[Owasp-cert] Subject Areas

Antti Vähä-Sipilä avs at iki.fi
Mon Sep 1 14:59:10 EDT 2008


On 31 Aug 2008, at 17:28, james at architectbook.com wrote:
> FYI. I watched my third laptop die this week where I may have missed  
> many of the emails related to this project (those that weren't  
> copied to the list).


I sent some comments on the NDA. I'll resend them now, copied to the  
list, and add some rationale as to why I feel these changes would be  
useful.

- Please define the address and state/country of incorporation for  
OWASP Inc. In addition, the NDA would need to be signed by OWASP as  
well.

Why? Because this way (given that there are two identical signed  
copies) the NDA can be used to prove that one has indeed signed it and  
is thus "authorised". Otherwise, anyone could claim to have signed the  
NDA but they might not have ever sent it to OWASP.

- The definition of Confidential information is too wide in the cotext  
of OWASP, which usually uses public documents. I believe that the NDA  
should specificly cover only the OWASP certification project, not  
OWASP activities generally, and only material that has been explicitly  
stamped as "OWASP Certification Project Confidential" (or somesuch).

Why? Because openness should be the default. In addition, this type of  
clause would encourage proper classification markings on the  
documents, and most likely would also decrease the probability of  
accidental leaks.

- The definition of confidential documents should explicitly exclude  
information that has been published or has become public knowledge, or  
information that was published or publicly known before entering the  
NDA, if becoming public knowledge or publication not been due to  
actions by the person in question.

Why? This is standard NDA stuff. Also acts as an anti-gagging clause,  
so if laundry gets washed in public, does not prohibit people from  
taking part.

- Definition of an "unauthorized" individual is missing. Should  
perhaps be defined as those who are not under an NDA. Otherwise, how  
is the signatory spposed to know who are unauthorized? It should be  
specified that when discussing issues on a mailing list, group, event  
or forum maintained by OWASP, Inc. for authorized persons, the  
existence of such group is enough to authorize discussion there  
(meaning that each single person must not need to determine whether  
all participants have an NDA or not).

Why? Because otherwise the NDA gives OWASP an open cheque to  
(retroactively?) label someone as unauthorised.

- "Returning" documentation in its digital form is meaningless. This  
should only apply to physical items and this should be explicit.

- There is no expiration clause, but the NDA is valid in perpetuity.  
There should really be an expiration clause, for example five years,  
unless a document is still being actively used in the OWASP  
certification, in which case, in the context of that specific  
document, the NDA would expire only after the document is obsolete.

Why? This is because if there's something badly wrong in the  
Organization or Certification, whistleblowing must be possible - even  
legally - after some years. Also, I see really no point in forcing  
people to forever keep silent if the subject matter has long since  
ceased being relevant.

- The NDA expiry date should be tied to the person informing OWASP,  
Inc. about termination, and the termination should happen after the  
termination period as above.

- Key/password escrow requirement does not have any reason to be  
there. I mean, OWASP Inc. may internally have any data accessability  
steps in place including escrow but volunteers all around the world,  
while working on this project, should not have any need for that.

- "best protection" for information is too vague. OWASP must  
specifically describe what level of protection is required. This has  
the effect of encouraging a secure baseline for document handling  
practices. Also, it would be good to add that if the Organization  
provides the person with software, proper usage of that software must  
be always seen to fulfill this requirement.

Cheers,

Antti

--
http://www.iki.fi/avs/  GnuPG FE5E11B666F04EE8EB0C:F261AFC299AF3DE9A7CA
GIT/CS/ED a C++$ UL+ PS++ [email protected] Y++ PGP++ [email protected] R b++ e+++ h y? avs at iki.fi


More information about the Owasp-cert mailing list