[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Sarah Baso sarah.baso at owasp.org
Wed Dec 7 21:03:45 UTC 2011


Sorry - I have attached.

On Wed, Dec 7, 2011 at 3:00 PM, Mark Bristow <mark.bristow at owasp.org> wrote:

> I can't read google docs from here.
>
> On Wed, Dec 7, 2011 at 3:59 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
> > Mark -
> > What about this agreement?
> >
> > https://docs.google.com/a/owasp.org/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNNmNlNmUyMzMtZmYzNC00NWU3LWIyNzgtNzRlMTdlZGMxMTBj&hl=en
> >
> > Sarah
> >
> >
> > On Wed, Dec 7, 2011 at 2:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >>
> >> Tin,
> >>
> >> This is how I also understand our relationship with one caveat.  I
> >> don't believe that there is a formal agreement between SecZone and
> >> OWASP for them to act as our representative.  Had this agreement been
> >> in place, we could have clearly defined how profit/loss would be
> >> shared for the event, as well as a bunch of other requirements that we
> >> impose on legal entities representing OWASP elsewhere in the world.
> >> This however is a larger question beyond this event, and is one the
> >> board has taken for action.
> >>
> >> There are a few points here:
> >> 1. In this case, it seems that the OWASP foundation should realize
> >> a $5,500 loss for this event (The fact that this was not spelled out
> >> beforehand is troubling)
> >> 2. We need to clarify and formalize our relationship with SecZone as
> >> it relates to OWASP in China (Board Action)
> >> 3. We need to better define and vet budgets and impose additional
> >> auditing requirements as event planning is in process
> >> 4. We need to be more diligent in determining the exact composition
> >> of the on-site planning team earlier in the process to identify
> >> potential issues earlier rather than ex post facto.
> >>
> >> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
> >> > I am not sure if Mark's comments or understanding is in sync with what
> >> > conference organizers -- Rip, Ivy, Frank -- had told me.
> >> >
> >> > To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
> >> > the name used, as you can see in the photos here.
> >> >
> >> >
> >> > https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
> >> >
> >> > SecZone is listed as one of the supporters, just like Frank's company
> >> > and other supporters.
> >> >
> >> > OWASP does not have a legal entity in China and you need a legal
> >> > entity in China to do a conference like that. So SecZone (a registered
> >> > non-profit in China, that I was told) was used as a legal entity to
> >> > organize things for OWASP, on OWASP's behalf.
> >> >
> >> > On the bigger scope, OWASP China is "housed" inside SecZone. My
> >> > understanding is that this is not dissimilar to NASA JPL housed inside
> >> > Caltech.  SecZone/Caltech provides administrative support while the
> >> > housed organization carries out OWASP's/NASA's mission. The main
> >> > reason for this is that an organization in China needs to be a
> >> > registered legal entity with the government. (Let's not forget that
> >> > "Communist Party" still rules China). They also informed us that OWASP
> >> > is not the only organization housed inside SecZone. There are others
> >> > but OWASP is the major org supported by SecZone.
> >> >
> >> > I think it is correct to consider SecZone's and OWASP's budgets (for
> >> > conference and the chapter) separate. But we should understand the
> >> > nuances we face when we advance our mission in different cultural
> >> > contexts.
> >> >
> >> > On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >> >> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
> >> >> GCC (at least I) was not aware that there was another organization
> >> >> involved until VERY late in the game (weeks before the event).
> >> >> Technically it should have been classified as a partner event, where a
> >> >> contract between our two organizations would have been signed (by the
> >> >> board) up front, clearly identifying these issues.
> >> >>
> >> >> In this case, this was presented as a 100% OWASP event when in reality
> >> >> it was not.  That's the root of the problem here and unlike LATAM the
> >> >> other organization is more "partner" than "contractor".
> >> >>
> >> >> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
> >> >>> I agree with capping the loss. I also think we should have some more strict
> >> >>> budget requirements for global appsec conferences, especially when we have
> >> >>> 3rd parties handling the money.  If Alison is the one making payments and
> >> >>> accepting money, we can check in with her at any point to find out the
> >> >>> status of an event; however, we don't have this visibility/transparency
> >> >>> right now with the 3rd parties.
