[Owasp-leaders] Auditors Require Bank Security Folks to Attend OWASP Chapter Meetings

Rex Booth, OWASP rex.booth at owasp.org
Sat May 30 15:04:42 EDT 2009


Speaking as an auditor, this isn't going to happen.

1) I'm really surprised OWASP was specifically mentioned in any 
remediation recommendations. I suspect it may not have been, and the 
recommendation was more general (i.e. - have bank staff attend 
security-specific training and conferences).

2) While an audit firm may sponsor OWASP on their own accord, there's 
not a chance in hell they're going to tie their fees to the sponsorship. 
That's a pretty blatant violation of independence on behalf of the firm 
and could potentially get them into trouble.

3) Our attendance logs are already open and free.

All that said, I think we should track down who the auditors were if 
possible and strengthen our relationship with them. The more awareness, 
the better.

Rex



Marco M. Morana wrote:
> Checked with a trusted source: could have been either VISA auditors or 
> FEDs (e.g. OCC, SEC). Sorry, I could not be more precise.
> Maybe we should talk to VISA, OCC, SEC auditors and ask if a part of 
> the audit fine fees they collect from customers can be allocated 
> toward OWASP sponsorship.
> In return we can provide local chapter meeting attendance logs to the 
> auditors. I would think this will be fair.
> Regards
> Marco M
> OWASP Cincinnati Chapter Lead
>
>     ----- Original Message -----
>     *From:* Justin Clarke <mailto:justin.clarke at owasp.org>
>     *To:* owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>
>     *Sent:* Friday, May 29, 2009 6:20 AM
>     *Subject:* Re: [Owasp-leaders] Auditors Require Bank Security
>     Folks to Attend OWASP Chapter Meetings
>
>     I’d be interested who their auditors were as well...
>
>     Justin
>     OWASP Chapter Lead, London
>
>
>     On 29/05/2009 01:21, "Marco M. Morana" <marco.m.morana at gmail.com
>     <mailto:marco.m.morana at gmail.com>> wrote:
>
>         I thought it interesting to note what I heard today. A bank (no
>         names) had a bad security audit so one of the requirements was
>         for the security team to attend the OWASP local chapter meetings.
>
>         Regards
>
>         Marco M
>         OWASP Chapter Lead, Cincinnati
>
>         ------------------------------------------------------------------------
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders

