[Owasp-board] [Owasp-leaders] OWASP Board decision that I don't agree with
Tobias
tobias.gondrom at owasp.org
Sun Jan 5 12:08:06 UTC 2014
Hi Simon,
just to clarify on one of your assumptions in your email, as I learned
this info on the board mailing-list last night, correcting my initial
(wrong) assumption that everyone would be attending RSA just as
"individual volunteers":
- RSA approached OWASP asking whether we (OWASP) would deliver a free
training/awareness session.
- All contractual agreements were signed by OWASP and not by us as
individuals. -> OWASP training.
http://lists.owasp.org/pipermail/owasp-board/2014-January/012845.html
- "we are delivering the training as OWASP."
"OWASP was approached by RSA."
http://lists.owasp.org/pipermail/owasp-board/2014-January/012823.html
- "this is a RSA association slot. The whole point is to officially
represent OWASP at RSA...."
http://lists.owasp.org/pipermail/owasp-board/2014-January/012848.html
- this is as "formal reps of OWASP for this event."
http://lists.owasp.org/pipermail/owasp-board/2014-January/012859.html
Not sure whether that would be relevant for any of your comments?
All the best, Tobias
Ps.: regarding your remark about whether "OWASP is financially
sponsoring an event": as a board member, I have initiated a request for
info with Sarah to clarify the extent of OWASP's financial arrangements
for RSA.
On 05/01/14 11:05, psiinon wrote:
> Here's my take on this:
>
> OWASP _should_ get involved in politics - that's where the big
> decisions are made. Organizations like OWASP can have a much greater
> impact than a set of 'concerned individuals'.
>
> OWASP should _not_ 'ban' volunteers from presenting / training etc at
> any event unless it is clearly at odds with the OWASP mission, eg a
> 'cracker' event.
>
> Volunteers presenting / training at an event does not indicate that
> OWASP as an organization supports the past (alleged) actions of the
> event organizers. OWASP financially sponsoring an event would be a
> different matter.
>
> The fact that the volunteers we are discussing are board members is
> irrelevant - we all represent OWASP when we appear under the OWASP banner.
>
> I don't think this is a clear cut case (as can be seen by the opposing
> views on this thread), and so the decision should be made by those
> individuals.
>
> I have no problem with people attempting to sway these individuals
> either way on this thread, but I'm confident they will make the right
> decision for them and I don't think that will reflect badly on OWASP
> the organization whichever way they choose.
>
> Feel free to disagree with any of those opinions ;)
>
> Simon
>
>
> On Sun, Jan 5, 2014 at 8:51 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
> Josh,
>
> This training is for RSA Badge types: "Full Conference, Explorer
> Expo, Explorer Expo Plus, Exhibitor, Press, Speaker".
>
> The minimum someone would have to pay to attend this is $75 right
> now, other than press and other speakers, who get in for free.
>
> - Jim
>
> *From:*Josh Sokol [mailto:josh.sokol at owasp.org]
> *Sent:* Saturday, January 04, 2014 5:04 PM
> *To:* Eoin Keary
> *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant
> Johar (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP
> Leaders
> *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision
> that I don't agree with
>
> My apologies for the delay in responding to this. I've been on the
> road all day today and will be slow to respond tomorrow as well.
>
> First off, let me admit that while my term hadn't officially begun
> yet, I am one of the Board members who encouraged Jim and Eoin to
> move forward with the training. My rationale for this was simple;
> OWASP's mission is to make software security visible, so that
> individuals and organizations worldwide can make informed
> decisions about true software security risks. The core of this
> statement being VISIBILITY. We need to find and take advantage of
> as many ways as possible to raise the visibility of security
> risks. Our mission says nothing about making political
> statements. It says nothing about ethical business practices.
> Our mission can certainly be amended to reflect other imperatives,
> if so desired by our membership, but until that day we need to
> prevent mission scope creep.
>
> Now, since our mission is making software security visible, we
> simply have to ask ourselves if we better serve this mission by:
>
> 1) Performing a free training at a major conference, thereby
> increasing our exposure to people who haven't heard of OWASP
> before and enlightening them to software security risks that they
> likely were not aware of before.
>
> 2) Taking a stance against a company where some evidence may imply
> that they took a bribe to sacrifice security in one of their products.
>
> Let me be clear on #2. I don't agree that what RSA did is right,
> if it is true. In fact, I have made the explicit decision to not
> do business with RSA in my day job because there are many other
> options out there and it's just not worth the risk. But my
> passive decision to not purchase from RSA is very different than
> OWASP reneging on our agreement and making a public statement
> about their ethics.
