[Owasp-board] [Governance] OWASP statement on security: your opinion? - until Monday 14:00 CST

Tobias tobias.gondrom at owasp.org
Mon Jan 27 18:42:40 UTC 2014


Christian,

Sorry to say that, but your points are not relevant here.

I do listen to everyone's input. And I take the community's feedback very
seriously, including the more than 90% community votes that asked for such
a statement to be made. It would be a little bit silly to discuss the
text here with you, as you are at this moment not an OWASP member (as
you can see from the membership list), nor have you read the proposed text.
I ask you to have some trust in the OWASP community members and their
great efforts in the review.

Regarding your comments:
1. There is no need for Jeff to make any points with regard to this
statement.
2. As you could take from my email, the statement's objective is to
promote our OWASP goals.

And regarding your wish that we shall explicitly say in the press
release text that you are personally against it: I will not add such
text to the statement to include that it doesn't promote your personal
view. This would be unprofessional. This is a statement for the
community not about you. And you are not even a member of OWASP at this
point in time (as you can see from the membership list), so I can not
see how anyone would assume that this statement would be your personal
view unless you actively support it - which I still hope you will do
once you have actually read it. Of course, please feel free to distance
yourself from the statement if you don't agree with its text once it has
been published.

Best regards and thank you for your feedback, Tobias




On 27/01/14 00:51, Christian Heinrich wrote:
> Tobias,
>
> In relation to http://lists.owasp.org/pipermail/owasp-board/2014-January/013044.html
> I would like to raise two additional points:
>
> 1. Jeff Williams would have to provide visibility around
> https://lists.owasp.org/pipermail/esapi-user/2010-June/000311.html or
> RSA/EMC would be able to make a plausible rebuttal?
>
> 2. If the PR doesn't promote OWASP somehow (and every PR has an agenda
> and ulterior motive) then what is the point of issuing the PR?  If
> we're not going to promote OWASP visibility and transparency then
> OWASP is simply issuing an opinion which its individual members could
> ultimately do for free?
>
> I would also like added to the PR that it doesn't promote my view in
> this matter.  I have some minor involvement with the development of
> various crypto API and I respect NIST immensely.
>
> As I said before, there are better alternatives for OWASP in making a
> positive contribution to this issue and being recognised by Joe Public
> as such.
>
> On Fri, Jan 24, 2014 at 3:48 PM, Christian Heinrich
> <christian.heinrich at cmlh.id.au> wrote:
>> Tobias,
>>
>> Without reading the statement (as I don't have access to it) how does
>> the OWASP Board intend to address that OWASP doesn't have expertise in
>> crypto in response, such as
>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>> i.e. "We show that even OWASP folks can't get it right,"
>>
>> Furthermore, OWASP paid to have Bruce Schneier present at OWASP EU
>> 2009 i.e. http://vimeo.com/6495257 (BTW that's me heckling Bruce in
>> this video). Counterpane BT, where Bruce was their CTO until recently,
>> had poor internal security according to Tina Bird i.e.
>> http://www.flickr.com/photos/cmlh/782124242/
>>
>> In addition, Bruce admitted to significantly damaging the
>> cryptographic field with "Applied Cryptography":
>> https://www.schneier.com/book-sandl-pref.html (search for the "Applied
>> Cryptography").  I would assume that the rejection of TwoFish in the
>> final round for AES was the reason Bruce reinvented himself from a
>> cryptographer to Ross Anderson, who pioneered
>> http://www.cl.cam.ac.uk/~rja14/econsec.html.
>>
>> As far as the ESAPI and the NSA i.e.
>> https://lists.owasp.org/pipermail/esapi-user/2010-June/000311.html, I
>> don't believe it was the NSA who made this offer because I never cited
>> any documentation to support this claim aside from Jeff Williams'
>> telling me.  I suspect Jeff may have been misled by an employee of
>> the US equivalent of http://www.asd.gov.au/infosec/aisep/providers.htm
>> instead and don't evaluate crypto as per their mandate i.e. "DSD
>> performs cryptographic evaluations independently of the AISEP." to
>> quote http://www.asd.gov.au/infosec/aisep/crypto.htm
>>
>> I would also like to draw your attention to
>> http://gcn.com/Articles/2006/07/17/Open-Source-encryption-module-loses-FIPS-certification.aspx?Page=2
>> which was alleged to be driven by the vested interests of commercial
>> providers.
>>
>> I won't claim that
>> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>> is credible since the two sources claiming to be from RSA elected to
>> be anonymous and most journalists have an agenda in making sensational
>> claims against the NSA. I speculate that RSA were paid to integrate
>> Dual Elliptic Curve into BSAFE (which has been free for some time now)
>> and is as innocent as integrating a web service into my own API (as a
>> very simplified example).
>>
>> My recommendation to OWASP would be to make a donation and contribute
>> to http://www.keyczar.org/ or similar effort and then issue a press
>> release since the public's perception would then be that OWASP is
>> doing something about the issue while not having to admit that any
>> crypto expertise does not exist within OWASP.
>>
>> This was the same recommendation that I provided Jim Manico on Skype
>> for http://lists.owasp.org/pipermail/owasp-leaders/2013-September/010122.html
>> as to how OWASP could avoid this PR fallout in the future.
>>
>>
>> On Fri, Jan 24, 2014 at 11:35 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> Hello dear fellow OWASP leaders and members,
>>>
>>> one of the results of last week's survey was that there was a very strong
>>> majority of over 90% in favour of OWASP releasing a statement on
>>> security.
>>> "Should OWASP make a public statement to the effect that
>>> subverting/weakening crypto is a bad idea: Yes 93%"
>>> (https://www.owasp.org/index.php/Polls)
>>>
>>> The board members agree with this and prepared the following statement.
>>> But before we release it, we want to involve the community and listen to
>>> your opinions.
>>> Please do not hand this text to the press, yet. It is first only for your
>>> internal approval feedback as OWASP leaders, contributors and members,
>>> before we release it.
>>>
>>> FYI:
>>> - All board members reviewed the text and think it is ok.
>>> - Several thorough external spelling and grammar reviews have been conducted
>>> and we feel comfortable with the language and the text has been reviewed by
>>> our external PR expert.
>>> (Note: The board has not cast a formal vote on this statement. We like to
>>> listen to the community before we release it.)
>>>
>>> The text of the statement is here:
>>> https://docs.google.com/a/owasp.org/document/d/1wy7EsxQu03eRMAjWW7pXXr9GKpW_O-eJuOlQKbsnMbE/edit?usp=sharing
>>>
>>> We put our best efforts into writing this text so that it shall reflect the
>>> best common consensus for our global community. Please submit your opinion
>>> here:
>>> https://docs.google.com/a/owasp.org/forms/d/18kngpGOR4-ySYCZ-74zAgjyE2elpPp2Gg780mtbZDu0/viewform
>>> either on "Yes, we shall release it" or "No, we shall not release it".
>>>
>>> We will close the survey on Monday Jan-27, 14:00 EST and plan on releasing
>>> the statement shortly after, pending your feedback.
>>>
>>> The statement text and the survey are open to all OWASP members with owasp
>>> email addresses. Please do not publish them to the press before we formally
>>> release them.
>>>
>>> If you have individual feedback or find a last spelling error, please send
>>> it directly to me or to the board list.
>>>
>>> Thank you so much for your feedback and your great continuous efforts and
>>> energy for our community,
>>>
>>> Tobias
>>>
>>>
>>> Ps.: And as you could see from Sarah's last email on the leaders list,
>>> OWASP will also make an announcement that we will host a free public
>>> training open to everybody during the week of Feb-24 (the week of the RSA
>>> conference) in San Francisco (followed by a social event). This training
>>> will be free and open to everyone (not limited to only paying attendees of
>>> the RSA conference).
>>>
>>>
>>>
>>> Tobias Gondrom
>>> OWASP Global Board Member
>>> email: tobias.gondrom at owasp.org
>>> mobile: +852 56002975
>>> mobile: +44 7521003005
>>> skype: tgondrom
>>> twitter: @tgondrom
>>>
>>>
>>>
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance