[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Mark Bristow mark.bristow at owasp.org
Wed Dec 7 20:36:02 UTC 2011


As far as I know SecZone is not an OWASP foundation subsidiary (like
OWASP EU is).  If this is incorrect I withdraw my statement.  Had
OWASP hired SecZone (under contract) to handle the financials for the
event, then it would have been a 100% OWASP event.  As it was, China
was effectively co-hosted by OWASP and SecZone.

On Wed, Dec 7, 2011 at 3:24 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
> Mark -
> Can you clarify why AppSec AsiaPac 2011 was an anomaly?  Also what makes
> this a partner event vs. 100% OWASP event?  I want to make sure we are all
> on the same page and those hosting the event in China understand the
> difference as well.
>
> The "other organization" involved - SecZone - plans to continue handling
> OWASP-related money in China and if they want to do an event like this in
> the future, what would they do differently to not make it a partner event?
>
> I also think it is important to separate the event definitions and "lessons
> learned" from this conference from the larger issues of: How can OWASP
> maintain financial transparency for international events (especially large
> ones like this)?  and What policies can OWASP put into place to protect
> ourselves from future unanticipated losses at events (especially large ones
> like this)?
>
> I think these two questions/issues are important for the Foundation to look at
> as we move more and more into being an international organization.
>
> Sarah
>
>
>
> On Wed, Dec 7, 2011 at 1:46 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>
>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>>  GCC (at least I) was not aware that there was another organization
>> involved until VERY late in the game (weeks before the event).
>> Technically it should have been classified as a partner event, where a
>> contract between our two organizations would have been signed (by the
>> board) up front, clearly identifying these issues.
>>
>> In this case, this was presented as a 100% OWASP event when in reality
>> it was not.  That's the root of the problem here and unlike LATAM the
>> other organization is more "partner" than "contractor".
>>
>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> > I agree with capping the loss. I also think we should have some more strict
>> > budget requirements for global appsec conferences, especially when we have
>> > 3rd parties handling the money.  If Alison is the one making payments and
>> > accepting money, we can check in with her at any point to find out the
>> > status of an event; however, we don't have this visibility/transparency
>> > right now with the 3rd parties.
>> >
>> > I think before we go forward with signing contracts for 2012 events
>> > (especially in Latin America and AsiaPac where they have not run the money
>> > through the Foundation), we should discuss and decide on a policy for this.
>> >
>> > Sarah
>> >
>> >
>> > On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>> >>
>> >> Matt,
>> >> As treasurer what are your thoughts on limiting liability for losses at
>> >> global conferences? My view is if we don't do this we are leaving the
>> >> foundation exposed. Such a cap should be in a contract signed by the
>> >> conference organisers?? It can be a % or a figure, but right now are we
>> >> in a position of unlimited liability??
>> >> Anyone, thoughts??
>> >>
>> >>
>> >>
>> >>
>> >> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>
>> >> Alison -
>> >> Can you look to see (or maybe you know off the top of your head) if
>> >> we sent any down payment or money (other than the approx. $3222 sent
>> >> recently to cover hotel costs) to China for this conference?  It probably
>> >> would have been in late July or August of this year.
>> >>
>> >> They are currently at a $16,166.22 loss, but Frank Fan's company
>> >> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>> >> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>> >> want to make sure we have a full financial picture of what we have paid
>> >> before anything is decided though.
>> >>
>> >> Thanks,
>> >> Sarah
>> >>
>> >> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org>
>> >> wrote:
>> >>>
>> >>> I believe some of the loss will be realized by each party
>> >>>
>> >>> -Mark
>> >>>
>> >>> Sent from my wireless device
>> >>>
>> >>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>> >>> wrote:
>> >>>
>> >>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>> >>> foundation expected to reimburse SecZone for this loss?  What was the
>> >>> agreement for the financials for this event?  I know that much of this has
>> >>> come from Rip’s personal account.
>> >>>
>> >>>
>> >>>
>> >>> We need to clear this up before the end of the year.
>> >>>
>> >>>
>> >>>
>> >>> Kate Hartmann
>> >>>
>> >>> Operations Director
>> >>>
>> >>> 301-275-9403
>> >>>
>> >>> www.owasp.org
>> >>>
>> >>> Skype:  Kate.hartmann1
>> >>>
>> >>>
>> >>>
>> >>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>> >>>
>> >>> _______________________________________________
>> >>> Global_conference_committee mailing list
>> >>> Global_conference_committee at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Administrator for
>> >> OWASP Global Conference Committee
>> >> OWASP Global Chapter Committee
>> >>
>> >> Dir: 312-869-2779
>> >> skype: sarah.baso
>> >>
>> >> _______________________________________________
>> >> Owasp-board mailing list
>> >> Owasp-board at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >
>> >
>> >
>> >
>> > --
>> > Administrator for
>> > OWASP Global Conference Committee
>> > OWASP Global Chapter Committee
>> >
>> > Dir: 312-869-2779
>> > skype: sarah.baso
>> >
>> >
>> >
>>
>>
>>
>> --
>> Mark Bristow
>> (703) 596-5175
>> mark.bristow at owasp.org
>>
>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> AppSec DC Organizer - https://www.appsecdc.org
>
>
>
>
> --
> Administrator for
> OWASP Global Conference Committee
> OWASP Global Chapter Committee
>
> Dir: 312-869-2779
> skype: sarah.baso
>



-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org


