[Owasp-board] Issues raised about AppSec Brazil 2009

Matt Tesauro matt.tesauro at owasp.org
Mon Nov 30 17:17:01 UTC 2009

I've already added this to the Board Agenda for tomorrow but part of what I
added mentioned that I'd forward the email sent to the various parties to
the Board List so here goes:

-------- Forwarded Message --------
From: Matt Tesauro <mtesauro at gmail.com>
To: Eduardo V. C. Neves <eduardo at camargoneves.com>,
 'Lucas Ferreira' <lucas at sapao.net>,
 'Wagner Elias' <wagner.elias at gmail.com>,
 LeoCavallari <leo.cavallari at owasp.org>
Cc: Dinis Cruz <dinis.cruz at owasp.org>,
 Paulo Coimbra <paulo.coimbra at owasp.org>,
 Kate Hartmann <kate.hartmann at owasp.org>
Subject: Questions raised about AppSec Brazil 2009
Date: Wed, 25 Nov 2009 09:19:44 -0600

As I assume all parties already know, issues have been raised about the
AppSec Brazil 2009 conference.  These questions were raised publicly and
the questions raised have potential impact on future conferences plus
OWASP as a whole.  The OWASP community needs to determine what, if any,
adjustments need to be made to rectify this situation as well as prevent
another occurrence should problem(s) be identified.  As everything in
OWASP, this will need to be an open discussion with the community.

Initially, the issues were discussed on the Global Project Committee
(GPC) call on Monday.  However, considering the scope, the GPC felt that
this was an OWASP Board level issue.  Thus, the issue will be raised
during the next OWASP Board meeting on Tuesday, December 1st.

In the time between now and the board meeting, I've offered to gather
data from the parties.  Any issues, supporting documentation, or other
material you think would be useful in answering the questions raised,
please forward to me so I can gather it in a single location.

When this is discussed at the board meeting, I will propose the
following to start the discussion.  I suspect that changes will occur to
my proposal during the board meeting so please consider this a beta.

(1) Collect data - I've already stated this process and it will continue
until the board meeting (and likely after).  The outcome of this portion
is to determine an objective picture of all the parties' perspectives.

(2) Discuss - Ask open questions, listen and engage the parties involved
to get the full story.

(3) Document - Use precise, descriptive language to document the
situation and its outcomes.  All parties will be involved in the
drafting of this document to ensure it represents the consensus opinion
of the data collected in (1) and (2) above.

(4) Reflect and maintain - Depending on the outcomes determined in (3),
review current community efforts to ensure that any negative outcomes
are avoided in future and that incentives are in place to keep the
community on track.  Should any changes be needed, the Global Committee
responsible for that area will handle implementation - e.g. changes to
conference rules would be handled by the Global Conference Committee.

There are specific circumstances surrounding this issue that also need
to be addressed.
* Two board members, Dinis Cruz and myself, attended AppSec Brazil so I
believe that both of us should be excused from direct involvement in the
resolution of this issue.  Both of us will gladly provide our
perspective on the event but neither of us should judge the facts as
that represents a potential conflict of interest.  I believe the
collection of data to be a neutral activity which will hopefully speed
this to conclusion.
* Much of the dialog which transpired occurred in Portuguese. With the
exception of Dinis, the Board does not speak/read Portuguese.  The
services of Dinis and Paulo Coimbra may need to be engaged to facilitate
and validate any translations of Portuguese to English.
* From my perspective the group conducting the bulk of the work, (2) to
(4) above, should have representatives from several areas of the
community.  My suggestion will be:
** OWASP Board: Minimally Jeff Williams - sorry but your law background
seems glaringly in need here
** A representative from the following Global Committees
    *** Conference
    *** Chapters
    *** Membership
I do not know the inner workings of those committees enough to suggest
representatives at this time.  Hopefully the Board meeting will work
this point out.

This is probably a more-than-long-enough email as it is, but if you have
any questions or clarifications you'd like about the above, please feel
free to email me directly or reply to this group as a whole.


-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site