[Owasp-board] Member Nation Portal

Michael Coates michael.coates at owasp.org
Sat Dec 14 22:18:01 UTC 2013


This all sounds very positive and I support. For third party vendor
security reviews we can request their standard information they will
provide when any customer asks. Note: it is generally a lengthy process to
get authorization to test. That will require specific testers, legal
contracts and liability statements and more. I've worked through many 3rd
party reviews while at mozilla.

It is good to know that the data is stored and protected within salesforce.
On Dec 14, 2013 2:49 PM, "Dave Wichers" <dave.wichers at owasp.org> wrote:

> I just learned from the vendor that:
>
>
>
> 100% of our application (back end and portals) are built on Salesforce who
> guarantees their security and reliability (www.trust.salesforce.com).
>
>
>
> Now I don’t know if that means they can’t introduce an XSS into their
> portal that is exposed by Salesforce to the world, for example, but I
> suspect it makes it less likely. And we already trust Salesforce today, so
> at this point I would certainly think it’s ‘good enough’.
>
>
>
> -Dave
>
>
>
>
>
> *From:* Eoin Keary [mailto:eoin.keary at owasp.org]
> *Sent:* Saturday, December 14, 2013 1:06 PM
> *To:* Dave Wichers
> *Cc:* Sarah Baso; OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] Member Nation Portal
>
>
>
> Ta Dave.
>
> So can we answer the sec question??
>
> Eoin Keary
>
> Owasp Global Board
>
> +353 87 977 2988
>
>
>
>
> On 14 Dec 2013, at 17:55, "Dave Wichers" <dave.wichers at owasp.org> wrote:
>
> I forgot to ask Fonteva (the vendor) about the security question (shame on
> me). Sarah – can you ask them about that or have you already? Hope so….
>
>
>
> All our users will be going through Salesforce to access to data they
> provide. They don’t access Fonteva (Member Nation is the name of their
> service) directly. So most of the security is provided by Salesforce, not
> Fonteva, which is a significant mitigating factor. Like all
> authentication/authorization is from Salesforce for example.
>
>
>
> The cost savings are clearly spelled out in the referenced doc Sarah
> forwarded the link to, and they are substantial:
>
>
> Year 1
>
> $35,000
>
> ($20k Cvent, $7k regonline, $1k forms & surveys, $7k CFP, CFT & scheduling
> software)
>
> $56789
>
> +$21,789 year 1 added cost
>
> Year 2
>
> $35,000
>
> $11,100
>
> $23,900 (annual savings)/ +  $2,111(total savings recognized)
>
> Year 3
>
> $35,000
>
> $11,100
>
> $23,900 (annual savings)/ $26,011 (total savings recognized)
>
> Year 4
>
> $35,000
>
> $11,100
>
> $23,900 (annual savings)/ $49,911 (total savings recognized)
>
> Year 5
>
> $35,000
>
> $11,100
>
> $23,900 (annual savings)/$73,811 (total savings recognized)
>
>
>
> I’m not worried about Fonteva going out of business. We’ve never pushed on
> that point with any of our previous providers. They are a Salesforce
> partner, and Salesforce wouldn’t enter into an arrangement with them if
> they were seriously worried about that. Go read:
> http://www.fonteva.com/company/about/.   They have 4000 customers
> already. So they are a pretty big outfit.
>
>
>
> -Dave
>
>
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [
> mailto:owasp-board-bounces at lists.owasp.org<owasp-board-bounces at lists.owasp.org>]
> *On Behalf Of *Eoin Keary
> *Sent:* Saturday, December 14, 2013 4:43 AM
> *To:* Sarah Baso
> *Cc:* OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] Member Nation Portal
>
>
>
> Hey,
>
> before i vote i need to understand.
>
>
>
> Have they had a penetration test/Code review/ SDLC security etc etc.
>
> Any evidence of security on the SaaS?
>
> Would be rather ironic if they were hacked an our data was pasted all over
> the web?
>
>
>
> What are the tangible savings how much projected per year/ 3years?
>
>
>
> If the company collapses what happens our data?
>
>
>
>
>
>
>
> Eoin Keary
>
> Owasp Global Board
>
> +353 87 977 2988
>
>
>
>
> On 13 Dec 2013, at 17:53, Sarah Baso <sarah.baso at owasp.org> wrote:
>
> All -
>
>
>
> Dave, Kate, and I had a call with our rep at Member Nation today and I
> also have spent a bit of time on the financials. I have updated the
> proposal here:
> https://docs.google.com/a/owasp.org/document/d/1yDTFCdmmZN3t732sqHTOFHMhQrXgUC46YbgDhGROcXM/edit
>
>
>
> Here are the key points of new information
>
>    - The cost of all the systems that the new Member Nation Portal will
>    be able to replace for us starting in 2014, is $35,000/year.  Note that
>    some of those systems/costs are based on actual registrations so I have
>    used past numbers and current projections to put together an estimate.
>    - This "cost" does not include the staff time/costs in managing
>    multiple registration systems, running ineffective reports, and other
>    operational overhead.  I expect that this new system will be much better
>    for our data management and staff time in managing (not to mention the
>    benefits for the community).
>    - The first year costs at the point are estimates ($45,000) and we are
>    hoping to get that number down by handling some of our own data migration
>    and customization.
>    - On our call this morning, we learned that Salesforce has adjusted
>    some of its pricing (and minimums), which will save us an additional $2600
>    on our annual fees (reducing them to $11,100)
>    - *We should be able to break even with costs after 2 years and
>    recognizing $26,000 in savings in year 3.*
>
>
>
> Here are some answers to the other questions in this thread:
