on explaining the methodologies used to code
>>>>>>> securely (without going into their platform) then I can see how that aligns
>>>>>>> without issues with our 'vendor neutrality' principles.
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 12, 2016 at 10:29 PM, Serg B. <sergicles at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Johanna, why? By the way, I don't know them and have no opinion
>>>>>>>> about them in any way, so I am interested... If it's a good tool and has no
>>>>>>>> equivalent, why wouldn't we expose people to it, if the chapter leaders
>>>>>>>> find it acceptable for our individual chapters? We give away books that are
>>>>>>>> otherwise sold for money, how is this different?
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>     Serge
>>>>>>>>
>>>>>>>> On 13 Jul 2016 2:33 AM, "johanna curiel curiel" <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> >>Is there anything specific that we should take care before
>>>>>>>>> engaging with them?
>>>>>>>>>
>>>>>>>>> Their presentation should focus on coding securely, but they
>>>>>>>>> should exclude using their platform in the presentation.
>>>>>>>>>
>>>>>>>>> On Tue, Jul 12, 2016 at 12:23 PM, Akash Mahajan <
>>>>>>>>> akash.mahajan at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Folks,
>>>>>>>>>>
>>>>>>>>>> We have been in touch with them as well at Bangalore. It looks
>>>>>>>>>> like a good fit for the kind of audience we get in our meets.
>>>>>>>>>> Is there anything specific that we should take care before
>>>>>>>>>> engaging with them?
>>>>>>>>>>
>>>>>>>>>> Thank you.
>>>>>>>>>>
>>>>>>>>>> On 12 July 2016 at 21:16, Sandeep Singh <sandeep.singh at owasp.org>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Mike,
>>>>>>>>>>>
>>>>>>>>>>> We were recently approached by Pieter Danhieux from Secure Code
>>>>>>>>>>> Warrior and he has offered to do a 3 hour secure coding workshop for OWASP
>>>>>>>>>>> Delhi on 30th July when he will be here in Delhi.
>>>>>>>>>>>
>>>>>>>>>>> Here is the abstract of the session he has sent to us.
>>>>>>>>>>>
>>>>>>>>>>> Do you think you can code securely? During this 3 hour workshop,
>>>>>>>>>>> the Secure Code Warrior team is going to brief you about the most common
>>>>>>>>>>> Web App weaknesses before letting you go nuts on the Secure Code Warrior
>>>>>>>>>>> platform. Whether you are a junior developer in JAVA Spring or C#
>>>>>>>>>>> MVC/WebForms, application security professional, RoR or Python geek, senior
>>>>>>>>>>> software engineer or penetration tester ... this platform will challenge
>>>>>>>>>>> your skills and provide you with an overview of your strengths and
>>>>>>>>>>> weaknesses in secure coding.
>>>>>>>>>>>
>>>>>>>>>>> As per our understanding it seems SCW is just a platform that
>>>>>>>>>>> they will be using for hosting the challenges and scoring purposes.
>>>>>>>>>>>
>>>>>>>>>>> thanks
>>>>>>>>>>> Sandeep
>>>>>>>>>>> @OWASPDelhi
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jul 12, 2016 at 9:05 PM, Serg B. <serg at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Mike, we haven't done any OWASP sessions with them
>>>>>>>>>>>> specifically, yet. I am actually catching up with them in a professional
>>>>>>>>>>>> capacity soon and the other chapter co-lead (Julian) already has.
>>>>>>>>>>>>
>>>>>>>>>>>> We had a couple of vendors present. As far as I see it, there is nothing
>>>>>>>>>>>> wrong with that - as long as it is indeed a useful presentation and not a
>>>>>>>>>>>> pitch, I say go for it. As long as it's about technology, or a product if
>>>>>>>>>>>> it's something really interesting, I don't see any issues with that,
>>>>>>>>>>>> because sometimes it's actually really hard to get exposure to some tools
>>>>>>>>>>>> unless you are in a well-funded company. I think Codewarrior qualifies
>>>>>>>>>>>> here; it looks very interesting and useful from what I hear (direct feedback
>>>>>>>>>>>> from an unbiased user). We do however request the full presentation deck well
>>>>>>>>>>>> before the meeting to make sure it is on topic and doesn't turn into a
>>>>>>>>>>>> marketing pitch.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> cheers
>>>>>>>>>>>>    Serge
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jul 13, 2016 at 1:24 AM, Mike Goodwin <
>>>>>>>>>>>> mike.goodwin at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Chapter Leaders,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I was approached by Secure Code Warrior Ltd who were offering
>>>>>>>>>>>>> to do a secure coding demo/challenge at our chapter meeting.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Their website is:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://www.securecodewarrior.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> It sounded very interesting, but I was a bit concerned that it
>>>>>>>>>>>>> would not conform to our vendor neutrality, given their company's offering.
>>>>>>>>>>>>>
>>>>>>>>>>>>> They mentioned that they have already done sessions in
>>>>>>>>>>>>> Australia and India.
>>>>>>>>>>>>>
>>>>>>>>>>>>> @Aussie/Indian leaders: Have you had this company at your
>>>>>>>>>>>>> meetings? Was it OK from a vendor neutrality point of view?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> *Mike Goodwin*
>>>>>>>>>>>>> OWASP Newcastle UK Chapter Leader
>>>>>>>>>>>>> <https://www.owasp.org/index.php/Newcastle>
>>>>>>>>>>>>> OWASP Threat Dragon Project Leader
>>>>>>>>>>>>> <https://github.com/mike-goodwin/owasp-threat-dragon>
>>>>>>>>>>>>> @theblacklabguy
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Serg
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Warm regards,
>>>>>>>>>> Akash Mahajan
>>>>>>>>>>
>>>>>>>>>> *That Web Application Security Guy* | +91 99 805 271 82
>>>>>>>>>> akashm.com | *@makash* on twitter | linkd.in/webappsecguy
>>>>>>>>>> *OWASP Bangalore Chapter Lead | null Community Manager*
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Johanna Curiel
>>>>>>>>> OWASP Volunteer
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>> OWASP Volunteer
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>
>
> --
> Cheers
>    Serg
>
>    Mobile: +61 401 533 999
>    Skype: sergbskype
>
>
>



-- 
Johanna Curiel
OWASP Volunteer