[Owasp-board] Owasp-ireland Digest, Vol 101, Issue 5

johanna curiel curiel johanna.curiel at owasp.org
Mon Aug 31 23:54:41 UTC 2015


> The speaker agreement as it stands today is pretty clear. I think we need
> to follow the rules as they are now or change them. I am putting this topic
> on the agenda for the board meeting in a few weeks for discussion and will
> keep you posted.

I think the board should consider the following actions:

   - Place David's presentation back on the OWASP wiki pages. There is no sales
   pitch here in my opinion. The only thing promoted is that a Riot Games
   employee, a security engineer, uses OWASP best practices. Isn't that
   good for OWASP? What if instead of Riot Games it was Google, or another big
   tech name... would you find that positive for OWASP's image? (PCI using
   the OWASP testing guide is the equivalent; let's not forget how expensive it is to
   become a QSA auditor...)

Evaluate the added value to the community of the talks allowed to be
presented at AppSec/Chapter/Day presentations based on:

   - Is the subject of the talk trying to persuade the audience to buy or
   use a service or product with a commercial value? (This is definitely a no
   go.)
   - Is there an open source component being presented, or a 'best practice'
   in the talk, such that we could disregard the fact that the company doing the
   presentation could have a *slightly* commercial interest? (Docker, for
   example, is open source but has commercial activities on the same product as
   the open source one, and its use can indeed make applications more secure;
   but so does McAfee or any other 'commercial security vendor' product trying
   to make software safer... however, Docker is also available as open
   source, as opposed to McAfee.)

Last but not least, a recommendation:

   - Please do not apply rules as a black and white / all or nothing
   decision factor. Each case should be evaluated based on its content and
   context before taking hard decisions; otherwise you will be busy most of your
   time during board meetings changing laws, adding bylaws and voting, because
   'the rule' was broken/didn't work (latest example: Fabio with the 75% attendance
   issue when he could not attend due to time-zone issues).


   - Please be more pragmatic. I think I speak for the community when I say
   we would like to see the members of the board busier trying to focus on
   the OWASP mission with action plans instead of giving too much time to discussing
   rules, changing rules or chasing rule breakers.


In the end, "by their fruits you shall know them" (not by missing the 75%
attendance ratio or not attending an OWASP board meeting live 😁)


Cheers

Johanna






On Mon, Aug 31, 2015 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Fair comments. I think we need to follow the rules as they are now or
> change them. The speaker agreement as it stands today is pretty clear. I am
> putting this topic on the agenda for the board meeting in a few weeks for
> discussion and will keep you posted.
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>
> On Aug 31, 2015, at 2:45 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Hi All
>
> The discussion about David Rook being questioned regarding his slides'
> content really concerns me. I still don't see how his slides can be more
> commercial than the talk at this AppSec in SFO called
> "Securing your application using Docker"
> <https://appsecusa2015.sched.org/event/fd18011c9c21852dc66f812ef96af4b8?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no>
> https://2015.appsecusa.org/agenda/speakers/?speaker=diogo_monica.1tssilmd
>
> Why: Because Docker also has a commercial side. Many could consider this
> talk a 'sales talk', especially when Docker also has a very commercial side.
> Pricing section of Docker:
> https://www.docker.com/pricing#?section=1
>
> In my opinion, David is not selling games in the slides regarding how he
> applied security at Riot Games; he is explaining how he implemented it at his
> work, using awesome slides. If a security specialist is going to hear his
> talk or check his slides, is he suddenly going to become a 'gamer' and buy
> League of Legends? I doubt that. He is not even selling how to use the game
> or what it is about.
>
> If rules must be applied then they need to be evaluated properly for all.
> If a talk like the Docker one is accepted, where is the moral compass for judging
> David and his slides, especially if you look carefully at the content?
>
> BTW, I think a talk about Docker and using it to secure applications is
> definitely a very good one, but that does not take away the commercial influence
> of Docker to buy or use its product for 'security purposes', nor the
> inequality of judgement when looking at other OWASP presenters like David.
>
> Cheers
>
> Johanna
>
> On Mon, Aug 31, 2015 at 7:30 AM, Martin Knobloch <
> martin.knobloch at owasp.org> wrote:
>
>> Hi Owen,
>>
>> Yes, I will be in Dublin for SOURCE, please see me there! I fly in late
>> Sunday and will leave early on Tuesday, best to talk Monday after lunch.
>>
>> Cheers,
>> -martin
>>
>>
>> *From: *Owen Pendlebury
>> *Sent: *Monday 31 August 2015 13:10
>> *To: *Jim Manico
>> *Cc: *Rahim Jina; Mark Denihan; Noreen Whysel; Fabio Cerullo; Eoin
>> Keary; Martin Knobloch; OWASP Foundation Board List
>> *Subject: *Re: Owasp-ireland Digest, Vol 101, Issue 5
>>
>> Hi Jim,
>>
>> No, I've not escalated it, as I was happy that the board was going to
>> assess the situation and revert with its recommendations.
>>
>> I've cc'd the board and Martin as I feel that this has gotten way out of
>> hand. Martin, happy to catch up to discuss at any stage. I believe you're in
>> Dublin for Source and we could meet then.
>>
>>
>>
>> Owen Pendlebury
>> OWASP Ireland-Dublin Chapter Lead
>> https://www.owasp.org/index.php/Ireland-Dublin
>>
>> On 31 August 2015 at 11:51, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I am very sorry to hear all this. Because again, while I am stating my
>>> opinion, I'm not about strict enforcement, and it seems to me that David is
>>> caught in the middle of four different sets of folks.
>>>
>>> David, I'm sorry for this and do not blame you for being upset and
>>> frustrated.
>>>
>>> Have the other issues been resolved or is there conflict going on? If
>>> you need help resolving this, you can go to staff or even go to our
>>> Ombudsman, Martin Knobloch.
>>>
>>> I of course have a serious conflict of interest here since Eoin and
>>> Rahim are business partners and friends of mine. But there are plenty of
>>> ways to approach conflict resolution if you need that support, Owen.
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>> On Aug 31, 2015, at 12:42 AM, Owen Pendlebury <owen.pendlebury at owasp.org>
>>> wrote:
>>>
>>> Hi All,
>>>
>>> I'm removing the Ireland list as I do not deem it necessary to involve
>>> others in something that has dragged on and, to be honest, seems like an open
>>> and closed case based on the speaker agreement.
>>>
>>> Just to clarify things: this was driven off a complaint received from
>>> Rahim and Eoin in relation to slides on the WIKI, and not from David Rook. This
>>> complaint was in relation to the contents of the slides. An email was sent
>>> out to all speakers asking if they would mind providing a non-vendor
>>> version for the WIKI. This complaint was driven by me questioning Eoin, a
>>> former global board member, on slides, as they were not abiding by the
>>> speaker agreement (something he had agreed would be vendor neutral).
>>>
>>> Eoin proceeded to have his company and a service they provide on every
>>> slide. He also gave business cards to attendees regarding his company
>>> providing training for them and mentioned that he would give attendees jobs
>>> if they were able to answer questions he asked. This I felt was not vendor
>>> neutral and questioned him on it.
>>>
>>> Once he was questioned, we then received a complaint from Eoin and Rahim
>>> (same company), which, facts-wise, was incorrect and seemed tailored to
>>> something less befitting of a professional services company.
>>>
>>> Owen Pendlebury
>>> OWASP Ireland-Dublin Chapter Lead
>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>
>>> On 31 August 2015 at 11:29, David Rook <drook at riotgames.com> wrote:
>>>
>>>> I look forward to seeing how well this is enforced at AppSec USA in a
>>>> few weeks time.
>>>>
>>>> On Mon, Aug 31, 2015 at 11:28 AM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> Clarified in my last email. I stand corrected; my apologies for that
>>>>> mistake....
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>>
>>>>> On Aug 31, 2015, at 12:13 AM, David Rook <drook at riotgames.com> wrote:
>>>>>
>>>>> Specifically I said "I've got nothing to sell, only ideas to share" in
>>>>> our last exchange so I'd like to figure out where you got that from dude.
>>>>>
>>>>> On Mon, Aug 31, 2015 at 11:11 AM, David Rook <drook at riotgames.com>
>>>>> wrote:
>>>>>
>>>>>> Hey Jim,
>>>>>>
>>>>>> I have to call you out on "But you gave a talk that by your own
>>>>>> admission was trying to benefit Riot Games and sell games" < I don't
>>>>>> believe I've ever said that. We produce a free to play game dude, we don't
>>>>>> sell games :)
>>>>>>
>>>>>> On Mon, Aug 31, 2015 at 11:09 AM, Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Rahim, David and others,
>>>>>>>
>>>>>>> I hope you are well. The current speaker agreement allows for a bio
>>>>>>> slide up front where you can mention your commercial connections, logo as
>>>>>>> well.
>>>>>>>
>>>>>>> The rest of the presentation needs to be non-commercial, per the
>>>>>>> current speaker agreement. I like that policy personally since it's in tune
>>>>>>> with our bylaws and mission statement around vendor neutrality. 99.99% of the time that
>>>>>>> speaker agreement is honored with no fuss.
>>>>>>>
>>>>>>> And to be honest, especially at the chapter level, the foundation
>>>>>>> does not strongly enforce this. There are presentations that do not fit
>>>>>>> this policy that slip through. And in fact there are even some chapters
>>>>>>> that encourage commercial talks.
>>>>>>>
>>>>>>> But keep in mind OWASP is an educational charity, with a mission to
>>>>>>> be free of commercial affiliations. I think that honoring the wishes of the
>>>>>>> current speaker agreement is an ethical standard that speakers should
>>>>>>> seriously consider.
>>>>>>>
>>>>>>> And really, if there is a chapter arguing about footers and headers
>>>>>>> - geesh we have better things to do. I am sorry it has all degenerated down
>>>>>>> to this and I wish there was a better way.
>>>>>>>
>>>>>>> To the persons trying to hold up a better ethical standard, thank
>>>>>>> you! To those who will not spend the 10 seconds to turn off commercial
>>>>>>> footers and are making commercial footers an issue that requires board
>>>>>>> level attention, I ask, what are you trying to accomplish when you give
>>>>>>> a talk at our vendor-neutral, primarily open source charity?
>>>>>>>
>>>>>>> And by the way, I was dragged into this over social media and forced
>>>>>>> to make a decision.
>>>>>>>
>>>>>>> So be it.
>>>>>>>
>>>>>>> David Rook I love you and your talk was VERY well received. I
>>>>>>> consider you a friend. But you gave a talk that by your own admission was
>>>>>>> trying to benefit Riot Games and sell games. Per our current speaker
>>>>>>> guidelines this is not acceptable. I know how smart you are, Rook, and I'd
>>>>>>> personally prefer (but not enforce) that you give talks more suited to a
>>>>>>> non profit educational charity. I have seen literally hundreds of speakers
>>>>>>> at OWASP chapters and conferences with tight commercial affiliations still
>>>>>>> find a way to give vendor neutral non commercial tech talks at OWASP
>>>>>>> events. It CAN be done if you have the will to do it. And I hope you do! :)
>>>>>>>
>>>>>>> With respect,
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> Global Board Member
>>>>>>> OWASP Foundation
>>>>>>> https://www.owasp.org
>>>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>>>>
>>>>>>> On Aug 30, 2015, at 11:39 PM, Owen Pendlebury <
>>>>>>> owen.pendlebury at owasp.org> wrote:
>>>>>>>
>>>>>>> Hi Rahim,
>>>>>>>
>>>>>>> Thanks for your mail.
>>>>>>>
>>>>>>> I believe that this matter is being discussed at a global board
>>>>>>> level. As of now the OWASP speaker agreement (
>>>>>>> https://www.owasp.org/index.php/Speaker_Agreement) still applies.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Owen
>>>>>>>
>>>>>>> Owen Pendlebury
>>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>>>>>
>>>>>>> On 31 August 2015 at 10:29, Rahim Jina <rahim.jina at owasp.org> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Hi Owen,
>>>>>>>>
>>>>>>>> Is there any follow-up on the below from the OWASP leadership team
>>>>>>>> regarding the use of company logos on slide headers/footers?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rahim
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On
>>>>>>>>> Behalf Of *Eoin
>>>>>>>>> *Sent:* 20 July 2015 14:48
>>>>>>>>> *To:* Owen Pendlebury <owen.pendlebury at owasp.org>
>>>>>>>>> *Cc:* Fabio Cerullo <fcerullo at owasp.org>; Mark Denihan <
>>>>>>>>> Mark.Denihan at owasp.org>
>>>>>>>>> *Subject:* Re: Owasp-ireland Digest, Vol 101, Issue 5
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Owen,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> How is life in Deloitte, hope all is well and you are settling in
>>>>>>>>> ok.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please feel free to put the PDF's on the OWASP website if you
>>>>>>>>> wish.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I don't believe I referred to any commercial offerings in the
>>>>>>>>> slides apart from the cover and bio slides. Correct me if I am wrong and
>>>>>>>>> I'll gladly take them out.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The feedback overall was very very good so I'm sure 90% of the
>>>>>>>>> delegates got lots from the class.
>>>>>>>>>
>>>>>>>>> Direct feedback to myself and the funds I raised for OWASP and the
>>>>>>>>> chapter were also very positive, I hope you agree.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> kind regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Eoin
>>>>>>>>>
>>>>>>>>> On 20 July 2015 at 13:38, Owen Pendlebury <
>>>>>>>>> owen.pendlebury at owasp.org> wrote *To:* Eoin Keary <
>>>>>>>>> eoin.keary at owasp.org> :
>>>>>>>>>
>>>>>>>>> Can you put your slides on the WIKI via OWASP file upload. I don't
>>>>>>>>> think it's appropriate for you to be plugging edgescan as it's nothing to do
>>>>>>>>> with the training.
>>>>>>>>>
>>>>>>>>> It was supposed to be an OWASP training event for the chapter to
>>>>>>>>> raise funds, and you had edgescan/BCC Risk Advisory plastered all over your
>>>>>>>>> slides.
>>>>>>>>>
>>>>>>>>> In case you need to reference it (I've highlighted the relevant
>>>>>>>>> parts): https://www.owasp.org/index.php/Speaker_Agreement
>>>>>>>>>
>>>>>>>>> OWASP holds highly a neutral and unbiased approach to security
>>>>>>>>> that is free from undue vendor influence. Here are a few specific tips to
>>>>>>>>> maximize the value of your talk with the OWASP audience:
>>>>>>>>>
>>>>>>>>>    - *Please be sure that your talk is objective, stresses open
>>>>>>>>>    source approaches, and avoids references to any commercial offerings of
>>>>>>>>>    your company. *
>>>>>>>>>    - *Feel free to introduce yourself and your current company on
>>>>>>>>>    the bio slide, but avoid references to your company throughout the
>>>>>>>>>    presentation *
>>>>>>>>>    - *Please either use a blank presentation template or the
>>>>>>>>>    OWASP template File:OWASP Presentation Template.zip
>>>>>>>>>    <https://www.owasp.org/index.php/File:OWASP_Presentation_Template.zip> or
>>>>>>>>>    File:PPT 2013 Toolbox.zip
>>>>>>>>>    <https://www.owasp.org/index.php/File:PPT_2013_Toolbox.zip>. Unfortunately,
>>>>>>>>>    company slide templates aren't acceptable for OWASP talks. *
>>>>>>>>>    - *That's it - OWASP'ers love good talks with new ideas and
>>>>>>>>>    approaches for security! *
>>>>>>>>>
>>>>>>>>> Owen Pendlebury
>>>>>>>>>
>>>>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Eoin Keary
>>>>>>>>> OWASP Member
>>>>>>>>> https://twitter.com/EoinKeary
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>