[Owasp-board] Owasp-ireland Digest, Vol 101, Issue 5

Jim Manico jim.manico at owasp.org
Tue Sep 1 00:29:24 UTC 2015


Johanna,

I am confused by this email.

On one hand you ask that the board get directly involved with a chapter 
matter and force a specific action at the board level.

"I think the board should consider the following actions. Place David's 
presentation back on OWASP wiki pages."

Then, shortly below that request, you ask that the board focus on other 
issues and not get involved in these matters.

"Please be more pragmatic, I think I speak for the community when I say 
we would like to see the members of the board more busy trying to focus 
on the OWASP mission with action plans instead of giving too much time to 
discuss rules, change rules or chase rule breakers"

This is where I feel a bit thrashed. On one hand, members of this 
chapter as well as other members of the community specifically called 
_*me*_ out in a very public manner to get involved in this specific 
situation. This was asked of me even after I asked those involved to go 
to staff first with this issue.

Then, after I am involved in an issue that is already filled with 
conflict, I get comments such as "the board should be doing better 
things". :)

Johanna, I agree that there are other avenues of OWASP that are 
important. But when multiple members of the community ask me to get 
involved in and weigh in on certain issues, I will almost always do so. 
In this manner, I suggested that (1) they go to staff first - and if 
that did not work to resolve the issue - then (2) email the entire 
board, not just call out one member over social media.

So while I understand that you are fairly upset with many aspects of the 
foundation, including this situation, I want you to know that I did my 
best to act properly in the middle of a very sticky and difficult decision.

Regards,

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!





On 8/31/15 1:54 PM, johanna curiel curiel wrote:
> > The speaker agreement as it stands today is pretty clear. I think we need to
> > follow the rules as they are now or change them. I am putting this
> > topic on the agenda for the board meeting in a few weeks for
> > discussion and will keep you posted.
>
> I think the board should consider the following actions
>
>   * Place David's presentation back on OWASP wiki pages. There is no
>     sales pitch here in my opinion. The only thing promoted is that a
>     Riot Games employee has a security engineer using OWASP best
>     practices. Isn't that good for OWASP? What if instead of Riot Games
>     it was Google, or another big tech name... would you find that
>     positive for OWASP's image? (PCI using the OWASP Testing Guide is the
>     equivalent, let's not forget how expensive it is to become a QSA
>     auditor...)
>
> Evaluate the added value to the community on the talks allowed to be 
> presented at APPSEC/Chapter /Day Presentations based on:
>
>   * Is the subject of the talk trying to persuade the audience to buy
>     or use a service or product with a commercial value? (this is
>     definitely a no go)
>   * Is there an open source component being presented or 'best
>     practice' in the talk that we could disregard the fact that the
>     company doing the presentation could have a /slightly/ commercial
>     interest? (Docker for example is open source but has commercial
>     activities on the same product as the open source one and its use
>     can make applications indeed more secure, but so does McAfee or
>     any other 'commercial security vendor' product trying to make
>     software more safe... however Docker is also available as open
>     source, as opposed to McAfee)
>
> Last but not least recommendation:
>
>   * Please, do not apply rules as a black and white / all or nothing
>     decision factor. Each case should be evaluated based on the
>     content and context before taking hard decisions, otherwise you
>     will be busy most of your time during board meetings changing laws,
>     adding bylaws, voting, because 'the rule' was broken/didn't work
>     (latest example Fabio with the 75% attendance issue when he could not
>     attend due to time-zone issues).
>
>   * Please be more pragmatic, I think I speak for the community when I
>     say we would like to see the members of the board more busy
>     trying to focus on the OWASP mission with action plans instead of
>     giving too much time to discuss rules, change rules or chase rule
>     breakers.
>
>
>  In the end "by their fruits you shall know them"(not by missing the 
> 75% attendance ratio or not attending live an OWASP board meeting 😁)
>
>
> Cheers
>
> Johanna
>
>
>
>
>
>
> On Mon, Aug 31, 2015 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     Fair comments. I think we need to follow the rules as they are now
>     or change them. The speaker agreement as it stands today is pretty
>     clear. I am putting this topic on the agenda for the board meeting
>     in a few weeks for discussion and will keep you posted.
>
>     --
>     Jim Manico
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org
>     Join me at AppSecUSA <http://appsecusa.org/> 2015!
>
>     On Aug 31, 2015, at 2:45 AM, johanna curiel curiel
>     <johanna.curiel at owasp.org> wrote:
>
>>     Hi All
>>
>>     The discussion about David Rook being questioned regarding his
>>     slides content really concerns me, I still don't see how his
>>     slides can be more commercial than the talk at this AppSec in SFO
>>     called "Securing your application using Docker":
>>     <https://appsecusa2015.sched.org/event/fd18011c9c21852dc66f812ef96af4b8?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no>
>>     https://2015.appsecusa.org/agenda/speakers/?speaker=diogo_monica.1tssilmd
>>
>>     Why: Because Docker also has a commercial side. Many could
>>     consider this talk a 'sales talk', especially when Docker also
>>     has a very commercial side:
>>     Pricing section of Docker:
>>     https://www.docker.com/pricing#?section=1
>>
>>     In my opinion, David is not selling games in the slides regarding
>>     how he applied security at Riot Games, he is explaining how he
>>     implemented it at his work, using awesome slides. If a security
>>     specialist is going to hear his talk or check his slides, is he
>>     suddenly going to become a 'gamer' and buy League of Legends? I
>>     doubt that. He is not even selling how to use the game and what
>>     it is about.
>>
>>     If rules must be applied then they need to be evaluated properly
>>     for all. If a talk like the Docker one is accepted, where is the moral
>>     compass for judging David and his slides, especially if you look
>>     carefully at the content?
>>
>>     BTW, I think a talk about Docker and using it to secure
>>     applications is definitely a very good one, but that does not take
>>     away the commercial influence of Docker to buy or use its product for
>>     'security purposes' and the inequality of judgement when looking
>>     at other OWASP presenters like David.
>>
>>     Cheers
>>
>>     Johanna
>>
>>     On Mon, Aug 31, 2015 at 7:30 AM, Martin Knobloch
>>     <martin.knobloch at owasp.org> wrote:
>>
>>         Hi Owen,
>>
>>         Yes, I will be in Dublin for SOURCE, please see me there! I
>>         fly in late Sunday and will leave early on Tuesday, best to
>>         talk Monday after lunch.
>>
>>         Cheers,
>>         -martin
>>
>>
>>         *From:* Owen Pendlebury
>>         *Sent:* Monday 31 August 2015 13:10
>>         *To:* Jim Manico
>>         *Cc:* Rahim Jina; Mark Denihan; Noreen Whysel; Fabio Cerullo;
>>         Eoin Keary; Martin Knobloch; OWASP Foundation Board List
>>         *Subject:* Re: Owasp-ireland Digest, Vol 101, Issue 5
>>
>>
>>         Hi Jim,
>>
>>         No I've not escalated it as I was happy that the board was
>>         going to assess the situation and revert with its
>>         recommendations.
>>
>>         I've cc'd the board and Martin as I feel that this has gotten
>>         way out of hand. Martin, happy to catch up to discuss at any
>>         stage. I believe you're in Dublin for SOURCE and could meet
>>         then.
>>
>>
>>
>>         Owen Pendlebury
>>         OWASP Ireland-Dublin Chapter Lead
>>         https://www.owasp.org/index.php/Ireland-Dublin
>>
>>         On 31 August 2015 at 11:51, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>             I am very sorry to hear all this. Because again while I
>>             am stating my opinion I'm not about strict enforcement
>>             and it seems to me that David is caught in the middle of
>>             four different sets of folks.
>>
>>             David, I'm sorry for this and do not blame you for being
>>             upset and frustrated.
>>
>>             Have the other issues been resolved or is there conflict
>>             going on? If you need help resolving this, you can go to
>>             staff or even go to our Ombudsman, Martin Knobloch.
>>
>>             I of course have a serious conflict of interest here
>>             since Eoin and Rahim are business partners and friends of
>>             mine. But there are plenty of ways to approach conflict
>>             resolution if you need that support, Owen.
>>
>>             Aloha,
>>             --
>>             Jim Manico
>>             Global Board Member
>>             OWASP Foundation
>>             https://www.owasp.org
>>             Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>
>>             On Aug 31, 2015, at 12:42 AM, Owen Pendlebury
>>             <owen.pendlebury at owasp.org> wrote:
>>
>>>             Hi All,
>>>
>>>             I'm removing the Ireland list as I do not deem it
>>>             necessary to involve others in something that has
>>>             dragged on and to be honest seems like an open and
>>>             closed case based on the speaker agreement.
>>>
>>>             Just to clarify things. This was driven off a complaint
>>>             received from Rahim and Eoin in relation to slides on
>>>             the WIKI and not David Rook. This complaint was in
>>>             relation to the contents in the slides. An email was
>>>             sent out to all speakers asking if they would mind
>>>             providing a non vendor version for the WIKI. This
>>>             complaint was driven by me questioning Eoin, a former
>>>             global board member, on slides as they were not abiding
>>>             by the speaker agreement (something he had agreed would
>>>             be vendor neutral).
>>>
>>>             Eoin proceeded to have his company and a service they
>>>             provide on every slide. He also gave business cards to
>>>             attendees regarding his company providing training for
>>>             them and mentioned that he would give attendees jobs if
>>>             they were able to answer questions he asked. This I felt
>>>             was not vendor neutral and questioned him on it.
>>>
>>>             Once he was questioned, we then received a complaint
>>>             from Eoin and Rahim (Same Company), which facts wise
>>>             were incorrect and seemed tailored to something less
>>>             befitting of a professional services company.
>>>
>>>             Owen Pendlebury
>>>             OWASP Ireland-Dublin Chapter Lead
>>>             https://www.owasp.org/index.php/Ireland-Dublin
>>>
>>>             On 31 August 2015 at 11:29, David Rook
>>>             <drook at riotgames.com> wrote:
>>>
>>>                 I look forward to seeing how well this is enforced
>>>                 at AppSec USA in a few weeks time.
>>>
>>>                 On Mon, Aug 31, 2015 at 11:28 AM, Jim Manico
>>>                 <jim.manico at owasp.org> wrote:
>>>
>>>                     Clarified in my last email, I stand corrected, my
>>>                     apologies for that mistake....
>>>
>>>                     --
>>>                     Jim Manico
>>>                     Global Board Member
>>>                     OWASP Foundation
>>>                     https://www.owasp.org
>>>                     Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>>                     On Aug 31, 2015, at 12:13 AM, David Rook
>>>                     <drook at riotgames.com> wrote:
>>>
>>>>                     Specifically I said "I've got nothing to sell,
>>>>                     only ideas to share" in our last exchange so
>>>>                     I'd like to figure out where you got that from
>>>>                     dude.
>>>>
>>>>                     On Mon, Aug 31, 2015 at 11:11 AM, David Rook
>>>>                     <drook at riotgames.com> wrote:
>>>>
>>>>                         Hey Jim,
>>>>
>>>>                         I have to call you out on "But you gave a
>>>>                         talk that by your own admission was trying
>>>>                         to benefit Riot Games and sell games" < I
>>>>                         don't believe I've ever said that. We
>>>>                         produce a free to play game dude, we don't
>>>>                         sell games :)
>>>>
>>>>                         On Mon, Aug 31, 2015 at 11:09 AM, Jim
>>>>                         Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>                             Rahim, David and others,
>>>>
>>>>                             I hope you are well. The current
>>>>                             speaker agreement allows for a bio
>>>>                             slide up front where you can mention
>>>>                             your commercial connections, logo as well.
>>>>
>>>>                             The rest of the presentation needs to
>>>>                             be non-commercial, per the current
>>>>                             speaker agreement. I like that policy
>>>>                             personally since it's in tune with our
>>>>                             bylaws and mission statement around
>>>>                             vendor neutrality. 99.99% that speaker
>>>>                             agreement is honored with no fuss.
>>>>
>>>>                             And to be honest, especially at the
>>>>                             chapter level, the foundation does not
>>>>                             strongly enforce this. There are
>>>>                             presentations that do not fit this
>>>>                             policy that slip through. And in fact
>>>>                             there are even some chapters that
>>>>                             encourage commercial talks.
>>>>
>>>>                             But keep in mind OWASP is an
>>>>                             educational charity, with a mission to
>>>>                             be free of commercial affiliations. I
>>>>                             think that honoring the wishes of the
>>>>                             current speaker agreement is an ethical
>>>>                             standard that speakers should seriously
>>>>                             consider.
>>>>
>>>>                             And really, if there is a chapter
>>>>                             arguing about footers and headers -
>>>>                             geesh we have better things to do. I am
>>>>                             sorry it has all degenerated down to
>>>>                             this and I wish there was a better way.
>>>>
>>>>                             To the persons trying to hold up a
>>>>                             better ethical standard, thank you! To
>>>>                             those who will not spend the 10 seconds
>>>>                             to turn off commercial footers and are
>>>>                             making commercial footers an issue that
>>>>                             requires board level attention, I ask,
>>>>                             what are you trying to accomplish when you give
>>>>                             a talk at our vendor-neutral primarily
>>>>                             open source charity?
>>>>
>>>>                             And by the way, I was dragged into this
>>>>                             over social media and forced to make a
>>>>                             decision.
>>>>
>>>>                             So be it.
>>>>
>>>>                             David Rook I love you and your talk was
>>>>                             VERY well received. I consider you a
>>>>                             friend. But you gave a talk that by
>>>>                             your own admission was trying to
>>>>                             benefit Riot Games and sell games. Per
>>>>                             our current speaker guidelines this is
>>>>                             not acceptable. I know how smart you
>>>>                             are, Rook, and I'd personally prefer
>>>>                             (but not enforce) that you give talks
>>>>                             more suited to a non profit educational
>>>>                             charity. I have seen literally hundreds
>>>>                             of speakers at OWASP chapters and
>>>>                             conferences with tight commercial
>>>>                             affiliations still find a way to give
>>>>                             vendor neutral non commercial tech
>>>>                             talks at OWASP events. It CAN be done
>>>>                             if you have the will to do it. And I
>>>>                             hope you do! :)
>>>>
>>>>                             With respect,
>>>>                             --
>>>>                             Jim Manico
>>>>                             Global Board Member
>>>>                             OWASP Foundation
>>>>                             https://www.owasp.org
>>>>                             Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>
>>>>                             On Aug 30, 2015, at 11:39 PM, Owen
>>>>                             Pendlebury <owen.pendlebury at owasp.org> wrote:
>>>>
>>>>>                             Hi Rahim,
>>>>>
>>>>>                             Thanks for your mail.
>>>>>
>>>>>                             I believe that this matter is being
>>>>>                             discussed at a global board level. As
>>>>>                             of now the OWASP speaker agreement
>>>>>                             (https://www.owasp.org/index.php/Speaker_Agreement)
>>>>>                             still applies.
>>>>>
>>>>>                             Thanks
>>>>>                             Owen
>>>>>
>>>>>                             Owen Pendlebury
>>>>>                             OWASP Ireland-Dublin Chapter Lead
>>>>>                             https://www.owasp.org/index.php/Ireland-Dublin
>>>>>
>>>>>                             On 31 August 2015 at 10:29, Rahim Jina
>>>>>                             <rahim.jina at owasp.org> wrote:
>>>>>
>>>>>
>>>>>                                 Hi Owen,
>>>>>
>>>>>                                 Is there any follow-up on the
>>>>>                                 below from the owasp leadership
>>>>>                                 team regarding the use of company
>>>>>                                 logos on slide headers/footers?
>>>>>
>>>>>                                 Thanks,
>>>>>                                 Rahim
>>>>>
>>>>>
>>>>>                                     *From:* eoinkeary at gmail.com
>>>>>                                     *On Behalf Of* Eoin
>>>>>                                     *Sent:* 20 July 2015 14:48
>>>>>                                     *To:* Owen Pendlebury
>>>>>                                     <owen.pendlebury at owasp.org>
>>>>>                                     *Cc:* Fabio Cerullo
>>>>>                                     <fcerullo at owasp.org>;
>>>>>                                     Mark Denihan
>>>>>                                     <Mark.Denihan at owasp.org>
>>>>>                                     *Subject:* Re: Owasp-ireland
>>>>>                                     Digest, Vol 101, Issue 5
>>>>>
>>>>>                                     Hi Owen,
>>>>>
>>>>>                                     How is life in Deloitte, hope
>>>>>                                     all is well and you are
>>>>>                                     settling in ok.
>>>>>
>>>>>                                     Please feel free to put the
>>>>>                                     PDF's on the OWASP website if
>>>>>                                     you wish.
>>>>>
>>>>>                                     I don't believe I referred to
>>>>>                                     any commercial offerings in
>>>>>                                     the slides apart from the
>>>>>                                     cover and bio slides. Correct
>>>>>                                     me if I am wrong and I'll
>>>>>                                     gladly take them out.
>>>>>
>>>>>                                     The feedback overall was very
>>>>>                                     very good so I'm sure 90% of
>>>>>                                     the delegates got lots from
>>>>>                                     the class.
>>>>>
>>>>>                                     Direct feedback to myself and
>>>>>                                     the funds I raised for OWASP
>>>>>                                     and the chapter were also very
>>>>>                                     positive, I hope you agree.
>>>>>
>>>>>                                     kind regards,
>>>>>
>>>>>                                     Eoin
>>>>>
>>>>>                                     On 20 July 2015 at 13:38, Owen
>>>>>                                     Pendlebury
>>>>>                                     <owen.pendlebury at owasp.org>
>>>>>                                     wrote *To:* Eoin Keary
>>>>>                                     <eoin.keary at owasp.org>:
>>>>>
>>>>>                                         Can you put your slides on
>>>>>                                         the WIKI via OWASP file
>>>>>                                         upload. I don't think it's
>>>>>                                         appropriate for you to be
>>>>>                                         plugging edgescan as it's
>>>>>                                         nothing to do with the
>>>>>                                         training.
>>>>>
>>>>>                                         It was supposed to be an
>>>>>                                         OWASP training event for
>>>>>                                         the chapter to raise funds
>>>>>                                         and you had edgescan/ BCC
>>>>>                                         Risk Advisory plastered
>>>>>                                         all over your slides.
>>>>>
>>>>>                                         In case you need to
>>>>>                                         reference it (I've
>>>>>                                         highlighted the relevant
>>>>>                                         parts):
>>>>>                                         https://www.owasp.org/index.php/Speaker_Agreement
>>>>>
>>>>>                                         OWASP holds highly a
>>>>>                                         neutral and unbiased
>>>>>                                         approach to security that
>>>>>                                         is free from undue vendor
>>>>>                                         influence. Here are a few
>>>>>                                         specific tips to maximize
>>>>>                                         the value of your talk
>>>>>                                         with the OWASP audience
>>>>>
>>>>>                                           * Please be sure that
>>>>>                                             your talk is
>>>>>                                             objective, stresses
>>>>>                                             open source
>>>>>                                             approaches, and avoids
>>>>>                                             references to any
>>>>>                                             commercial offerings
>>>>>                                             of your company.
>>>>>                                           * Feel free to
>>>>>                                             introduce yourself and
>>>>>                                             your current company
>>>>>                                             on the bio slide, but
>>>>>                                             avoid references to
>>>>>                                             your company
>>>>>                                             throughout the
>>>>>                                             presentation.
>>>>>                                           * Please either use a
>>>>>                                             blank presentation
>>>>>                                             template or the OWASP
>>>>>                                             template File:OWASP
>>>>>                                             Presentation
>>>>>                                             Template.zip
>>>>>                                             <https://www.owasp.org/index.php/File:OWASP_Presentation_Template.zip>
>>>>>                                             or File:PPT 2013
>>>>>                                             Toolbox.zip
>>>>>                                             <https://www.owasp.org/index.php/File:PPT_2013_Toolbox.zip>.
>>>>>                                             Unfortunately, company
>>>>>                                             slide templates aren't
>>>>>                                             acceptable for OWASP
>>>>>                                             talks.
>>>>>                                           * That's it - OWASP'ers
>>>>>                                             love good talks with
>>>>>                                             new ideas and
>>>>>                                             approaches for security!
>>>>>
>>>>>
>>>>>                                         Owen Pendlebury
>>>>>
>>>>>                                         OWASP Ireland-Dublin
>>>>>                                         Chapter Lead
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                                     -- 
>>>>>
>>>>>                                     Eoin Keary
>>>>>                                     OWASP Member
>>>>>                                     https://twitter.com/EoinKeary
>>>>>
