Hi folks, I note that Christian again brings me up as some sort of evidence against Aspect or someone or some company doing something I really don't understand or care about. I don't know why there is such a focus on this stuff and the past, but it's just absolute rubbish. Christian, please stop referring to me in your mails about OWASP. There's no conspiracy here when everything you posit is more easily explained by changes in personal lives (like my daughter being born, moving countries, marital situation associated with a health issue I'm not going to disclose on a public mailing list, personal interests changing, and when the personal itch to do something evaporates.) Folks come and go from all vibrant open source projects. That is expected and natural. What is not expected is that I would be brought up as some sort of evidence of I don't know what on a project I have nothing really to do with, but wish only the best for. I bet this noise is a distraction that the WAFEC contributors could easily do without. Jeff and Dave from Aspect contributed greatly to the formation and early years of OWASP, contributing many of their own materials that are the basis of what most of you consider to be OWASP materials as if these came unbidden from whole cloth. We all stand on the shoulders of giants, including one 6'7" tall giant. I consider them friends, and I had a great time living in the US whilst working for them. Does this make me biased? You betchya. Correlation is not causation. You can't hire secure coding ninjas without hiring someone who has a longish history with OWASP even if that history is not precisely with OWASP. Christian correctly points out that Trustwave has this exalted position right now because they've been hiring anyone with a pulse who can spell "code review", and guess what, they hired OWASP project leads and other ninjas, too. And accidentally a few zombies, because they forgot to take their pulse before doing reference checks on Linked In but not noticing their interest in brains along with a mandatory lolcats quota. It's not surprising that at least a few long term project leaders / contributors would be involved in committees or the board. Does this mean OWASP is a stooge to vested interests? No one bothered to send me the memo for sure. Not then, not now. The idea is ludicrous. I had to register as an honorary member three times just so I could vote. Organizations who can't keep a good record of project leads have no chance of being led successfully by an underground secret cabal. The very idea of a secret cabal leading OWASP (or this project!) makes me smile a big broad grin whilst feeling sad for those who think there is such a thing. Cat herding at its finest. If Mark Curphey couldn't do it three times, what chance has anyone else got? Seriously, firms are encouraged to make fees from performing services based off freely available OWASP materials. This is the services model that underpins the open source community. No one is forced to buy from you, and if someone else does a better job, then they get the work. Many DAST tools offer "OWASP Top 10" scans. Does anyone ping IBM or HP or ... or ... for making money off OWASP materials? No, of course not. Would I like to see IBM or HP offer to help WASC or OWASP more in terms of contributing people to projects like Aspect or Trustwave do? You betchya. People use open source licensed OWASP materials in a way that constantly surprises and amazes me. As a content creator who gives away his effort in the hope it will be used, there's no higher reward. Why the double standard for Aspect or Trustwave? I don't think it really matters. Those who contribute are feted and promoted as per every other open source project. I bet WASC is no different. I wish the WASC guys and the WAFEC effort all the very best. They do good work on an important topic, and those who do stuff ... win. I look forward to seeing it finished and widely adopted. Good luck folks! thanks, Andrew