>
> So, given these two options, my gut is that OWASP's mission will
> be best served by #1. It doesn't mean that we're supporting RSA.
> It doesn't mean that we agree with unethical business practices.
> It just means that we are doing the best we can to make
> application security visible. If that means piggy-backing on the
> massive marketing effort they put into the conference or the
> infrastructure that supports it, I'm ok with that. I understand
> that others may object to this on ethical grounds, and that's
> fine, but as a non-profit organization, we have a mandate to stay
> true to our mission, not to speak out against whatever the latest
> security headline is.
>
> I do have one question about this training for clarification. The
> training is FREE for anyone who would like to attend and not just
> for RSA attendees, correct? My assumption is the former, but if
> the latter, this changes things significantly in my opinion.
>
> ~josh
>
> On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
> Good point.
> Bottom line is we want people to build secure code. Delivering
> this message under the same roof as RSA does not dilute the
> quality of the class delivered.
> There is no black and white, only shades of grey :)
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>
> > Another issue that is tangential.
> >
> > We are applying for several big money DHS grants. These help
> keep the foundation running.
> >
> > Should we reject all of these grants because of the Snowden
> affair? If we abort RSA but continue to take DHS money, then
> we send a mixed message.
> >
> > Aloha,
> > Jim
> >
> >> I strongly support Sastry on this one.
> >>
> >> You might be participating as individuals, but people see
> you guys as the OWASP Board, and that's something that many of
> us don't like to be the image of OWASP.
> >>
> >> Thanks
> >> -Abbas
> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>
> >>> To be clear, there was no recorded vote on this but a debate.
> >>>
> >>> I started the debate after reading about Mikko. (Even
> though I was delivering the training with Jim and it is my
> material).
> >>>
> >>> The majority of board of OWASP feels getting involved in
> politics is wrong and wanted to push ahead with the training.
> >>>
> >>> So if feelings are strong we need to vote on this ASAP? as
> leaders of OWASP. A formal board vote? Executive decision from
> Sarah, our executive director.
> >>>
> >>>
> >>>
> >>> Eoin Keary
> >>> Owasp Global Board
> >>> +353 87 977 2988
> >>>
> >>>
> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
> wrote:
> >>>
> >>>> Friends,
> >>>>
> >>>> Please see the following full conversation on twitter:
> >>>> https://twitter.com/EoinKeary/status/419111748424454145
> >>>>
> >>>> Eoin Keary and Jim Manico (both OWASP board members) will
> be presenting/conducting 4 hrs of free-of-cost AppSec training
> at the RSA Conference, 2014. Michael Coates, Chairman of the
> OWASP Board is also said to be present. Apparently, this was
> discussed at the OWASP board level; and the board has decided
> to go ahead, keeping in mind the benefit to the attending
> developers.
> >>>>
> >>>> As you are aware, RSA is strongly suspected (we'll never
> be 100% sure, I'm afraid) of being complicit with NSA in
> enabling fatal weakening of crypto products. RSA has issued a
> sort of a denial that only deepens the mistrust. As a protest,
> many leading speakers are cancelling their talks at the
> upcoming RSAC 2014. Among them are (to my knowledge) Mikko
> Hypponen, Jeffrey Carr and Josh Thomas.
> >>>>
> >>>> At such a time, I am saddened by the OWASP board decision
> to support RSAC by their presence. At a time when they had the
> opportunity to let the world know how much they care for the
> Information Security profession (esp., against weakening
> crypto); and how much they care about the privacy of people
> (against NSA's unabashed spying on Americans & non-Americans
alike), the board has copped out using a flimsy
rationalization ("benefit of (a few) developers", many of whom
would rethink their attendance if OWASP and more
organizations didn't blink!).
> >>>>
> >>>> I'm sure there was a heated debate. I'm sure all angles
> were considered. However, this goes too deep for me to take it
> as "better men than me have considered and decided". As a
> matter of my personal values, if the situation doesn't change,
> I would no longer wish to continue as the OWASP Chapter Lead.
> Please let me know if any of you would like to take over from me.
> >>>>
> >>>> I will also share my feelings with fellow chapter members
> at our next chapter meeting on Jan 21st. Needless to say, no
> matter how things go, I remain committed to the principles of
> our open and open-source infosec community.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> ==Sas3==
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader