[Owasp-board] FW: [Owasp-leaders] OWASP Asia

Dinis Cruz dinis at ddplus.net
Sun Aug 26 23:21:19 UTC 2007


Hi Justin (emailing you directly (with CC to Jeff, Dave and Andrew (the
OWASP board)))

Firstly I would like to personally thank you for your commitment and
willingness to make an effort to defend the OWASP principles.

Regarding the Taiwan/Wayne case, I agree with you that some lines seem to
have been crossed (for example on the email below, the comment '
...Fortify is our primary competitor so I'm not that keen on personally
inviting Brian...' is way out of line, and the other examples you mentioned
earlier), BUT and this is a big but, in cases like these, we will need the
'smoking gun' (i.e. a real proof of abuse). Note how Wayne followed his
comment on Fortify with '... but if his submission is accepted by the
reviewers of course I'll be fine with that...' which as long as the
reviewing process is independent, Wayne's comments are not as serious as
they might seem.

And in this case, the OWASP brand abuse will be visible (or not) at the
conference.

At the end of the day we are in some 'uncharted territory' here, since we
are talking about a major OWASP conference being organized by a non core
OWASP member (who might not fully understand what are the lines he should
not cross).

In situations like this, my instinct is to give the benefit of the doubt to
the accused and to see if the actions on the ground respect the OWASP
principles and brand usage guidelines.

But remember that we at the OWASP board will have no tolerance for glaring
abuses of the OWASP brand, especially for actions done under the OWASP name by
OWASP members.

And in cases of abuse, what matters is HOW we deal with the issue, versus
WHAT the issue was. Due to the de-centralized nature of OWASP there will
always be people crossing the line, which as long as they are non-malicious
and done in ethical ways, should be easy to solve.

What I would like to ask you is to keep a very close eye on what is going on
at this conference and let us know ASAP of issues we (OWASP board) should be
acting on.

Thanks again for your efforts, and let's continue together to make OWASP even
better.

