[Owasp-board] Vote Request - OWASP Participation at RSA (Update)

Michael Coates michael.coates at owasp.org
Tue Jan 7 20:06:18 UTC 2014


Tom,

Thanks for your thoughts. From point #1 I'll record your vote as NO to the
proposed vote.

For your and everyone's knowledge, your comment #2 is in line with the second
part of the proposed vote - which is to still provide the training if
possible.


-Michael


--
Michael Coates
@_mwc



On Tue, Jan 7, 2014 at 11:58 AM, Tom Brennan <tomb at owasp.org> wrote:

> 1) Should OWASP cancel the co-marketing agreement that will raise
> awareness for OWASP Foundation and our mission globally? =  NO do not
> cancel it.
>
> -- The greater good is awareness and the core purpose of the co-op.
> This is NOT a joint-partnership agreement rather a marketing
> relationship.
>
> 2) Should OWASP cancel or withdraw the speakers (Eoin/Jim) from
> delivery of a software security training at RSA and reimburse for
> travel/lodging that has the purpose of raising awareness of OWASP
> Foundation as well as awareness marketing of the OWASP Foundation
> brand = NO do not cancel it.
>
> -- The greater good is awareness and clarification from elected
> leadership in a public forum that "WE" do not approve of weak software
> security
>
> -- This material that is being provided is not an OWASP Project per
> se, hence it could better align with
> https://www.owasp.org/index.php/OWASP_Training as example but that is
> a different topic.
>
> -- BSides is not an alternative option; rather, delivery at that
> organization's event would be a ++ but don't confuse the issue.  We are
> "marketing" to the RSA attendees about OWASP; go to the BSides event
> and "market" OWASP to them also but don't cross streams.
>
> 3) "The Open Web Application Security Project (OWASP) is a 501(c)(3)
> worldwide not-for-profit charitable organization focused on improving
> the security of software"
>
> Should OWASP do a disclaimer in writing (on a slide #2) before
> delivery of the training that reinforces the mission = YES and make a
> clear statement that they represent OWASP to do exactly that and even
> put focus on the actual issue of why CRYPTO is HARD... Yes Again.
>
>
> http://arstechnica.com/security/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/
>
> 4) Spy agencies (foreign or domestic) focus on influencing, handling,
> subverting to gain an advantage -- if they did not do that they would
> not be a "spy agency".....    That is not the business of OWASP
> Foundation; our "business" is providing a platform for individuals,
> academia, corporations, governments and aliens equal access to the
> information at http://www.owasp.org that can be trusted.  That is all.
>
> Hope EVERYONE is looking at OWASP California
> (https://appseccalifornia.org)  and this type of "training" should be
> delivered there as well
>
> Flames to dev/null
>
> Questions #973-202-0122  -- see you in California!
>
> ## EOF
>
>
> On Tue, Jan 7, 2014 at 1:33 PM, Michael Coates <michael.coates at owasp.org> wrote:
> > Board,
> >
> > Here is the current status of the vote:
> >
> > Michael - Yes
> > Tom - No vote cast or opinion stated
> > Tobias - Yes
> > Fabio - clarification needed
> > Josh - Yes
> > Jim - abstain
> > Eoin - abstain
> >
> >
> >
> >
> >
> >
> > --
> > Michael Coates
> > @_mwc
> >
> >
> >
> > On Tue, Jan 7, 2014 at 8:32 AM, Michael Coates <michael.coates at owasp.org> wrote:
> >>
> >> Fabio,
> >>
> >> Thanks for your thoughts and reading through the thread of discussion.
> >>
> >> Can you clarify your position in regards to the proposed vote? In addition
> >> to whether or not OWASP provides the free training there is also the element
> >> of co-marketing with RSA. Sarah provided all the details here
> >> (http://lists.owasp.org/pipermail/owasp-board/2014-January/012876.html)
> >>
> >> The proposed vote is to cancel the co-marketing contract and, if possible,
> >> still provide the free training. This specifically means OWASP would be at
> >> RSA; however, we would not be engaging in any promotion of the event per the
> >> contract outlined in Sarah's email.
> >>
> >> Here is the exact wording proposed:
> >>
> >>
> >> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> >> This may place our training at risk, but if permitted we will still
> >> provide the free training at RSA and the OWASP speaking slot.
> >>
> >>
> >>
> >> Thanks,
> >> Michael
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tue, Jan 7, 2014 at 6:23 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
> >>>
> >>> Hey guys
> >>>
> >>> Apologies for the silence in the last couple of days. It took me a while
> >>> to read the whole thread and review external sources as well while on the
> >>> road.
> >>>
> >>> As Eoin's just stated below, we need to take an 'in or out' decision.
> >>>
> >>> Cancelling the contract but maybe delivering training is not an option.
> >>>
> >>> To his question "Are we to support RSAC this year given the allegations?"
> >>>
> >>> I would personally vote YES. My reasoning is as follows:
> >>>
> >>> - There is no concrete evidence about the allegations of a payout.
> >>> - RSA is firmly refuting any accusations.
> >>> - i still believe in the premise: "Innocent until proven guilty"
> >>>
> >>> I'm also monitoring the poll created by Simon to get a feel of the
> >>> Community and there is no clear distinction between one opinion or the
> >>> other. If the Community strongly believes we should pull out, and as a
> >>> matter of principles, I might be inclined to change my decision and vote NO
> >>> instead. But for the time being, my decision stands to go ahead as planned.
> >>>
> >>> In any case, if we (OWASP) are dropping our support and making an
> >>> official statement about 'weakening crypto in products is bad' I would highly
> >>> recommend for this document to be reviewed by a solicitor or qualified
> >>> professional before making it public. I don't feel it is OWASP's position to
> >>> accuse companies of any wrongdoings based on news articles or blog posts.
> >>>
> >>> Regards
> >>> Fabio
> >>>
> >>>
> >>>
> >>>
> >>> On Tuesday, January 7, 2014, Eoin wrote:
> >>>>
> >>>> I am not voting but the topic that is up for vote is wrong in my
> >>>> opinion.
> >>>>
> >>>> Some media, people in general will see OWASP participation in RSA as
> >>>> negative, hence the debate.
> >>>> Cancelling a contract does not really cut it. It's "window dressing."
> >>>>
> >>>> Either we (OWASP) are engaging with RSAC or not, it's that simple.
> >>>>
> >>>> Delivering anything at RSAC shall be interpreted as a sign of support;
> >>>> this is the root cause of the debate: Are we to support RSAC this year given
> >>>> the allegations? (contract is circumstantial).
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
> >>>>
> >>>> My vote is: Yes. OWASP shall terminate the co-marketing agreement with
> >>>> RSA for RSA 2014.
> >>>>
> >>>> My reasons are:
> >>>>
> >>>> 1. community feedback and discussion (there seems to be a significant
> >>>> part of the community concerned about this) Note: I would have loved to see
> >>>> an OWASP community poll on this before making this decision to get a better
> >>>> feel for the wishes of our community, but acknowledge Michael's request that
> >>>> we need to decide this urgently.
> >>>>
> >>>> 2. we have an alternative (as outlined in Sarah's email, BSides) that
> >>>> can fulfil the goal equally.
> >>>>
> >>>> 3. I understand that there is a lot of uncertainty about RSA's level of
> >>>> involvement. And I don't feel in a position to make a final judgement about
> >>>> this. And as often with secrecy, we possibly never will be.
> >>>> But in this case we don't have to have final judgement. The co-marketing
> >>>> agreement is quite extensive and could be seen as active endorsement. To
> >>>> follow such an agreement we would need to have a very high level of
> >>>> confidence and trust in the other party. So already a reasonable shadow of
> >>>> doubt is sufficient grounds to distance OWASP in this case from a very
> >>>> active co-marketing agreement with the company RSA, to avoid being
> >>>> interpreted as an active endorsement of a commercial entity currently under
> >>>> review. And we should abstain from actively endorsing RSA for the time
> >>>> being, until all facts of the case have been properly examined (note: not by
> >>>> us, as we are not an investigative body).
> >>>>
> >>>> In addition to that:
> >>>> I propose that OWASP should prepare and release a press release or
> >>>> public statement that OWASP thinks weakening or undermining crypto is a
> >>>> really bad idea. (I will be happy to assist with the preparation of the
> >>>> text.) This press release shall advocate our general OWASP principles and
> >>>> shall _not_ mention RSA, the RSA conference or any other company by name.
> >>>> (personal note: btw. RSA should have no problem with such a press release,
> >>>> as they officially deny any such activities...)
> >>>>
> >>>> All the best, Tobias
> >>>>
> >>>>
> >>>> Tobias Gondrom
> >>>> Owasp Global Board
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 06/01/14 23:51, Michael Coates wrote:
> >>>>
> >>>> "OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> >>>> This may place our training at risk, but if permitted we will still
> >>>> provide the free training at RSA and the OWASP speaking slot."
> >>>>
> >>>> Michael - Yes
> >>>> Tom -
> >>>> Tobias -
> >>>> Fabio -
> >>>> Josh - Yes
> >>>> Jim - abstain
> >>>> Eoin - abstain
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Michael Coates
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>>>
> >>>> Same here, I can't vote, I believe as the class delivery and material is
> >>>> mine and it would be a conflict.
> >>>> I would be a "no" if I could.
> >>>>
> >>>> Not sure why participation in an event requires a vote given other
> >>>> events did not require such....
> >>>>
> >>>> My view is based on
> >>>>
> >>>> 1.
> >>>>
> >>>> --
> >>>> Eoin Keary
> >>>> OWASP Member
> >>>> https://twitter.com/EoinKeary
> >>>>
> >>>
> >>> _______________________________________________
> >>> Owasp-board mailing list
> >>> Owasp-board at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-board
> >>>
> >>
> >
>

