[Owasp-board] [Owasp-leaders] Vendor Neutrality

Seba seba at owasp.org
Sun Feb 24 06:57:43 UTC 2013

please keep the red tape to a minimum
I am all for openess and vendor neutrality, but don't put in place too much
regulation & policies if not required.
Better to put this time & energy in the projects/community.


On Sat, Feb 23, 2013 at 7:57 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I agree 100% with you and Tom on this
> - we need to convert this into a real policy. I'm working on draft 1
> of a more prescriptive policy around brand use and vendor relations.
> On it.
> Now, besides that future policy there is the law of being a 501c3
> board member in the US, which is always going to be there regardless
> of our policy. Read more on that below. It's a good read and stands
> true regardless of our policy.
> One thing that is very clear in the law is the fiduciary
> responsibility of a non profit board. When a board member acts towards
> our volunteer membership in a way is harmful, especially in a way that
> financially benefits that board member, this is in #1 core violation
> of a non profit board member that can get that member legally removed
> from the board.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 23, 2013, at 2:44 AM, Eoin <eoin.keary at owasp.org> wrote:
> > Jim, the majority of what you are saying is agreeable. We need to put
> much of the below conditions of board membership in the appropriate ethical
> documents which are part of the definition, roles and responsibilities of
> leader and board membership.
> >
> >
> >
> > Eoin Keary
> >
> > Owasp Global Board
> >
> > +353 87 977 2988
> >
> >
> > On 23 Feb 2013, at 04:53, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> Thank you for speaking out, Josh.
> >>
> >> Switching to the board list. Here is a great ethics resource to
> consider as board members. To your point, Tom, the takeaway on vendor
> neutrality here is: "Institute a system of checks and balances to
> circumvent actual or potential conflict of interest, beginning with well
> defined operating policies on all matters that might lead to conflict."
> >>
> >> http://www.boardsource.org/Knowledge.asp?ID=3.389
> >>
> >> Q&As
> >> How does a nonprofit safeguard against organizational conflict of
> interest?
> >> When the personal or professional concerns of a board member or a staff
> member affect his or her ability to put the welfare of the organization
> before personal benefit, conflict of interest exists. Nonprofit board
> members are likely to be affiliated with many organizations in their
> communities, both on a professional and a personal basis, so it is not
> unusual for actual or potential conflict of interest to arise.
> >>
> >> Why must we be concerned about conflict of interest?
> >> Board service in the nonprofit sector carries with it important ethical
> obligations. Nonprofits serve the broad public good, and when board members
> fail to exercise reasonable care in their oversight of the organization
> they are not living up to their public trust. In addition, board members
> have a legal responsibility to assure the prudent management of an
> organization's resources. In fact, they may be held liable for the
> organization's actions. A 1974 court decision known as the "Sibley Hospital
> case" set a precedent by confirming that board members can be held legally
> liable for conflict of interest because it constitutes a breach of their
> fiduciary responsibility.
> >>
> >> Does conflict of interest involve only financial accountability?
> >> No. Conflict of interest relates broadly to ethical behavior, which
> includes not just legal issues but considerations in every aspect of
> governance. A statement by Independent Sector describes three levels of
> ethical behavior: obeying the law; decisions where the right action is
> clear, but one is tempted to take a different course; and decisions that
> require a choice among competing options.
> >>
> >> The third level of behavior can pose especially difficult ethical
> dilemmas for nonprofit board members.
> >>
> >> What can we do to prevent conflict-of-interest situations?
> >> Self monitoring is the best preventative measure. Institute a system of
> checks and balances to circumvent actual or potential conflict of interest,
> beginning with well defined operating policies on all matters that might
> lead to conflict. Most important, create a carefully written
> conflict-of-interest policy based on the needs and circumstances of the
> organization. Ask each board and staff member to agree in writing to uphold
> the policy. A conflict of interest policy should be reviewed regularly as
> part of board self assessment.
> >>
> >> What should be included in a conflict-of-interest policy?
> >> A policy on conflict of interest has three essential elements:
> >>
> >> Board members and staff members in decision-making roles should make
> known their connections with groups doing business with the organization.
> This information should be provided annually.
> >> Board members who have an actual or potential conflict of interest
> should not participate in discussions or vote on matters affecting
> transactions between the organization and the other group.
> >> Staff members who have an actual or potential conflict should not be
> substantively involved in decision-making affecting such transactions.
> >> For a sample conflict of interest policy and disclosure form, see the
> BoardSource book, Managing Conflicts of Interest
> >>
> >> What are some examples of actual and potential conflict of interest?
> >> Organization policy requires competitive bidding on purchases of more
> than $1,000, but a printing firm owned by a board member's spouse receives
> the $25,000 contract for the annual report and no other bids are solicited.
> >> A board member serves on two boards in the community and finds himself
> in the position of approaching the same donors on behalf of both
> organizations.
> >> A staff member receives an honorarium for conducting a workshop for
> another group in the organization's field of interest.
> >> Should an organization contract with a board member for professional
> services, such as legal counsel or accounting?
> >> Attorneys, accountants, and other professionals can contribute valuable
> expertise to a board. Due to the potential for conflict of interest, their
> contributions should be voluntary. At the very least, a board member who is
> associated with a firm competing for a contract should abstain from
> discussion and voting in the selection process. If a competitive bidding
> process results in the selection of that board member's firm, he or she
> should disclose the affiliation and abstain from voting on future board
> actions connected with that firm's contract with the organization.
> >>
> >> References
> >> Daniel L. Kurtz and Sarah E. Paul, Managing Conflicts of Interest: A
> Primer for Nonprofit Boards (BoardSource 2006).
> >>
> >>> I guess I'm late to the party, but figured I'd chime in here as well.
> >>> While it can sometimes be uncomfortable when naming specific names in
> group
> >>> settings, it's these specific topics that enable us to define, as an
> >>> organization, what is and is not appropriate.  I, personally, applaud
> Jim
> >>> for bringing this issue to the attention of the leaders.  If we truly
> are
> >>> an "Open" organization as we say we are, then we should have no
> problems
> >>> with our activities being under the microscope.  Frankly, we should
> always
> >>> be acting as though our actions are under the scrutiny of others.  In
> this
> >>> case, I think we can all agree that this communication probably could
> have
> >>> been worded differently to show an OWASP event from the mouth of an
> >>> leader, but I see no intentional abuse in this.  It was a mistake.  One
> >>> which, now that it has been brought to light, we can all learn from
> and aim
> >>> to do better next time.
> >>>
> >>> I've witnessed far more flagrant abuses since my involvement with
> >>> For example, we made the mistake for LASCON 2011 to have an open
> speaker
> >>> selection process.  It was supposed to allow members to have a voice
> in the
> >>> topics selected.  It turns out that one company sent four people to
> that
> >>> meeting in an attempt to sway the results in their favor.  This was a
> >>> blatant abuse by a vendor and was disheartening to say the least.  We
> >>> learned our lesson and created an impartial selection committee
> separate
> >>> from our planning team for AppSec USA 2012.
> >>>
> >>> Speaking of AppSec USA 2012, after making our CFT selections by
> committee
> >>> and being very confident in our selections, our team was approached by
> a
> >>> well-known member and participant in our community upset that his
> company's
> >>> training was not selected.  He stated that his company had a
> long-running
> >>> trend of trainings at AppSec and he thought they should have been
> >>> selected.  They had submitted what was effectively the same training as
> >>> another company and our committee decided on the other.  The fact that
> >>> there was some expectation that he would be selected because of his
> high
> >>> level involvement with OWASP or his company's sponsorship of OWASP
> >>> activities really rubbed me wrong because of this topic of vendor
> >>> neutrality.
> >>>
> >>> I think that we can all agree that vendor neutrality is one of the key
> >>> things that makes OWASP what it is.  It's even highlighted in bold
> text on
> >>> the front page of owasp.org:
> >>>
> >>> OWASP *does not endorse or recommend commercial products or services*,
> >>>> allowing our community to remain vendor neutral with the collective
> wisdom
> >>>> of the best minds in software security worldwide.
> >>>
> >>> I don't think any of us can be so naive as to think that some people
> and/or
> >>> companies won't or don't use OWASP for personal gain.  For many, OWASP
> is a
> >>> means to some end and I'm generally OK with that if the relationship is
> >>> still mutually beneficial.  I think that Eric Sheridan said it well.
> >>> "People need the ability to promote themselves or their company to some
> >>> extent, as long as it is not "blatant abuse" of the brand which needs
> to be
> >>> defined if not done so already."  To me, this says that the Leaders
> and the
> >>> Board need to keep a watchful eye on what we all say and do to
> represent
> >>> the organization.  We should never be afraid to call someone (or a
> company)
> >>> out for their actions just as we should always give them the
> opportunity to
> >>> justify them.  With a community as small as ours, it's sometimes
> difficult
> >>> to do this knowing that its often a friend or respected peer that
> you're
> >>> calling out, but if we remain silent, then the abuses will continue.
>  Thank
> >>> you Jim for breaking the silence and bringing this to our attention.
>  Thank
> >>> you Tom for being thick-skinned enough to stand the scrutiny and
> explaining
> >>> the situation in a rational fashion.  And especially thank you leaders
> for
> >>> chiming in and voicing your opinions on this matter.  I'd encourage
> more
> >>> discussions like these as they eventually lead us toward positive
> change.
> >>> I just wish they could happen on a better suited forum like
> >>> http://my.owasp.org.  Just sayin'.  ;-)
> >>>
> >>> ~josh
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20130224/5b867062/attachment.html>

More information about the Owasp-board mailing list