Members' Comments on OWASP Membership

This page contains the feedback I (Dinis Cruz) received following the "New Owasp Evangelist and OWASP membership" email (sent on 16 Dec 2006), which you can find at the end of this page.

This was very good feedback, and I will be working on a document to address the issues raised.

Members' responses to Dinis Cruz's email on OWASP membership
"There are two reasons that I haven't joined. First, as many people already pointed out, $100 is too much money for no return. Feeling good about helping OWASP isn't enough. Second, how exactly does OWASP spend the money? Perhaps there is a detailed report, but it isn't easy to find. If I'm going to donate money to a charity (i.e. no return), I want specifics about how the money is used. I'm not suggesting anything improper is happening, but I still want to know."

....

"To cut the long short: It is not that expensive but it is hard to find too much added value."

....

"To be honest, $100/individual/year is too expensive! I pay $119/year for an IEEE membership, and get many tangible benefits (such as insurance group rates, etc) that OWASP can't (and IMO shouldn't) offer -- at near the same cost. Something like $25 or $35 per year would be far more appropriate (similar to SourceForge individual membership)."

....

"Has the steering council considered offering individual membership grades? And in particular, student memberships? I think that will be important for people enrolled in full-time academic programs, too."

....

"I'm replying to the list rather than posting this on the Wiki, as it's not a traditional means of promoting OWASP. If we were to develop a security standard for web applications, or call it a baseline or a benchmark, or best practice, or whatever, it would make a large impact on awareness as well. I know there have been some projects along this line, but hear me out on this one, I have some ideas to overcome previous obstacles.

I think having the ears of so many security managers who are on the lookout for just "what's required" is what we currently need. There has been growing awareness, although it's been painfully slow. I think the best thing to speed up the awareness at this point is to make OWASP relevant and important to these managers. It's unfortunate, but I see too many that, once they are aware of the seriousness of web application vulnerabilities, continue to do nothing or next to nothing about them. We need to address this! Part of it may be numbness and unbelief due to too much F.U.D. and B.S., but I think the other part is having to lean on regulation due to limited budget and even more limited expertise.

I understand we don't have any authority to make anything required, but there are plenty of organizations out there (like the PCI - Payment Card Industry) that would quickly adopt a Web App Security Standard for their organization or for their jurisdiction if we were to build it and make it practical. To get more volunteers, and possibly even some funding, we could team up with other organizations like the Center for Internet Security, SANS, and maybe others in this effort. I think it's shameful that security has to be promoted through requirements, but there's nothing I've seen that's been more effective in promoting what's right and what's good for businesses as well as customers, and the internet as a whole."

....

"I think "Is it because there is no perceived added value in joining in?". However, I am about to get my firm to join."

"Dinis - good luck with that and if you need help just ask! Here are a few comments that I have heard over the last 2+ years working the XYZ chapter in growing awareness:

 * 1) If OWASP is a 501(c)(3) non-profit, where is the end-of-year financial statement?
 * 2) If OWASP is a 501(c)(3) non-profit, where are the non-conflicting board members, elections and votes on important issues?
 * 3) Suggestion: if there are local memberships to local chapters, then this is where OWASP should collect the fee, from local membership based on the state. $100 annual membership for USA members with $25.00 remaining in the local chapter, and a similar concept depending on a GDP-based worldwide rate chart to be developed. When you kick this off, make sure it is for a 2-year membership to get the ball rolling, and OWASP must issue membership cards.
 * 4) OWASP as an organization might consider joining forces with other events such as Shmoocon (www.shmoocon.org), Blackhat (www.blackhat.com) etc. worldwide, formally, and utilize existing events as global forums for OWASP awareness and business.
 * 5) Work with existing frameworks such as Peter Herzog's (http://www.isecom.org) to integrate the testing framework and testing guide.
 * 6) Work with existing colleges and universities for FREE places for chapters to have meetings; grow membership overnight with interested developers that are students who have time for research projects and to learn new techniques ;)
 * 7) Have local chapters open the doors a little and work WITH other groups such as the FBI/Infragard here in the USA, the High Technology Crime Investigation Association (HTCIA), the Forum for Incident Response and Security Teams (FIRST), local user groups (BSD, Linux, etc.) to raise awareness via good speakers and peer events to promote focus."

....

"I'll ask some common folks what they think about membership. Personally, I didn't see the value and the company is very stingy that way. Also (a distant third), I need to know what the $$ are going for."

....

