[Owasp-leaders] OWASP Board decision that I don't agree with

Konstantinos Papapanagiotou konstantinos at owasp.org
Sat Jan 4 22:19:35 UTC 2014

Totally agree with Tony. The fact that a handful of rock stars made an
impressive statement does not mean that this will not be a successful
conference, or that fewer people will eventually participate. I think that
OWASP has more to lose if we don't participate. On top of that, I
understand that the RSA-NSA relation is not officially confirmed.


On Saturday, January 4, 2014, wrote:

>  In the spirit of openness, here are my thoughts from a longtime chapter
> lead.
> First some key points.  This is a MARKETING conference.  Don't kid
> yourself.  Beyond what you think any conference is, this is a marketing
> platform where most attendees make a judgment on what they are going to get
> out of it versus what company is headlining it. ‘RSA’ at this point isn't
> really even RSA….it's a marketing platform.  It does not represent a medley
> of technology, standards, business related to what took place - which yes
> is offensive, revolting, and disheartening. But don’t let your emotions of
> taking a stand against ‘RSA’ get overly romantic to think that an OWASP
> decline is going to equate to a brazen stand for change. It's not.
> Speaking of ‘community’, ‘strong brand’, and being the most formidable
> voice of AppSec in the world….please consider the audience of who attends
> RSA.  Please don’t include the 20-40 people you fraternize with but instead
> the majority of the people that have badges from a wide range of industries
> that you DON’T associate with.  I promise you that for the majority that
> attend, no one is looking to OWASP to be a beacon of truth, good or bad.
> The majority, in the true literal meaning of that word, are not putting
> OWASP in that role.  A great litmus test is to fathom what the feedback
> would be in response to ‘Do you know OWASP’ aimed at a sample size of
> developer groups worldwide.  Very quickly you’ll be humbled to see how
> recognizable our brand is.
> This brings me full circle to the point that this is a marketing
> platform….just like BSides….just like ThotCon….just like Shmoocon….etc.
> Don’t believe me - just look at the speaker list and (if you actually know
> them) you’ll see many of those same individuals/ leaders from those cons
> speaking at RSA 2014.  This is a marketing platform.  Better said: this is
> a marketing opportunity for OWASP to further our inclusiveness of
> developers. We need marketing. Taking a stand with figurative ‘fists in the
> air’ in rejection to RSA will at most trigger a few hundred retweets in
> your beloved InfoSec #lists and fizzle into no knowledge gained for
> anyone.  More long lasting are the effects of knowledge sharing that could
> take place to developers in a well delivered, RSA agnostic delivery and
> platform.
> Tony UV
> *From:* John Wilander
> *Sent:* Saturday, January 4, 2014 2:31 PM
> *To:* Eoin Keary
> *Cc:* Kanwal Singh (WebMentors), Nishant Johar (EMOBX), OWASP Foundation
> Board List, Ravdeep Sodhi, OWASP Leaders
> My personal view as a longtime community member …
> I would like OWASP to cancel the developer training and any other official
> presence at this year's RSA Con.
> You might argue the NSA revelations are politics. I disagree. This is
> technology, standards, research, business, and politics in a disastrous
> cocktail. Global mass surveillance and weakened crypto are things we used
> to talk about as worst case scenarios, remember? Others would call us
> paranoids.
> Now we know. This is earthshakingly bad, at the core of what OWASP stands
> for.
> Our brand is strong. We're independent, community-driven and global. This
> is our chance to show we're better than RSA and our conference series OWASP
> AppSec is a better place to give talks and meet peers.
> Don't support RSA until they come clean. Please.
> /John
> --
> Twitter https://twitter.com/johnwilander
> CV or Résumé http://johnwilander.se
> On 4 Jan 2014, at 19:42, Eoin Keary <eoin.keary at owasp.org> wrote:
> We are participating as OWASP.
> OWASP was asked to do this initially by RSA.
> Our material has no personal or company branding but OWASP branding.
> Thanks for feedback.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 4 Jan 2014, at 18:24, Abbas Naderi <abbas.naderi at owasp.org> wrote:
> I strongly support Sastry on this one.
> You might be participating as individuals, but people see you guys as the
> OWASP Board, and that’s something that many of us don’t like to be the
> image of OWASP.
> Thanks
> -Abbas
> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> To be clear, there was no recorded vote on this but a debate.
> I started the debate after reading about Mikko. (Even though I was
> delivering the training with Jim and it is my material).
> The majority of the board of OWASP feels getting involved in politics is wrong
> and wanted to push ahead with the training.
> So if feelings are strong we need to vote on this ASAP? as leaders of
> OWASP. A formal board vote? Executive decision from Sarah, our executive
> director.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
> wrote:
> Friends,
> Please see the following full conversation on twitter:
> https://twitter.com/EoinKeary/status/419111748424454145
> Eoin Keary and Jim Manico (both OWASP board members) will be
> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
> to be present. Apparently, this was discussed at the OWASP board level; and
> the board has decided to go ahead, keeping in mind the benefit to the
> attending developers.
> As you are aware, RSA is strongly suspected (we'll never be 100% sure, I'm
> afraid) of being complicit with NSA in enabling fatal weakening of crypto
> products. RSA has issued a sort of a denial that only deepens the mistrust.
> As a protest, many leading speakers are cancelling their talks at the
> upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
> Jeffrey Carr and Josh Thomas.