[Owasp-board] Fwd: With Regret

Kate Hartmann kate.hartmann at owasp.org
Mon Oct 6 22:20:51 UTC 2008

Minnesota is running through Cvent.  I was also contacted by the Denver
chapter to help with their upcoming conference in March.  


Kate Hartmann

OWASP Operations Director

9175 Guilford Road

Suite 300

Columbia, MD  21046


301-575-0189 (office)

301-275-9403 (mobile)

kate.hartmann at owasp.org 


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Monday, October 06, 2008 4:14 PM
To: 'Seba'; 'OWASP Foundation Board List'
Subject: Re: [Owasp-board] Fwd: With Regret


They ran their own finances last year, but I think the event was free.


India ran their own finances and charged a fee. They provided their
financial data to Alison for analysis.


OWASP Israel also handles their own finances and they are run by Ofer
through his company (I believe).


So there is certainly precedent for doing it yourself. I think OWASP
Minnesota and OWASP Denver mini conferences are also self managed with
regard to their funding.


The domain registrars show that owasp.tw is actually available but I did see
their site once,  but frequently I get that it can't be resolved. I had
thought that they had provided the domain info to Larry so he could take it
over, but I might have confused that with the www.webgoat.org domain that
SPI bought and handed over to OWASP at one point.




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Seba
Sent: Monday, October 06, 2008 7:24 AM
To: OWASP Foundation Board List
Subject: [Owasp-board] Fwd: With Regret




Check out


The usage of a separate owasp.tw domain is indeed disturbing!

Do we have proof the domain is transferred to OWASP ?


They are charging a registration fee: is this under control of the OWASP
Foundation ?





---------- Forwarded message ----------
From: jderry jderry <jderry at owasp.org>
Date: Mon, Oct 6, 2008 at 12:57 PM
Subject: With Regret
To: dinis cruz <dinis.cruz at owasp.org>, Dave Wichers
<dave.wichers at owasp.org>, Tom Brennan <tomb at owasp.org>, jeff williams
<jeff.williams at owasp.org>, seba seba <seba at owasp.org>

Hi Everyone,

So I am sure I am on the tip of everyone's tongue (probably not for good
reasons) in regards to the movements in Asia Pacific. Anyhow I have been
discussing numerous events with Tom and have recently engaged with Wayne
(Taiwan Chapter) to help out with the so called ASIA event.

Anyhow in the past 48 hours I have communicated numerous emails with Wayne
(I have included the emails below) suggesting things for the event and
offering to help out with any planning etc. Wayne has refused any assistance
(as you can read below). I am left with no alternative but to remove myself
from most OWASP activities effective immediately. It's really unfortunate,
but I do not believe in the OWASP way of things anymore, i.e. I have lost
complete faith. There are many like me, and there are a lot of people that I
am associated with across the world that I have spoken with about what's
been going on and I have also been collecting advice from these people
(mostly OWASP project/chapter leaders). I think some of them may vent a
little over the coming weeks to the OWASP board or leaders list so apologies
but I am not the only one feeling this way.

I suppose if anything my concerns relate specifically to governance but more
to complete inaction by the board. More than likely because they do not
share my view of things (which is fine everyone is entitled to their

OWASP is a not-for-profit organization and most activities undertaken by
people are done so on their own time. (Like myself and the amount of effort
I have put into the region these days and the past 4-5 years). These people
work on the concept of everyone doing the right thing and putting effort in
to help the cause, not helping themselves. It should be the role of the
OWASP board to ensure that a collective and open non vendor and non
self/business promotion approach is taken by all members, unfortunately it's
my belief the board has fallen way short of this.

The core of the problem is in the APAC region where I have invested a lot of
personal time and actually even business time lately. I struggle with
everything when I see people within the OWASP using the organization for
complete self/business promotion. Why should I invest time and effort into
an organization that will allow this to continue?

So let's get to the core of my problem. OWASP ASIA and Wayne. Sorry guys, but
he is doing this for self/business promotion!.. Here's the reason why.....

1)      This is not a regional event, he has not contacted any chapter
leader other than those contacting him (I know Japan & China and all of AU
have not been involved) why - I have met each one of these in the past week.
None know about this conference.

