[Owasp-board] Owasp-ireland Digest, Vol 101, Issue 5

johanna curiel curiel johanna.curiel at owasp.org
Mon Aug 31 12:45:07 UTC 2015


Hi All

The discussion about David Rook being questioned regarding his slides'
content really concerns me. I still don't see how his slides can be more
commercial than the talk at this AppSec in SFO called
"Securing your application using Docker"
<https://appsecusa2015.sched.org/event/fd18011c9c21852dc66f812ef96af4b8?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no>
https://2015.appsecusa.org/agenda/speakers/?speaker=diogo_monica.1tssilmd

Why: Because Docker also has a commercial side. Many could consider this
talk a 'sales talk', especially when Docker also has a very commercial side.
Pricing section of Docker:
https://www.docker.com/pricing#?section=1

In my opinion, David is not selling games in the slides regarding how he
applied security at Riot Games; he is explaining how he implemented it at his
work, using awesome slides. If a security specialist is going to hear his
talk or check his slides, is he suddenly going to become a 'gamer' and buy
League of Legends? I doubt that. He is not even selling how to use the game
or what it is about.

If rules must be applied then they need to be evaluated properly for all.
If a talk like the Docker one is accepted, where is the moral compass for judging
David and his slides, especially if you look carefully at the content?

BTW, I think a talk about Docker and using it to secure applications is
definitely a very good one, but that does not take away the commercial influence
of Docker to buy or use its product for 'security purposes', nor the
inequality of judgement when looking at other OWASP presenters like David.

Cheers

Johanna

On Mon, Aug 31, 2015 at 7:30 AM, Martin Knobloch <martin.knobloch at owasp.org>
wrote:

> Hi Owen,
>
> Yes, I will be in Dublin for SOURCE, please see me there! I fly in late
> Sunday and will leave early on Tuesday, best to talk Monday after lunch.
>
> Cheers,
> -martin
>
>
> *From: *Owen Pendlebury
> *Sent: *Monday 31 August 2015 13:10
> *To: *Jim Manico
> *Cc: *Rahim Jina; Mark Denihan; Noreen Whysel; Fabio Cerullo; Eoin Keary;
> Martin Knobloch; OWASP Foundation Board List
> *Subject: *Re: Owasp-ireland Digest, Vol 101, Issue 5
>
> Hi Jim,
>
> No I've not escalated it as I was happy that the board was going to assess
> the situation and revert with its recommendations.
>
> I've cc'd the board and Martin as I feel that this has gotten way out of
> hand. Martin, happy to catch up to discuss at any stage. I believe you're in
> Dublin for SOURCE and could meet then.
>
>
>
> Owen Pendlebury
> OWASP Ireland-Dublin Chapter Lead
> https://www.owasp.org/index.php/Ireland-Dublin
>
> On 31 August 2015 at 11:51, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I am very sorry to hear all this. Because again, while I am stating my
>> opinion, I'm not about strict enforcement, and it seems to me that David is
>> caught in the middle of four different sets of folks.
>>
>> David, I'm sorry for this and do not blame you for being upset and
>> frustrated.
>>
>> Have the other issues been resolved or is there conflict going on? If you
>> need help resolving this, you can go to staff or even go to our Ombudsman,
>> Martin Knobloch.
>>
>> I of course have a serious conflict of interest here since Eoin and Rahim
>> are business partners and friends of mine. But there are plenty of ways to
>> approach conflict resolution if you need that support, Owen.
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>
>> On Aug 31, 2015, at 12:42 AM, Owen Pendlebury <owen.pendlebury at owasp.org>
>> wrote:
>>
>> Hi All,
>>
>> I'm removing the Ireland list as I do not deem it necessary to involve
>> others in something that has dragged on and to be honest seems like an open
>> and closed case based on the speaker agreement.
>>
>> Just to clarify things. This was driven off a complaint received from
>> Rahim and Eoin in relation to slides on the WIKI and not David Rook. This
>> complaint was in relation to the contents in the slides. An email was sent
>> out to all speakers asking if they would mind providing a non-vendor
>> version for the WIKI. This complaint was driven by me questioning Eoin, a
>> former global board member, on slides as they were not abiding by the
>> speaker agreement (something he had agreed would be vendor neutral).
>>
>> Eoin proceeded to have his company and a service they provide on every
>> slide. He also gave business cards to attendees regarding his company
>> providing training for them and mentioned that he would give attendees jobs
>> if they were able to answer questions he asked. This I felt was not vendor
>> neutral and questioned him on it.
>>
>> Once he was questioned, we then received a complaint from Eoin and Rahim
>> (same company), which, facts-wise, was incorrect and seemed tailored to
>> something less befitting of a professional services company.
>>
>> Owen Pendlebury
>> OWASP Ireland-Dublin Chapter Lead
>> https://www.owasp.org/index.php/Ireland-Dublin
>>
>> On 31 August 2015 at 11:29, David Rook <drook at riotgames.com> wrote:
>>
>>> I look forward to seeing how well this is enforced at AppSec USA in a
>>> few weeks time.
>>>
>>> On Mon, Aug 31, 2015 at 11:28 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> Clarified in my last email, I stand corrected, my apologies for that
>>>> mistake....
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>
>>>> On Aug 31, 2015, at 12:13 AM, David Rook <drook at riotgames.com> wrote:
>>>>
>>>> Specifically I said "I've got nothing to sell, only ideas to share" in
>>>> our last exchange so I'd like to figure out where you got that from dude.
>>>>
>>>> On Mon, Aug 31, 2015 at 11:11 AM, David Rook <drook at riotgames.com>
>>>> wrote:
>>>>
>>>>> Hey Jim,
>>>>>
>>>>> I have to call you out on "But you gave a talk that by your own
>>>>> admission was trying to benefit Riot Games and sell games" < I don't
>>>>> believe I've ever said that. We produce a free to play game dude, we don't
>>>>> sell games :)
>>>>>
>>>>> On Mon, Aug 31, 2015 at 11:09 AM, Jim Manico <jim.manico at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Rahim, David and others,
>>>>>>
>>>>>> I hope you are well. The current speaker agreement allows for a bio
>>>>>> slide up front where you can mention your commercial connections, logo as
>>>>>> well.
>>>>>>
>>>>>> The rest of the presentation needs to be non-commercial, per the
>>>>>> current speaker agreement. I like that policy personally since it's in tune
>>>>>> with our bylaws and mission statement around vendor neutrality. 99.99% of the
>>>>>> time that speaker agreement is honored with no fuss.
>>>>>>
>>>>>> And to be honest, especially at the chapter level, the foundation
>>>>>> does not strongly enforce this. There are presentations that do not fit
>>>>>> this policy that slip through. And in fact there are even some chapters
>>>>>> that encourage commercial talks.
>>>>>>
>>>>>> But keep in mind OWASP is an educational charity, with a mission to
>>>>>> be free of commercial affiliations. I think that honoring the wishes of the
>>>>>> current speaker agreement is an ethical standard that speakers should
>>>>>> seriously consider.
>>>>>>
>>>>>> And really, if there is a chapter arguing about footers and headers -
>>>>>> geesh we have better things to do. I am sorry it has all degenerated down
>>>>>> to this and I wish there was a better way.
>>>>>>
>>>>>> To the persons trying to hold up a better ethical standard, thank
>>>>>> you! To those who will not spend the 10 seconds to turn off commercial
>>>>>> footers and are making commercial footers an issue that requires board
>>>>>> level attention, I ask, what are you trying to accomplish when you give
>>>>>> a talk at our vendor-neutral, primarily open source charity?
>>>>>>
>>>>>> And by the way, I was dragged into this over social media and forced
>>>>>> to make a decision.
>>>>>>
>>>>>> So be it.
>>>>>>
>>>>>> David Rook I love you and your talk was VERY well received. I
>>>>>> consider you a friend. But you gave a talk that by your own admission was
>>>>>> trying to benefit Riot Games and sell games. Per our current speaker
>>>>>> guidelines this is not acceptable. I know how smart you are, Rook, and I'd
>>>>>> personally prefer (but not enforce) that you give talks more suited to a
>>>>>> non profit educational charity. I have seen literally hundreds of speakers
>>>>>> at OWASP chapters and conferences with tight commercial affiliations still
>>>>>> find a way to give vendor neutral non commercial tech talks at OWASP
>>>>>> events. It CAN be done if you have the will to do it. And I hope you do! :)
>>>>>>
>>>>>> With respect,
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> https://www.owasp.org
>>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>>>
>>>>>> On Aug 30, 2015, at 11:39 PM, Owen Pendlebury <
>>>>>> owen.pendlebury at owasp.org> wrote:
>>>>>>
>>>>>> Hi Rahim,
>>>>>>
>>>>>> Thanks for your mail.
>>>>>>
>>>>>> I believe that this matter is being discussed at a global board
>>>>>> level. As of now the OWASP speaker agreement (
>>>>>> https://www.owasp.org/index.php/Speaker_Agreement) still applies.
>>>>>>
>>>>>> Thanks
>>>>>> Owen
>>>>>>
>>>>>> Owen Pendlebury
>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>>>>
>>>>>> On 31 August 2015 at 10:29, Rahim Jina <rahim.jina at owasp.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Owen,
>>>>>>>
>>>>>>> Is there any follow-up on the below from the owasp leadership team
>>>>>>> regarding the use of company logos on slide headers/footers?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rahim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On
>>>>>>>> Behalf Of *Eoin
>>>>>>>> *Sent:* 20 July 2015 14:48
>>>>>>>> *To:* Owen Pendlebury <owen.pendlebury at owasp.org>
>>>>>>>> *Cc:* Fabio Cerullo <fcerullo at owasp.org>; Mark Denihan <
>>>>>>>> Mark.Denihan at owasp.org>
>>>>>>>> *Subject:* Re: Owasp-ireland Digest, Vol 101, Issue 5
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Owen,
>>>>>>>>
>>>>>>>> How is life in Deloitte, hope all is well and you are settling in
>>>>>>>> ok.
>>>>>>>>
>>>>>>>> Please feel free to put the PDFs on the OWASP website if you wish.
>>>>>>>>
>>>>>>>> I don't believe I referred to any commercial offerings in the
>>>>>>>> slides apart from the cover and bio slides. Correct me if I am wrong and
>>>>>>>> I'll gladly take them out.
>>>>>>>>
>>>>>>>> The feedback overall was very very good so I'm sure 90% of the
>>>>>>>> delegates got lots from the class.
>>>>>>>>
>>>>>>>> Direct feedback to myself and the funds I raised for OWASP and the
>>>>>>>> chapter were also very positive, I hope you agree.
>>>>>>>>
>>>>>>>> kind regards,
>>>>>>>>
>>>>>>>> Eoin
>>>>>>>>
>>>>>>>> On 20 July 2015 at 13:38, Owen Pendlebury <
>>>>>>>> owen.pendlebury at owasp.org> wrote (*To:* Eoin Keary <
>>>>>>>> eoin.keary at owasp.org>):
>>>>>>>>
>>>>>>>> Can you put your slides on the WIKI via OWASP file upload? I don't
>>>>>>>> think it's appropriate for you to be plugging edgescan as it's nothing to do
>>>>>>>> with the training.
>>>>>>>>
>>>>>>>> It was supposed to be an OWASP training event for the chapter to raise
>>>>>>>> funds and you had edgescan/ BCC Risk Advisory plastered all over your
>>>>>>>> slides.
>>>>>>>>
>>>>>>>> In case you need to reference it ( I've highlighted the relevant
>>>>>>>> parts); https://www.owasp.org/index.php/Speaker_Agreement
>>>>>>>>
>>>>>>>> OWASP holds highly a neutral and unbiased approach to security that
>>>>>>>> is free from undue vendor influence. Here are a few specific tips to
>>>>>>>> maximize the value of your talk with the OWASP audience
>>>>>>>>
>>>>>>>>    - *Please be sure that your talk is objective, stresses open
>>>>>>>>    source approaches, and avoids references to any commercial offerings of
>>>>>>>>    your company. *
>>>>>>>>    - *Feel free to introduce yourself and your current company on
>>>>>>>>    the bio slide, but avoid references to your company throughout the
>>>>>>>>    presentation *
>>>>>>>>    - *Please either use a blank presentation template or the OWASP
>>>>>>>>    template File:OWASP Presentation Template.zip
>>>>>>>>    <https://www.owasp.org/index.php/File:OWASP_Presentation_Template.zip> or
>>>>>>>>    File:PPT 2013 Toolbox.zip
>>>>>>>>    <https://www.owasp.org/index.php/File:PPT_2013_Toolbox.zip>. Unfortunately,
>>>>>>>>    company slide templates aren't acceptable for OWASP talks. *
>>>>>>>>    - *That's it - OWASP'ers love good talks with new ideas and
>>>>>>>>    approaches for security! *
>>>>>>>>
>>>>>>>> Owen Pendlebury
>>>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Eoin Keary
>>>>>>>> OWASP Member
>>>>>>>> https://twitter.com/EoinKeary
>>>>>>>>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board