Members Comments On OWASP membership

From OWASP
Revision as of 01:37, 24 December 2006 by Dinis.cruz (Talk | contribs)


This page contains the feedback I received when I sent my {pt title and link here} email, which you can find at the end of this page.

Members' responses to Dinis Cruz's email on OWASP Membership

"To cut the long short: It is not that expensive but it is hard to find too much added value."

....

"To be honest, $100/individual/year is too expensive! I pay $119/year for an IEEE membership, and get many tangible benefits (such as insurance group rates, etc) that OWASP can't (and IMO shouldn't) offer -- at near the same cost. Something like $25 or $35 per year would be far more appropriate (similar to SourceForge individual membership)."

....

"Has the steering council considered offering individual membership grades? And in particular, student memberships? I think that will be important for people enrolled in full-time academic programs, too."

....

"I'm replying to the list rather than posting this on the Wiki, as it's not a traditional means of promoting OWASP. If we were to develop a security standard for web applications, or call it a baseline or a benchmark, or best practice, or whatever, it would make a large impact on awareness as well. I know there have been some projects along this line, but hear me out on this one; I have some ideas to overcome previous obstacles.

I think having the ears of so many security managers who are on the lookout for just "what's required" is what we currently need. There has been growing awareness, although it's been painfully slow. I think the best thing to speed up the awareness at this point is to make OWASP relevant and important to these managers. It's unfortunate, but I see too many that, once they are aware of the seriousness of web application vulnerabilities, continue to do nothing or next to nothing about them. We need to address this! Part of it may be numbness and unbelief due to too much F.U.D. and B.S., but I think the other part is having to lean on regulation due to limited budget and even more limited expertise.

I understand we don't have any authority to make anything required, but there are plenty of organizations out there (like the PCI - Payment Card Industry) that would quickly adopt a Web App Security Standard for their organization or for their jurisdiction if we were to build it and make it practical. To get more volunteers, and possibly even some funding, we could team up with other organizations like the Center for Internet Security, SANS, and maybe others in this effort. I think it's shameful that security has to be promoted through requirements, but there's nothing I've seen that's been more effective in promoting what's right and what's good for businesses as well as customers, and the internet as a whole."

....

"I think "Is it because there is no perceived added value in joining in?" However, I am about to get my firm to join."

"Dinis - good luck with that, and if you need help just ask! Here are a few comments that I have heard over the last 2+ years working the XYZ chapter in growing awareness:

  1. If OWASP is a 501-3c non-profit, where is the end-of-year financial statement?
  2. If OWASP is a 501-3c non-profit, where are the non-conflicting board members, elections and votes on important issues?
  3. Suggestion: If there are local memberships to local chapters, then this is where OWASP should collect the fee from local membership based on the state. $100 annual membership for USA members with $25.00 remaining in the local chapter, and a similar concept depending on a GDP worldwide rate chart to be developed. When you kick this off, make sure it is for a 2-year membership to get the ball rolling, and OWASP must issue membership cards.
  4. OWASP as an organization might consider joining forces with other events such as Shmoocon (www.shmoocon.org), Blackhat (www.blackhat.com), etc. worldwide formally, and utilize existing events as global forums for OWASP awareness and business.
  5. Work with existing frameworks such as with Peter Herzog (http://www.isecom.org) to integrate the testing framework and testing guide.
  6. Work with existing colleges and universities for FREE places for chapters to have meetings; grow membership overnight with interested developers that are students who have time for research projects and to learn new techniques ;)
  7. Have local chapters open the doors a little and work WITH other groups such as the FBI/Infragard here in the USA, High Technology Crime Investigation Association (HTCIA), Forum for Incident Response and Security Teams (FIRST), local user groups (BSD, Linux, etc.) to raise awareness via good speakers and peer events to promote focus."
