Difference between revisions of "Industry:Minutes 2011-04-29"

From OWASP
Previous revision

Agenda: Open GIC Action Items

Priority Items

  • Criteria and deliverables for those we are funding to attend AppSec EU (ex: agreement to host GIC session, take notes, report back to committee on information gathered)
  • OWASP Awards for AppSec USA - what and who?

General

These are not "tasked" to anyone but are open items from past meetings that we need to tackle as a committee asap.

  • Committee Governance Doc to a vote
  • Come up with industry-related points for the OWASP Points system - details and examples are on the project wiki page: https://www.owasp.org/index.php/OWASP_Points
  • Review (if have not already) Lucas Ferreira's Open Letter to Brazilian Government - so GIC can decide on whether we can endorse doc as a committee or not
  • Consider/come up with ideas what GIC or OWASP can offer as a ROI to potential corporate sponsors such as Google.

Joe Bernik

  • Where can we cut back on our budget?
  • Reach out to FS-ISAC regarding terms of engagement for membership agreement (and report back to GIC)
  • Follow up with Eoin re: availability and cost of rooms for GIC outreach session at AppSec EU -- he needs specifics on # of people, amount of time, what day and time, # of rooms, etc.
  • Need to establish goals we want to accomplish at AppSec EU. How many people, what sectors? DC and JB to put heads together and draw up a hit list of invites.

Nishi Kumar

  • Slide show for GIC outreach -- has been posted to GIC wiki page and she is currently seeking feedback from committee members

David Campbell

  • Need to establish goals we want to accomplish at AppSec EU. How many people, what sectors? DC and JB to put heads together and draw up a hit list of invites.

Rex Booth

  • Email GIC with GT annual survey results (example/model for GIC metrics collection?)
  • Send out Survey Project Plan to GIC in the next couple weeks.

Mauro Flores

  • Ongoing communication with AppSec SA - Brazil planners regarding industry outreach at conference

Mateo Martinez

  • Ongoing communication with AppSec SA - Brazil planners regarding industry outreach at conference

Eoin Keary

  • Approval and plan of action for moving forward with survey on survey monkey
  • Level of involvement in GIC outreach initiatives at AppSec EU in Dublin?

Colin Watson

  • Level of involvement in GIC outreach initiatives at AppSec EU in Dublin?

Lorna Alamri

  • ?

Sarah Baso

  • Create standard comprehensive list of industry verticals - draft done, what are we going to do with it now?
  • Create spreadsheet with industry verticals and people/emails listed for outreach in each vertical
  • Create list of non-traditional conferences to target for GIC outreach
  • GIC invites to AppSec EU --> need a list of who to send to and info on when session will occur and what topic(s) of discussion will be

Latest revision as of 22:25, 2 May 2011

Roll Call

Global Industry Committee Call: April 29, 2011 at 18:00 UTC/GMT

Present:

  • Joe Bernik (Chair)
  • Sarah Baso (Secretary)
  • Rex Booth
  • Mauro Flores
  • Kate Hartmann
  • Lorna Alamri


Absent:

  • Georg Hess
  • Eoin Keary
  • Alexander Fry
  • Mateo Martinez
  • Colin Watson
  • David Campbell
  • Nishi Kumar

Open GIC Action Items

GIC Session at AppSec EU

  • How long should our session(s) be? 3 hours - with one for general GIC, one hour for NK's GIC outreach PPT, and one hour for RB's CISO survey?
  • RB - concerned that 3 hours is too long and too much time for attendees to be away from actual conference. Instead only 1 hour – 10 min intro, 20 min on survey, 20 min on ppt, 10 min wrap up/general GIC comments.
  • SB will send out invites to attendees (selected by GIC from conference registration list) to attend the GIC session 2-3 weeks before the event. Although there will be targeted invites, will not be a closed-door session.
  • RB to follow up with EK (and include NK) regarding how our GIC session would best fit into the AppSec EU conference plan.
  • RB will provide the GIC prior to session about his CISO survey: what information is he trying to elicit, some of the initial drafts of the question, are there things OWASP/GIC is not asking that we should be, are there things we should be aware of that we are not.
  • LA suggested that for AppSec USA, GIC have their session or track on the day before the conference

OWASP Awards

Board has asked each global committee to discuss, define their vetting criteria and gather a list of 3 committee nominations that deserve an OWASP award based on criteria you as the committee define -- to be given out at AppSec USA in Sept.

  • RB – awards should go to active appsec people outside of OWASP
  • JB - we need to better define criteria and what award is. Theoretically, could be someone that made an impact in the application security space. Ex: CISO of large bank or software development space.
  • MF– award to people adopting OWASP material (non-members but helping OWASP enter the corporate space). This is a way to draw people into the organization. Heavily leveraging OWASP in their current role.
  • JB – NK at Fidelity? MM at Tata Consulting adopting OWASP standards for development life cycle and trainings?
  • Action item: Send an email out to the leaders/board for suggestions. Maybe different awards for different industry sectors.
  • MF– one of the criteria should be how public the company's use of the OWASP tools/standards is. More points if says so on website, etc.
  • JB to get feedback on possibilities at financial services conference

Lucas Ferreira Letter to Brazilian Govt

Letter has been emailed to everyone for comment. No objections, only positive feedback. Can GIC as a whole support this letter?

  • Email for a vote – if no contention go forward
  • MF– talked to Lucas about what kind of support he is looking for. Basically, Lucas is concerned about problems with OWASP support if the letter is sent to the government.


Committee Governance

  • Vote via email/doodle
  • Should not include rules on speaking on behalf of OWASP – this is for a larger organization document


OWASP Points System

GIC needs to come up with industry-related points for the OWASP Points system - details and examples are on the project wiki page: https://www.owasp.org/index.php/OWASP_Points

  • JB and RB not in agreement with system and will follow up with Mark Bristow individually regarding their concerns.


Discussion re: what can GIC and OWASP offer as ROI to sponsors

  • Reduced rates at vendor areas at conference, reduced rate of conference attendance, printed versions of documentation put together
  • MF– OWASP community building a lot of stuff and this is free regardless of whether sponsor or not. However sponsors should realize this and chip in.
  • JB– companies are less likely to pay if no ROI, not necessarily altruistic-- more capitalistic (in private sector at least)
  • RB –we need business case for why a corporate sponsor… what other advantages, basis for other business. Maybe CISO survey will be an opportunity to model this.
  • LA– need to find out what would they find valuable. In her experience – licensing has been an issue. Non-vendors are interested but not necessarily traditional returns such as booths.
  • JB– we need an incentive model that works… controversial, but maybe we should put together a rating scale for appsec tools… for commercial products from an application security or browsers. Published rating system assess – with defined criteria. We are looking to better the market… empirical, objective analysis. Maybe a browser analysis.
  • Potential conflict with certification process.
  • MF – if you sponsor we can give you a presentation with a leader of x to speak with your people (video chat)
  • LA – build industry awareness… unknown tools… go out and inform companies.
  • Ask industry what tools they would find of value. Differentiation about what’s valuable from one vertical to another.
  • Post inquiry to leader's list?


Next Meeting

Friday, 13 May 2011 at 18:00 UTC/GMT

  • +1 877 534 8500 or International +1 513 534 8500
  • Passcode 410105 #