2)      No Call for Papers, yep, he handpicked the people he wanted to talk.
There are 3 people that work for Armorize presenting. Funny do some research,
the speakers at the conference have been speaking at every conference Wayne
has been associated with since 2005. The same names pop up every time....

3)      Refuses categorically (after 3 separate emails) to take me up on my
offer for help (see emails below) even though I would change coffee cups to
help out... (he doesn't want me around)

4)      He is taking funds on behalf of OWASP without being OWASP. Sorry but
I believe this is the biggest thing you SHOULDN'T DO. Where's the

5)      Advertising? How is he inviting people to this conference? It hasn't
gone to the everyone list as a CFP/Event notification, nor has it officially
gone to anyone in AU apart from Taiwan. Actually I looked at the Taiwan
mailing list through OWASP and can't see anything, but it's possible he is
using something associated with the owasp.org.tw domain name he still
controls and uses.

6)      Self promotion, he gets the people there because he invites them
from Taiwan Government on behalf of Armorize (it's the only way people in
Taiwan and some countries will attend a "vendor" type session). I am more
than happy to give you the name of the GM I know in the Defence department
that categorically told me the invite last year and this year is from
Armorize and that Wayne is the president of OWASP and so both of them do it
together? If this is not true how else is he advertising to the OWASP
community or abroad??

7)      This is a business benefit to Armorize, I have had numerous people
tell me stories about Wayne's activities in the region (even before last
year's event?)

8)      NO Sponsors? Armorize put money in last year, and I can bet Armorize
is helping out with costs this year. That's great, but I can't see that he
isn't getting something out of it can you? Seriously what kind of crazy
marketing scheme exists where there is no benefit back to the company? And
on this note, why aren't other vendors/corporate sponsors or OWASP allowed to
get involved. Oh and BTW Fortify is not wanting to put money into the event
(we will provide staff to assist) but our marketing budget is spent for the

9)      Won't involve other people across the region. I know of 3 others (1
outspoken) who are also upset with the fact there is no CFP (Call for
Papers) or anything like this and he will allow us to attend but not assist
in the planning?

10)   The chapter in Taiwan is totally inactive. The last meeting was the
conference last year, no updates no nothing? Then he pulls the conference?
Doesn't this sound a little strange?

11)   Normally the prep work for an event like this would take months at
least? Why have we heard about it now? Surely this has been on the cards for
a long time? And last year the same thing happened? The Taiwan chapter's
last OWASP meeting according to the web site and mailing list was 12 months
ago (the 2007 conference).

12) Wayne's speaking as a key speaker at his own conference? Not on OWASP
but on APPSEC topics, I looked back through other conferences no one has
done this before?? Not as the organizer at least?

So I could go on and on with the problems relating to this. But I am not
going to (I've had enough trying to prove my point to the board. Though a
little confused at why the 12 points above are ignored, I think they are
pretty valid?). The fact is Wayne has done things in the past that are
inappropriate and the board has had to step in previously.

Let me give you some business promotion quotes that are interesting: (I
thought it was Wayne who founded the chapter not Armorize? This is exactly
how Wayne sells in the region..

"Open Web Application Security Project (OWASP) Taiwan chapter, founded by
Armorize Technologies - an open community"

http://armorize-cht.blogspot.com/ (Corporate Blog, and personally my
feelings are there is too much OWASP stuff relating to Armorize and OWASP.)
Maybe it's just me.

Unfortunately I have been putting a lot of personal time into OWASP and
honestly I feel like an idiot. Helping someone else build their business off
of my hard work.  - Can't do it. I understand that OWASP gets abused these
days, but not deliberately and not in front of the board and we let them get
away with it.

Anyhow my activities currently involve:

1)      Planning for OWASP AU 2009

2)      SOC Interceptor Project

3)      Brisbane Chapter Leader

4)      Helping out AU and JP and SG and CHINA chapters with speakers (not
me) etc

5)      Significant involvement in the OWASP CMM project as Jeff/Dave are

6)      Many other activities and speaking spots at OWASP and promotion of
OWASP in the true APAC region. (which don't include self promotion, google
it, you won't find anything, that's not what I am about.. even last year at
the AU conference I spoke for OWASP on the status of OWASP in the region
never a topic as a keynote?)

I am going to pull out of most (probably not all) but definitely the
conference. Will remain as the Brisbane Chapter lead as this has enough
effort in itself. (And take Tom's advice and already seeking a second person
to be put onto the web site - Jason Harris from Brisbane has already agreed
to this.)

I used to believe in OWASP and I thought the goal of awareness is critical
to fixing this problem globally. However I can't simply stand by and watch
this go on. It's crazy! And I know that there are many more like me, some

It's a real struggle, I am sorry for the long email, but I don't like
jumping the gun without evidence and my feelings. I hope over the coming
time that the OWASP board will look at how some people abuse OWASP and the
people that put "real" effort into the organization. Show me where these
people that above have ever done anything other than run a small chapter
(which is still to be rewarded) or run a conference that benefits them.
Actually Taiwan's annual chapter meeting is every year for this conference
that's it...

Ok, so thanks for listening hopefully some of this will make it onto
people's mind and they will do something about it at a later time.. Maybe
then I will be prepared to get involved again.

Tom to ensure that I haven't been "un" professional, I have remained nice
(no personal attacks) and completed significant research on all comments in
this email.. Just making sure... Still disappointed that it has come to

Kindest Regards

Justin Derry (Brisbane Chapter Lead).


---------- Forwarded message ----------
From: jderry jderry <jderry at owasp.org>
Date: Mon, Oct 6, 2008 at 6:22 PM
Subject: Re: DId you get my previous email about assistance
To: Wayne Huang <wayne at armorize.com>

It's pretty clear your stance on things. Which is fine.

I am wording an email to the board and I will be pulling out of all OWASP
activities as I cannot be part of something I don't believe in, and I am
sorry but there is more than enough evidence (and many others agree) that
you are abusing your position with OWASP which is disappointing.


Anyhow good luck with your conference and growing your company.

Kindest Regards


On Mon, Oct 6, 2008 at 6:06 PM, Wayne Huang <wayne at armorize.com> wrote:

Hi Justin,


I wanted to give you my mobile--+886-922780838, feel free to call me any
time if you want to discuss something. If you can let me have yours that
would be great.




From: jderry jderry [mailto:jderry at owasp.org] 

Sent: Monday, October 06, 2008 1:16 PM
To: Wayne Huang
Cc: Wayne Huang

Subject: Re: DId you get my previous email about assistance 


Hi Wayne,

I suppose the problem I have is that if this is to be called OWASP ASIA then
let's make it OWASP ASIA.

I would like to see people from China, Japan, Singapore etc attending and
being involved? (possibly even Australia/NZ)


I have no problems if you wish to call this OWASP Taiwan conference with
international speakers, but I will be honest and say I have a problem when
we call this ASIA (and you and Tim argued that Australia shouldn't be
included) then let's make it a regional conference. (What happens with
Japan/China etc)


Tell me what I can do to help make this a great regional true "ASIA"
conference including all countries in ASIA?

There seems to be 3 speakers from Armorize talking. Wouldn't it be much
better from a governance and regional standpoint to open this open to the


Your comments appreciated.

Please also answer if you would like assistance from me for the conference?

Kindest Regards



On Mon, Oct 6, 2008 at 1:43 PM, Wayne Huang <wayne at armorize.com> wrote:

Hi Justin,


It would be good if chapter leaders can be here. I know everyone has very
interesting talks but right now the agenda is very full already. Many have
asked to speak, but we really cannot squeeze in everyone. We already have
speakers from India, Thailand, and Taiwan.





From: jderry jderry [mailto:jderry at owasp.org] 
Sent: Monday, October 06, 2008 12:22 PM
To: Wayne Huang; Wayne Huang
Subject: DId you get my previous email about assistance


Hi Wayne,

I wanna help with this conference, it would also be nice to have regional
speakers etc and really make this something big across the region.

(that's if it is called the ASIA conference)


My Okada from Japan chapter and the guys up here in Tokyo (I am currently
here) want to get involved and can provide a speaker also, and China can get
involved also.

I think the guys from Singapore or someone might also want to.


Let me know what I can do to help, I wouldn't mind also talking on the hot
OWASP project OWASP CMM (Maturity Model Project) that I am involved with.


Looking forward to hearing from you.

Kindest Regards





