[Owasp-board] OWASP & SecZone

Sarah Baso sarah.baso at owasp.org
Fri Dec 9 19:11:42 UTC 2011

*All - *
*Here is the follow up information abou**
t SecZone and the relationship between OWASP & SecZone. I have also cc'ed
Helen and Ivy so they can add anything or correct me if needed.

 In China, OWASP is not a stand-alone legal entity; nor is SecZone an OWASP
foundation subsidiary (LikeOWASP EU is).   Instead, a non-profit was formed
with the name Security Zone (SecZone), which acts as the legal entity to
organize things for OWASP and process OWASP finances in China.  That being
said, the organization of SecZone is not just OWASP - it is also an
organization that promotes and facilitates internet security research.  On
the bigger scope, OWASP China is "housed" inside SecZone. The main reason
for this is that an organization in China needs to be a registered legal
entity with the government.

Additionally, Ivy Zhang is a full time employee of SecZone who, from my
understanding, is paid to handle all things OWASP-related (OWASP China
chapters, projects, and conference).  So, they have a full time employee
dedicated primarily to OWASP.

To correct Tin's statement

"... there is OWASP China, an OWASP chapter, but does not hold a legal
entity in China. Its officers, such as Rip, Frank, Ivy, and volunteers, all
unpaid, also organized the event. I don't believe they signed any contract
on OWASP's behalf."

   - OWASP China is not a legal entity, but OWASP China is the org housed
   inside of SecZone. SecZone's intent is to handle all OWASP China finances,
   not just the conference.
   - OWASP China's officers - Rip, Frank, and others were not paid to
   organize the event. HOWEVER, Ivy Zhang (although she volunteered at the
   previous OWASP China Conference), is now a paid employee of SecZone and was
   paid to organize the conference (as part full-time position where she
   handles all things OWASP)

*Regarding the Conference Specifically:*

In the mind of the conference organizers, AppSec AsiaPac 2011 WAS a 100%
OWASP event. SecZone is listed as one of the supporters, just like other
sponsors and supporters (such as Frank's company).

Although, OWASP did not "hire" SecZone to handle AppSec AsiaPac 2011
finances, it did enter into a contract delegating authority to manage the
event and handle finances. As noted in my other email, SecZone did not
honor their responsibilities under the contract, nevertheless I think we
should help them out in covering the loss $5,500.

I don't know it it makes sense to go into the details of liability, but as
Tin pointed out, the event was organized by SecZone who would be on the
hook legally and financially for the event. We entered into a contract with
SecZone to act on our behalf and I do not know enough about international
law to know how that contract, given the breaches by SecZone, would stand
up.  I don't think we want to go down that road anyhow - the point is to
better protect ourselves going forward, right?

*Links to other information:*

   - Here is more information on the organization: http://www.seczone.org/
   - http://www.owasp.org.cn/ is the local OWASP page for OWASP China
   because they are not able to access the wiki (in early 2012 we will work on
   setting up a mirror for them to have access to wiki content)
   - From Ivy, I have attached the registration certification, tax
   registration, and Organization code certificate. Ivy has translated the
   registration certification as follows:

* Non-enterprise Unit Registration Certification
Issuing authority: Bureau of Civil Affairs in Shenzhen Municipal
Issuing Date: Dec 7th, 2010
Expiring Date: Dec 7th, 2014
Name: Shenzhen Open Source Internet Security Research Center(Translated
according to the Chinese*

*meaning. Its english name is Security Zone, shorted as** Seczone**.)
Address: Room 1912, CEC Information Building East,No.1 Xinwen Road,
Shenzhen,518034, PRC.
Legal representative: Zhenhua Wan(Rip Torn)
Registered capital: RMB 50,000
Unit in Charge:Shenzhen Science and Technology Association
Business Range: internet security research, implementing internet security
benchmark, making internet security standards in China.*

*About **SecZone** (English translation): Internet security research center
focused on cutting-edge Internet security technology research. Our mission
is to introduce, absorb, the purpose of innovation, constantly absorbing
domestic and foreign newest and most professional security technology, and
innovation applied to the various domestic industries, to promote domestic
Internet security technology.*

*Internet Security Research Centre for the industry's leading security
vendors and service providers to provide a neutral test security products
and solutions, businesses can securely over the Internet Research Center
analysis needs to choose their own products and solutions*

*Going forward:*

>From my perspective, if SecZone is a third party for handling OWASP money
in China, this isn't necessarily a problem, but we need get more
information about their operations and define this working relationship
(via contract). Also, there needs to be more financial transparency
(probably along the lines that I defined in the other email).

Ivy has told me that no membership fees have been collected by people
involved in OWASP China, but next year SecZone would like to start asking
for people who will pay for memberships (as we handle memberships here).
 However, they will need to process the memberships in China through
 SecZone and want to keep the money there.  Also, they have questions about
whether our liability insurance (or to what extent our insurance) applies
to them - in both the meeting and event contexts.

 Additionally, since Ivy is being paid to handle OWASP things in China,
maybe we can find a better way to integrate her with our operations team?
 She recently completed an application for the Chapters
while we certainly want to encourage her participate, if she is paid for
her involvement with OWASP (albeit by SecZone) should she be precluded from
being a voting committee member.  That is, should she be participating the
same way Kate, Kelly, Alison, and I would - listening, participating in
discussion, and letting the community pass the votes?


Sarah Baso

Administrator for
OWASP Global Conference Committee
OWASP Global Chapter Committee

Dir: 312-869-2779
skype: sarah.baso
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111209/f0ed2989/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ???????.jpg
Type: image/jpeg
Size: 396337 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111209/f0ed2989/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ????????.jpg
Type: image/jpeg
Size: 706899 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111209/f0ed2989/attachment-0005.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ??????(??)1.jpg.jpeg
Type: image/jpeg
Size: 597807 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111209/f0ed2989/attachment-0002.jpeg>

More information about the Owasp-board mailing list