>
>
>
> *Internationalization*
>
>    - Yes supports internationalization - currency is based on merchant
>    accounts and we will be able to accept payments in other currencies (which
>    will settle into whatever accounts we have set up).
>    - Languages - Salesforce translates into the following languages
>    (built in): English, French, German, Italian, Japanese, Spanish, Swedish,
>    Korean, Simplified Chinese, Traditional Chinese, and Thai
>
>
>
> *Handling payments*
>
>    - Payments will be handled through our same payment processors - chase
>    payment tech and payflow pro. Member Nation itself is not accepting the
>    money.
>
>
>
> *Protection of data *
>
>    - Data is held by Salesforce, I don't foresee issues with this.
>
>
>
> *Because time is of the essence in making a decision on this and going
> forward with the contract (we need to have a full 3 months to implement and
> roll out, and need to plan for event registrations in 2014 as well as
> memberships with the new membership model) - I am adding this for a vote on
> Monday's board meeting.  This is included in the budget, but even if the
> budget isn't finalized Monday it is critical for the operations team to
> have a decision on this.*
>
>
>
> *Sarah*
>
>
>
>
>
>
>
> On Thu, Dec 5, 2013 at 5:50 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
> Sarah,
>
>
>
> I've checked the tool and indeed looks impressive. There are a few
> questions that will appreciate your clarification:
>
>
>
> - Does the platform support internationalisation? Eg. Would members in
> Asia/Latin America be able to use it?
>
>
>
> - Does it handle payments for conferences, memberships, etc? If so, is it
> PCI-DSS certified to accept payments?
>
>
>
> - Eoin's point about escrow... would it be possible to pay in monthly
> installments? This could limit our liability if they go busted.
>
>
>
> - Regarding the protection of our data... do they have an certications
> such as ISO27001/SAS70?
>
>
>
> Thanks,
> Fabio
>
>
>
> On Thu, Dec 5, 2013 at 9:47 AM, Eoin <eoin.keary at owasp.org> wrote:
>
> If there is no escrow...
>
> Lets say we spend 40K and the service is terminated / company folds etc
> etc do we have any protection?
>
> Does the system have adequate protection of our data also? Security of our
> data? SLA/availability, access to our data if they company folds.
>
> These are common questions when outsourcing services to SaaS and COTS
> solutions.
>
>
>
> Eoin
>
>
>
>
>
>
>
> On 5 December 2013 05:11, Seba <seba at owasp.org> wrote:
>
> Hi
>
> Kate showed me this in New York, and it seems a really good fit for owasp.
> I fully support this proposal.
>
> Regards
> Seba
>
> On 04 Dec 2013 22:00, "Sarah Baso" <sarah.baso at owasp.org> wrote:
>
> Board members -
>
> This came up briefly on Monday's budget call, but I wanted to provide some
> additional operational details on the portal that the staff would like to
> transition to in 2014.
>
> Details are available here:
>
>
> https://docs.google.com/a/owasp.org/document/d/1yDTFCdmmZN3t732sqHTOFHMhQrXgUC46YbgDhGROcXM/edit
>
> Additionally -  here is a short video demo put together by another
> organization about the portal: http://www.youtube.com/watch?v=g7s5j-i9BUU
>
> Info about Member Nation by Fonteva:
> http://www.fonteva.com/products/membernation/
>
> *Operational Notes:*
>
> ·         The transition to Member Nation is MUCH MORE than a new system
> for membership and event registration, it is a community management
> platform that will give us tools to assist with volunteer management and
> recognition and a place for dynamic update of project and chapter related
> data so we can gather metrics and run reports.  It will also be a one stop
> shop for community members to manage all their information membership,
> event, chapters, projects, volunteer and other ways they interact with
> OWASP.
>
> ·         The critical points are that in order to implement as smooth a
> transition as possible, we would like to have a 3 month roll out plan
> (starting no later than January 1) to be completed by end of Q1 when our 2
> year contract with cvent expires.  Additionally, I know there were some
> points of frustration and lack of communication in the move from Regonline
> to Cvent a couple year ago, so the more time we have to plan and work on
> the roll out plan, the better.
>
> ·         The OWASP Staff will manage the set up of events and other
> administration of the portal - and will receive training as part of our set
> up costs. The portal does support various access controls and "roles" for
> members of the community (i.e. chapter leader, project leader, event
> planner).
>
> *Financial*
>
>
>
> There will be a one time set up cost of $45,689 and an ongoing annual
> portal user fee of $13,500 - so a total of $59,189 for the first year. This
> $13,5000 will significantly reduce our annual costs for other registration
> and membership systems (estimated at $24856). And enable us to
> dramatically decrease our fees over the next several years.
>
>
>
>
> Please let me know any additional questions you have.
>
>
>
>
> Regards,
>
> Sarah Baso
>
>
>
> --
>
> Executive Director
>
> OWASP Foundation
>
>
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
> --
> Eoin Keary
> OWASP Member
> https://twitter.com/EoinKeary
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
>
> --
>
> Executive Director
>
> OWASP Foundation
>
>
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20131214/77d90d99/attachment-0001.html>


More information about the Owasp-board mailing list