"One reason my own side-business has not joined OWASP is because, well, it is $3,000 and my side business is just that, a side business. It takes a while for $3,000 to be built up that I can spend towards membership. If you had one that was like $500 for small business (i.e. companies generating less than 30,000 annually) then I would jump on board ASAP. I will talk with my day time employer to see if they want to join. I know I can join as an individual but the only benefit I can see of that is helping OWASP and getting discounts on conferences, but the discount is less than $150 so..."

....

"Your mail struck a chord:
 * officially I cannot participate for various bureaucratic reasons, hence I am writing from my private, not the corporate, email.
 * I am impartial and came out of quality engineering to IT systems management and later security, thus
 * I am dismayed at the level of defects in the "legacy" products currently deployed
 * I am confused by the various competing groups setting up standards - OWASP, SANS, WASC, OSSTMM, OASIS, IEEE, IETF, ITU (VoIP) etc. - for the increasingly converging communications and information systems market
 * I feel that there are too few engineers, not to mention too many customers who do not want to pay higher prices for better products
 * these customers are right - security and quality should in the long term reduce the cost of a product, not increase it
 * I feel that you are basically on the right track - the cure for good web applications, or indeed any applications, is not in the defect detection and removal but in using the information about error frequency to improve the engineering standards (such as the OWASP Guide) to prevent the errors from occurring - even when tired and inexperienced people are creating the system.

But please do not be offended if I do not join OWASP."

....

 * Is it because it is too expensive?
 * "It seems very expensive compared to the benefits I see. I joined this mailing list in order to see what kind of activity is going on. I have seen very little – maybe I am on the wrong list?"
 * Is it because there is no perceived added value in joining in?
 * "Most of what I have seen as far as white papers go can be obtained for free. I also don't have the feeling that the OWASP name and logo would be a great benefit to me – I don't think that there is a lot of name recognition. I also had hoped for regular local meetings, mostly to increase my number of contacts – I am pretty naïve about security stuff so far. I think that there has been only one meeting in the XYZ area, which I missed unfortunately."

....


"Personally I have not used any tool/material from OWASP. Nevertheless I know personally the founders of the XYZ chapter, so I largely know what OWASP is about. But when I forwarded an email regarding/promoting OWASP throughout the company I am currently working at (around 25 people, of which 20 are either technical IT people or IT consultants) only one person came back to me… this is where I largely based my answer the other time."

....

"My company is way too small to pay for any memberships into anything. But one of my clients is a 1300-employee insurance company and I would say that they fall under the no perceived value category. Unless you are a VAR and want to resell the OWASP tools, why would they join unless they just really wanted to participate? You don't want to start charging for the OWASP tools, so I don't know what OWASP can do to add value. It's a tough one but I'll ask them about it next time we talk."

....

"Some quick observations that I have noticed about OWASP.

 * 1) It is not really marketed that well, in as much as if you wish to raise the profile of an organisation that is aimed at application programmers rather than security professionals then you need to focus the marketing in that area. I only found out about OWASP from reading security-related forums; it would be better to raise awareness via other areas such as submitting relevant articles to Slashdot etc. I actually found out about OWASP from links on the AusCert website, not really somewhere that application developers would visit.
 * 2) The organisation as a whole focuses on application security, but reading between the lines, most activity on the mailing lists seems to be for "outside in" tools and technologies. By this I mean for every Honeycomb project there seem to be 5 other projects along the lines of external analysis / fuzzers. As an application developer I want to know about things that I can apply or that can help me on a day-to-day basis. Where for example is ANY tool that I can add to my build process that will automatically attempt some form of compliance testing (i.e. Clover-like analysis of source code) that would look for anything on this page: http://www.owasp.org/index.php/Category:Java. My point here is that not only should we focus on testing and scanning, but in reality the way to make things more secure is to also focus on doing things correctly in the first place.

Personally I feel this is the status quo due to the focus of the actual members. Most members seem to work for companies that are either security consultants or security tool vendors.

This underlying bias shows in the content; as an evangelist I hope that you can encourage some balance, after all there is little left to gain from yet another Fuzzer/PenTest/AppFirewall.

If you asked me what was useful, then as an application developer I would love to know what sort of techniques are being used to attack my live website, i.e. security logging, and also what I can do to assure that the security quality of my code is as high as it can be.

Kind regards,"

....

 * Is it because it is too expensive?
 * "I think it is not too expensive as such, although the reward of becoming an OWASP member is way too low."
 * Is it because it is too complicated to join in?
 * "No …. It took quite a while before I got the letter telling me I'd become an OWASP member, but the process to become one was straightforward."
 * Is it because there is no perceived added value in joining in?
 * "Totally correct …. Up to now I had no advantage from joining. I think a listing and contact details of all individual members as well as companies (this is the case already I think) would be very rewarding… it could serve as some kind of recognition and verification tool for customers and companies, and also as a way that people can verify that a member has the right to use OWASP material … this tool alone would surely have made me join OWASP as a member."
 * Is it because you haven't had the time in the past to join? (see https://www.owasp.org/index.php/Membership for more details)
 * "Nope"

....

"I need more information to provide to management on the value add for the cost of membership. Whenever I talk about this I get the 'what do we get in return' lecture. Note: mgmt likes slides."

....

"My answer to your question is simple - I didn't know there was a "join OWASP" beyond what we've done (show up to meetings and host them and get pressure to present at them :-). No one had ever mentioned it even as an option and whenever I've hit the OWASP Web site it's been for technical reasons and I never ran across anything there either.

I'd be happy to get my people to "join" given a basic understanding of how and what the benefits are. Also, a side note is that the OWASP meetings have some overlap with local ISSA chapters; it would be nice to have some mutually beneficial relations between the two for cross-promotion, as they are complementary.

Leveraging the mailing lists is a good idea; we get about one email a month on our list and it's about where the meeting is. This is the first OWASP-wide mailing I've ever received."

....

"XYZ is strongly considering OWASP membership. Not sure what the holdups are. It's one level above my paygrade. I don't know if you are in contact with XYZ, but he is the person here who is pushing for the membership. I've also suggested contributing some of our materials to OWASP...again, it's now in political debate. I like the reuse for chapter presentations. Maybe a single repository just for that purpose...so when we're out of material, we don't have to hunt through different chapters for something good...just look at the single repository. Of course this tool would need a feedback & rating system so the best, most re-usable presentations will be clearly evident. And, of course I'm not happy with the lack of top ten discussion and the way it was being handled in the past. Unless I was removed from the top ten list, I can't understand the lack of discussion."

....

"The mission of OWASP is at times confusing. OWASP is hard to pin down: do you provide a site for sharing information, creating security tools, do you have certification? What OWASP needs is a super-short and clear mission statement. I may have missed it, but that is part of the issue. We in tech security are SO overloaded with new hacks, viruses, methods, OSes, and languages, we don't have time to scratch. When a new organization that looks promising comes along, have a few capsules as to just what we get for our time spent in reading all this (the $100 is almost secondary)."

....

"I wanted to preface this email with: it's great to hear from someone high on the food chain looking out for general user consensus. To your questions though (short and sweet as I know your time is probably sliced pretty thin):

As a developer currently buffing up for a future switch to info-security, I have yet to attend an OWASP meeting (but in reality only found out about the chapters earlier this month). I say this because I don't see a large path like development that leads you to a goal, or at least to OWASP from other avenues. How to solve that is outside the scope of this email... plus I haven't the foggiest.

I don't feel the member dues are too harsh for an individual, and look forward to joining after attending January's meeting and validating my thoughts (XYZ Chapter).

I hope this helps, don't throw me under the bus, and I look forward to hearing from you again in the near future."

....

"Our company has joined OWASP and paid membership in the middle of this year, 2006. The main issue was to find the budget owner for XYZ."

....

"Anyway, the reason I'm sending this mail is that you wanted to know about why people do or do not become an OWASP member.

I don't know if my company is an OWASP member or not. The company is not listed on URL https://www.owasp.org/index.php/Membership#Current_OWASP_Members but I don't know if that list is complete.

As for me personally, I don't see any benefits for me. On one of our local chapter meetings, someone once described us (the people being there) as motivated professionals who devote their own time and effort to promoting development of more secure web applications. As such, I fail to see why I should have to pay for the privilege to participate in those efforts?

When I review the membership benefits that are mentioned on https://www.owasp.org/index.php/Membership then I must conclude that all benefits that might be of interest to me already apply to me right now:

 * "active voice in the development of OWASP Materials": what do you think we are discussing at chapter meetings?
 * the electronic notification: you mean OWASP will start holding publications for non-members (sort of like privileged subscriptions on security bulletins or the downloads for pay like the ISO documents)?
 * the right to brag about being an OWASP member: I fail to see the advantage in that (it's not like a certification that proves you have a basic understanding of the topic: anyone who pays gets this right)
 * collaboration: I think we got this one covered nicely with the mailing lists, web sites and regular email?
 * discounted fees: you want me to pay for discounts that my company will get?

Please don't get me wrong: I fully support the notion of corporate sponsoring through memberships, but, like I said, I do not want to pay extra in addition to sacrificing my personal time to the good cause. I don't think that the individual memberships, as they are offered today, are a good thing.

I hope I did not spoil your mood too much, but I think that the fact that I'm sending this message at all already indicates that I do care about OWASP, and that you will keep on trying to convert us into a flock of devout believers?"

....

"Your message about OWASP membership couldn't have come at a better time.

I'm the Technical Lead for XYZ's ABC product. I'm trying to help convince upper management that XYZ should join OWASP.

So far the reaction has been cool to the idea, with a request for more information as to what the business benefits would be.

So could you help sum up why you think XYZ should join? What could we really get out of membership? I read the "Benefits of Membership" on the web site and while they are all good things, their value is hard to judge."

....

"I would like to see more local events where knowledge can be collaboratively created and shared. Certainly the product of the local events can and should be aggregated up to the full membership body, and rarefied in the lists and best practices documented here. However, I would like to point to another Silicon Valley professional group whose model and value proposition I prefer: SDForum. They hold dozens of informational sessions locally and always offer 2 methods of attendance: free for members, pay $10-25 at the door for non-members. For very special keynote events, they charge members a nominal $10-25 and non-members the full $30-50. This puts the membership benefit in sharp relief, at every event. Of course, the underlying value proposition to both options is the quality of the events themselves. I find myself opting to subscribe to an annual membership when several of the speakers/events are compelling, and opting out when they seem superfluous. To this end, they publish a calendar of events well in advance. To be fair, they have been around for years, so they have the infrastructure and cash flow to manage all this. Finally, I would second the suggestion above that those who contribute time and energy should have a reduced or free membership to recognize their valuable contributions."

Email sent: "New Owasp Evangelist and OWASP membership"
(note: this is a variation of the email sent a couple of days earlier to the owasp-leaders mailing list; for reference, the owasp-leaders mailing list contains all OWASP project leaders and all local OWASP chapter leaders)

Hello, Dinis Cruz here from OWASP (some of you will know me from the OWASP .Net Project, from the OWASP Autumn of Code 2006 or from one of my presentations at an OWASP conference)

After much internal debate I decided to agree with Jeff's idea for my official OWASP title: Chief OWASP Evangelist.

I don't like the religious connotations of that title, but technology evangelism does have a somewhat different meaning, and looking at the other 'technical evangelists' out there (and in the past) I do feel that I am following the footsteps of giants :).

What I want to do with this first email is to say Hi, and to offer my services to you as a point of contact for OWASP related activities. One of my main objectives is to maximize the potential of OWASP and its community, so anything that I can do to help, just let me know.

I also want ALL of you and your companies to become OWASP members.

OWASP membership numbers are still ridiculously low, and I want to know why!


 * Is it because it is too expensive?
 * Is it because it is too complicated to join in?
 * Is it because there is no perceived added value in joining in?
 * Is it because you haven't had the time in the past to join? (see https://www.owasp.org/index.php/Membership for more details)

Please let me know why you and your company haven't joined as OWASP members (and for the ones that have joined, let me know why you joined).

A couple other objectives for me:


 * Promote OWASP to OWASP (the reality is that most of us have no idea of what projects there are at OWASP and what they have already created / delivered (see for example the list of current projects https://www.owasp.org/index.php/Category:OWASP_Project))
 * Promote collaboration and integration between OWASP projects (there are tons of potential synergies between OWASP projects out there)
 * Promote OWASP to the world, and let them know the great stuff that we are doing
 * Work with the OWASP chapters, so that what happens locally is exposed to the rest of us (I also would like to see collaboration between chapters, and the re-use of their materials)
 * Review the current OWASP tools and content and work with its creators to make it even better
 * Follow the final stages of the "OWASP Autumn of Code" sponsorships https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Selection and start working on the OWASP Spring of Code :)

I will also increase the number of emails sent to the owasp-leaders list and to the owasp-all list, so let me know when the volume is too high :)

And remember, I am here to help. If I don't respond to your email in a couple days, just keep resending it until you get an answer (my inbox sometimes behaves like a black hole: "the email goes in and never returns" :) )

Talk to you soon,