> >> >>>
> >> >>> I think before we go forward with signing contracts for 2012 events
> >> >>> (especially in Latin America and AsiaPac where they have not run the money
> >> >>> through the Foundation), we should discuss and decide on a policy for this.
> >> >>>
> >> >>> Sarah
> >> >>>
> >> >>>
> >> >>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
> >> >>>>
> >> >>>> Matt,
> >> >>>> As treasurer what are your thoughts on limiting liability for losses at
> >> >>>> global conferences. My view is if we don't do this we are leaving the
> >> >>>> foundation exposed. Such a cap should be in a contract signed by the
> >> >>>> conference organisers?? It can be a % or a figure, but right now are we in a
> >> >>>> position of unlimited liability??
> >> >>>> Anyone, thoughts??
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
> >> >>>>
> >> >>>> Alison -
> >> >>>> Can you look to see (or maybe you know off the top of your head) if
> >> >>>> we sent any down payment or money (other than the approx. $3222 sent
> >> >>>> recently to cover hotel costs) to China for this conference.  It probably
> >> >>>> would have been in late July or August of this year?
> >> >>>>
> >> >>>> They are currently at a $16,166.22 loss, but Frank Fan's company
> >> >>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
> >> >>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
> >> >>>> want to make sure we have a full financial picture of what we have paid
> >> >>>> before anything is decided though.
> >> >>>>
> >> >>>> Thanks,
> >> >>>> Sarah
> >> >>>>
> >> >>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >> >>>>>
> >> >>>>> I believe some of the loss will be realized by each party
> >> >>>>>
> >> >>>>> -Mark
> >> >>>>>
> >> >>>>> Sent from my wireless device
> >> >>>>>
> >> >>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org> wrote:
> >> >>>>>
> >> >>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
> >> >>>>> foundation expected to reimburse SecZone for this loss?  What was the
> >> >>>>> agreement for the financials for this event?  I know that much of this has
> >> >>>>> come from Rip’s personal account.
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> We need to clear this up before the end of the year.
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> Kate Hartmann
> >> >>>>>
> >> >>>>> Operations Director
> >> >>>>>
> >> >>>>> 301-275-9403
> >> >>>>>
> >> >>>>> www.owasp.org
> >> >>>>>
> >> >>>>> Skype:  Kate.hartmann1
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
> >> >>>>>
> >> >>>>> _______________________________________________
> >> >>>>> Global_conference_committee mailing list
> >> >>>>> Global_conference_committee at lists.owasp.org
> >> >>>>>
> >> >>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
> >> >>>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> --
> >> >>>> Administrator for
> >> >>>> OWASP Global Conference Committee
> >> >>>> OWASP Global Chapter Committee
> >> >>>>
> >> >>>> Dir: 312-869-2779
> >> >>>> skype: sarah.baso
> >> >>>>
> >> >>>> _______________________________________________
> >> >>>> Owasp-board mailing list
> >> >>>> Owasp-board at lists.owasp.org
> >> >>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Administrator for
> >> >>> OWASP Global Conference Committee
> >> >>> OWASP Global Chapter Committee
> >> >>>
> >> >>> Dir: 312-869-2779
> >> >>> skype: sarah.baso
> >> >>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Mark Bristow
> >> >> (703) 596-5175
> >> >> mark.bristow at owasp.org
> >> >>
> >> >> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> >> >> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> >> >> AppSec DC Organizer - https://www.appsecdc.org
> >> >
> >> >
> >> >
> >> > --
> >> > Tin Zaw, CISSP, CSSLP
> >> > Chapter Leader and President, OWASP Los Angeles Chapter
> >> > Chair, OWASP Global Chapter Committee
> >> > Google Voice: (213) 973-9295
> >> > LinkedIn: http://www.linkedin.com/in/tinzaw
> >>
> >>
> >>
> >> --
> >> Mark Bristow
> >> (703) 596-5175
> >> mark.bristow at owasp.org
> >>
> >> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> >> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> >> AppSec DC Organizer - https://www.appsecdc.org
> >
> >
> >
> >
> > --
> > Administrator for
> > OWASP Global Conference Committee
> > OWASP Global Chapter Committee
> >
> > Dir: 312-869-2779
> > skype: sarah.baso
> >
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org
>



-- 
Administrator for
OWASP Global Conference Committee
OWASP Global Chapter Committee

Dir: 312-869-2779
skype: sarah.baso
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AppSec.China.agreement (1).pdf
Type: application/pdf
Size: 236394 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111207/d2ce231a/attachment-0002.pdf>

