Wednesday, 30 January 2013

Why NDAs have no place at OWASP

I was looking for a place to link why it is such a bad idea for OWASP to consider or accept the idea of signing NDA's with 3rd parties, and since I couldn't find it on the OWASP Wiki, I'm reposting here what I wrote in June 2011:

I don't buy the argument that there is a ton of opportunities that OWASP is
missing because we don't have this 'save harbour' locations to talk.

The other key concept that you guys are missing is that the 'no
NDA everything is public' is actually the best way for *OWASP to control
OWASP* and to prevent the existence of 'pockets of knowledge' or 'groups
that know more than others' inside OWASP (just try to image how this would
work in practice and you will see how impractical this would be).

If we want to preserve our community and open spirit we need to have
an uncompromising Open environment.

I would also argue that a big problem in our industry (and software
development/apps in general) is the excessive use of NDA and lack of
information sharing. So if any thing, OWASP should be pushing the other
direction and be actively promoting dialog and 'conversations'

For example look at how we were able at the last OWASP Summit to get
directly competing companies to sit on the same table and talk 'openly'.
THAT is what we need to. Create the time and place, and the dialog with
OWASP will come.

You can read the rest of the threat at: No i will not sign your NDA but...

A good example of the mess created by providing 'secret data' to an OWASP leaders (with the promisse the it wont be disclosed) if what has happened with the OWASP Top 10 data. See this post: Stats used to support OWASP Top 10 entries (next version must publish them) for more details.