[Owasp-board] [Vote Requested] Loss from AppSec Asia

Dave Wichers dave.wichers at owasp.org
Wed Dec 21 18:46:51 UTC 2011

Agree with Eoin. Yes to this year’s payment.


From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, December 21, 2011 12:31 PM
To: Michael Coates
Cc: OWASP Foundation Board List
Subject: Re: [Owasp-board] [Vote Requested] Loss from AppSec Asia


Pay back this time but limit liability going forward in the contractual sense, as we discussed.

On 21 Dec 2011, at 17:12, Michael Coates <michael.coates at owasp.org> wrote:

Board Vote requested to pay $5500 to cover a portion of the AppSec Asia losses. 



Further actions (not part of this vote) - We'll work with conference committee to shore up the contracts and avoid this situation in the future. An item to discuss in January's call.


Michael Coates


Begin forwarded message:

From: Michael Coates <michael.coates at owasp.org>

Date: December 15, 2011 6:08:25 PM PST

To: Sarah Baso <sarah.baso at owasp.org>

Cc: Kate Hartmann <kate.hartmann at owasp.org>, Tin Zaw <tin.zaw at owasp.org>, Mark Bristow <mark.bristow at owasp.org>, alison mcnamee <alison.shrader at owasp.org>, MattTesauro Tesauro <mtesauro at gmail.com>, OWASP Foundation Board List <owasp-board at lists.owasp.org>, Lucas Ferreira <lucas.ferreira at owasp.org>, global_conference_committee <global_conference_committee at lists.owasp.org>

Subject: Re: [Owasp-board] [Global_conference_committee] Loss from AppSec Asia




Thanks for this summary.  I've reread the threads on this issue and also Sarah's summary below.  


Here is where I am sitting on this issue:


- OWASP was made aware of this event and signed off on it as an official owasp event

- Per Lucas Ferreira's email (forwarded by Sarah on 12/7/11) OWASP did enter into a relationship with SecZone

- We had some controls in place to require visibility into expenses. These controls failed since we did not receive requested documentation

- The total loss is at $16,166.22 

-- DBAppSecurity will cover $4742

-- SecZone will cover $6,000

-- This leaves $5,500


I believe we should cover a share of this loss ($5500) and also look at the $5,500 as an investment in the China region.  We have tremendous growth opportunities in the AsiaPac region and hopefully we can help this OWASP region get on its feet for self funding events too.



Moving forward:

Mark suggested several items to refine our policies to help prevent future situations such as this.  Lucas as pointed out that we need to be more effective in reacting when our intermediate checkpoints are not being met.  In addition we should update our agreements to ensure caps are established and clear boundaries on who is controlling what aspects of the financial operations.


Sarah, you also outlined several action items in your email. I'd like to get those on the schedule so we can work to address each of those points to strengthen our ability to work with other organizations for future conferences.




Michael Coates


On Dec 9, 2011, at 9:50 AM, Sarah Baso wrote:

Michael -


I think there are 3 different "issues" being discussed in this thread. 


1. How can OWASP to limit its liability and ensure financial transparency when organizations other then the OWASP Foundation (US) and OWASP, Inc. (Europe) are handling event or chapter money?


As explained in Lucas's email (which I agree with): Event contract we entered into with SecZone defines the relationship between the parties as well as responsibilities.  That being said, there are a couple big "responsibilities" that SecZone had that they did not follow through on: providing monthly statements on the financials of the conference AND seeking authorization from the foundation before taking any actions that

may incur any expenses to the event.


"In short, I think the problem is not in defining rules. If the process had been followed, we would have better information and early warnings
about the problems, making it easier to manage. The problem we have is that we have been unable to enforce the process with conference
organizers. My feeling is that we need to rely less on trust and really require the organizers to follow the process define in the contract."


So action points for the committee:

*	Ensure that a detailed and comprehensive contract is signed by all 3rd parties handling event finances (anytime it is someone other than the OWASP Foundation in US and OWASP Inc in Europe) should include certain terms decided by the Board.

*	Better define and vet budgets and impose additional auditing requirements as event planning is in process. This includes:

           --> Require initial budgets as described for approvals

           --> Require events to report actual expenditures/revised budgets monthly

           --> Have all expenditures not within the original budget for that line item be approved by the GCC liaison (and updated on subsequent

                projections). I would recommend that expenditures over a certain dollar amount require a "second signer" who is aware        

                of current OWASP financial situation (committee chair, board member, Kate, etc.) 


Action points for the Board/Foundation


Adopt a template contract (or contract terms) to be used any time a 3rd party --someone other than the OWASP Foundation (US) and OWASP Inc. (Europe)-- is handling OWASP Funds. It should require the exact things we asked for in the agreement with SecZone:  providing monthly statements on the financials of the conference AND seeking authorization from the foundation before taking any actions that may incur any expenses to the event or chapter (that will be covered by the Foundation)


This contract can set a maximum out of pocket liability (set dollar amount) if the terms are not adhered to.  While I certainly don't want      anyone to be held personally liable for running a conference that results in a loss, when the Foundation is authorizing another entity to make expenditures (and decisions) on its behalf, we need to be pro-active in limiting our liability. They can either involve us in their decisions (by providing budget updates and getting authorization before spending), or take on complete responsibility for the financial liability.


One thing no one has mentioned (although it undoubtedly is a consideration): OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Anytime we (OWASP) is giving up control of how its funds are used, we also are supposing a level of trust that the funds will be spent appropriately. I think this trust is good to a certain extent, but people in China (or other areas of the world) may not have the same understanding of this Fiducuary Duty that we do, and they will not be held accountable as we will here in the US. Thus, the only financially responsible decision is for us to limit the amount of money we will will "reimburse" or "cover" when the expenses haven't been provided or pre-approved.

I am happy to work on putting a draft contract together based on the 3rd party contracts we have used in the past.


2. What is relationship between SecZone and OWASP - both OWASP China and the OWASP Foundation? 

I am going to follow up on this in a separate thread. It is important, but slightly tangential to the purpose of this thread. 


3. Event Specific: How do we handle this loss?

In this case, the OWASP Foundation should realize a $5,500 loss for this event (which is what the event organizers are asking for).  They are currently at a $16,166.22 loss, but Frank Fan's company (DBAppSecurity) still owes $4742 and SecZone has said they can cover about $6,000 of the loss. The leaves about $5,500 for us to cover. 


Seczone did not adhere to its financial responsibilities as outlined in our event contract with them. However, since they acted in good faith and we could have done a better job setting forth the repercussions for not adhering to the contract, I think it is fair for us to pay about $5500 or splitting the loss with Seczone.  This is a good chance for us to learn from our mistakes and understand what we can do differently to prevent this (or larger losses) from happening in the future.




Sarah Baso



Administrator for

OWASP Global Conference Committee

OWASP Global Chapter Committee 


Dir: 312-869-2779

skype: sarah.baso






On Wed, Dec 7, 2011 at 3:44 PM, Michael Coates <michael.coates at owasp.org> wrote:

>From the brief details I've gleaned here it sounds like everyone has been working for the common good. But we have some losses and need to appropriately handle them.  There are several moving parts.  Kate, Sarah, can one of yo

Owasp-board mailing list
Owasp-board at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20111221/b4fdddea/attachment-0001.html>

More information about the Owasp-board mailing list