[Owasp-leaders] Indemnity

Jim Manico jim.manico at owasp.org
Thu Aug 11 00:22:38 EDT 2011


Mark,

Your concern is fair. The leaders list is primarily a governance list.

If you want to discuss secure coding practices, I suggest the ESAPI-dev
list. We are in maintenance mode mostly, but we are happy to help you if you
have any questions about WebAppSec defensive coding practices.

If you have questions about WebAppSec in general, I find that your friends
at WASC are fairly active chatting about... WebAppSec:
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

A lot of good technical conversations happen 1-2-1 or on Twitter. Please
feel free to drop me a line anytime. A lot has changed in WebAppSec over the
past few years and I'd be happy to help catch you up or at least point you
to the right person who can.

Welcome back!

Regards,

--
Jim Manico


On Aug 10, 2011, at 11:59 PM, Tom Brennan <tomb at owasp.org> wrote:

Yes, there are a few;

https://lists.owasp.org/mailman/listinfo

Semper Fi,

Tom Brennan
Tel: 973-202-0122







On Aug 10, 2011, at 10:06 PM, mark curphey <mark at curphey.com> wrote:

Please forgive what may be a naive message. Having been away from OWASP for a
number of years I just don't recognize the project I left or understand how
things work these days.

This list seems to be focused on bureaucracy and administrivia (neither of
which I personally have any interest in). Is there a "leaders" list where
project leaders focus on improving the state of application security,
discussing ways to make OWASP have more impact or share ideas on how
individual projects can be better? If so I would like to unsubscribe from
this list and join that one.

I look forward to hearing from you.

Cheers!

Mark



On Aug 10, 2011, at 6:28 PM, Christian Heinrich wrote:

Abraham,

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> Most companies have an indemnity clause in their bylaws because officers
> and directors have a fiduciary duty to the company.  A fiduciary duty
> entails a Duty of Loyalty and Duty of Care.
>

What is the difference between a "Company" and a "Not for Profit Foundation"
i.e. OWASP as defined by USA Law?

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> A duty of loyalty requires officers and directors to place the interests of
> the organization above their own.  This implies that officers and directors
> cannot usurp opportunities for themselves which could have been taken by the
> organization unless notifying non-interested directors and getting approval
> or if the organization would not be able to avail itself of the opportunity.
>  If an officer or director breaches this duty they can be sued.  However,
> the indemnity will only apply when the officer or director does not have an
> adverse ruling against him/her in the proceeding.  If the officer or
> director is found to have acted in bad faith, he/she, individually, will
> be responsible for paying their attorney's fees (no indemnity and
> accountability).
>

On a slight tangent, does the above paragraph infer that OWASP Board Members
have to declare all commercial opportunities, i.e. webappsec product or
professional service, delivered by their respective employer?

I am very much in favor of reducing perceived conflict of interests within
the OWASP Board.

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> Members do not have a fiduciary duty to the organization per se.  However,
> if a member is acting as an agent of the organization and the organization
> has held the agent out as representing the organization or acknowledged the
> agency relationship then the organization will be liable for the member's
> actions (indemnity).  An example of agency would be where members set up
> conferences like AppSec USA and sign contracts for the venue, food,
> services, etc. on behalf of OWASP.  So there is indemnity of members in
> certain cases.
>

I believe this addresses my request and is therefore similar to my
experience in NSW, Australia i.e.
http://www.fairtrading.nsw.gov.au/Cooperatives_and_associations/Associations/Incorporated_associations.html#What_is_the_associations_liability

Does this indemnity extend to:
1. Libel/slander on OWASP Mailing Lists and Chapter Meetings or Conferences?
2. Lack of OH&S, such as an attendee breaking their arm in a fall at an
OWASP Chapter Meeting or Conference?

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> But requiring OWASP to indemnify all of its members would be a tremendous
> legal burden. Especially if the member is not acting as an agent for OWASP.
>  This would open OWASP to potential liability for actions that any member
> partakes (hacking government institutions, negligence, as well as other
> criminal and civil torts).
>

The above would then be addressed by their employer's indemnity insurance -
correct?

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> I have to say this is an unreasonable request and it is not related to
> Americans trying to control everything.
>

I deliberately avoided making reference to this - rather I am interested in
the difference between the USA and Australian (State) Laws regarding "Not
For Profits".

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> I attended this year's OWASP leadership conference in Lisbon, Portugal.
>  This conference was not held in the states.  And although it was a pain
> flying to Europe from the US I think we had good representation of members
> outside of the US for leadership purposes.  This shows that OWASP is
> globally centric and not US centric.
>

I might address the Summit in a separate thread.  However, the OWASP
Community has extended beyond Europe and USA.

On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org> wrote:

> Come guys, OWASP wants to support and reach out to the world.
>

Thanks for taking the time to clarify this in detail.


-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh


 _______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
