[Owasp-board] Vote Request - OWASP Participation at RSA

Fabio Cerullo fcerullo at owasp.org
Tue Jan 7 14:23:54 UTC 2014


Hey guys

Apologies for the silence in the last couple of days. It took me a while to
read the whole thread and review external sources as well while on the
road.

As Eoin's just stated below, we need to take an 'in or out' decision.

Cancelling the contract but maybe delivering training is not an option.

To his question "*Are we to support RSAC this year given the allegations?*"

I would personally vote YES. My reasoning is as follows:

- There is no concrete evidence about the allegations of a payout.
- RSA is firmly refuting any accusations.
- I still believe in the premise: "Innocent until proven guilty"

I'm also monitoring the poll created by Simon to get a feel of the
Community and there is no clear distinction between one opinion or the
other. If the Community strongly believes we should pull out, and as a
matter of principles, I might be inclined to change my decision and vote NO
instead. But for the time being, my decision stands to go ahead as planned.

In any case, if we (OWASP) are dropping our support and making an official
statement about 'weakening crypto in products is bad' I would highly
recommend for this document to be reviewed by a solicitor or qualified
professional before making it public. I don't feel it is OWASP's position to
accuse companies of any wrongdoings based on news articles or blog posts.

Regards
Fabio




On Tuesday, January 7, 2014, Eoin wrote:

> I am not voting but the topic that is up for vote is wrong in my opinion.
>
> Some media, people in general will see OWASP participation in RSA as
> negative, hence the debate.
> Cancelling a contract does not really cut it. It's "window dressing."
>
> Either we (OWASP) are engaging with RSAC or not, it's that simple.
>
> Delivering anything at RSAC shall be interpreted as a sign of support,
> this is the root cause of the debate: *Are we to support RSAC this year
> given the allegations?* (contract is circumstantial).
>
>
>
>
> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
>
>  My vote is: Yes. OWASP shall terminate the co-marketing agreement with
> RSA for RSA 2014.
>
> My reasons are:
>
>  1. community feedback and discussion (there seems to be a significant
> part of the community concerned about this) Note: I would have loved to see
> an OWASP community poll on this before making this decision to get a better
> feel for the wishes of our community, but acknowledge Michael's request
> that we need to decide this urgently.
>
>  2. we have an alternative (as outlined in Sarah's email, BSides) that
> can fulfil the goal equally.
>
>  3. I understand that there is a lot of uncertainty about RSA's level of
> involvement. And I don't feel in a position to make a final judgement about
> this. And as often with secrecy, we possibly never will be.
> But in this case we don't have to have final judgement. The co-marketing
> agreement is quite extensive and could be seen as active endorsement. To
> follow such an agreement we would need to have a very high level of
> confidence and trust in the other party. So already a reasonable shadow of
> doubt is sufficient grounds, to distance OWASP in this case from a very
> active co-marketing agreement with the company RSA, to avoid being
> interpreted as an active endorsement of a commercial entity currently under
> review. And we should abstain from actively endorsing RSA for the time
> being, until all facts of the case have been properly examined (note: not
> by us, as we are not an investigative body).
>
> In addition to that:
> I propose that OWASP should prepare and release a press release or public
> statement that OWASP thinks weakening or undermining crypto is a really bad
> idea. (I will be happy to assist with the preparation of the text.) This
> press release shall advocate our general OWASP principles and shall _not_
> mention RSA, the RSA conference or any other company by name. (personal
> note: btw. RSA should have no problem with such a press release, as they
> officially deny any such activities...)
>
> All the best, Tobias
>
>
> Tobias Gondrom
> Owasp Global Board
>
>
>
>
>
>
> On 06/01/14 23:51, Michael Coates wrote:
>
>   "OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> This may place our training at risk, but if permitted we will still
> provide the free training at RSA and the OWASP speaking slot."
>
>  Michael - Yes
> Tom -
> Tobias -
> Fabio -
> Josh - Yes
>  Jim - abstain
>  Eoin - abstain
>
>
>
>
>
> --
> Michael Coates
>
>
>
>
> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>  Same here, I can't vote, I believe as the class delivery and material is
> mine and it would be a conflict.
> I would be a "no" if I could.
>
>  Not sure why participation in an event requires a vote given other
> events did not require such....
>
>  My view is based on
>
>  1.
>
> --
> Eoin Keary
> OWASP Member
> https://twitter.com/EoinKeary
>
>