[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

psiinon psiinon at gmail.com
Sun Jan 5 11:05:20 UTC 2014

Here's my take on this:

OWASP _should_ get involved in politics - that's where the big decisions are
made. Organizations like OWASP can have a much greater impact than a set of
'concerned individuals'.

OWASP should _not_ 'ban' volunteers from presenting / training etc at any
event unless it is clearly at odds with the OWASP mission, eg a 'cracker'

Volunteers presenting / training at an event does not indicate that OWASP
as an organization supports the past (alleged) actions of the event
organizers. OWASP financially sponsoring an event would be a different

The fact that the volunteers we are discussing are board members is
irrelevant - we all represent OWASP when we appear under the OWASP banner.

I don't think this is a clear cut case (as can be seen by the opposing views
on this thread), and so the decision should be made by those individuals.

I have no problem with people attempting to sway these individuals either
way on this thread, but I'm confident they will make the right decision for
them and I don't think that will reflect badly on OWASP the organization
whichever way they choose.

Feel free to disagree with any of those opinions ;)


On Sun, Jan 5, 2014 at 8:51 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Josh,
> This training is for RSA Badge types: “Full Conference, Explorer Expo,
> Explorer Expo Plus, Exhibitor, Press, Speaker”.
> The minimum someone would have to pay to attend this is 75$ right now,
> other than press and other speakers get in for free.
> -      Jim
> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
> *Sent:* Saturday, January 04, 2014 5:04 PM
> *To:* Eoin Keary
> *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant Johar
> (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
> *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision that I
> don't agree with
> My apologies in the delay in responding to this.  I've been on the road
> all day today and will be slow to respond tomorrow as well.
> First off, let me admit that while my term hadn't officially begun yet, I
> am one of the Board members who encouraged Jim and Eoin to move forward
> with the training.  My rationale for this was simple; OWASP's mission is to
> make software security visible, so that individuals and organizations
> worldwide can make informed decisions about true software security risks.
> The core of this statement being VISIBILITY.  We need to find and take
> advantage of as many ways as possible to raise the visibility of security
> risks.  Our mission says nothing about making political statements.  It
> says nothing about ethical business practices.  Our mission can certainly
> be amended to reflect other imperatives, if so desired by our membership,
> but until that day we need to prevent mission scope creep.
> Now, since our mission is making software security visible, we simply have
> to ask ourselves if we better serve this mission by:
> 1) Performing a free training at a major conference, thereby increasing
> our exposure to people who haven't heard of OWASP before and enlightening
> them to software security risks that they likely were not aware of before.
> 2) Taking a stance against a company where some evidence may imply that
> they took a bribe to sacrifice security in one of their products.
> Let me be clear on #2.  I don't agree that what RSA did is right, if it is
> true.  In fact, I have made the explicit decision to not do business with
> RSA in my day job because there are many other options out there and it's
> just not worth the risk.  But my passive decision to not purchase from RSA
> is very different than OWASP reneging on our agreement and making a public
> statement about their ethics.
> So, given these two options, my gut is that OWASP's mission will be best
> served by #1.  It doesn't mean that we're supporting RSA.  It doesn't mean
> that we agree with unethical business practices.  It just means that we are
> doing the best we can to make application security visible.  If that means
> piggy-backing on the massive marketing effort they put into the conference
> or the infrastructure that supports it, I'm ok with that.  I understand
> that others may object to this on ethical grounds, and that's fine, but as
> a non-profit organization, we have a mandate to stay true to our mission,
> not to speak out against whatever the latest security headline is.
> I do have one question about this training for clarification.  The
> training is FREE for anyone who would like to attend and not just for RSA
> attendees, correct?  My assumption is the former, but if the latter, this
> changes things significantly in my opinion.
> ~josh
> On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> Good point.
> Bottom line is we want people to build secure code. Delivering this
> message under the same roof as RSA does not dilute the quality of the class
> delivered.
> There is no black and white, only shades of grey :)
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
> > Another issue that is tangential.
> >
> > We are applying for several big money DHS grants. These help keep the
> foundation running.
> >
> > Should we reject all of these grants because of the Snowden affair? If
> we abort RSA but continue to take DHS money, then we send a mixed message.
> >
> > Aloha,
> > Jim
> >
> >> I strongly support Sastry on this one.
> >>
> >> You might be participating as individuals, but people see you guys as
> the OWASP Board, and that’s something that many of us don’t like to be the
> image of OWASP.
> >>
> >> Thanks
> >> -Abbas
> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>
> >>> To be clear, there was no recorded vote on this but a debate.
> >>>
> >>> I started the debate after reading about Mikko. (Even though I was
> delivering the training with Jim and it is my material).
> >>>
> >>> The majority of board of OWASP feels getting involved in politics is
> wrong and wanted to push ahead with the training.
> >>>
> >>> So if feelings are strong we need to vote on this ASAP? as leaders of
> OWASP. A formal board vote? Executive decision from Sarah, our executive
> director.
> >>>
> >>>
> >>>
> >>> Eoin Keary
> >>> Owasp Global Board
> >>> +353 87 977 2988
> >>>
> >>>
> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
> wrote:
> >>>
> >>>> Friends,
> >>>>
> >>>> Please see the following full conversation on twitter:
> >>>> https://twitter.com/EoinKeary/status/419111748424454145
> >>>>
> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
> to be present. Apparently, this was discussed at the OWASP board level; and
> the board has decided to go ahead, keeping in mind the benefit to the
> attending developers.
> >>>>
> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
> sure, I'm afraid) of being complicit with NSA in enabling fatal weakening
> of crypto products. RSA has issued a sort of a denial that only deepens the
> mistrust. As a protest, many leading speakers are cancelling their talks at
> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
> Jeffrey Carr and Josh Thomas.
> >>>>
> >>>> At such a time, I am saddened by the OWASP board decision to support
> RSAC by their presence. At a time when they had the opportunity to let the
> world know how much they care for the Information Security profession
> (esp., against weakening crypto); and how much they care about the privacy
> of people (against NSA's unabashed spying on Americans & non-Americans
> alike), the board has copped out using a flimsy rationalization ("benefit
> of (a few) developers", many of whom would rethink their attendance had
> OWASP and more organizations didn't blink!").
> >>>>
> >>>> I'm sure there was a heated debate. I'm sure all angles were
> considered. However, this goes too deep for me to take it as "better men
> than me have considered and decided". As a matter of my personal values, if
> the situation doesn't change, I would no longer wish to continue as the
> OWASP Chapter Lead. Please let me know if any of you would like to take
> over from me.
> >>>>
> >>>> I will also share my feelings with fellow chapter members at our next
> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
> remain committed to the principles of our open and open-source infosec
> community.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> ==Sas3==
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader