[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Sarah Baso sarah.baso at owasp.org
Thu Dec 8 00:51:23 UTC 2011


Lucas isn't able to post to the board list so here is his message....

Sent from my iPhone

On Dec 7, 2011, at 6:37 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:

> Guys,
>
> If you look at the contract, we have three entities defined: SecZone,
> the Foundation and the conference organizing committee. The contract
> defines somewhat the relationship between these parties. It also
> defines the responsibilities of each party.
>
> The first thing is that the contract says that SecZone should have
> provided monthly statements on the financials of the conference. This
> did not happen despite several requests from the GCC. The financials
> should have been handled openly but we only learned how things were
> going after the conference. We need to change this and define
> mechanisms to allow more control of externally-handled conference
> financials.
>
> The second important point is that the contract requires SecZone "to
> seek authorization from the foundation before taking any actions that
> may incur any expenses to the event". This also did not happen. We had
> a tentative budget at the beginning of the process and no more
> information on expenses. If the foundation only authorizes expenses if
> there is a matching income, risk should be greatly reduced.
>
> In short, I think the problem is not in defining rules. If the process
> had been followed, we would have better information and early warnings
> about the problems, making it easier to manage. The problem we have is
> that we have been unable to enforce the process with conference
> organizers. My feeling is that we need to rely less on trust and
> really require the organizers to follow the process defined in the
> contract.
>
> Regards,
>
> Lucas
>
> On Wed, Dec 7, 2011 at 22:22, Mark Bristow <mark.bristow at owasp.org> wrote:
>> For multi party contracts that might be appropriate.  Not OWASP only events
>>
>> -Mark
>>
>> Sent from my wireless device
>>
>> On Dec 7, 2011, at 6:59 PM, Eoin <eoin.keary at owasp.org> wrote:
>>
>>> Mark,
>>> Nothing replaces a liability cap written into a contract and signed by both parties.
>>>
>>>
>>>
>>>
>>>
>>> On 7 Dec 2011, at 19:01, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>
>>>> Eoin,
>>>>
>>>> Liability limitations is the point of the OCMS process and budgetary
>>>> review however I think the system could be made more robust.
>>>> Currently planners are only required to submit initial budgets for
>>>> review by the GCC and are supposed to get all major contracts signed
>>>> by the GCC liaison (although there have been several issues getting
>>>> this authority granted).  Once the initial budgets are reviewed, there
>>>> are no requirements for followup (it is often requested) or any
>>>> additional checks when funds are dispersed.
>>>>
>>>> I'd propose that, for Global AppSecs we:
>>>> Require initial budgets as described for approvals
>>>> Require events report actual expenditures/revised budgets monthly
>>>> Have all expenditures not within the original budget for that line
>>>> item be approved by the GCC liaison (and updated on subsequent
>>>> projections)
>>>>
>>>> I think adding some of these basic controls would have alleviated this
>>>> issue.  However, on the other side of the issue we need to actually
>>>> enforce these rules which may be difficult.
>>>>
>>>> On Wed, Dec 7, 2011 at 1:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>>>>> Matt ,
>>>>> As treasurer what are your thoughts on limiting liability for losses at
>>>>> global conferences. My view is if we don't do this we are leaving the
>>>>> foundation exposed. Such a cap should be in a contract signed by the
>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
>>>>> position of unlimited liability??
>>>>> Anyone, thoughts??
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>>
>>>>> Alison -
>>>>> Can you look to see (or maybe you know off the top of your head) if we
>>>>> sent any down payment or money (other than the approx. $3222 sent recently
>>>>> to cover hotel costs) to China for this conference.  It probably would have
>>>>> been in late July or August of this year?
>>>>>
>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>>>>> want to make sure we have a full financial picture of what we have paid
>>>>> before anything is decided though.
>>>>>
>>>>> Thanks,
>>>>> Sarah
>>>>>
>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>>>>
>>>>>> I believe some of the loss will be realized by each party
>>>>>>
>>>>>> -Mark
>>>>>>
>>>>>> Sent from my wireless device
>>>>>>
>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
>>>>>> agreement for the financials for this event.  I know that much of this has
>>>>>> come from Rip’s personal account.
>>>>>>
>>>>>>
>>>>>>
>>>>>> We need to clear this up before the end of the year.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Kate Hartmann
>>>>>>
>>>>>> Operations Director
>>>>>>
>>>>>> 301-275-9403
>>>>>>
>>>>>> www.owasp.org
>>>>>>
>>>>>> Skype:  Kate.hartmann1
>>>>>>
>>>>>>
>>>>>>
>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Global_conference_committee mailing list
>>>>>> Global_conference_committee at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Administrator for
>>>>> OWASP Global Conference Committee
>>>>> OWASP Global Chapter Committee
>>>>>
>>>>> Dir: 312-869-2779
>>>>> skype: sarah.baso
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mark Bristow
>>>> (703) 596-5175
>>>> mark.bristow at owasp.org
>>>>
>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>> AppSec DC Organizer - https://www.appsecdc.org
>
>
>
> --
> Homo sapiens non urinat in ventum.