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org



On 8/25/07, Justin Derry <JDerry at b-sec.com> wrote:
>
>  Dinis,
> the email I spoke about in the previous email ?? Weird statement.. Anyhow
> as you can say there is a small hidden agenda..
> Cheers
> Justin
> P.S there are a few missing emails in the trail if you want them all I can
> send them through.
>
> ------------------------------
> *From:* Wayne Huang [mailto:wayne at armorize.com]
> *Sent:* Tue 8/21/2007 11:28 AM
> *To:* Justin Derry
> *Subject:* RE: [Owasp-leaders] OWASP Asia
>
>  Hi Justin,
>
> I'm sorry to hear that you can't come! We'll put up an official call for
> papers and formally invite whoever has time to fly over. Actually we already
> have a good lineup with ppl committed and their tickets booked, so I think
> the conference should go okay.
>
> I'll keep you updated. Fortify is our primary competitor so I'm not that
> keen on personally inviting Brian, but if his submission is accepted by the
> reviewers of course I'll be fine with that.
>
> Wayne
>
> > -----Original Message-----
> > From: Justin Derry [mailto:JDerry at b-sec.com <JDerry at b-sec.com>]
> > Sent: Tuesday, August 21, 2007 8:03 AM
> > To: Wayne Huang
> > Subject: RE: [Owasp-leaders] OWASP Asia
> >
> > Hi Wayne,
> > Just FYI, One of the Researchers from Fortify Software (Brian or Jacob)
> will be
> > willing to come and speak. These guys are rated as excellent speakers
> and i
> > would recommend either of them.
> > Please contact Rich Lord (rlord at fortifysoftware.com) to discuss
> > dates/speaking topics etc.
> > Let me know how you go.
> > Cheers
> > Justin
> >
> > -----Original Message-----
> > From: Wayne Huang [mailto:wayne at armorize.com <wayne at armorize.com>]
> > Sent: Tuesday, 21 August 2007 8:50 AM
> > To: Justin Derry
> > Subject: RE: [Owasp-leaders] OWASP Asia
> >
> > Hi Justin,
> >
> > Have you received my previous email, and will you have time to come and
> > give a talk on the 27th? I hope to have as many fixed speakers as
> possible, and
> > also flights may be hard to book. Please let me know your thoughts,
> thanks!
> >
> > Wayne
> >
> > > -----Original Message-----
> > > From: Justin Derry [mailto:JDerry at b-sec.com <JDerry at b-sec.com>]
> > > Sent: Monday, August 20, 2007 9:11 AM
> > > To: Dave Wichers; Wayne Huang; Jinxpuppy; Daniel Cuthbert; Jeff
> Williams;
> > > seba at deleersnyder.eu
> > > Cc: Benson Wu
> > > Subject: RE: [Owasp-leaders] OWASP Asia
> > >
> > > Awesome.
> > > Wayne and I are discussing how i could be involved with the Taiwan
> > > conference.
> > >
> > > We are still looking at scheduling a conference for ASIA-Pacific in
> February
> > > 2008 (probably last week).
> > >
> > > In light of the numbers with Taiwan, what does everyone think about an
> > > ASIA-Pacific (AUS based) conference in February 2008 with maybe
> another
> > one
> > > later in the year in Taiwan or Singapore.
> > > There seems to be enough swell in the area to maybe support two and
> also
> > > this would allow people to not travel as much?
> > >
> > > Just a food for thought? I would like to lock a venue and date for the
> > February
> > > 2008 conference in shortly.
> > >
> > > Cheers
> > > Justin
>
> > >
> > > -----Original Message-----
> > > > From: Dave Wichers [mailto:dave.wichers at owasp.org]
> > > Sent: Monday, 20 August 2007 10:35 AM
> > > To: 'Wayne Huang'; Justin Derry; 'Jinxpuppy'; 'Daniel Cuthbert'; Jeff
> Williams;
> > > seba at deleersnyder.eu
> > > Cc: 'Benson Wu'
> > > Subject: RE: [Owasp-leaders] OWASP Asia
> > >
> > > I think this is great, and since it doesn't preclude another
> conference next
> > year,
> > > then no harm to those working on planning something else in the
> spring.
> > >
> > > We need to coordinate getting all the presentations to be hosted at
> OWASP
> > > after the conference is complete.  I'll also send you the OWASP
> conference
> > > presentation template as it would be nice if the presenters could use
> that
> > > template as well.
> > >
> > > -Dave
> > >
> > > -----Original Message-----
> > > From: Wayne Huang [mailto:wayne at armorize.com <wayne at armorize.com>]
> > > Sent: Sunday, August 19, 2007 6:36 AM
> > > To: Justin Derry; Jinxpuppy; Daniel Cuthbert; Dave Wichers; Jeff
> Williams;
> > > seba at deleersnyder.eu
> > > Cc: Benson Wu
> > > Subject: RE: [Owasp-leaders] OWASP Asia
> > >
> > > Hi Guys,
> > >
> > > Attached please find the recent two events where we introduced OWASP.
> > The
> > > first was a island wide tour repeated eight times, each time with
> 400-600
> > > participants around the island. It's an official government training
> session, as
> > > Benson and I were made responsible for the government's Web
> application
> > > security best practices recommendation, which we finished and released
> > > earlier. The training was organized by the government afterwards in
> > different
> > > cities around the island. The photo was taken from the first training
> in
> > > KaoHsung city, a city in southern Taiwan. We had more than 400
> > participants.
> > > The training was free of charge, but strictly limited to
> security-related
> > > professionals working for the Taiwan government. The one on stage is
> > Benson.
> > > Originally we prepared the OWASP intro section of the training using
> > OWASP's
> > > templates, but the government modified it to their template without
> > informing
> > > us, sigh.
> > >
> > > The second one is me giving my opening keynote for Hacks in Taiwan
> > (HITCon).
> > > HITCon is a paid conference and had 250 attendants this year. I also
> > introduced
> > > OWASP during my keynote.
> > >
> > > The OWASP Conference in Taiwan is scheduled to take place Sep 27th,
> we've
> > > already paid for the venue. Right now there are around 350 ppl
