[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Sarah Baso sarah.baso at owasp.org
Thu Dec 8 15:13:45 UTC 2011


Yes - I will compile/summarize/ask for clarification where needed and send
back to the list by the end of the day.

Sarah

On Wed, Dec 7, 2011 at 3:44 PM, Michael Coates <michael.coates at owasp.org> wrote:

> From the brief details I've gleaned here it sounds like everyone has been
> working for the common good. But we have some losses and need to
> appropriately handle them.  There are several moving parts.  Kate, Sarah,
> can one of you gather and summarize the pertinent information from these
> threads (clarify what's missing or needed)?
>
> The board does need to make some decisions in this specific case and also
> needs to clarify larger issues for future growth / expansion.
>
>
>
> Michael Coates
> OWASP
>
>
>
> On Dec 7, 2011, at 1:05 PM, Tin Zaw wrote:
>
> > As Mark pointed out, it is an issue with China. It is an issue because
> > they have a different culture and it is in a country where bureaucracy
> > and red tape are everywhere. But I can assure you that they -- people
> > behind this event -- really want to promote OWASP in China. You can
> > question their motives but their efforts and commitment are obvious.
> >
> > We have a choice to be flexible and make it easier for them to promote
> > our mission, or we can stick to our rules and protect OWASP. I am sure
> > the board will give us direction.
> >
> > On Wed, Dec 7, 2011 at 12:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >> Tin,
> >>
> >> This is how I also understand our relationship with one caveat.  I
> >> don't believe that there is a formal agreement between SecZone and
> >> OWASP for them to act as our representative.  Had this agreement been
> >> in place, we could have clearly defined how profit/loss would be
> >> shared for the event, as well as a bunch of other requirements that we
> >> impose on legal entities representing OWASP elsewhere in the world.
> >> This however is a larger question beyond this event, and is one the
> >> board has taken for action.
> >>
> >> There are a few points here:
> >> 1. In this case, it seems that the OWASP foundation should realize
> >> a $5,500 loss for this event (The fact that this was not spelled out
> >> beforehand is troubling)
> >> 2. We need to clarify and formalize our relationship with SecZone as
> >> it relates to OWASP in China (Board Action)
> >> 3. We need to better define and vet budgets and impose additional
> >> auditing requirements as event planning is in process
> >> 4. We need to be more diligent in determining the exact composition
> >> of the on-site planning team earlier in the process to identify
> >> potential issues earlier rather than ex post facto.
> >>
> >> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
> >>> I am not sure if Mark's comments or understanding is in sync with what
> >>> conference organizers -- Rip, Ivy, Frank -- had told me.
> >>>
> >>> To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
> >>> the name used, as you can see in the photos here.
> >>>
> >>> https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
> >>>
> >>> SecZone is listed as one of the supporters, just like Frank's company
> >>> and other supporters.
> >>>
> >>> OWASP does not have a legal entity in China and you need a legal
> >>> entity in China to do a conference like that. So SecZone (a registered
> >>> non-profit in China, that I was told) was used as a legal entity to
> >>> organize things for OWASP, on OWASP's behalf.
> >>>
> >>> On the bigger scope, OWASP China is "housed" inside SecZone. My
> >>> understanding is that this is not dissimilar to NASA JPL housed inside
> >>> Caltech.  SecZone/Caltech provides administrative support while the
> >>> housed organization carries out OWASP's/NASA's mission. The main
> >>> reason for this is that an organization in China needs to be a
> >>> registered legal entity with the government. (Let's not forget that
> >>> "Communist Party" still rules China). They also informed us that OWASP
> >>> is not the only organization housed inside SecZone. There are others
> >>> but OWASP is the major org supported by SecZone.
> >>>
> >>> I think it is correct to consider SecZone's and OWASP's budgets (for
> >>> conference and the chapter) separate. But we should understand the
> >>> nuances we face when we advance our mission in different cultural
> >>> contexts.
> >>>
> >>> On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >>>> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
> >>>> GCC (at least I) was not aware that there was another organization
> >>>> involved until VERY late in the game (weeks before the event).
> >>>> Technically it should have been classified as a partner event, where a
> >>>> contract between our two organizations would have been signed (by the
> >>>> board) up front, clearly identifying these issues.
> >>>>
> >>>> In this case, this was presented as a 100% OWASP event when in reality
