OWASP, our community, and vendors: a healthy and vendor neutral approach


Andrew van der Stock

Thursday, December 17, 2020

OWASP is vendor-neutral

OWASP is renowned for being vendor-neutral. It’s a key part of our four core values:

  • Open: Everything at OWASP is radically transparent, from our finances to our code.
  • Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
  • Global: Anyone around the world is encouraged to participate in the OWASP community.
  • Integrity: Our community is respectful, supportive, truthful, and vendor-neutral.

That doesn’t mean we are vendor hostile, no vendors allowed, no vendor germs, or anything like that. If you are interested in vendor neutrality, either as an OWASP community member or as a vendor, please read on.

Our community has historically had a rough relationship with vendors because the vendors’ and the community’s expectations were different and weren’t being met. As a community, we are absolutely every app sec vendor’s desired and qualified target market. Our community dislikes certain marketing and promotional behaviors, and things have often gone quite south from there.

Our community should expect that we will always be vendor-neutral, but this doesn’t mean no vendors and no advertising. Much of the Foundation’s financial support is from our corporate supporters, sponsors and members, and for that, we are forever grateful. Without their support, the Foundation would not be able to continue to thrive. Together, both vendors and the OWASP Community need a healthy working relationship if we want to see our mission, our projects, and our chapters excel. That means setting expectations for our community and vendors alike and staying true to that vision and expectations.

Learning Platform

Recently, as a member benefit, we announced the global availability of Secure Flag, which has an open source OWASP project and a commercial version. Secure Flag Ltd is hosting the full Enterprise version for OWASP members. Allowing a commercial product as a member benefit brought up some healthy discussion about OWASP’s prime directive on vendor neutrality. The way I see vendor neutrality is simple:

OWASP is vendor-neutral, which doesn’t mean no vendors; it means non-exclusive fair and reasonable terms for a level playing field for all vendors.

Any vendor who wishes to participate in the OWASP Learning Platform can easily do so. We will be continually adding to the Learning Platform and many other member benefits.

Vendor Neutrality and specific use cases

I will never sign an exclusive vendor contract or one that locks out other vendors. I encourage all open-source projects and vendors to work with us, especially if you’ve had a rough time in the past.

In the coming months, we will be working with the community to clarify rules around vendor captured projects and chapters. Vendor captured projects and chapters are clearly against our core mission. That doesn’t mean there is no role for vendors in projects or chapters. There absolutely is. Let’s go through some use cases.

Corporate supporters and sponsors

Suppose you are a corporate supporter or sponsor of an event. In that case, the OWASP community should be friendly, welcoming, and easy to deal with. I know this hasn’t always been true. Still, our community and vendors need to get along by having the same expectations regarding vendor neutrality and how our community engages with vendors. I encourage you to reach out to me or Kelly Santalucia if you have had issues in the past or think the OWASP Foundation is not being vendor-neutral. I’ve already had meetings with a few vendors, and I’m happy to take more.

One of the easiest ways to get involved with us is to become a corporate supporter. We have Corporate Supporter start-up pricing, regional pricing, and regular pricing, with monthly, quarterly, and annual payment options. It has never been easier to be a part of our community.

I will be starting a Corporate Advisory Committee shortly. I encourage our existing corporate supporters to form that committee to help OWASP improve our commercial relationships and value.

Please join here:

We also welcome bartering partnerships, and I want to recognize high-value bartering partners as full corporate sponsors. Please work with Kelly Santalucia about bartering to obtain your corporate supporter benefits.

Partnerships

I have signed several partnerships for the common good of OWASP and our members and community. Secure Flag is just one. I am actively pursuing partnerships as we go along. If you have a partnership offer for our members, please set up an appointment with me to discuss:

Speakers working for a vendor

If a chapter, event, or training requires a standard template to be used, please use it. I have approved exemptions to use our standard first and last slides, so there’s some continuity in thumbnails, and then left you to your own devices. Some folks have extensive slides, and reformatting them for just one event doesn’t make sense. Still, please work with us on templates to avoid issues with vendor pitches/marketing.

We strongly discourage marketing when speaking at our events. Our members are usually keen to have hands-on time with your product or service. It’s best to demonstrate your product or service in an online hands-on environment and take questions; don’t just talk at the audience. We will be experimenting with “lightning labs” throughout 2021 to see if we can make this a reality.

Doing the standard marketing pitch or spiel just doesn’t work, so please don’t do that. This is almost certainly the main reason our community gets a bad reputation for being vendor hostile. Still, it’s also incumbent on speakers spruiking a product or service to address our highly technical market a LOT differently than a typical marketing push.

Training providers

We will be running a lot of virtual training events in 2021. Once we go back to in-person events, these have historically been highly profitable for both OWASP and training providers. I want to work with training providers to address revenue splits if the training provider is doing all or most of the production. Still, we can also bring you many clients, so we need to work that out together.

If you are regularly giving commercial training that deals with OWASP topics in the title, please be aware that we have registered trademarks, and you should read the trademark section below.

Shared Member and back of house services

Shared services for members, such as Secure Flag, are designed to maximize member benefits and minimize costs to the Foundation. None of these shared services have an exclusive contract with us. I will never sign such a thing. If you are a vendor and want to offer our members your service, even if we have one very similar, we will work with you to get you into our learning platform. This goes doubly for our own projects. I would love to host a community SKF instance and any other of our leading projects or platforms that could be used by our members. Please contact Harold Blankenship or me for more details.

We use several shared services that help run OWASP, notably Google, GitHub, Meetup, Stripe, and Zoom. I have been eliminating duplicates for COVID funding purposes, which might seem anti-vendor neutral. We need to have platforms to do what we do. I am working on moving away from some of the more proprietary cloud services to open source alternatives. An example is looking into replacing Meetup, which is extremely expensive and highly restrictive. As an open-source community, we need to invest in all open-source communities, similar to my statement on SKF above. We need to live and breathe open source wherever we can. If you can assist with this, please contact Harold Blankenship.

Trademarks and fair use

OWASP® has several registered trademarks, and to keep them, we must enforce their fair use. Folks can always use the OWASP name to refer to us under fair use. We will be working with firms to become either a licensee of our trademarks or, preferably, to join as a corporate supporter when our marks become a regular commercial endeavor or line of business. Corporate Supporters will have a license to use OWASP® in their marketing materials and for commercial purposes for as long as they are members, provided they don’t imply that OWASP supports or warrants their product or service.

OWASP Projects and Chapters are not their own legal entities, but they are the primary lifeblood of OWASP. As such, any official OWASP project, chapter, event, committee, or meeting is always free to use our name. OWASP members are free to promote OWASP as they see fit. Still, if they are regularly using our trademarks for commercial purposes, they should become a corporate supporter.

We have not worked out the full details of the trademark licensing program as yet. I would love to have security consulting firms, large enterprises, and those using our marks for commercial training discuss how best to make this work for them and us. I am loath to become litigious over this. I like the Linux Foundation’s approach to their trademarks. Still, just like the Linux Foundation, Mozilla, and the GNOME Foundation, we also have to protect OWASP’s marks. I would prefer a consistent approach amongst many open source communities to this challenging topic.