> registering
> > > without any advertisement, but I will send out mass emails to announce
> the
> > > conference once the program is set. The media here will also help to
> > promote
> > > the event so we are estimating an audience of 500 people. Actually
> that is
> > the
> > > limit of the venue.
> > >
> > > Taiwan has a dense population and a great security community. Because
> the
> > > island is small and with the highspeed rail it takes only 90 minutes
> from top
> > to
> > > bottom, if there is a good security conference you would expect a
> large
> > > audience. Another reason is, as Justin mentioned, Taiwan has not yet
> had a
> > > good security conference like OWASP, so everyone is looking forward to
> it,
> > > including not only the working professionals at governments and
> enterprises,
> > > but also the many security vendors here. Hichannel, Taiwan's largest
> Web
> > TV,
> > > has offered to endorse the event by live broadcasting the entire
> event, as
> > well
> > > as putting it in its archive so it can be played freely by anyone
> later.
> > >
> > > Since it looks like there will be no other possible OWASP Asia for
> this year, I
> > > would propose making this the official OWASP Asia Conference 2007. I'm
> > sure
> > > it would be good to host OWASP Asia next year in Australia or
> Singapore, but
> > > for this year maybe we can pilot run it in Taipei and see how it goes.
> Of
> > course
> > > Taiwan's security community would also really appreciate OWASP giving
> us
> > > the opportunity to host the Asia conference for this year, I'm sure
> everyone
> > > will be very excited.
> > >
> > > As for how much branding has gone to OWASP, I must say the Taiwan
> > Chapter
> > > has done a very good job. Since its establishment people here know
> OWASP
> > > much better, and we've been constantly publishing articles on OWASP,
> for
> > > example, with the release of the new OWASP Top 10, we had the article
> > > published in two of Taiwan's major security and IT magazines. As
> mentioned
> > > previously, we've also included OWASP into the government's standard
> > > recommendation for Web application security.
> > >
> > > So let me know what you think!
> > >
> > > Wayne
> > >
> > > > > The memberships on list are split between OZ/Asia. So honestly I don't
> > > > > know the best location, I would like to also hear from Daniel on this...
> > > >
> > > > > Australia currently hosts a few of the larger conferences (other than
> > > > > RSA) most Asian countries don't mind the trip down to OZ. We can also
> > > > > get cheap venues and we have a good visa program for the other
> > > > > countries (including NZ). Also the benefit is obviously if I am going
> > > > > to chair this thing then OZ is the better place. (I don't necessarily
> > > > > have to fill this role though but happy to help out and devote some
> > > > > business hrs time to it.)
> > > >
> > > > Someone also asked about helping out, I have hinted around today
> about
> > > > sponsorship and I know Microsoft will seriously consider it, (we
> know
> > > > the Senior Security guy here in OZ) and Fortify Software (with our
> > > > relationship) would pitch in also. So i think finding a serious
> > > > sponsor as such would not be an issue.
> > > >
> > > > In the other countries do we have anyone willing to put their hand
> up
> > > > to help find a conference facility/hotels etc. I will still assist
> > > > with the organisation etc, and Daniel may also help, just a little
> unsure
> > how
> > > much he is able to help?
> > > >
> > > > Cheers
> > > > Justin
> > > >
> > > > -----Original Message-----
> > > > From: Jinxpuppy [mailto:jinxpuppy at gmail.com <jinxpuppy at gmail.com>]
> > > > Sent: Wednesday, 8 August 2007 3:48 AM
> > > > To: Daniel Cuthbert; owasp-leaders-bounces at lists.owasp.org; Dave
> > > > Wichers
> > > > Cc: 'OWASP Leaders'; Justin Derry
> > > > Subject: Re: [Owasp-leaders] OWASP Asia
> > > >
> > > >
> > > > OWASP Bangkok ?
> > > >
> > > > Sent from my Verizon Wireless BlackBerry. To contact the sender,
> > > > please call 973-202-0122.
> > > >
> > > > -----Original Message-----
> > > > From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
> > > >
> > > > Date: Wed, 8 Aug 2007 00:46:05
> > > > To:Dave Wichers <dave.wichers at owasp.org> Cc:'OWASP Leaders'
> > > > <owasp-leaders at lists.owasp.org>,'Justin Derry'
> > > > <JDerry at b-sec.com>
> > > > Subject: Re: [Owasp-leaders] OWASP Asia
> > > >
> > > >
> > > > hey all,
> > > >
> > > >
> > > > Will reply to this, currently in Burma and net access is slow as
> > > > hell!! (oh and also really heavily monitored by the military)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 8 Aug 2007, at 00:37, Dave Wichers wrote:
> > > >
> > > >
> > > > I don't have time for a lengthy reply (I'm on vacation) but here are
> > > > some quick answers.
> > > >
> > > > > 1)      We always come out ahead on the conferences so far. They are
> > > > > not intended to make lots of money but a little bit ahead is nice for
> > > > > OWASP and I'm not too keen on going in the red on such an event.
> > > > 2)      If you need some up front money to reserve the venue, we can
> > > > cover those costs, as people start to register we usually quickly
> have
> > > > more money in than we spend and then the final bills come in and
> > > > hopefully we end up in the black. Holding training events and
> looking
> > > > for conference sponsors makes a big difference in coming out ahead.
> > > > 3)      As to your posting question, I'd suggest yes, but we can
> also
> > > > post it OWASP wide, I don't see a problem with that if they are only
> > > > done once in a while.
> > > >
> > > > Any chance you can find a large local company to sponsor the
> facility,
