[Owasp-board] [Owasp-leaders] OWASP Board decision that I don't agree with

Jim Manico jim.manico at owasp.org
Sun Jan 5 08:45:41 UTC 2014

By the way everyone, RSA completely denies these allegations.

…“we also categorically state that we have never entered into any contract
or engaged in any project with the intention of weakening RSA’s products,
or introducing potential ‘backdoors’ into our products for anyone’s use.” -

It’s tough to know who to trust these days, but I do want to put RSA’s
official comment on the table for consideration.


- Jim

*From:* Josh Sokol [mailto:josh.sokol at owasp.org]
*Sent:* Saturday, January 04, 2014 5:04 PM
*To:* Eoin Keary
*Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant Johar
(EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
*Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision that I
don't agree with

My apologies for the delay in responding to this.  I've been on the road all
day today and will be slow to respond tomorrow as well.

First off, let me admit that while my term hadn't officially begun yet, I
am one of the Board members who encouraged Jim and Eoin to move forward
with the training.  My rationale for this was simple; OWASP's mission is to
make software security visible, so that individuals and organizations
worldwide can make informed decisions about true software security risks.
The core of this statement being VISIBILITY.  We need to find and take
advantage of as many ways as possible to raise the visibility of security
risks.  Our mission says nothing about making political statements.  It
says nothing about ethical business practices.  Our mission can certainly
be amended to reflect other imperatives, if so desired by our membership,
but until that day we need to prevent mission scope creep.

Now, since our mission is making software security visible, we simply have
to ask ourselves if we better serve this mission by:

1) Performing a free training at a major conference, thereby increasing our
exposure to people who haven't heard of OWASP before and enlightening them
to software security risks that they likely were not aware of before.

2) Taking a stance against a company where some evidence may imply that
they took a bribe to sacrifice security in one of their products.

Let me be clear on #2.  I don't agree that what RSA did is right, if it is
true.  In fact, I have made the explicit decision to not do business with
RSA in my day job because there are many other options out there and it's
just not worth the risk.  But my passive decision to not purchase from RSA
is very different than OWASP reneging on our agreement and making a public
statement about their ethics.

So, given these two options, my gut is that OWASP's mission will be best
served by #1.  It doesn't mean that we're supporting RSA.  It doesn't mean
that we agree with unethical business practices.  It just means that we are
doing the best we can to make application security visible.  If that means
piggy-backing on the massive marketing effort they put into the conference
or the infrastructure that supports it, I'm ok with that.  I understand
that others may object to this on ethical grounds, and that's fine, but as
a non-profit organization, we have a mandate to stay true to our mission,
not to speak out against whatever the latest security headline is.

I do have one question about this training for clarification.  The training
is FREE for anyone who would like to attend and not just for RSA attendees,
correct?  My assumption is the former, but if the latter, this changes
things significantly in my opinion.


On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

Good point.
Bottom line is we want people to build secure code. Delivering this message
under the same roof as RSA does not dilute the quality of the class
There is no black and white, only shades of grey :)

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:

> Another issue that is tangential.
> We are applying for several big money DHS grants. These help keep the
> foundation running.
> Should we reject all of these grants because of the Snowden affair? If we
> abort RSA but continue to take DHS money, then we send a mixed message.
> Aloha,
> Jim
>> I strongly support Sastry on this one.
>> You might be participating as individuals, but people see you guys as
>> the OWASP Board, and that's something that many of us don't like to be the
>> image of OWASP.
>> Thanks
>> -Abbas
>> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> To be clear, there was no recorded vote on this but a debate.
>>> I started the debate after reading about Mikko. (Even though I was
>>> delivering the training with Jim and it is my material).
>>> The majority of the board of OWASP feels getting involved in politics is
>>> wrong and wanted to push ahead with the training.
>>> So if feelings are strong we need to vote on this ASAP? as leaders of
>>> OWASP. A formal board vote? Executive decision from Sarah, our executive
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
>>>> Friends,
>>>> Please see the following full conversation on twitter:
>>>> https://twitter.com/EoinKeary/status/419111748424454145
>>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board, is also said
>>>> to be present. Apparently, this was discussed at the OWASP board level; and
>>>> the board has decided to go ahead, keeping in mind the benefit to the
>>>> attending developers.
>>>> As you are aware, RSA is strongly suspected (we'll never be 100% sure,
>>>> I'm afraid) of being complicit with the NSA in enabling fatal weakening of
>>>> crypto products. RSA has issued a sort of a denial that only deepens the
>>>> mistrust. As a protest, many leading speakers are cancelling their talks at
>>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>>>> Jeffrey Carr and Josh Thomas.
>>>> At such a time, I am saddened by the OWASP board decision to support
>>>> RSAC by their presence. At a time when they had the opportunity to let the
>>>> world know how much they care for the Information Security profession
>>>> (esp., against weakening crypto); and how much they care about the privacy
>>>> of people (against the NSA's unabashed spying on Americans & non-Americans
>>>> alike), the board has copped out using a flimsy rationalization ("benefit
>>>> of (a few) developers", many of whom would rethink their attendance had
>>>> OWASP and more organizations not blinked!).
>>>> I'm sure there was a heated debate. I'm sure all angles were
>>>> considered. However, this goes too deep for me to take it as "better men
>>>> than me have considered and decided". As a matter of my personal values, if
>>>> the situation doesn't change, I would no longer wish to continue as the
>>>> OWASP Chapter Lead. Please let me know if any of you would like to take
>>>> over from me.
>>>> I will also share my feelings with fellow chapter members at our next
>>>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>>>> remain committed to the principles of our open and open-source infosec
>>>> Best regards,
>>>> ==Sas3==