[Owasp-board] Dennis's position regarding RSA
dennis.groves at owasp.org
Wed Jan 8 12:45:37 UTC 2014
I am deeply divided by this issue. And, I am also forced to think about the
future of OWASP the organization as well as the community. So I apologize
if I seem to be changing position.
I too am disappointed by the allegations against RSA, but currently not
enough information is known to hold informed judgment. However, the NSA is
hurting everyone, and I have to wonder if RSA even had a choice given the
situation with Qwest Communications.
A simple statement of our position on cryptography will suffice until we
have a better understanding of the situation. We must not be neutral
regarding security lest we lose our credibility and trust.
Additionally, partnerships are very important to OWASP, and we need to
tread carefully or we will be forced to walk alone in areas we simply
cannot afford to be competitive.
I believe that if we made a promise we need to keep that promise, to RSA
who invested in us, and to the people who invested in this in order to
learn to write secure code.
I think OWASP should revisit this issue regularly to see if it is still in
our best interest to continue the relationship with RSA after the training.
Sent from my mobile device, apologies for the brevity and spelling errors.
On Jan 8, 2014 1:35 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
> The mythopoetical depiction of justice throughout history is an
> interesting study. The Roman depiction of Lady Justice is blindfolded. The
> Goddess Maat and Isis were depicted with balanced scales during Egyptian
> times. Lady Justice is also depicted with scales and sword as well as being
> The point is that justice should be applied evenly, without regard to who
> the punished is, to be dispensed evenly to all, with the same kind of
> Make no mistake, the public pull-out of our marketing co-agreement with
> RSA is a punishment that is harmful to the RSA brand.
> What I feel we have done is enact “justice” through “the anger of the
> masses” on an issue where the information is still being sorted out and,
> ahem, **many** more are guilty of similar “sins” if not worse.
> If we are to walk away from RSA, then we also need to give back or walk
> away from our Department of Homeland Security grants. To “slap” one while
> taking money from another I think is inconsistent wide-open targeted
> justice that will hurt more than help us in the end. This is not blind
> justice. I am NOT SAYING that RSA is innocent, in fact I am quite angry at
> what RSA is alleged to have done. I am saying that many more are guilty and
> we are not applying fair and consistent rules. We might also be acting “too
> soon” before all the facts are on the table.
> I am deeply in conflict of interest here because I am supposed to deliver
> this training and I’m also a professional trainer. But I wanted to state my
> nuanced position here that we should continue down the current path and
> decide in the future to cancel this agreement and other agreements once the
> facts are sorted out.
> And last, we are supposed to be vendor-neutral. I am starting to question
> the entire commercial conference partnership program.
> https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference We might
> want to cancel conference partnerships with any commercial conference due
> to the vendor neutrality rules in our bylaws.
> Thanks for your consideration over this matter. It’s not an easy one.
> Jim Manico
> OWASP Board Member
> (808) 652-3806