[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Jim Manico jim.manico at owasp.org
Wed Dec 7 21:04:53 UTC 2011


I just sent you a PDF copy, Mark.

--
Jim Manico
(808) 652-3805

On Dec 7, 2011, at 1:00 PM, Mark Bristow <mark.bristow at owasp.org> wrote:

> I can't read google docs from here.
>
> On Wed, Dec 7, 2011 at 3:59 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> Mark -
>> What about this agreement?
>> https://docs.google.com/a/owasp.org/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNNmNlNmUyMzMtZmYzNC00NWU3LWIyNzgtNzRlMTdlZGMxMTBj&hl=en
>>
>> Sarah
>>
>>
>> On Wed, Dec 7, 2011 at 2:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>
>>> Tin,
>>>
>>> This is how I also understand our relationship with one caveat.  I
>>> don't believe that there is a formal agreement between SecZone and
>>> OWASP for them to act as our representative.  Had this agreement been
>>> in place, we could have clearly defined how profit/loss would be
>>> shared for the event, as well as a bunch of other requirements that we
>>> impose on legal entities representing OWASP elsewhere in the world.
>>> This however is a larger question beyond this event, and is one the
>>> board has taken for action.
>>>
>>> There are a few points here:
>>> 1. In this case, it seems to me that the OWASP foundation should realize
>>> a $5,500 loss for this event (The fact that this was not spelled out
>>> beforehand is troubling)
>>> 2. We need to clarify and formalize our relationship with SecZone as
>>> it relates to OWASP in China (Board Action)
>>> 3. We need to better define and vet budgets and impose additional
>>> auditing requirements as event planning is in process
>>> 4. We need to be more diligent in determining the exact composition
>>> of the on-site planning team earlier in the process to identify
>>> potential issues earlier rather than ex post facto.
>>>
>>> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>>>> I am not sure if Mark's comments or understanding is in sync with what
>>>> conference organizers -- Rip, Ivy, Frank -- had told me.
>>>>
>>>> To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
>>>> the name used, as you can see in the photos here.
>>>>
>>>> https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
>>>>
>>>> SecZone is listed as one of the supporters, just like Frank's company
>>>> and other supporters.
>>>>
>>>> OWASP does not have a legal entity in China and you need a legal
>>>> entity in China to do a conference like that. So SecZone (a registered
>>>> non-profit in China, that I was told) was used as a legal entity to
>>>> organize things for OWASP, on OWASP's behalf.
>>>>
>>>> On the bigger scope, OWASP China is "housed" inside SecZone. My
>>>> understanding is that this is not dissimilar to NASA JPL housed inside
>>>> Caltech.  SecZone/Caltech provides administrative support while the
>>>> housed organization carries out OWASP's/NASA's mission. The main
>>>> reason for this is that an organization in China needs to be a
>>>> registered legal entity with the government. (Let's not forget that
>>>> "Communist Party" still rules China). They also informed us that OWASP
>>>> is not the only organization housed inside SecZone. There are others
>>>> but OWASP is the major org supported by SecZone.
>>>>
>>>> I think it is correct to consider SecZone's and OWASP's budgets (for
>>>> conference and the chapter) separate. But we should understand the
>>>> nuances we face when we advance our mission in different cultural
>>>> contexts.
>>>>
>>>> On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>>>>> GCC (at least I) was not aware that there was another organization
>>>>> involved until VERY late in the game (weeks before the event).
>>>>> Technically it should have been classified as a partner event, where a
>>>>> contract between our two organizations would have been signed (by the
>>>>> board) up front, clearly identifying these issues.
>>>>>
>>>>> In this case, this was presented as a 100% OWASP event when in reality
>>>>> it was not.  That's the root of the problem here and unlike LATAM the
>>>>> other organization is more "partner" than "contractor".
>>>>>
>>>>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>>> I agree with capping the loss. I also think we should have some more strict
>>>>>> budget requirements for global appsec conferences, especially when we have
>>>>>> 3rd parties handling the money.  If Alison is the one making payments and
>>>>>> accepting money, we can check in with her at any point to find out the
>>>>>> status of an event; however, we don't have this visibility/transparency
>>>>>> right now with the 3rd parties.
>>>>>>
>>>>>> I think before we go forward with signing contracts for 2012 events
>>>>>> (especially in Latin America and AsiaPac where they have not run the money
>>>>>> through the Foundation), we should discuss and decide on a policy for this.
>>>>>>
>>>>>> Sarah
>>>>>>
>>>>>>
>>>>>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>>>>>>>
>>>>>>> Matt,
>>>>>>> As treasurer what are your thoughts on limiting liability for losses at
>>>>>>> global conferences. My view is if we don't do this we are leaving the
>>>>>>> foundation exposed. Such a cap should be in a contract signed by the
>>>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
>>>>>>> position of unlimited liability??
>>>>>>> Anyone, thoughts??
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>>>>
>>>>>>> Alison -
>>>>>>> Can you look to see (or maybe you know off the top of your head) if
>>>>>>> we sent any down payment or money (other than the approx. $3222 sent
>>>>>>> recently to cover hotel costs) to China for this conference.  It probably
>>>>>>> would have been in late July or August of this year?
>>>>>>>
>>>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>>>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>>>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>>>>>>> want to make sure we have a full financial picture of what we have paid
>>>>>>> before anything is decided though.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sarah
>>>>>>>
>>>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>>>>>>
>>>>>>>> I believe some of the loss will be realized by each party
>>>>>>>>
>>>>>>>> -Mark
>>>>>>>>
>>>>>>>> Sent from my wireless device
>>>>>>>>
>>>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org> wrote:
>>>>>>>>
>>>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>>>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
>>>>>>>> agreement for the financials for this event?  I know that much of this has
>>>>>>>> come from Rip’s personal account.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> We need to clear this up before the end of the year.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Kate Hartmann
>>>>>>>>
>>>>>>>> Operations Director
>>>>>>>>
>>>>>>>> 301-275-9403
>>>>>>>>
>>>>>>>> www.owasp.org
>>>>>>>>
>>>>>>>> Skype:  Kate.hartmann1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Global_conference_committee mailing list
>>>>>>>> Global_conference_committee at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Administrator for
>>>>>>> OWASP Global Conference Committee
>>>>>>> OWASP Global Chapter Committee
>>>>>>>
>>>>>>> Dir: 312-869-2779
>>>>>>> skype: sarah.baso
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Administrator for
>>>>>> OWASP Global Conference Committee
>>>>>> OWASP Global Chapter Committee
>>>>>>
>>>>>> Dir: 312-869-2779
>>>>>> skype: sarah.baso
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Mark Bristow
>>>>> (703) 596-5175
>>>>> mark.bristow at owasp.org
>>>>>
>>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>>> AppSec DC Organizer - https://www.appsecdc.org
>>>>
>>>>
>>>>
>>>> --
>>>> Tin Zaw, CISSP, CSSLP
>>>> Chapter Leader and President, OWASP Los Angeles Chapter
>>>> Chair, OWASP Global Chapter Committee
>>>> Google Voice: (213) 973-9295
>>>> LinkedIn: http://www.linkedin.com/in/tinzaw
>>>
>>>
>>>
>>> --
>>> Mark Bristow
>>> (703) 596-5175
>>> mark.bristow at owasp.org
>>>
>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>> AppSec DC Organizer - https://www.appsecdc.org
>>
>>
>>
>>
>> --
>> Administrator for
>> OWASP Global Conference Committee
>> OWASP Global Chapter Committee
>>
>> Dir: 312-869-2779
>> skype: sarah.baso
>>
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org