> >>>> it was not.  That's the root of the problem here and unlike LATAM the
> >>>> other organization is more "partner" than "contractor".
> >>>>
> >>>> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
> >>>>> I agree with capping the loss. I also think we should have some more strict
> >>>>> budget requirements for global appsec conferences, especially when we have
> >>>>> 3rd parties handling the money.  If Alison is the one making payments and
> >>>>> accepting money, we can check in with her at any point to find out the
> >>>>> status of an event; however, we don't have this visibility/transparency
> >>>>> right now with the 3rd parties.
> >>>>>
> >>>>> I think before we go forward with signing contracts for 2012 events
> >>>>> (especially in Latin America and AsiaPac where they have not run the money
> >>>>> through the Foundation), we should discuss and decide on a policy for this.
> >>>>>
> >>>>> Sarah
> >>>>>
> >>>>>
> >>>>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
> >>>>>>
> >>>>>> Matt,
> >>>>>> As treasurer what are your thoughts on limiting liability for losses at
> >>>>>> global conferences. My view is if we don't do this we are leaving the
> >>>>>> foundation exposed. Such a cap should be in a contract signed by the
> >>>>>> conference organisers?? It can be a % or a figure, but right now are we in a
> >>>>>> position of unlimited liability??
> >>>>>> Anyone, thoughts??
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
> >>>>>>
> >>>>>> Alison -
> >>>>>> Can you look to see (or maybe you know off the top of your head) if
> >>>>>> we sent any down payment or money (other than the approx. $3222 sent
> >>>>>> recently to cover hotel costs) to China for this conference.  It probably
> >>>>>> would have been in late July or August of this year?
> >>>>>>
> >>>>>> They are currently at a $16,166.22 loss, but Frank Fan's company
> >>>>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
> >>>>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
> >>>>>> want to make sure we have a full financial picture of what we have paid
> >>>>>> before anything is decided though.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Sarah
> >>>>>>
> >>>>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
> >>>>>>>
> >>>>>>> I believe some of the loss will be realized by each party
> >>>>>>>
> >>>>>>> -Mark
> >>>>>>>
> >>>>>>> Sent from my wireless device
> >>>>>>>
> >>>>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org> wrote:
> >>>>>>>
> >>>>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
> >>>>>>> foundation expected to reimburse SecZone for this loss?  What was the
> >>>>>>> agreement for the financials for this event?  I know that much of this has
> >>>>>>> come from Rip’s personal account.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> We need to clear this up before the end of the year.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Kate Hartmann
> >>>>>>>
> >>>>>>> Operations Director
> >>>>>>>
> >>>>>>> 301-275-9403
> >>>>>>>
> >>>>>>> www.owasp.org
> >>>>>>>
> >>>>>>> Skype:  Kate.hartmann1
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Global_conference_committee mailing list
> >>>>>>> Global_conference_committee at lists.owasp.org
> >>>>>>>
> >>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Administrator for
> >>>>>> OWASP Global Conference Committee
> >>>>>> OWASP Global Chapter Committee
> >>>>>>
> >>>>>> Dir: 312-869-2779
> >>>>>> skype: sarah.baso
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Owasp-board mailing list
> >>>>>> Owasp-board at lists.owasp.org
> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Administrator for
> >>>>> OWASP Global Conference Committee
> >>>>> OWASP Global Chapter Committee
> >>>>>
> >>>>> Dir: 312-869-2779
> >>>>> skype: sarah.baso
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Mark Bristow
> >>>> (703) 596-5175
> >>>> mark.bristow at owasp.org
> >>>>
> >>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> >>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> >>>> AppSec DC Organizer - https://www.appsecdc.org
> >>>
> >>>
> >>>
> >>> --
> >>> Tin Zaw, CISSP, CSSLP
> >>> Chapter Leader and President, OWASP Los Angeles Chapter
> >>> Chair, OWASP Global Chapter Committee
> >>> Google Voice: (213) 973-9295
> >>> LinkedIn: http://www.linkedin.com/in/tinzaw
> >>
> >>
> >>
> >> --
> >> Mark Bristow
> >> (703) 596-5175
> >> mark.bristow at owasp.org
> >>
> >> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> >> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> >> AppSec DC Organizer - https://www.appsecdc.org
> >
> >
> >
> > --
> > Tin Zaw, CISSP, CSSLP
> > Chapter Leader and President, OWASP Los Angeles Chapter
> > Chair, OWASP Global Chapter Committee
> > Google Voice: (213) 973-9295
> > LinkedIn: http://www.linkedin.com/in/tinzaw
>
>


-- 
Administrator for
OWASP Global Conference Committee
OWASP Global Chapter Committee

Dir: 312-869-2779
skype: sarah.baso