[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Tin Zaw tin.zaw at owasp.org
Wed Dec 7 21:05:34 UTC 2011


As Mark pointed out, it is an issue with China. It is an issue because
they have a different culture and it is in a country where bureaucracy
and red tape are everywhere. But I can assure you that they -- people
behind this event -- really want to promote OWASP in China. You can
question their motives but their efforts and commitment are obvious.

We have a choice to be flexible and make it easier for them to promote
our mission, or we can stick to our rules and protect OWASP. I am sure
the board will give us direction.

On Wed, Dec 7, 2011 at 12:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
> Tin,
>
> This is how I also understand our relationship with one caveat.  I
> don't believe that there is a formal agreement between SecZone and
> OWASP for them to act as our representative.  Had this agreement been
> in place, we could have clearly defined how profit/loss would be
> shared for the event, as well as a bunch of other requirements that we
> impose on legal entities representing OWASP elsewhere in the world.
> This however is a larger question beyond this event, and is one the
> board has taken for action.
>
> There are a few points here:
> 1. In this case, it seems that the OWASP foundation should realize
> a $5,500 loss for this event (The fact that this was not spelled out
> beforehand is troubling)
> 2. We need to clarify and formalize our relationship with SecZone as
> it relates to OWASP in China (Board Action)
> 3. We need to better define and vet budgets and impose additional
> auditing requirements as event planning is in process
> 4. We need to be more diligent in determining the exact composition
> of the on-site planning team earlier in the process to identify
> potential issues earlier rather than ex post facto.
>
> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>> I am not sure if Mark's comments or understanding is in sync with what
>> conference organizers -- Rip, Ivy, Frank -- had told me.
>>
>> To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
>> the name used, as you can see in the photos here.
>> https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
>>
>> SecZone is listed as one of the supporters, just like Frank's company
>> and other supporters.
>>
>> OWASP does not have a legal entity in China and you need a legal
>> entity in China to do a conference like that. So SecZone (a registered
>> non-profit in China, that I was told) was used as a legal entity to
>> organize things for OWASP, on OWASP's behalf.
>>
>> On the bigger scope, OWASP China is "housed" inside SecZone. My
>> understanding is that this is not dissimilar to NASA JPL housed inside
>> Caltech.  SecZone/Caltech provides administrative support while the
>> housed organization carries out OWASP's/NASA's mission. The main
>> reason for this is that an organization in China needs to be a
>> registered legal entity with the government. (Let's not forget that
>> "Communist Party" still rules China). They also informed us that OWASP
>> is not the only organization housed inside SecZone. There are others
>> but OWASP is the major org supported by SecZone.
>>
>> I think it is correct to consider SecZone's and OWASP's budgets (for
>> conference and the chapter) separate. But we should understand the
>> nuances we face when we advance our mission in different cultural
>> contexts.
>>
>> On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>>>  GCC (at least I) was not aware that there was another organization
>>> involved until VERY late in the game (weeks before the event).
>>> Technically it should have been classified as a partner event, where a
>>> contract between our two organizations would have been signed (by the
>>> board) up front, clearly identifying these issues.
>>>
>>> In this case, this was presented as a 100% OWASP event when in reality
>>> it was not.  That's the root of the problem here and unlike LATAM the
>>> other organization is more "partner" than "contractor".
>>>
>>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>> I agree with capping the loss. I also think we should have some more strict
>>>> budget requirements for global appsec conferences, especially when we have
>>>> 3rd parties handling the money.  If Alison is the one making payments and
>>>> accepting money, we can check in with her at any point to find out the
>>>> status of an event; however, we don't have this visibility/transparency
>>>> right now with the 3rd parties.
>>>>
>>>> I think before we go forward with signing contracts for 2012 events
>>>> (especially in Latin America and AsiaPac where they have not run the money
>>>> through the Foundation), we should discuss and decide on  a policy for this.
>>>>
>>>> Sarah
>>>>
>>>>
>>>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>>>>>
>>>>> Matt,
>>>>> As treasurer what are your thoughts on limiting liability for losses at
>>>>> global conferences. My view is if we don't do this we are leaving the
>>>>> foundation exposed. Such a cap should be in a contract signed by the
>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
>>>>> position of unlimited liability??
>>>>> Anyone, thoughts??
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>>
>>>>> Alison -
>>>>> Can you look to see (or maybe you know off the top of your head) if
>>>>> we sent any down payment or money (other than the approx. $3222 sent
>>>>> recently to cover hotel costs) to China for this conference.  It probably
>>>>> would have been in late July or August of this year?
>>>>>
>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>>>>> want to make sure we have a full financial picture of what we have paid
>>>>> before anything is decided though.
>>>>>
>>>>> Thanks,
>>>>> Sarah
>>>>>
>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org>
>>>>> wrote:
>>>>>>
>>>>>> I believe some of the loss will be realized by each party
>>>>>>
>>>>>> -Mark
>>>>>>
>>>>>> Sent from my wireless device
>>>>>>
>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
>>>>>> agreement for the financials for this event?  I know that much of this has
>>>>>> come from Rip’s personal account.
>>>>>>
>>>>>>
>>>>>>
>>>>>> We need to clear this up before the end of the year.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Kate Hartmann
>>>>>>
>>>>>> Operations Director
>>>>>>
>>>>>> 301-275-9403
>>>>>>
>>>>>> www.owasp.org
>>>>>>
>>>>>> Skype:  Kate.hartmann1
>>>>>>
>>>>>>
>>>>>>
>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Global_conference_committee mailing list
>>>>>> Global_conference_committee at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Administrator for
>>>>> OWASP Global Conference Committee
>>>>> OWASP Global Chapter Committee
>>>>>
>>>>> Dir: 312-869-2779
>>>>> skype: sarah.baso
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Administrator for
>>>> OWASP Global Conference Committee
>>>> OWASP Global Chapter Committee
>>>>
>>>> Dir: 312-869-2779
>>>> skype: sarah.baso
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Mark Bristow
>>> (703) 596-5175
>>> mark.bristow at owasp.org
>>>
>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>> AppSec DC Organizer - https://www.appsecdc.org
>>
>>
>>
>> --
>> Tin Zaw, CISSP, CSSLP
>> Chapter Leader and President, OWASP Los Angeles Chapter
>> Chair, OWASP Global Chapter Committee
>> Google Voice: (213) 973-9295
>> LinkedIn: http://www.linkedin.com/in/tinzaw
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org



-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Chair, OWASP Global Chapter Committee
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw


