Members Comments On OWASP membership

From OWASP
Revision as of 01:51, 24 December 2006 by Dinis.cruz (Talk | contribs)


This page contains the feedback I received when I sent my {pt title and link here} email, which you can find at the end of this page.

Members' responses to Dinis Cruz's email on OWASP Membership

"To cut the long short: It is not that expensive but it is hard to find too much added value."

....

"To be honest, $100/individual/year is too expensive! I pay $119/year for an IEEE membership, and get many tangible benefits (such as insurance group rates, etc) that OWASP can't (and IMO shouldn't) offer -- at near the same cost. Something like $25 or $35 per year would be far more appropriate (similar to SourceForge individual membership)."

....

"Has the steering council considered offering individual membership grades? And in particular, student memberships? I think that will be important for people enrolled in full-time academic programs, too."

....

"I'm replying to the list rather than posting this on the Wiki, as it's not a traditional means of promoting OWASP. If we were to develop a security standard for web applications, or call it a baseline or a benchmark, or best practice, or whatever, it would make a large impact on awareness as well. I know there have been some projects along this line, but hear me out on this one; I have some ideas to overcome previous obstacles.

I think having the ears of so many security managers who are on the lookout for just "what's required" is what we currently need. There has been growing awareness, although it's been painfully slow. I think the best thing to speed up the awareness at this point is to make OWASP relevant and important to these managers. It's unfortunate, but I see too many that, once they are aware of the seriousness of web application vulnerabilities, continue to do nothing or next to nothing about them. We need to address this! Part of it may be numbness and unbelief due to too much F.U.D. and B.S., but I think the other part is having to lean on regulation due to limited budget and even more limited expertise.

I understand we don't have any authority to make anything required, but there are plenty of organizations out there (like the PCI - Payment Card Industry) that would quickly adopt a Web App Security Standard for their organization or for their jurisdiction if we were to build it and make it practical. To get more volunteers, and possibly even some funding, we could team up with other organizations like the Center for Internet Security, SANS, and maybe others in this effort. I think it's shameful that security has to be promoted through requirements, but there's nothing I've seen that's been more effective in promoting what's right and what's good for businesses as well as customers, and the internet as a whole."

....

"I think "Is it because there is no perceived added value in joining in?". However, I am about to get my firm to join."

"Dinis - good luck with that and if you need help just ask! Here are a few comments that I have heard over the last 2+ years working the XYZ chapter in growing awareness:

  1. If OWASP is a 501-3c non-profit, where is the end of year financial statement?
  2. If OWASP is a 501-3c non-profit, where is the non-conflicting board members, elections and votes to important issues?
  3. Suggestion : If there are local memberships to local chapters, then this is where OWASP should collect the fee from local membership based on the state. $100 annual membership for USA members with $25.00 remaining in the local chapter and similar concept depending on GDP worldwide rate chart to be developed. When you kick this off, make sure it is for 2 year membership to get the ball rolling and OWASP must issue membership cards.
  4. OWASP as an organization might consider joining forces, formally, with other events such as Shmoocon (www.shmoocon.org), Blackhat (www.blackhat.com), etc. worldwide, and utilize existing events as global forums for OWASP awareness and business.
  5. Work with existing framework such as with Peter Herzog http://www.isecom.org to integrate testing framework and testing guide.
  6. Work with existing colleges and universities for FREE places for chapters to have meetings; grow membership overnight with interested developers that are students who have time for research projects and to learn new techniques ;)
  7. Have local chapters open the doors a little and work WITH other groups such as the FBI/Infragard here in the USA, High Technology Crime Investigation Association (HTCIA), Forum for Incident Response and Security Teams (FIRST), local user groups (BSD, Linux, etc.) to raise awareness via good speakers and peer events to promote focus."

"I'll ask some common folks what they think about membership. Personally, I didn't see the value and the company is very stingy that way. Also (a distant third), I need to know what the $$ are going for."

....

"One reason my own side-business has not joined OWASP is because, well, it is $3,000 and my side business is just that, a side business. It takes a while for $3,000 to be built up that I can spend towards membership. If you had one that was like $500 for small business (i.e. companies generating less than 30,000 annually) then I would jump on board ASAP. I will talk with my day time employer to see if they want to join. I know I can join as an individual but the only benefit I can see of that is helping OWASP and getting discounts on conferences, but the discount is less than $150 so..."

....

"your mail struck a chord

  • officially I cannot participate for various bureaucratic reasons, hence I am writing from my private, not the corporate, email.
  • I am impartial and came out of quality engineering to IT systems management and later security, thus
    • I am dismayed at the level of defects in the "legacy" products currently deployed
    • I am confused by the various competing groups setting up standards - OWASP, SANS, WASC, OSSTMM, OASIS, IEEE, IETF, ITU (Voip) etc... for the increasingly converging communications and information systems market
    • I feel that there are too few engineers, not to mention too many customers who do not want to pay higher prices for better products
    • these customers are right - security and quality should long term reduce the cost of product not increase it
  • I feel that you are basically on the right track - the cure to good web applications or indeed any applications is not in the defect detection and removal but in using the information about error frequency to improve the engineering standards (such as the Owasp guide) to prevent the errors from occurring - even when tired and inexperienced people are creating the system.

but please do not be offended if I do not join OWASP."
