[Owasp-board] Member Nation Portal

Jim Manico jim.manico at owasp.org
Sat Dec 14 20:55:33 UTC 2013

Can we do a third party audit of this "custom salesforce module"? I am
certain we can rally a few volunteers to do this for free.

Jim Manico
(808) 652-3805

On Dec 14, 2013, at 11:49 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

I just learned from the vendor that:

100% of our application (back end and portals) are built on Salesforce who
guarantees their security and reliability (www.trust.salesforce.com).

Now I don’t know if that means they can’t introduce an XSS into their
portal that is exposed by Salesforce to the world, for example, but I
suspect it makes it less likely. And we already trust Salesforce today, so
at this point I would certainly think it’s ‘good enough’.


*From:* Eoin Keary [mailto:eoin.keary at owasp.org <eoin.keary at owasp.org>]
*Sent:* Saturday, December 14, 2013 1:06 PM
*To:* Dave Wichers
*Cc:* Sarah Baso; OWASP Foundation Board List
*Subject:* Re: [Owasp-board] Member Nation Portal

Ta Dave.

So can we answer the sec question??

Eoin Keary

Owasp Global Board

+353 87 977 2988

On 14 Dec 2013, at 17:55, "Dave Wichers" <dave.wichers at owasp.org> wrote:

I forgot to ask Fonteva (the vendor) about the security question (shame on
me). Sarah – can you ask them about that or have you already? Hope so….

All our users will be going through Salesforce to access to data they
provide. They don’t access Fonteva (Member Nation is the name of their
service) directly. So most of the security is provided by Salesforce, not
Fonteva, which is a significant mitigating factor. Like all
authentication/authorization is from Salesforce for example.

The cost savings are clearly spelled out in the referenced doc Sarah
forwarded the link to, and they are substantial:

Year 1


($20k Cvent, $7k regonline, $1k forms & surveys, $7k CFP, CFT & scheduling


+$21,789 year 1 added cost

Year 2



$23,900 (annual savings)/ +  $2,111(total savings recognized)

Year 3



$23,900 (annual savings)/ $26,011 (total savings recognized)

Year 4



$23,900 (annual savings)/ $49,911 (total savings recognized)

Year 5



$23,900 (annual savings)/$73,811 (total savings recognized)

I’m not worried about Fonteva going out of business. We’ve never pushed on
that point with any of our previous providers. They are a Salesforce
partner, and Salesforce wouldn’t enter into an arrangement with them if
they were seriously worried about that. Go read:
http://www.fonteva.com/company/about/.   They have 4000 customers already.
So they are a pretty big outfit.


*From:* owasp-board-bounces at lists.owasp.org [
mailto:owasp-board-bounces at lists.owasp.org<owasp-board-bounces at lists.owasp.org>]
*On Behalf Of *Eoin Keary
*Sent:* Saturday, December 14, 2013 4:43 AM
*To:* Sarah Baso
*Cc:* OWASP Foundation Board List
*Subject:* Re: [Owasp-board] Member Nation Portal


before i vote i need to understand.

Have they had a penetration test/Code review/ SDLC security etc etc.

Any evidence of security on the SaaS?

Would be rather ironic if they were hacked an our data was pasted all over
the web?

What are the tangible savings how much projected per year/ 3years?

If the company collapses what happens our data?

Eoin Keary

Owasp Global Board

+353 87 977 2988

On 13 Dec 2013, at 17:53, Sarah Baso <sarah.baso at owasp.org> wrote:

All -

Dave, Kate, and I had a call with our rep at Member Nation today and I also
have spent a bit of time on the financials. I have updated the proposal

Here are the key points of new information

   - The cost of all the systems that the new Member Nation Portal will be
   able to replace for us starting in 2014, is $35,000/year.  Note that some
   of those systems/costs are based on actual registrations so I have used
   past numbers and current projections to put together an estimate.
   - This "cost" does not include the staff time/costs in managing multiple
   registration systems, running ineffective reports, and other operational
   overhead.  I expect that this new system will be much better for our data
   management and staff time in managing (not to mention the benefits for the
   - The first year costs at the point are estimates ($45,000) and we are
   hoping to get that number down by handling some of our own data migration
   and customization.
   - On our call this morning, we learned that Salesforce has adjusted some
   of its pricing (and minimums), which will save us an additional $2600 on
   our annual fees (reducing them to $11,100)
   - *We should be able to break even with costs after 2 years and
   recognizing $26,000 in savings in year 3.*

