[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Michael Coates michael.coates at owasp.org
Wed Dec 7 21:44:11 UTC 2011


From the brief details I've gleaned here it sounds like everyone has been working for the common good. But we have some losses and need to appropriately handle them.  There are several moving parts.  Kate, Sarah, can one of you gather and summarize the pertinent information from these threads (clarify what's missing or needed)?

The board does need to make some decisions in this specific case and also needs to clarify larger issues for future growth / expansion.



Michael Coates
OWASP



On Dec 7, 2011, at 1:05 PM, Tin Zaw wrote:

> As Mark pointed out, it is an issue with China. It is an issue because
> they have different culture and it is in a country where bureaucracy
> and red tape are everywhere. But I can assure you that they -- people
> behind this event -- really want to promote OWASP in China. You can
> question their motives but their efforts and commitment are obvious.
> 
> We have a choice to be flexible and make it easier for them to promote
> our mission, or we can stick to our rules and protect OWASP. I am sure
> the board will give us direction.
> 
> On Wed, Dec 7, 2011 at 12:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> Tin,
>> 
>> This is how I also understand our relationship with one caveat.  I
>> don't believe that there is a formal agreement between SecZone and
>> OWASP for them to act as our representative.  Had this agreement been
>> in place, we could have clearly defined how profit/loss would be
>> shared for the event, as well as a bunch of other requirements that we
>> impose on legal entities representing OWASP elsewhere in the world.
>> This however is a larger question beyond this event, and is one the
>> board has taken for action.
>> 
>> There are a few points here:
>> 1. In this case, it seems to me that the OWASP foundation should realize
>> a $5,500 loss for this event (The fact that this was not spelled out
>> beforehand is troubling)
>> 2. We need to clarify and formalize our relationship with SecZone as
>> it relates to OWASP in China (Board Action)
>> 3. We need to better define and vet budgets and impose additional
>> auditing requirements as event planning is in process
>> 4. We need to be more diligent in determining the exact composition
>> of the on-site planning team earlier in the process to identify
>> potential issues earlier rather than ex post facto.
>> 
>> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>>> I am not sure if Mark's comments or understanding is in sync with what
>>> conference organizers -- Rip, Ivy, Frank -- had told me.
>>> 
>>> To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
>>> the name used, as you can see in the photos here.
>>> https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
>>> 
>>> SecZone is listed as one of the supporters, just like Frank's company
>>> and other supporters.
>>> 
>>> OWASP does not have a legal entity in China and you need a legal
>>> entity in China to do a conference like that. So SecZone (a registered
>>> non-profit in China, that I was told) was used as a legal entity to
>>> organize things for OWASP, on OWASP's behalf.
>>> 
>>> On the bigger scope, OWASP China is "housed" inside SecZone. My
>>> understanding is that this is not dissimilar to NASA JPL housed inside
>>> Caltech.  SecZone/Caltech provides administrative support while the
>>> housed organization carries out OWASP's/NASA's mission. The main
>>> reason for this is that an organization in China needs to be a
>>> registered legal entity with the government. (Let's not forget that
>>> "Communist Party" still rules China). They also informed us that OWASP
>>> is not the only organization housed inside SecZone. There are others
>>> but OWASP is the major org supported by SecZone.
>>> 
>>> I think it is correct to consider SecZone's and OWASP's budgets (for
>>> conference and the chapter) separate. But we should understand the
>>> nuances we face when we advance our mission in different cultural
>>> contexts.
>>> 
>>> On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>>>>  GCC (at least I) was not aware that there was another organization
>>>> involved until VERY late in the game (weeks before the event).
>>>> Technically it should have been classified as a partner event, where a
>>>> contract between our two organizations would have been signed (by the
>>>> board) up front, clearly identifying these issues.
>>>> 
>>>> In this case, this was presented as a 100% OWASP event when in reality
>>>> it was not.  That's the root of the problem here and unlike LATAM the
>>>> other organization is more "partner" than "contractor".
>>>> 
>>>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>> I agree with capping the loss. I also think we should have some more strict
>>>>> budget requirements for global appsec conferences, especially when we have
>>>>> 3rd parties handling the money.  If Alison is the one making payments and
>>>>> accepting money, we can check in with her at any point to find out the
>>>>> status of an event; however, we don't have this visibility/transparency
>>>>> right now with the 3rd parties.
>>>>> 
>>>>> I think before we go forward with signing contracts for 2012 events
>>>>> (especially in Latin America and AsiaPac where they have not run the money
>>>>> through the Foundation), we should discuss and decide on  a policy for this.
>>>>> 
>>>>> Sarah
>>>>> 
>>>>> 
>>>>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>>>>>> 
>>>>>> Matt ,
>>>>>> As treasurer what are your thoughts on limiting liability for losses at
>>>>>> global conferences. My view is if we don't do this we are leaving the
>>>>>> foundation exposed. Such a cap should be in a contract signed by the
>>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
>>>>>> position of unlimited liability??
>>>>>> Anyone, thoughts??
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>>> 
>>>>>> Alison -
>>>>>> Can you look to see (or maybe you know off the top of your head) if
>>>>>> we sent any down payment or money (other than the approx. $3222 sent
>>>>>> recently to cover hotel costs) to China for this conference.  It probably
>>>>>> would have been in late July or August of this year?
>>>>>> 
>>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>>>>>> want to make sure we have a full financial picture of what we have paid
>>>>>> before anything is decided though.
>>>>>> 
>>>>>> Thanks,
>>>>>> Sarah
>>>>>> 
>>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org>
>>>>>> wrote:
>>>>>>> 
>>>>>>> I believe some of the loss will be realized by each party
>>>>>>> 
>>>>>>> -Mark
>>>>>>> 
>>>>>>> Sent from my wireless device
>>>>>>> 
>>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
>>>>>>> agreement for the financials for this event?  I know that much of this has
>>>>>>> come from Rip’s personal account.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> We need to clear this up before the end of the year.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Kate Hartmann
>>>>>>> 
>>>>>>> Operations Director
>>>>>>> 
>>>>>>> 301-275-9403
>>>>>>> 
>>>>>>> www.owasp.org
>>>>>>> 
>>>>>>> Skype:  Kate.hartmann1
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Global_conference_committee mailing list
>>>>>>> Global_conference_committee at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Administrator for
>>>>>> OWASP Global Conference Committee
>>>>>> OWASP Global Chapter Committee
>>>>>> 
>>>>>> Dir: 312-869-2779
>>>>>> skype: sarah.baso
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Mark Bristow
>>>> (703) 596-5175
>>>> mark.bristow at owasp.org
>>>> 
>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>> AppSec DC Organizer - https://www.appsecdc.org
>>> 
>>> 
>>> 
>>> --
>>> Tin Zaw, CISSP, CSSLP
>>> Chapter Leader and President, OWASP Los Angeles Chapter
>>> Chair, OWASP Global Chapter Committee
>>> Google Voice: (213) 973-9295
>>> LinkedIn: http://www.linkedin.com/in/tinzaw
>> 
>> 
>> 
> 
> 
> 



