[Owasp-board] Issues raised about AppSec Brazil 2009

Matt Tesauro matt.tesauro at owasp.org
Mon Nov 30 17:49:05 UTC 2009

Leo emailed the items below in response to my request he specify the issues
he was raising.  I'm working on gathering up all the back and forth that
occurred after I sent the initial email.  As soon as I get all that gathered
together, I'll forward to the group that will be looking into this further.
I'm hoping to get some time this evening to gather all this together.  None
of this should be treated as 'secret' - I just haven't had a chance to group
it into a single something.


Starting from the premise that the conference was totally sponsored by the
government, and it was to be Open and Free for everyone, the issues I raised

- Reserved seats: more than 50% seats at training session were reserved for
the government, having some sessions with NO seats available for the
community. So, using OWASP resources, people and expertise improperly not
for the OWASP/AppSec community, but focused on government community;

- Sponsoring: Conviso and Leadcomm were tied as sponsors of the event, while
the government stated that NO ONE could sponsor it, except by UNB and
TI-Controle, since it paid all the expenses. How does explain they being
sponsor if the conference hadn't a sponsoring model publicly available?;

- Organization team: even I supporting many tasks, the ticket and hotel was
denied to me while paid only for Wagner/Eduardo.

Those 3 issues are the most relevant and show that the process missed
transparency, impartially and promoted two companies improperly, thus
bumping with OWASP values.


Lucas replied to each of the above points explaining his side of things.
Like I said, I've got a ton of emails gathered on this but I'm still working
on collecting them into a sensible whole.

Even though I've collected the data, I do not want to be part of the group
that resolves this as I trained/spoke at that conference.  I've been very
careful to remain neutral while I collected the data.  I just wanted to get
that part out of the way before the board meeting so we resolve this ASAP.

-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On Mon, Nov 30, 2009 at 11:21 AM, Eoin <eoin.keary at owasp.org> wrote:

> Matt what actually was the issue in Brazil?
> 2009/11/30 Matt Tesauro <matt.tesauro at owasp.org>
>> I've already added this to the Board Agenda for tomorrow but part of what
>> I added mentioned that I'd forward the email sent to the various parties to
>> the Board List so here goes:
>> -------- Forwarded Message --------
>> From: Matt Tesauro <mtesauro at gmail.com>
>> To: Eduardo V. C. Neves <eduardo at camargoneves.com>, 'Lucas Ferreira' <
>> lucas at sapao.net>, 'Wagner Elias' <wagner.elias at gmail.com>, LeoCavallari <
>> leo.cavallari at owasp.org>
>> Cc: Dinis Cruz <dinis.cruz at owasp.org>, Paulo Coimbra <
>> paulo.coimbra at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>
>> Subject: Questions raised about AppSec Brazil 2009
>> Date: Wed, 25 Nov 2009 09:19:44 -0600
>> As I assume all parties already know, issues have been raised about the
>> AppSec Brazil 2009 conference.  These questions were raised publicly and
>> the questions raised have potential impact on future conferences plus
>> OWASP as a whole.  The OWASP community needs to determine what, if any,
>> adjustments need to be made to rectify this situation as well as prevent
>> another occurrence should problem(s) be identified.  As everything in
>> OWASP, this will need to be an open discussion with the community.
>> Initially, the issues were discussed on the Global Project Committee
>> (GPC) call on Monday.  However, considering the scope, the GPC felt that
>> this was a OWASP Board level issue.  Thus, the issue will be raised
>> during the next OWASP Board meeting on Tuesday, December 1st.
>> In the time between now and the board meeting, I've offered to gather
>> data from the parties.  Any issues, supporting documentation, or other
>> material you think would be useful in answering the questions raised,
>> please forward to me so I can gather it in a single location.
>> When this is discussed at the board meeting, I  will propose the
>> following to start the discussion.  I suspect that changes will occur to
>> my proposal during the board meeting so please consider this a beta
>> version.
>> (1) Collect data - I've already stated this process and it will continue
>> until the board meeting (and likely after).  The outcome of this portion
>> is to determine an objective picture of all the parties' perspectives.
>> (2) Discuss - Ask open questions, listen and engage the parties involved
>> to get the full story.
>> (3) Document - Use precise, descriptive language to document the
>> situation and its outcomes.  All parties will be involved in the
>> drafting of this document to ensure it represents the consensus opinion
>> of the data collected in (1) and (2) above.
>> (4) Reflect and maintain - Depending on the outcomes determined in (3),
>> review current community efforts to ensure that any negative outcomes
>> are avoided in future and that incentives are in place to keep the
>> community on track.  Should any changes be needed, the Global Committee
>> responsible for that area will handle implementation - e.g. changes to
>> conference rules would be handled by the Global Conference Committee.
>> There are specific circumstances surrounding this issue that also need
>> to be addressed.
>> * Two board members, Dinis Cruiz and myself, attended AppSec Brazil so I
>> believe that both of us should be excused from direct involvement in the
>> resolution of this issue.  Both of us will gladly provide our
>> perspective on the event but neither of us should judge the facts as
>> that represents a potential conflict of interest.  I believe the
>> collection of data to be a neutral activity which will hopefully speed
>> this to conclusion.
>> * Much of the dialog which transpired occurred in Portuguese. With the
>> exception of Dinis, the Board does not speak/read Portuguese.  The
>> services of Dinis and Paulo Coimbra may need to be engaged to facilitate
>> and validate any translations of Portuguese to English.
>> * From my perspective the group conducting the bulk of the work, (2) to
>> (4) above, should have representatives from several areas of the
>> community.  My suggestion will be:
>> ** OWASP Board: Minimally Jeff Williams - sorry but your law background
>> seems glaringly in need here
>> ** A representative from the following Global Committees
>>     *** Conference
>>     *** Chapters
>>     *** Membership
>> I do not know the inner workings of those committees enough to suggest
>> representatives at this time.  Hopefully the Board meeting will work
>> this point out.
>> This is probably a more-than-long-enough email as it is, but if you have
>> any questions or clarifications you'd like about the above, please feel
>> free to email me directly or reply to this group as a whole.
>> ---------------------------------------------------
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP Live CD Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org <http://appseclive.org/> - Community and Download
>> site
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
> http://asg.ie/
> https://twitter.com/EoinKeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20091130/616d7116/attachment-0002.html>

More information about the Owasp-board mailing list