[Owasp-board] Owasp-ireland Digest, Vol 101, Issue 5

johanna curiel curiel johanna.curiel at owasp.org
Tue Sep 1 00:37:15 UTC 2015


Jim

These are just suggestions. I believe that the only thing I'm suggesting
is just actions and less meetings about decisions to take actions.

What is the general opinion about the David Rook issue? My impression is
that a mistake has been made, so why not correct that as soon as possible
instead of looking at laws/adapting laws, taking decisions ...etc..zzzz.

If that's not the case then please ignore my suggestion(s).

Hope you get my point.

Cheers

Johanna

On Mon, Aug 31, 2015 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Johanna,
>
> I am confused by this email.
>
> On one hand you ask that the board get directly involved with a chapter
> matter and force a specific action at the board level.
>
> "I think the board should consider the following actions. Place David's
> presentation back on OWASP wiki pages."
>
> Then, shortly below that request, you ask that the board focus on other
> issues and not get involved in these matters.
>
> "Please be more pragmatic, I think I speak for the community when I say we
> would like to see the members of the board more busy trying to focus on
> the OWASP mission with action plans instead of giving too much time to discuss
> rules, change rules or chase rule breakers"
>
> This is where I feel a bit thrashed. On one hand, members of this chapter
> as well as other members of the community specifically called *me* out in
> a very public manner to get involved in this specific situation. This was
> asked of me even after I asked those involved to go to staff first with
> this issue.
>
> Then, after I am involved in an issue that is already filled with
> conflict, I get comments such as "the board should be doing better things".
> :)
>
> Johanna, I agree that there are other avenues of OWASP that are important.
> But when multiple members of the community ask me to get involved in and
> weigh in on certain issues, I will almost always do so. In this manner, I
> suggested that (1) they go to staff first - and if that did not work to
> resolve the issue - then (2) email the entire board, not just call out one
> member over social media.
>
> So while I understand that you are fairly upset with many aspects of the
> foundation, including this situation, I want you to know that I did my best
> to act properly in the middle of a very sticky and difficult decision.
>
> Regards,
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!
>
>
>
>
>
> On 8/31/15 1:54 PM, johanna curiel curiel wrote:
>
> >The speaker agreement as it stands today is pretty clear. I think we need
> to follow the rules as they are now or change them. I am putting this
> topic on the agenda for the board meeting in a few weeks for discussion and
> will keep you posted.
>
> I think the board should consider the following actions
>
>    - Place David's presentation back on OWASP wiki pages. There is no
>    sales pitch here in my opinion. The only thing promoted is that a Riot Games
>    employee has a security engineer using OWASP best practices. Isn't that
>    good for OWASP? What if instead of Riot Games it was Google, or another big
>    tech name..would you find that positive for the OWASP image? (PCI using
>    the OWASP testing guide is the equivalent, let's not forget how expensive it is to
>    become a QSA auditor...)
>
> Evaluate the added value to the community on the talks allowed to be
> presented at APPSEC/Chapter /Day Presentations based on:
>
>    - Is the subject of the talk trying to persuade the audience to buy or
>    use a service or product with a commercial value? (This is definitely a no
>    go.)
>    - Is there an open source component being presented or a 'best practice'
>    in the talk such that we could disregard the fact that the company doing the
>    presentation could have a *slightly* commercial interest? (Docker for
>    example is open source but has commercial activities on the same product as
>    the open source one, and its use can indeed make applications more secure,
>    but so does McAfee or any other 'commercial security vendor' product trying
>    to make software safer...however Docker is also available as open
>    source, as opposed to McAfee.)
>
> Last but not least recommendation:
>
>    - Please, do not apply rules as a black and white / all or nothing
>    decision factor. Each case should be evaluated based on the content and
>    context before taking hard decisions, otherwise you will be busy most of your
>    time during board meetings changing laws, adding bylaws, voting, because
>    'the rule' was broken/didn't work (latest example Fabio with the 75% attendance
>    issue when he could not attend due to time-zone issues).
>
>
>    - Please be more pragmatic, I think I speak for the community when I
>    say we would like to see the members of the board more busy trying to
>    focus on the OWASP mission with action plans instead of giving too much time
>    to discuss rules, change rules or chase rule breakers.
>
>
>  In the end "by their fruits you shall know them" (not by missing the 75%
> attendance ratio or not attending an OWASP board meeting live 😁)
>
>
> Cheers
>
> Johanna
>
>
>
>
>
>
> On Mon, Aug 31, 2015 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Fair comments. I think we need to follow the rules as they are now or
>> change them. The speaker agreement as it stands today is pretty clear. I am
>> putting this topic on the agenda for the board meeting in a few weeks for
>> discussion and will keep you posted.
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>
>> On Aug 31, 2015, at 2:45 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi All
>>
>> The discussion about David Rook being questioned regarding his slides'
>> content really concerns me. I still don't see how his slides can be more
>> commercial than the talk at this AppSec in SFO called
>> "Securing your application using Docker"
>> <https://appsecusa2015.sched.org/event/fd18011c9c21852dc66f812ef96af4b8?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no>
>> https://2015.appsecusa.org/agenda/speakers/?speaker=diogo_monica.1tssilmd
>>
>> Why: Because Docker also has a commercial side. Many could consider this
>> talk a 'sales talk', especially when Docker also has a very commercial side:
>> Pricing section of Docker:
>> https://www.docker.com/pricing#?section=1
>>
>> In my opinion, David is not selling games in the slides regarding how he
>> applied security at Riot Games; he is explaining how he implemented it at his
>> work, using awesome slides. If a security specialist is going to hear his
>> talk or check his slides, is he suddenly going to become a 'gamer' and buy
>> League of Legends? I doubt that. He is not even selling how to use the game
>> and what it is about.
>>
>> If rules must be applied then they need to be evaluated properly for all.
>> If a talk like the Docker one is accepted, where is the moral compass for judging
>> David and his slides, especially if you look carefully at the content?
>>
>> BTW, I think a talk about Docker and using it to secure applications is
>> definitely a very good one, but that does not take away the commercial influence
>> of Docker to buy or use its product for 'security purposes' and the
>> inequality of judgement when looking at other OWASP presenters like David.
>>
>> Cheers
>>
>> Johanna
>>
>> On Mon, Aug 31, 2015 at 7:30 AM, Martin Knobloch <
>> <martin.knobloch at owasp.org>martin.knobloch at owasp.org> wrote:
>>
>>> Hi Owen,
>>>
>>> Yes, I will be in Dublin for SOURCE, please see me there! I fly in late
>>> Sunday and will leave early on Tuesday, best to talk Monday after lunch.
>>>
>>> Cheers,
>>> -martin
>>>
>>>
>>> *From: *Owen Pendlebury
>>> *Sent: *Monday 31 August 2015 13:10
>>> *To: *Jim Manico
>>> *Cc: *Rahim Jina; Mark Denihan; Noreen Whysel; Fabio Cerullo; Eoin
>>> Keary; Martin Knobloch; OWASP Foundation Board List
>>> *Subject: *Re: Owasp-ireland Digest, Vol 101, Issue 5
>>>
>>> Hi Jim,
>>>
>>> No I've not escalated it as I was happy that the board was going to
>>> assess the situation and revert with its recommendations.
>>>
>>> I've cc'd the board and Martin as I feel that this has gotten way out of
>>> hand. Martin, happy to catch up to discuss at any stage. I believe you're in
>>> Dublin for SOURCE and could meet then.
>>>
>>>
>>>
>>> Owen Pendlebury
>>> OWASP Ireland-Dublin Chapter Lead
>>> <https://www.owasp.org/index.php/Ireland-Dublin>
>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>
>>> On 31 August 2015 at 11:51, Jim Manico < <jim.manico at owasp.org>
>>> jim.manico at owasp.org> wrote:
>>>
>>>> I am very sorry to hear all this. Because again while I am stating my
>>>> opinion I'm not about strict enforcement and it seems to me that David is
>>>> caught in the middle of four different sets of folks.
>>>>
>>>> David, I'm sorry for this and do not blame you for being upset and
>>>> frustrated.
>>>>
>>>> Have the other issues been resolved or is there conflict going on? If
>>>> you need help resolving this, you can go to staff or even go to our
>>>> Ombudsman, Martin Knobloch.
>>>>
>>>> I of course have a serious conflict of interest here since Eoin and
>>>> Rahim are business partners and friends of mine. But there are plenty of
>>>> ways to approach conflict resolution if you need that support, Owen.
>>>>
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> <https://www.owasp.org/>https://www.owasp.org
>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>
>>>> On Aug 31, 2015, at 12:42 AM, Owen Pendlebury <
>>>> <owen.pendlebury at owasp.org>owen.pendlebury at owasp.org> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'm removing the Ireland list as I do not deem it necessary to involve
>>>> others in something that has dragged on and to be honest seems like an open
>>>> and closed case based on the speaker agreement.
>>>>
>>>> Just to clarify things. This was driven off a complaint received from
>>>> Rahim and Eoin in relation to slides on the WIKI and not David Rook. This
>>>> complaint was in relation to the contents in the slides. An email was sent
>>>> out to all speakers asking if they would mind providing a non-vendor
>>>> version for the WIKI. This complaint was driven by me questioning Eoin, a
>>>> former global board member, on slides as they were not abiding by the
>>>> speaker agreement (something he had agreed would be vendor neutral).
>>>>
>>>> Eoin proceeded to have his company and a service they provide on every
>>>> slide. He also gave business cards to attendees regarding his company
>>>> providing training for them and mentioned that he would give attendees jobs
>>>> if they were able to answer questions he asked. This I felt was not vendor
>>>> neutral and questioned him on it.
>>>>
>>>> Once he was questioned, we then received a complaint from Eoin and
>>>> Rahim (same company), which fact-wise was incorrect and seemed tailored
>>>> to something less befitting of a professional services company.
>>>>
>>>> Owen Pendlebury
>>>> OWASP Ireland-Dublin Chapter Lead
>>>> <https://www.owasp.org/index.php/Ireland-Dublin>
>>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>>
>>>> On 31 August 2015 at 11:29, David Rook < <drook at riotgames.com>
>>>> drook at riotgames.com> wrote:
>>>>
>>>>> I look forward to seeing how well this is enforced at AppSec USA in a
>>>>> few weeks time.
>>>>>
>>>>> On Mon, Aug 31, 2015 at 11:28 AM, Jim Manico < <jim.manico at owasp.org>
>>>>> jim.manico at owasp.org> wrote:
>>>>>
>>>>>> Clarified in my last email, I stand corrected, my apologies for that
>>>>>> mistake....
>>>>>>
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> <https://www.owasp.org/>https://www.owasp.org
>>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>>>
>>>>>> On Aug 31, 2015, at 12:13 AM, David Rook < <drook at riotgames.com>
>>>>>> drook at riotgames.com> wrote:
>>>>>>
>>>>>> Specifically I said "I've got nothing to sell, only ideas to share"
>>>>>> in our last exchange so I'd like to figure out where you got that from dude.
>>>>>>
>>>>>> On Mon, Aug 31, 2015 at 11:11 AM, David Rook < <drook at riotgames.com>
>>>>>> drook at riotgames.com> wrote:
>>>>>>
>>>>>>> Hey Jim,
>>>>>>>
>>>>>>> I have to call you out on "But you gave a talk that by your own
>>>>>>> admission was trying to benefit Riot Games and sell games" < I
>>>>>>> don't believe I've ever said that. We produce a free to play game dude, we
>>>>>>> don't sell games :)
>>>>>>>
>>>>>>> On Mon, Aug 31, 2015 at 11:09 AM, Jim Manico <
>>>>>>> <jim.manico at owasp.org>jim.manico at owasp.org> wrote:
>>>>>>>
>>>>>>>> Rahim, David and others,
>>>>>>>>
>>>>>>>> I hope you are well. The current speaker agreement allows for a bio
>>>>>>>> slide up front where you can mention your commercial connections, logo as
>>>>>>>> well.
>>>>>>>>
>>>>>>>> The rest of the presentation needs to be non-commercial, per the
>>>>>>>> current speaker agreement. I like that policy personally since it's in tune
>>>>>>>> with our bylaws and mission statement around vendor neutrality. 99.99% that
>>>>>>>> speaker agreement is honored with no fuss.
>>>>>>>>
>>>>>>>> And to be honest, especially at the chapter level, the foundation
>>>>>>>> does not strongly enforce this. There are presentations that do not fit
>>>>>>>> this policy that slip through. And in fact there are even some chapters
>>>>>>>> that encourage commercial talks.
>>>>>>>>
>>>>>>>> But keep in mind OWASP is an educational charity, with a mission to
>>>>>>>> be free of commercial affiliations. I think that honoring the wishes of the
>>>>>>>> current speaker agreement is an ethical standard that speakers should
>>>>>>>> seriously consider.
>>>>>>>>
>>>>>>>> And really, if there is a chapter arguing about footers and headers
>>>>>>>> - geesh we have better things to do. I am sorry it has all degenerated down
>>>>>>>> to this and I wish there was a better way.
>>>>>>>>
>>>>>>>> To the persons trying to hold up a better ethical standard, thank
>>>>>>>> you! To those who will not spend the 10 seconds to turn off commercial
>>>>>>>> footers and are making commercial footers an issue that requires board
>>>>>>>> level attention, I ask, what are you trying to accomplish when you give
>>>>>>>> a talk at our vendor-neutral primarily open source charity?
>>>>>>>>
>>>>>>>> And by the way, I was dragged into this over social media and
>>>>>>>> forced to make a decision.
>>>>>>>>
>>>>>>>> So be it.
>>>>>>>>
>>>>>>>> David Rook I love you and your talk was VERY well received. I
>>>>>>>> consider you a friend. But you gave a talk that by your own admission was
>>>>>>>> trying to benefit Riot Games and sell games. Per our current speaker
>>>>>>>> guidelines this is not acceptable. I know how smart you are, Rook, and I'd
>>>>>>>> personally prefer (but not enforce) that you give talks more suited to a
>>>>>>>> non profit educational charity. I have seen literally hundreds of speakers
>>>>>>>> at OWASP chapters and conferences with tight commercial affiliations still
>>>>>>>> find a way to give vendor neutral non commercial tech talks at OWASP
>>>>>>>> events. It CAN be done if you have the will to do it. And I hope you do! :)
>>>>>>>>
>>>>>>>> With respect,
>>>>>>>> --
>>>>>>>> Jim Manico
>>>>>>>> Global Board Member
>>>>>>>> OWASP Foundation
>>>>>>>> <https://www.owasp.org/>https://www.owasp.org
>>>>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>>>>>>
>>>>>>>> On Aug 30, 2015, at 11:39 PM, Owen Pendlebury <
>>>>>>>> <owen.pendlebury at owasp.org>owen.pendlebury at owasp.org> wrote:
>>>>>>>>
>>>>>>>> Hi Rahim,
>>>>>>>>
>>>>>>>> Thanks for your mail.
>>>>>>>>
>>>>>>>> I believe that this matter is being discussed at a global board
>>>>>>>> level. As of now the OWASP speaker agreement (
>>>>>>>> <https://www.owasp.org/index.php/Speaker_Agreement>
>>>>>>>> https://www.owasp.org/index.php/Speaker_Agreement) still applies.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Owen
>>>>>>>>
>>>>>>>> Owen Pendlebury
>>>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>>>> <https://www.owasp.org/index.php/Ireland-Dublin>
>>>>>>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>>>>>>
>>>>>>>> On 31 August 2015 at 10:29, Rahim Jina < <rahim.jina at owasp.org>
>>>>>>>> rahim.jina at owasp.org> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Owen,
>>>>>>>>>
>>>>>>>>> Is there any follow-up on the below from the owasp leadership team
>>>>>>>>> regarding the use of company logos on slide headers/footers?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rahim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *From:* <eoinkeary at gmail.com>eoinkeary at gmail.com [mailto:
>>>>>>>>>> <eoinkeary at gmail.com>eoinkeary at gmail.com] *On Behalf Of *Eoin
>>>>>>>>>> *Sent:* 20 July 2015 14:48
>>>>>>>>>> *To:* Owen Pendlebury < <owen.pendlebury at owasp.org>
>>>>>>>>>> owen.pendlebury at owasp.org>
>>>>>>>>>> *Cc:* Fabio Cerullo < <fcerullo at owasp.org>fcerullo at owasp.org>;
>>>>>>>>>> Mark Denihan < <Mark.Denihan at owasp.org>Mark.Denihan at owasp.org>
>>>>>>>>>> *Subject:* Re: Owasp-ireland Digest, Vol 101, Issue 5
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Owen,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> How is life in Deloitte, hope all is well and you are settling in
>>>>>>>>>> ok.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Please feel free to put the PDF's on the OWASP website if you
>>>>>>>>>> wish.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I don't believe I referred to any commercial offerings in the
>>>>>>>>>> slides apart from the cover and bio slides. Correct me if I am wrong and
>>>>>>>>>> I'll gladly take them out.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The feedback overall was very very good so I'm sure 90% of the
>>>>>>>>>> delegates got lots from the class.
>>>>>>>>>>
>>>>>>>>>> Direct feedback to myself and the funds I raised for OWASP and
>>>>>>>>>> the chapter were also very positive, I hope you agree.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> kind regards,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Eoin
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 20 July 2015 at 13:38, Owen Pendlebury <
>>>>>>>>>> <owen.pendlebury at owasp.org>owen.pendlebury at owasp.org> wrote *To:*
>>>>>>>>>> Eoin Keary < <eoin.keary at owasp.org>eoin.keary at owasp.org> :
>>>>>>>>>>
>>>>>>>>>> Can you put your slides on the WIKI via OWASP file upload. I don't
>>>>>>>>>> think it's appropriate for you to be plugging edgescan as it's nothing to do
>>>>>>>>>> with the training.
>>>>>>>>>>
>>>>>>>>>> It was supposed to be an OWASP training event for the chapter to
>>>>>>>>>> raise funds and you had edgescan/ BCC Risk Advisory plastered all over your
>>>>>>>>>> slides.
>>>>>>>>>>
>>>>>>>>>> In case you need to reference it (I've highlighted the relevant
>>>>>>>>>> parts): <https://www.owasp.org/index.php/Speaker_Agreement>
>>>>>>>>>> https://www.owasp.org/index.php/Speaker_Agreement
>>>>>>>>>>
>>>>>>>>>> OWASP holds highly a neutral and unbiased approach to security
>>>>>>>>>> that is free from undue vendor influence. Here are a few specific tips to
>>>>>>>>>> maximize the value of your talk with the OWASP audience:
>>>>>>>>>>
>>>>>>>>>>    - *Please be sure that your talk is objective, stresses open
>>>>>>>>>>    source approaches, and avoids references to any commercial offerings of
>>>>>>>>>>    your company. *
>>>>>>>>>>    - *Feel free to introduce yourself and your current company
>>>>>>>>>>    on the bio slide, but avoid references to your company throughout the
>>>>>>>>>>    presentation *
>>>>>>>>>>    - *Please either use a blank presentation template or the
>>>>>>>>>>    OWASP template
>>>>>>>>>>    <https://www.owasp.org/index.php/File:OWASP_Presentation_Template.zip>File:OWASP
>>>>>>>>>>    Presentation Template.zip or
>>>>>>>>>>    <https://www.owasp.org/index.php/File:PPT_2013_Toolbox.zip>File:PPT 2013
>>>>>>>>>>    Toolbox.zip. Unfortunately, company slide templates aren't acceptable for
>>>>>>>>>>    OWASP talks. *
>>>>>>>>>>    - *That's it - OWASP'ers love good talks with new ideas and
>>>>>>>>>>    approaches for security! *
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Owen Pendlebury
>>>>>>>>>>
>>>>>>>>>> OWASP Ireland-Dublin Chapter Lead
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> Eoin Keary
>>>>>>>>>> OWASP Member
>>>>>>>>>> <https://twitter.com/EoinKeary>https://twitter.com/EoinKeary
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>
>