Here are some answers to the other questions in this thread:


   - Yes supports internationalization - currency is based on merchant
   accounts and we will be able to accept payments in other currencies (which
   will settle into whatever accounts we have set up).
   - Languages - Salesforce translates into the following languages (built
   in): English, French, German, Italian, Japanese, Spanish, Swedish, Korean,
   Simplified Chinese, Traditional Chinese, and Thai

*Handling payments*

   - Payments will be handled through our same payment processors - chase
   payment tech and payflow pro. Member Nation itself is not accepting the

*Protection of data *

   - Data is held by Salesforce, I don't foresee issues with this.

*Because time is of the essence in making a decision on this and going
forward with the contract (we need to have a full 3 months to implement and
roll out, and need to plan for event registrations in 2014 as well as
memberships with the new membership model) - I am adding this for a vote on
Monday's board meeting.  This is included in the budget, but even if the
budget isn't finalized Monday it is critical for the operations team to
have a decision on this.*


On Thu, Dec 5, 2013 at 5:50 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:


I've checked the tool and indeed looks impressive. There are a few
questions that will appreciate your clarification:

- Does the platform support internationalisation? Eg. Would members in
Asia/Latin America be able to use it?

- Does it handle payments for conferences, memberships, etc? If so, is it
PCI-DSS certified to accept payments?

- Eoin's point about escrow... would it be possible to pay in monthly
installments? This could limit our liability if they go busted.

- Regarding the protection of our data... do they have an certications such
as ISO27001/SAS70?


On Thu, Dec 5, 2013 at 9:47 AM, Eoin <eoin.keary at owasp.org> wrote:

If there is no escrow...

Lets say we spend 40K and the service is terminated / company folds etc etc
do we have any protection?

Does the system have adequate protection of our data also? Security of our
data? SLA/availability, access to our data if they company folds.

These are common questions when outsourcing services to SaaS and COTS


On 5 December 2013 05:11, Seba <seba at owasp.org> wrote:


Kate showed me this in New York, and it seems a really good fit for owasp.
I fully support this proposal.


On 04 Dec 2013 22:00, "Sarah Baso" <sarah.baso at owasp.org> wrote:

Board members -

This came up briefly on Monday's budget call, but I wanted to provide some
additional operational details on the portal that the staff would like to
transition to in 2014.

Details are available here:


Additionally -  here is a short video demo put together by another
organization about the portal: http://www.youtube.com/watch?v=g7s5j-i9BUU

Info about Member Nation by Fonteva:

*Operational Notes:*

·         The transition to Member Nation is MUCH MORE than a new system
for membership and event registration, it is a community management
platform that will give us tools to assist with volunteer management and
recognition and a place for dynamic update of project and chapter related
data so we can gather metrics and run reports.  It will also be a one stop
shop for community members to manage all their information membership,
event, chapters, projects, volunteer and other ways they interact with

·         The critical points are that in order to implement as smooth a
transition as possible, we would like to have a 3 month roll out plan
(starting no later than January 1) to be completed by end of Q1 when our 2
year contract with cvent expires.  Additionally, I know there were some
points of frustration and lack of communication in the move from Regonline
to Cvent a couple year ago, so the more time we have to plan and work on
the roll out plan, the better.

·         The OWASP Staff will manage the set up of events and other
administration of the portal - and will receive training as part of our set
up costs. The portal does support various access controls and "roles" for
members of the community (i.e. chapter leader, project leader, event


There will be a one time set up cost of $45,689 and an ongoing annual
portal user fee of $13,500 - so a total of $59,189 for the first year. This
$13,5000 will significantly reduce our annual costs for other registration
and membership systems (estimated at $24856). And enable us to dramatically
decrease our fees over the next several years.

Please let me know any additional questions you have.


Sarah Baso


Executive Director

OWASP Foundation

sarah.baso at owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org

Eoin Keary
OWASP Member

Owasp-board mailing list
Owasp-board at lists.owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org


Executive Director

OWASP Foundation

sarah.baso at owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20131214/cf673d90/attachment-0001.html>

More information about the Owasp-board mailing list