Industry:Minutes 2011-04-29

Roll Call
Global Industry Committee Call: April 29, 2011 at 18:00 UTC/GMT

Present:
 * Joe Bernik (Chair)
 * Sarah Baso (Secretary)
 * Rex Booth
 * Mauro Flores
 * Kate Hartmann
 * Lorna Alamri

Absent:
 * Georg Hess
 * Eoin Keary
 * Alexander Fry
 * Mateo Martinez
 * Colin Watson
 * David Campbell
 * Nishi Kumar

GIC Session at AppSec EU

 * How long should our session(s) be? 3 hours - with one for general GIC, one hour for NK's GIC outreach PPT, and one hour for RB's CISO survey?
 * RB - concerned that 3 hours is too long and too much time for attendees to be away from actual conference. Instead only 1 hour – 10 min intro, 20 min on survey, 20 min on ppt, 10 min wrap up/general GIC comments.
 * SB will send out invites to attendees (selected by GIC from conference registration list) to attend the GIC session 2-3 weeks before the event. Although there will be targeted invites, will not be a closed-door session.
 * RB to follow up with EK (and include NK) regarding how our GIC session would best fit into the AppSec EU conference plan.
 * RB will provide the GIC prior to session about his CISO survey: what information is he trying to elicit, some of the initial drafts of the question, are there things OWASP/GIC is not asking that we should be, are there things we should be aware of that we are not.
 * LA suggested that for AppSec USA, GIC have their session or track on the day before the conference

OWASP Awards
Board has asked each global committee to discuss, define their vetting criteria and gather a list of 3 committee nomination that deserve an OWASP award based on criteria you as the committee define -- to be given out at AppSec USA in Sept.


 * RB – awards should to active appsec people outside of OWASP
 * JB - we need to better define criteria and what award is. Theoretically, could be someone that made an impact in the application security space. Ex: CISO of large bank or software development space.
 * MF– award to people adopting OWASP material (non-members but helping OWASP enter the corporate space). This is a way to draw people into the organization. Heavily leveraging OWASP in their current role.
 * JB – NK at Fidelity? MM at Tata Consulting adopting OWASP standards for development life cycle and trainings?
 * Action itme: Send an email out to the leaders/board for suggestion. Maybe different awards for different industry sectors.
 * MF– one of the criteria should be how public the company's use of the OWASP tools/standards is. More points if says so on website, etc.
 * JB to get feedback on possibilities at financial services conference

Lucas Ferreira Letter to Brazilian Govt
Letter has been emailed to everyone for comment. No objections, only positive feedback. Can GIC as a whole support this letter?
 * Email for a vote – if no contention go forward
 * MF– talked to Lucas about what kind of supporthe is looking for. Basically, Lucas is concerned about problem with OWASP support if letter sent to government.

Committee Governance

 * Vote via email/doodle
 * Should not include rules on speaking on behalf of OWASP – this is for a larger organization document

OWASP Points System
GIC needs to come up with industry-related points for the OWASP Point's system - details and examples are on the project wiki page: https://www.owasp.org/index.php/OWASP_Points


 * JB and RB not in agreement with system and will follow up with Mark Bristow individually regarding their concerns.

Discussion re: what can GIC and OWASP offer as ROI to sponsors

 * Reduced rates at vendor areas at conference, reduced rate of conference attendance, printed versions of documentation put together
 * MF– OWASP community building a lot of stuff and this is free regardless of whether sponsor or not. However sponsors should realize this and chip in.
 * JB– companies are less likely to pay if no ROI, not necessarily altruistic-- more capitalistic (in private sector at least)
 * RB –we need business case for why a corporate sponsor… what other advantages, basis for other business. Maybe CISO survey will be an opportunity to model this.
 * LA– need to find out what would they find valuable. In her experience – licensing has been an issue.  Non-vendors are interested but not necessarily traditional returns such as booths.
 * JB– we need an incentive model that works… controversial, but maybe we should put together a rating scale for appsec tools… for commercial products from an application security or browsers. Published rating system assess – with defined criteria.  We are looking to better the market… empirical, objective analysis. Maybe a browser analysis.
 * Potential conflict with certification process.
 * MF – if you sponsor we can give you a presentation with a leader of x to speak with your people (video chat)
 * LA – build industry awareness… unknown tools… go out and inform companies.
 * Ask industry what tools they would find of value. Differentiation about what’s valuable from one vertical to another.
 * Post inquiry to leader's list?

Next Meeting
Friday, 13 May 2011 at 18:00 UTC/GMT
 * +1 877 534 8500 or International +1 513 534 8500
 * Passcode 410105 #