> > > > like eBay is doing for us in San Jose, CA?
> > > >
> > > > -Dave
> > > >
> > > >
> > > >
> > > > > From: Justin Derry [mailto:JDerry at b-sec.com]
> > > > Sent: Monday, August 06, 2007 7:50 PM
> > > > To: Andrew van der Stock; Daniel Cuthbert; Dave Wichers
> > > > Cc: OWASP Leaders
> > > > Subject: RE: OWASP Asia
> > > >
> > > > Hi Guys,
> > > > As you know i am keen to do something in this space (have been for a
> > while).
> > > > The one thing i would like to understand is costs and possible
> attendance.
> > > >
> > > > If we said set a date for February 2008 in OZ maybe? Or Singapore?
> > > >
> > > > A) is there a way we can work out costs? What has OWASP got in the
> bank?
> > > > And how have we come out of previous conferences?
> > > >
> > > > B) do we post to all the Asia based lists/chapters and see what we
> can
> > > > get in the way of interest?
> > > >
> > > > If we are going to host this in either OZ or Singapore then i would
> be
> > > > happy to put my hand up as conference chair and organise.? Though i
> > > > would like to understand the financial viability (or with OWASP
> being
> > > > not for profit) can we afford to spend dollars on this and if so how
> much?
> > i.e
> > > venue etc?
> > > >
> > > > Thoughts?
> > > > Regards
> > > > Justin
> > > > P.S I would be happy to aim for an ASIA OWASP Conference in February
> > > > 2008 as long as we start now...
> > > >
> > > >
> > > > > From: Andrew van der Stock [mailto:vanderaj at owasp.org]
> > > > Sent: Monday, 6 August 2007 5:48 PM
> > > > To: Daniel Cuthbert; Dave Wichers; Justin Derry
> > > > Cc: 'OWASP Leaders'
> > > > Subject: OWASP Asia
> > > >
> > > > Daniel,
> > > >
> > > > Can you please coordinate with Justin Derry (who is cc'd) on
> > > > organizing OWASP Asia. Justin, Jeff and I had a discussion at Black
> > > > Hat, and with Dave's blessing in a previous e-mail, we agree it
> could
> > > > be goer as long as locals in the region run it and take the load off
> > > > Dave. You will need a program committee to go over submissions and
> > > > review presentations and get the materials ready, and a conference
> > > > > chair to organize everything else including sponsors, dates, location,
> > > > > wireless Internet, and all sorts of other logistics. This is not a
> > > > small role and whoever has it will need to be there. We use a
> > > > conference web site to out task registrations, etc, but a location
> > > > will need to be found, booked (by Dave most likely), hotels found
> for
> > > > out of towners, and locals available on the days of the conference
> to
> > > > do onsite registration, speaker liaison, etc. If you are going to a
> location
> > > where English is not commonly spoken (say Korea or Japan), translation
> will
> > be
> > > necessary for most of the speakers unless they are local.
> > > >
> > > > There are two good conferences in Australia we could back on to:
> > > > Ruxcon – Sydney, generally held in October. Ruxcon is friendly
> towards
> > > > OWASP – I've presented there twice. The other is AusCERT in the
> earlier
> > > part of the year.
> > > > However, they are unfriendly towards most everyone and the location
> is
> > > > junket town (Gold Coast at Royal Pines Golf Course), which would
> > > > preclude many government and corporate attendees as managers don't
> > > > like approving travel to junket locations.
> > > >
> > > > Other conferences in the region:
> > > >
> > > > > Linux.conf.au – held in January / February in differing locations.
> > > > > Many open source junkies in town (usually includes the who's who of
> > > > > open source folks)
> > > > > RSA is in August in various countries (such as Thailand or Japan).
> > > > > Same problem as AusCERT – junket locations and very corporate audience
> > > > > HITBSecCon – Malaysia – October. Maybe too close to our agenda to want
> > > > > to collaborate. Getting very close to OWASP USA conference
> > > > > Syscan – Singapore – July. Seems aligned with our interests. Might be
> > > > > too close to Black Hat / Defcon.
> > > > > SAGE-AU - All over Australia (July – conflicts with BlackHat/Defcon)
> > > >
> > > > We don't need to back on to other conferences per se, but it might
> > > > help with speaker selection as they will be in the area anyway.
> > > >
> > > > My main concern is logistics. We have logos, banners, etc which
> travel
> > > > to each conference as needed. If we back on to another conference
> > > > during late April / May / late Oct / November, it will knock around
> > > > our ability to have the other two conferences without duplicating
> the
> > > > conference goodies locally in the region. I would prefer OWASP Asia
> to be
> > in
> > > January / February to avoid this.
> > > > However, for most of Asia Pacific, this is either the hottest part
> of
> > > > summer (temperate areas of Australia) or the monsoon season
> (extremely
> > > > ugly humidity, possible high winds, regular heavy rains most days)
> > > > everywhere near the equator (say north Australia, Indonesia,
> > > > Singapore, KL), and then coldest winter in Japan, Beijing, Seoul,
> and
> > > > the northern parts of India. January is also holidays for most of
> Australia,
> > so
> > > attendance might be a little on the light side.
> > > >
> > > > The other thing is visas. It would be best to choose countries which
> > > > have visa waiver programs for most of the planet. It's tricky to get
> > > > overseas folks to attend if they need to organize a visa at a
> consulate.
> > > >
> > > > Thoughts?
> > > >
> > > > Thanks,
> > > > Andrew
> > > >
> > > > _______________________________________________
> > > > OWASP-Leaders mailing list
> > > > OWASP-Leaders at lists.owasp.org
> > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > > >
>
>

