[Owasp-board] [Owasp-leaders] don't allow explicit discrimination 🙏🏿 (women only)

Avi D (OWASP Israel) avi.douglen at owasp.org
Sun Mar 17 08:46:00 UTC 2019

Absolutely agree. 


One thing that Liam did say was about “equal access to opportunity”. I agree with that 100% - this is absolutely about equalizing access to opportunity.

However, the situation today is that there is NOT equal access – the overwhelming bias in almost all markets means that most of the opportunities are going to men (and in many countries, specifically “straight white men”) – whether it is companies that prefer to send one group of employees to conference opportunities, default to promoting (and hiring) from a specific group, pay for training for one group of employees… Or if someone wanted to pay for this themselves, one group has on average 20-30% (or more) higher salary than the others, which means more available cash to afford this themselves. 


The point of this WIA training is to compensate for that existing bias, even if just a little, and provide extra opportunities for those that otherwise would miss out on opportunities and not be able to join. As I said we would not ban anyone from joining for being a man, however as a group men do not need that extra opportunity. 


The point is that *as a group* there are people that are de facto excluded from events like this, even if it is “open to everybody”. It is like offering “unisex” tshirts that only fit men… 


The point of this training is to equalize access to opportunity. 


Is anyone truly opposed to that? 


Avi D 



From: owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org [mailto:owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org] On Behalf Of Prashant Kv
Sent: Sunday, March 17, 2019 7:36
To: Timur 'x' Khrotko [owasp] <timur at owasp.org>
Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>; Josh Grossman <josh.grossman at owasp.org>; OWASP Leaders <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] don't allow explicit discrimination 🙏🏿 (women only)






Above initiatives are started in USA. Don’t tell me problem is there only in countries like India. I am part of San Francisco Bay Area OWASP chapter and I hardly see women boldly asking questions. Problem is worldwide. 

For all the talk, USA never ever had a woman president and Israel had one lady prime minister. India and all its neighboring countries have had lady heads of state in the past.

On Saturday, March 16, 2019, Timur 'x' Khrotko [owasp] <timur at owasp.org> wrote:

Dear all, I still maintain my request to correct the condition of the free Burp/ZAP training in Tel Aviv to anything tolerable from 'women only'.


'Women only' is gender discriminatory by design and as such should not be tolerated. In the below conversation I found no reason that could outweigh this issue. While Kevin and Liam suggested solutions which could fulfill the purpose of helping/sponsoring/engaging chosen groups/causes. 


Dear Vandana, I respect your missionary work. It's only that the solution you proposed to replicate from your successful practice in India is not proper in Europe/Israel. As well I would not assume that the situation you are curing in India is present in Europe in the same manner. Especially in Israel where women join the regular service in defense forces equally to men. And I assume that female developers travelling to Appsec Global can easily learn in coeducational circumstances. 


PS. Also I see a parallel issue in that there is no regulation of having free trainings of any kind at OWASP conferences. Like if there is a preselected free training then its topic should be announced in the CfT to prevent trainers proposing their for-profit trainings with the same topic. Etc.


Thanks for the discussion,



On Fri, Mar 15, 2019 at 3:37 PM Liam Smit <liam.smit at gmail.com> wrote:


Hi Avi


It seemed that Timur was pointing out the double standard or hypocrisy involved in claiming to be inclusive yet being exclusive to one gender and thus discriminating. This would seem to be confirmed by his questions around other exclusive training examples of race, religion, not having children and sexual orientation. In effect he appears to be asking if it is only OK to discriminate to increase diversity.


If the end goal is to ensure equal representation of every gender, race, age, sexual orientation, gender identity, religion, etc. in every field, conference and other walk of life then it is going to involve a gargantuan amount of social engineering to achieve that, which would entail individuals giving up their right to privacy of those attributes as well as some sort of bureaucracy to assign more resources to certain groups defined by the chosen defining characteristic as well as encourage people to pursue a certain direction at the expense of their other options.


By mentioning "gender, e.g. PoC, trans, and more" you have already touched on the problem of how does one define let alone measure diversity. What about diversity of age, current or past financial status, interests, or ideas? Ironically with enough effort and enough groups we could end up with a list of permutations that result in one individual per permutation at which point we could probably dispense with dividing people up into groups... ;-)


Personally I do not feel offended if there is an event aimed at women, one aimed at the youth to explain the dangers of social media, training aimed at the elderly on how to spot con artist scams, etc. Of course at the same time it would be silly to prevent, e.g., parents or teachers from attending a course aimed at children because they would most likely be able to pass knowledge on to children and younger people who have parents who they consider at risk to such scams. 


I would suggest equal access to opportunity is the simplest way of allowing people to learn and partake in what they find interesting. Online computer based training offers a scalable (physical space is limited), affordable (financial considerations are real) and effective way to learn the basic (and even the more advanced) concepts without having to fear being ridiculed (a specific issue raised by Pravant). You could also have a classroom rule of do not ridicule basic questions, provide the basic information before the training to get everyone up to a similar level or encourage a friendly atmosphere in the class so that the worst anyone gets is a gentle ribbing and I mention that last one as someone who purposefully asks the stupid question in a group environment.


I am not sure why you saw fit to make a comment about Jim Crow laws or joking about white supremacy. Perhaps I am missing some context but if it is solely based on Timur's email then it would appear that you are attempting to label him as a bad person to dismiss his argument instead of addressing the substance of his argument. If that is indeed the case then that is at best poor debating skills. Regardless, it is far better to identify the specific issues hindering access to education or training and address each of those in turn to improve the situation. 


My sincere thanks to everyone (including Timur and Avi) in the thread who highlighted what they considered specific problems, offered feedback and suggestions on how to improve access to information security training and of course to those like Vandana who volunteer their time and effort to provide free training! Being able to rationally discuss problems in a civil manner in order to come up with potential solutions is a fundamental requirement to helping OWASP achieve its purpose of safe and secure software.







On Fri, Mar 15, 2019 at 11:05 AM Avi D (OWASP Israel) <avi.douglen at owasp.org> wrote:

Hi Timur, 


As you know, I am the conference chair for this event. It’s a shame you didn’t feel comfortable reaching out to me directly before complaining at everybody. :) 


As Josh explained to you, I added this training outside the CFT submission process. As such there was never any conflict between this and any other submitted training proposal that may have been on a similar topic. This FREE training is being organized by the WIA committee, and Vandana in particular, and offered free (at her own personal expense) to _increase_ inclusion in OWASP events, and the industry in general. 


Whether or not you have encountered a problem with the current level of diversity in OWASP, AppSec events, and the industry in general – I assure you, this problem exists, it is significant, and it’s in a pretty terrible state right now. This free training is a blessed effort to get more women (and those identifying as women, as well as other underrepresented groups) into the industry, help them get started in a field that has traditionally been (and still is) biased against these groups, and hopefully rebalance our overwhelmingly male community. This is absolutely one of the core causes of OWASP, and part of our core mission: to make security visible and accessible to ALL developers etc. 


That said, if you feel strongly about it you can just as well sign up for the course – we will not be checking anyone’s genitals before we let them through the door. (Though I believe you are teaching a course yourself at the same time? So I’m not sure what you’re cranky about here.)


FYI, I will point out that we do have a strict Code of Conduct at our event, in addition to OWASP’s generic one. TBF it is a bit basic IMO, but it DOES have teeth: any abuse, harassment, or making someone feel like they do not belong is not acceptable, and can even lead to expelling an abuser, no matter who they are. Anyone and everyone should feel comfortable and safe attending and participating in the conference. 

Suggesting a comparison between WIA and other inclusivity efforts to Jim Crow laws, or trivializing these efforts as “political reasons”, or joking about white supremacy – this is not really a bannable offense, but I would strongly suggest reconsidering this approach. It’s not a wholesome path to be on… :) 


Looking forward to seeing you here again, and discussing further over a beer (or non-alcoholic drink if you prefer)! 



Avi D 


P.S. I am aware that our lack of diversity is not solely based on gender, e.g. PoC, trans, and more. As there are many groups that are not quite comfortable in many of these events, we do try to express universal inclusivity, and explicitly mention that anyone from underrepresented groups is included, not just women. If anyone feels they are still left out from this, please let me know and we will do whatever we can. 



From: owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org [mailto:owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org] On Behalf Of Timur 'x' Khrotko [owasp]
Sent: Friday, March 15, 2019 3:31
To: Josh Grossman <josh.grossman at owasp.org>; OWASP Foundation Board List <owasp-board at lists.owasp.org>; owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] don't allow explicit discrimination 🙏🏿 (women only)


Dear Board, dear Josh,


please modify the conditions of the Burp/ZAP training announced at Appsec Global in Tel Aviv. The "women only" condition is gender discriminatory, that is just plainly discriminatory and as such contradicts the faith and probably the policies of OWASP. Also it contradicted the training review policy which promised to make choices solely on professional grounds. 


Dear all,


I understand the idea behind it and I support the WIA initiative but there must be common sense limits. You shouldn't encourage black only tailor shops in your holy fight with racially discriminatory tailor shops. 


There're options to keep the idea, maybe make the training free for WIA members -- that would be against my taste still but maybe something tolerable. Or let WIA invent a clever and tasteful solution for the conditions of a free training to engage female devs in secdev.


As far as I know this isn't an issue with the Tel Aviv organisers as this training was nested from above. And also this women only thing already happened at one of the previous conferences, in the US probably.


Consider that when one inserts trainings for political reasons then similar trainings which could compete on professional grounds get automatically excluded. So by promoting causes which are not exactly the core causes OWASP exists for one harms the professional impartiality/etc.


Satirical sidenote: I'm not afraid of being tagged as trumpist since I'm already a Russian troll 😀 And during the Samantha-gate I already accepted highbrow American comments that we don't know modern social/moral norms at this side of the world.


Or would it be a good move next time to announce a 'Muslims only', 'Jews only', 'childfree only' or a 'gay only' training next time? (I subscribe to support all these causes and peoples sometimes discriminated -- even in my OWASP hat but not in a discriminatory way.)


Your thoughts?


Current reference: https://telaviv.appsecglobal.org/registration/


