[Owasp-leaders] Secure Code Warrior Ltd

Arthur Hedge ahedge at castleventures.com
Wed Jul 13 15:17:23 UTC 2016


In my opinion, letting vendors do a product pitch, whether they pay or not, is not in the spirit of OWASP. In the New York/NJ area in the US, vendors can sponsor events and have a table in the facility to show their products, but they are not presenting demos of their products to the group.

Arthur Hedge

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of johanna curiel curiel
Sent: Wednesday, July 13, 2016 10:55 AM
To: Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
Cc: owasp-leaders at lists.owasp.org; Serg B. <sergicles at gmail.com>
Subject: Re: [Owasp-leaders] Secure Code Warrior Ltd

>>I agree we must push OWASP project, docs, etc.

+Azzeddine

Our chapter meetings should focus on promoting what we produce and not vendor products. Now, if we charge them and the audience is clear what they will get into... (a sales pitch), then I think it is a win-win situation, for the chapters to get sponsors and fund activities and the vendor to do his marketing.

There ain't no such thing as a free lunch <https://en.wikipedia.org/wiki/There_ain%27t_no_such_thing_as_a_free_lunch>

On Wed, Jul 13, 2016 at 10:46 AM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
In all my talks and my professional projects I push ZAP because it is better or equivalent to Burp Pro (depending on the options).
I agree we must push OWASP project, docs, etc.
Azzeddine

On Wed, Jul 13, 2016 at 4:42 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>I agree but if the attendees during the talk ask questions about commercial or free and limited commercial products we must be able to answer.
So we must know the competition and their offers.

Answering related questions regarding commercial products, I would always begin a sentence "in my opinion..."

I might find Burp better than ZAP at reporting, but referring to it during a chapter presentation could be seen as endorsement.

I would say in that case

"In my opinion and based on my experience, I like Burp Pro version's reporting module and that's the reason I used it instead of ZAP.. bla bla.."

But I don't feel like an authority to provide accurate answers about vendors based on my opinion and experience, and I will make sure the audience is clear on this if they ask questions regarding comparison between products.

That is not our mission, peeps, and I would avoid any talks that compare products where you need to provide our opinion. In the end it is your opinion.

... coming back to the Security Warrior question raised by Mike, I would say that I think it is OK as long as they don't talk about how to do things with their platform; otherwise, we might start charging for these kinds of sneaky marketing pitches ;-)


On Wed, Jul 13, 2016 at 10:25 AM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
I agree but if the attendees during the talk ask questions about commercial or free and limited commercial products we must be able to answer.
So we must know the competition and their offers.
Azzeddine

On Wed, Jul 13, 2016 at 4:16 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>There is no open source version of Burp - this seems to be a common misconception. There is a _free_ version of Burp, but the source code is NOT available and therefore it is not open source.

Simon, thx for clarifying.

In that case Burp should be banned ;-P

Only ZAP allowed (hey, we must encourage our 'products' not the competitors, ehh... I mean our Open source projects) :D

On Wed, Jul 13, 2016 at 9:43 AM, psiinon <psiinon at gmail.com> wrote:

On Wed, Jul 13, 2016 at 3:35 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
Now, for example, Burp has 2 licenses. Imagine Burp wants to give a demo: I'm with it as long as it focuses on a security subject and they use the open source version (not fair to present 'how to do things' with the pro one, which costs USD300 a year).

There is no open source version of Burp - this seems to be a common misconception.
There is a _free_ version of Burp, but the source code is NOT available and therefore it is not open source.
Cheers,
Simon



--
Johanna Curiel
OWASP Volunteer

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders



--
Azzeddine RAMRAMI
+33 6 65 48 90 04
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor


