[Owasp-board] Please how to avoid this - conference codes in mailing list

Matt Tesauro matt.tesauro at owasp.org
Fri Feb 24 17:01:39 UTC 2017


TLDR:

This was a conscious, one-time decision on the part of the staff based on
the available systems and data stores to get the discount codes out to the
leaders in our community with maximum coverage.  There are compensating
controls in place currently to catch any abuse of the OWASP leader discount
codes.

The new AMS system currently being installed/upgraded will be used for
future registrations and can better handle leader discount codes.

NON-TLDR:

When Laura asked the O&A Committee how she should get the discount codes
out to our leaders, the default answer was to run a report of leaders in
Salesforce and directly email each person on that report - aka those people
SF has listed as OWASP Leaders.

While gathering this list from Salesforce, Laura noticed that there were
some omissions of project leaders and talked with Claudia about it.

As part of our current migration effort to the new AMS, we are doing
reviews/sanity checking of the leadership of all chapters and projects.
This is a significant undertaking and the effort for projects is still in
process.  This led to missing and incorrect data in the SF report for
projects.

We revised the report to remove project leaders from the SF output and sent
the discount code to the non-project leaders.

To reach the project leaders in a timely fashion, we made the decision to
send them via the leader list - the best method to ensure we reached
project leaders without potentially missing the leaders.  *This was a
one-time decision done to maximize coverage of the community leaders,
especially project leaders. Our preference was to broadcast those codes and
reach all leaders over missing some of our valued community leaders.*

Note:  AppSec EU is using the existing registration system, which does
not support a robust method of doing discount codes.  Historically, Laura
has checked all registrations using the leader discount code against our
Salesforce data and verified with Claudia or Tiffany where there were gaps
in our data.  The same process is in place for the AppSec EU 2017
registration so any inappropriate use of those codes will be caught by the
above process.

Going forward, the new AMS upgrade will handle conference registrations and
has a significantly enhanced functionality for discount codes, including
verifying at registration time the registrant's leadership status in
Salesforce and unique discount codes for each individual.

HTH

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Thu, Feb 23, 2017 at 12:21 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

>
> Hi All
>
> This is the second year that we publish all the 'conference free of
> charge' discount codes in the mailing list!!!!!
>
> I mentioned this last year! People can just find this info online and go
> for free without being a leader, or...is there any form of control that the
> person that used the code is an actual OWASP leader?
>
> How can we avoid this mistake again?
>
> Regards
>
> Johanna Curiel
> OWASP Volunteer
>