[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Tin Zaw tin.zaw at owasp.org
Wed Dec 7 20:38:14 UTC 2011


I am not sure if Mark's comments or understanding is in sync with what
conference organizers -- Rip, Ivy, Frank -- had told me.

To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
the name used, as you can see in the photos here.
https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025

SecZone is listed as one of the supporters, just like Frank's company
and other supporters.

OWASP does not have a legal entity in China and you need a legal
entity in China to do a conference like that. So SecZone (a registered
non-profit in China, that I was told) was used as a legal entity to
organize things for OWASP, on OWASP's behalf.

On the bigger scope, OWASP China is "housed" inside SecZone. My
understanding is that this is not dissimilar to NASA JPL housed inside
Caltech.  SecZone/Caltech provides administrative support while the
housed organization carries out OWASP's/NASA's mission. The main
reason for this is that an organization in China needs to be a
registered legal entity with the government. (Let's not forget that
"Communist Party" still rules China). They also informed us that OWASP
is not the only organization housed inside SecZone. There are others
but OWASP is the major org supported by SecZone.

I think it is correct to consider SecZone's and OWASP's budgets (for
conference and the chapter) separate. But we should understand the
nuances we face when we advance our mission in different cultural
contexts.

On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>  GCC (at least I) was not aware that there was another organization
> involved until VERY late in the game (weeks before the event).
> Technically it should have been classified as a partner event, where a
> contract between our two organizations would have been signed (by the
> board) up front, clearly identifying these issues.
>
> In this case, this was presented as a 100% OWASP event when in reality
> it was not.  That's the root of the problem here and unlike LATAM the
> other organization is more "partner" than "contractor".
>
> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> I agree with capping the loss. I also think we should have some more strict
>> budget requirements for global appsec conferences, especially when we have
>> 3rd parties handling the money.  If Alison is the one making payments and
>> accepting money, we can check in with her at any point to find out the
>> status of an event; however, we don't have this visibility/transparency
>> right now with the 3rd parties.
>>
>> I think before we go forward with signing contracts for 2012 events
>> (especially in Latin America and AsiaPac where they have not run the money
>> through the Foundation), we should discuss and decide on  a policy for this.
>>
>> Sarah
>>
>>
>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>>>
>>> Matt,
>>> As treasurer what are your thoughts on limiting liability for losses at
>>> global conferences. My view is if we don't do this we are leaving the
>>> foundation exposed. Such a cap should be in a contract signed by the
>>> conference organisers?? It can be a % or a figure, but right now are we in a
>>> position of unlimited liability??
>>> Anyone, thoughts??
>>>
>>>
>>>
>>>
>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>
>>> Alison -
>>> Can you look to see (or maybe you know off the top of your head) if
>>> we sent any down payment or money (other than the approx. $3222 sent
>>> recently to cover hotel costs) to China for this conference.  It probably
>>> would have been in late July or August of this year?
>>>
>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>>> want to make sure we have a full financial picture of what we have paid
>>> before anything is decided though.
>>>
>>> Thanks,
>>> Sarah
>>>
>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org>
>>> wrote:
>>>>
>>>> I believe some of the loss will be realized by each party
>>>>
>>>> -Mark
>>>>
>>>> Sent from my wireless device
>>>>
>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>>>> wrote:
>>>>
>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>>>> foundation expected to reimburse SecZone for this loss?  What was the
>>>> agreement for the financials for this event?  I know that much of this has
>>>> come from Rip’s personal account.
>>>>
>>>>
>>>>
>>>> We need to clear this up before the end of the year.
>>>>
>>>>
>>>>
>>>> Kate Hartmann
>>>>
>>>> Operations Director
>>>>
>>>> 301-275-9403
>>>>
>>>> www.owasp.org
>>>>
>>>> Skype:  Kate.hartmann1
>>>>
>>>>
>>>>
>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>>>>
>>>> _______________________________________________
>>>> Global_conference_committee mailing list
>>>> Global_conference_committee at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Administrator for
>>> OWASP Global Conference Committee
>>> OWASP Global Chapter Committee
>>>
>>> Dir: 312-869-2779
>>> skype: sarah.baso
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>> --
>> Administrator for
>> OWASP Global Conference Committee
>> OWASP Global Chapter Committee
>>
>> Dir: 312-869-2779
>> skype: sarah.baso
>>
>>
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org



-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Chair, OWASP Global Chapter Committee
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw


