[Owasp-leaders] [Committees-chairs] No i will not sign your NDA but...

dinis cruz dinis.cruz at owasp.org
Thu Jun 30 13:08:19 EDT 2011


I don't buy the argument that there are a ton of opportunities that OWASP is
missing because we don't have these 'safe harbour' locations to talk.

The other key concept that you guys are missing is that the 'no
NDA, everything is public' is actually the best way for *OWASP to control
OWASP* and to prevent the existence of 'pockets of knowledge' or 'groups
that know more than others' inside OWASP (just try to imagine how this would
work in practice and you will see how impractical this would be).

If we want to preserve our community and open spirit we need to have
an uncompromising Open environment.

I would also argue that a big problem in our industry (and software
development/apps in general) is the excessive use of NDAs and lack of
information sharing. So if anything, OWASP should be pushing in the other
direction and be actively promoting dialog and 'conversations'.

For example, look at how we were able at the last OWASP Summit to get
directly competing companies to sit at the same table and talk 'openly'.
THAT is what we need to do. Create the time and place, and the dialog with
OWASP will come.

Dinis Cruz

On 30 June 2011 17:59, Rex Booth <rex.booth at owasp.org> wrote:

> Agreed 100%.
>
> An uncompromising "no NDA, everything is public" rule is a great way to
> limit our ability to fulfill our mission and to alienate a large percentage
> of our target audience.  We need to strike a balance and the Chatham House
> Rule is a great way to do so.
>
> Rex
>
>
> On 6/30/2011 11:10 AM, Yvan Boily wrote:
>
> Don't lose sight of the fact that a community can be open while respecting
> the privacy and concerns of its constituents.
>
> The goal of introducing something like the Chatham House Rule is not to
> lock up or protect proprietary presentations, it is to facilitate open
> discussion among people who feel the need to discuss something, but are
> concerned about the consequences of doing so.  A useful refinement of the
> rule for OWASP would be to limit the scope of the rule to discussions, while
> allowing or requiring attribution for presentations or other content
> delivered at the meeting.
>
> On Thu, Jun 30, 2011 at 12:09 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> I completely disagree, there should never be any NDA or 'soft non
>> disclosure' contracts or documents at OWASP.
>>
>> We cannot have a situation where some information is provided to OWASP
>> that cannot be shared; everything must be done under CC licenses.
>>
>> There are plenty of places where 'closed' info can be shared, OWASP is
>> not one of those.
>>
>> In fact, when talking to government officials a big appeal of OWASP is
>> its openness and lack of bias. OWASP can be (as is) a force for
>> openness and information sharing (let's push that agenda, not
>> undermine it).
>>
>> Going down the NDA or Chatham House Rule path is a slippery slope that
>> OWASP shouldn't go down.
>>
>> Dinis Cruz
>>
>> On 30 Jun 2011, at 04:40, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>
>> > I think Chatham House rules (or "in camera") is a good way to go for
>> > certain (limited) briefings and circumstances, but the average
>> > chapter presentation should be open and unrestrained by NDA or
>> > Chatham House rules by default.
>> >
>> > This is how Lions, Rotary, et al run things, and it works.
>> >
>> > thanks,
>> > Andrew
>> >
>> > On 30/06/2011, at 1:11 PM, Jim Manico wrote:
>> >
>> >> It's not that simple Matt.
>> >>
>> >> There have been several situations where representatives for entire
>> >> industries (like banking) have approached OWASP seeking help. They
>> >> wanted to "open kimono" and explain the specific difficulties they are
>> >> facing around AppSec. And they wanted to ensure that OWASP reps who
>> >> listened would not turn around and blog (etc) about specific challenges
>> >> faced, so they requested NDAs.
>> >>
>> >> I'm OWASP and open at heart, and we may not want to take different
>> >> groups up on their request for NDAs. But I think it's important to
>> >> understand why they are asking.
>> >>
>> >> - Jim
>> >>
>> >>
>> >>> I think it's sad we actually have to specify this in any documentation.
>> >>> Who asked OWASP leaders to sign NDAs? If some vendor asked me to sign an
>> >>> NDA at a chapter meeting or OWASP conference I'd tell him to shove it,
>> >>> leave the event, and never talk to OWASP people again.
>> >>>
>> >>> --matt
>> >>>
>> >>>
>> >>> On Wed, Jun 29, 2011 at 5:05 PM, Tom Brennan <tomb at owasp.org> wrote:
>> >>>
>> >>>   Recently OWASP leaders were asked to sign NDAs for several onsite
>> >>>   meetings, education sessions and collaboration efforts.   Some have
>> >>>   experienced a similar concern at chapter meetings from attending
>> >>>   individuals.
>> >>>
>> >>>   I suggest adoption of: "Chatham House Rule" to enable open
>> >>>   discussions that fits our model.
>> >>>
>> >>>   http://en.m.wikipedia.org/wiki/Chatham_House_Rule
>> >>>
>> >>>   It can be incorporated into the disclaimers for those giving talks
>> >>>   at chapters, operational/bylaws of local chapters, mailing
>> >>>   list/forum terms and referenced as how OWASP operates, enabling open
>> >>>   exchange of information in our community.
>> >>>
>> >>>   "When a meeting, or part thereof, is held under the Chatham House
>> >>>   Rule, participants are free to use the information received, but
>> >>>   neither the identity nor the affiliation of the speaker(s), nor that
>> >>>   of any other participant, may be revealed."
>> >>>
>> >>>   Discussion / Thoughts?
>> >>>
>> >>>   Semper Fi,
>> >>>
>> >>>   Tom Brennan
>> >>>   Tel: 973-202-0122
>> >>>
>> >>>   _______________________________________________
>> >>>   Committees-chairs mailing list
>> >>>   Committees-chairs at lists.owasp.org
>> >>>   https://lists.owasp.org/mailman/listinfo/committees-chairs
>> >>>
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>