[Owasp-leaders] OWASP Board decision that I don't agree with

tonyuv at owasp.org
Sat Jan 4 19:35:27 UTC 2014

In the spirit of openness, here are my thoughts from a long time chapter lead.

First some key points.  This is a MARKETING conference.  Don't kid yourself.  Beyond what you think any conference is, this is a marketing platform where most attendees make a judgment on what they are going to get out of it versus what company is headlining it. ‘RSA’ at this point isn't really even RSA….it's a marketing platform.  It does not represent a medley of technology, standards, business related to what took place - which yes is offensive, revolting, and disheartening. But don’t let your emotions of taking a stand against ‘RSA’ get overly romantic to think that an OWASP decline is going to equate to a brazen stand for change. It's not.

Speaking of ‘community’, ‘strong brand’, and being the most formidable voice of AppSec in the world….please consider the audience of who attends RSA.  Please don’t include the 20-40 people you fraternize with but instead the majority of the people that have badges from a wide range of industries that you DON’T associate with.  I promise you that for the majority that attend, no one is looking to OWASP to be a beacon of truth, good or bad.  The majority, in the true literal meaning of that word, are not putting OWASP in that role.  A great litmus test is to fathom what the feedback would be in response to ‘Do you know OWASP’ aimed at a sample size of developer groups worldwide.  Very quickly you’ll be humbled to see how recognizable our brand is.

This brings me full circle to the point that this is a marketing platform….just like BSides….just like ThotCon….just like Shmoocon….etc.  Don’t believe me - just look at the speaker list and (if you actually know them) you’ll see many of those same individuals/leaders from those cons speaking at RSA 2014.  This is a marketing platform.  Better said: this is a marketing opportunity for OWASP to further our inclusiveness of developers. We need marketing. Taking a stand with figurative ‘fists in the air’ in rejection to RSA will at most trigger a few hundred retweets in your beloved InfoSec #lists and fizzle into no knowledge gained for anyone.  More long lasting are the effects of knowledge sharing that could take place to developers in a well delivered, RSA agnostic delivery and platform.

Tony UV


From: John Wilander
Sent: Saturday, January 4, 2014 2:31 PM
To: Eoin Keary
Cc: Kanwal Singh (WebMentors), Nishant Johar (EMOBX), OWASP Foundation Board List, Ravdeep Sodhi, OWASP Leaders

My personal view as a longtime community member …

I would like OWASP to cancel the developer training and any other official presence at this year's RSA Con.

You might argue the NSA revelations are politics. I disagree. This is technology, standards, research, business, and politics in a disastrous cocktail. Global mass surveillance and weakened crypto are things we used to talk about as worst case scenarios, remember? Others would call us paranoids.

Now we know. This is earthshakingly bad, at the core of what OWASP stands for.

Our brand is strong. We're independent, community-driven and global. This is our chance to show we're better than RSA and our conference series OWASP AppSec is a better place to give talks and meet peers.

Don't support RSA until they come clean. Please.



Twitter https://twitter.com/johnwilander

CV or Résumé http://johnwilander.se

On 4 Jan 2014, at 19:42, Eoin Keary <eoin.keary at owasp.org> wrote:

we are participating as OWASP.

OWASP was asked to do this initially by RSA.

Our material has no personal or company branding but OWASP branding.

Thanks for feedback.

Eoin Keary
Owasp Global Board

+353 87 977 2988

On 4 Jan 2014, at 18:24, Abbas Naderi <abbas.naderi at owasp.org> wrote:

I strongly support Sastry on this one.

You might be participating as individuals, but people see you guys as the OWASP Board, and that’s something that many of us don’t like to be the image of OWASP.



On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

To be clear, there was no recorded vote on this but a debate.

I started the debate after reading about Mikko. (Even though I was delivering the training with Jim and it is my material).

The majority of board of OWASP feels getting involved in politics is wrong and wanted to push ahead with the training.

So if feelings are strong we need to vote on this ASAP as leaders of OWASP? A formal board vote? Executive decision from Sarah, our executive director?

Eoin Keary
Owasp Global Board

+353 87 977 2988

On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org> wrote:


Please see the following full conversation on twitter:

Eoin Keary and Jim Manico (both OWASP board members) will be presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said to be present. Apparently, this was discussed at the OWASP board level; and the board has decided to go ahead, keeping in mind the benefit to the attending developers.

As you are aware, RSA is strongly suspected (we'll never be 100% sure, I'm afraid) of being complicit with NSA in enabling fatal weakening of crypto products. RSA has issued a sort of a denial that only deepens the mistrust. As a protest, many leading speakers are cancelling their talks at the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen, Jeffrey Carr and Josh Thomas.

At such a time, I am saddened by the OWASP board decision to support RSAC by their presence. At a time when they had the opportunity to let the world know how much they care for the Information Security profession (esp., against weakening crypto); and how much they care about the privacy of people (against NSA's unabashed spying on Americans & non-Americans alike), the board has copped out using a flimsy rationalization ("benefit of (a few) developers", many of whom would rethink their attendance had OWASP and more organizations not blinked!).

I'm sure there was a heated debate. I'm sure all angles were considered. However, this goes too deep for me to take it as "better men than me have considered and decided". As a matter of my personal values, if the situation doesn't change, I would no longer wish to continue as the OWASP Chapter Lead. Please let me know if any of you would like to take over from me.

I will also share my feelings with fellow chapter members at our next chapter meeting on Jan 21st. Needless to say, no matter how things go, I remain committed to the principles of our open and open-source infosec community.

Best regards,

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
