[Owasp-board] Information about OWASP China & SecZone

Dan Cornell dan at denimgroup.com
Wed Nov 23 15:12:49 UTC 2011

You all may want to talk to Helen Gao as well (CC'd on this) if you haven't already.  She is active with the China AppSec conference and spearheaded a lot of the updates to the Membership model to make it useful in China.



From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Sarah Baso
Sent: Wednesday, November 23, 2011 8:31 AM
To: Kate Hartmann
Cc: OWASP Foundation Board List; kelly.santalucia at owasp.org; alison mcnamee
Subject: [Owasp-board] Information about OWASP China & SecZone

Kate -

Here is what I have learned about OWASP China and its "parent organization" SecZone.

In China, OWASP is not a stand-alone legal entity. Instead, a non-profit was formed with the name Security Zone (SecZone) to handle the OWASP finances. Additionally, Ivy Zhang is a full time employee of SecZone who, from my understanding, is paid to handle all things OWASP-related (OWASP China chapters, projects, and conference).  So, they have a full time employee dedicated to OWASP. That being said, the organization of SecZone is not just OWASP - it is also an organization that promotes and facilitates internet security research.

Here is more information on the organization:


From Ivy, I have attached the registration certification, tax registration, and Organization code certificate. Ivy has translated the registration certification as follows and I have asked for a translation of the other 2 documents.

Non-enterprise Unit Registration Certification
Issuing authority: Bureau of Civil Affairs in Shenzhen Municipal
Issuing Date: Dec 7th, 2010
Expiring Date: Dec 7th, 2014
Name: Shenzhen Open Source Internet Security Research Center (Translated according to the Chinese meaning. Its English name is Security Zone, shortened as Seczone.)
Address: Room 1912, CEC Information Building East, No.1 Xinwen Road, Shenzhen, 518034, PRC.
Legal representative: Zhenhua Wan (Rip Torn)
Registered capital: RMB 50,000
Unit in Charge: Shenzhen Science and Technology Association
Business Range: internet security research, implementing internet security benchmark, making internet security standards in China.
Business Range: internet security research, implementing internet security benchmark, making internet security standards in China.

About SecZone (English translation): Internet security research center focused on cutting-edge Internet security technology research. Our mission is to introduce, absorb, the purpose of innovation, constantly absorbing domestic and foreign newest and most professional security technology, and innovation applied to the various domestic industries, to promote domestic Internet security technology.
Internet Security Research Centre for the industry's leading security vendors and service providers to provide a neutral test security products and solutions, businesses can securely over the Internet Research Center analysis needs to choose their own products and solutions

From my perspective, if SecZone is a third party for handling money in China, this isn't necessarily a problem... but I think we need to investigate a bit more about the operation of things. Also, I think there should be more transparency about how they are running things.  Ivy said at the chapter leaders workshop that it is not possible for OWASP to become a legal entity in China, and while I am not necessarily disagreeing, I would like some insight into why this is.  Also, I think we should learn about SecZone and where their funding comes from.

Ivy has told me that no membership fees have been collected by people involved in OWASP China, but next year SecZone would like to start asking for people who will pay for memberships (as we handle memberships here).  However, they will need to process the memberships in China through SecZone and keep the money there.  Also, they have questions about whether our liability insurance (or to what extent our insurance) applies to them.  I know for purposes of the conference, we explicitly signed a contract with SecZone to handle finances:

Also, here are the documents I put together from the events in China earlier this month:
Report on AppSec Asia 2011 event:

Meeting minutes from Chapters Workshop: https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit?hl=en_US

I think we should consider some sort of legal agreement expressly stating what we (OWASP Foundation - US) are agreeing to and authorizing SecZone to handle on our behalf.  Additionally, if Ivy IS exclusively handling OWASP things in China, maybe we can find a better way to integrate her with our operations team?

Ivy, and the leaders of OWASP China also are considering how to structure their OWASP Chapter(s) within China.  Right now they exist as one big chapter consisting of mainland China (Hong Kong has its own chapter).  They would like to break this up into possibly 5 different cities, but are unsure on the best way to structure this... the two options seem to be:
1. Instead of 1 OWASP China-Mainland Chapter, we would have 5 smaller chapters such as OWASP Beijing Chapter, OWASP City 2 Chapter, etc.  These chapters would all exist in the same flat structure as the other OWASP Chapters throughout the world.
2. OWASP China - Mainland continues to exist as a country-wide "board" that oversees the smaller Chinese sub-chapters.  This is slightly more hierarchical and apparently is the structure used in India (and Brazil is also considering it).  The local chapters have leaders/boards and then a national level board would resolve disputes and make other decisions.

Right now, option #2 is the preference of OWASP China - but they are open to suggestion from us (or the Chapter Committee).

This is quite a bit of new information for me, and I expect for others as well. I am not sure what our next steps are but at a minimum, I think there is more information to be gathered to help us understand the full scope of relationships and how we can better work together with them.


Administrator for
OWASP Global Conference Committee
OWASP Global Chapter Committee

Dir: 312-869-2779
skype: sarah.baso
