[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Tobias tobias.gondrom at owasp.org
Sun Jan 5 12:08:06 UTC 2014

Hi Simon,

just to clarify on one of your assumptions in your email, as I learned
this info on the board mailing-list last night, correcting my initial
(wrong) assumption that everyone would be attending RSA just as
"individual volunteers":

- RSA approached OWASP if we (owasp) would deliver free
training/awareness session.
- All contractual agreements were signed by OWASP and not by us as
individuals. -> OWASP training.
- "we are delivering the training as OWASP."
"OWASP was approached by RSA."
- "this is a RSA association slot. The whole point is to officially
represent OWASP at RSA...."
- this is as "formal reps of OWASP for this event."

Not sure whether that would be relevant for any of your comments?

All the best, Tobias

Ps.: regarding your remark about whether "OWASP is financially
sponsoring an event": as board member, I have initiated a request for
info with Sarah to clarify the extend of OWASPs financial arrangements
for RSA.

On 05/01/14 11:05, psiinon wrote:
> Heres my take on this:
> OWASP _should_ get involved in politics - thats where the big
> decisions are made. Organizations like OWASP can have a much greater
> impact than a set of 'concerned individuals'.
> OWASP should _not_ 'ban' volunteers from presenting / training etc at
> any event unless it is clearly at odds with the OWASP mission, eg a
> 'cracker' event.
> Volunteers presenting / training at an event does not indicate that
> OWASP as an organization supports the past (alleged) actions of the
> event organizers. OWASP financially sponsoring an event would be a
> different matter.
> The fact that the volunteers we are discussing are board member is
> irrelevant - we all represent OWASP when we appear under the OWASP banner.
> I dont think this is a clear cut case (as can be seen by the opposing
> views on this thread), and so the decision should be made by those
> individuals.
> I have no problem with people attempting to sway these individuals
> either way on this thread, but I'm confident they will make the right
> decision for them and I dont think that will reflect badly on OWASP
> the organization which ever way they choose.
> Feel free to disagree with any of those opinions ;)
> Simon
> On Sun, Jan 5, 2014 at 8:51 AM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>     Josh,
>     This training is for RSA Badge types: "Full Conference, Explorer
>     Expo, Explorer Expo Plus, Exhibitor, Press, Speaker".
>     The minimum someone would have to pay to attend this is 75$ right
>     now, other than press and other speakers get in for free.
>     -      Jim
>     *From:*Josh Sokol [mailto:josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>]
>     *Sent:* Saturday, January 04, 2014 5:04 PM
>     *To:* Eoin Keary
>     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant
>     Johar (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP
>     Leaders
>     *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision
>     that I don't agree with
>     My apologies in the delay in responding to this.  I've been on the
>     road all day today and will be slow to respond tomorrow as well.
>     First off, let me admit that while my term hadn't officially begun
>     yet, I am one of the Board members who encouraged Jim and Eoin to
>     move forward with the training.  My rationale for this was simple;
>     OWASP's mission is to make software security visible, so that
>     individuals and organizations worldwide can make informed
>     decisions about true software security risks.  The core of this
>     statement being VISBILITY.  We need to find and take advantage of
>     as many ways as possible to raise the visibility of security
>     risks.  Our mission says nothing about making political
>     statements.  It says nothing about ethical business practices. 
>     Our mission can certainly be amended to reflect other imperatives,
>     if so desired by our membership, but until that day we need to
>     prevent mission scope creep. 
>     Now, since our mission is making software security visible, we
>     simply have to ask ourselves if we better serve this mission by:
>     1) Performing a free training at a major conference, thereby
>     increasing our exposure to people who haven't heard of OWASP
>     before and enlightening them to software security risks that they
>     likely were not aware of before.
>     2) Taking a stance against a company where some evidence may imply
>     that they took a bribe to sacrifice security in one of their products.
>     Let me be clear on #2.  I don't agree that what RSA did is right,
>     if it is true.  In fact, I have made the explicit decision to not
>     do business with RSA in my day job because there are many other
>     options out there and it's just not worth the risk.  But my
>     passive decision to not purchase from RSA is very different than
>     OWASP reneging on our agreement and making a public statement
>     about their ethics.
>     So, given these two options, my gut is that OWASP's mission will
>     be best served by #1.  It doesn't mean that we're supporting RSA. 
>     It doesn't mean that we agree with unethical business practices. 
>     It just means that we are doing the best we can to make
>     application security visible.  If that means piggy-backing on the
>     massive marketing effort they put into the conference or the
>     infrastructure that supports it, I'm ok with that.  I understand
>     that others may object to this on ethical grounds, and that's
>     fine, but as a non-profit organization, we have a mandate to stay
>     true to our mission, not to speak out against whatever the latest
>     security headline is.
>     I do have one question about this training for clarification.  The
>     training is FREE for anyone who would like to attend and not just
>     for RSA attendees, correct?  My assumption is the former, but if
>     the latter, this changes things significantly in my opinion.
>     ~josh
>     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org
>     <mailto:eoin.keary at owasp.org>> wrote:
>         Good point.
>         Bottom line is we want people to build secure code. Delivering
>         this message under the same roof as RSA does not dilute the
>         quality of the class delivered.
>         There is no black and white, only shades of grey :)
>         Eoin Keary
>         Owasp Global Board
>         +353 87 977 2988 <tel:%2B353%2087%20977%202988>
>         On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org
>         <mailto:jim.manico at owasp.org>> wrote:
>         > Another issue that is tangential.
>         >
>         > We are applying for several big money DHS grants. These help
>         keep the foundation running.
>         >
>         > Should be reject all of these grants because of the Snowden
>         affair? It we abort RSA but continue to take DHS money, then
>         we send a mixed message.
>         >
>         > Aloha,
>         > Jim
>         >
>         >> I strongly support Sastry on this one.
>         >>
>         >> You might be participating as individuals, but people see
>         you guys as the OWASP Board, and that's something that many of
>         us don't like to be the image of OWASP.
>         >>
>         >> Thanks
>         >> -Abbas
>         >> On Jan 4, 2014, at 1:18 PM, Eoin Keary
>         <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>         >>
>         >>> To be clear, there was no recorded vote on this but a debate.
>         >>>
>         >>> I started the debate after reading about Mikko. (Even
>         though I was delivering the training with Jim and it is my
>         material).
>         >>>
>         >>> The majority of board of OWASP feels getting involved in
>         politics is wrong and wanted to push ahead with the training.
>         >>>
>         >>> So if feelings are strong we need to vote on this ASAP? as
>         leaders of OWASP. A formal board vote? Executive decision from
>         Sarah, our executive director.
>         >>>
>         >>>
>         >>>
>         >>> Eoin Keary
>         >>> Owasp Global Board
>         >>> +353 87 977 2988 <tel:%2B353%2087%20977%202988>
>         >>>
>         >>>
>         >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri
>         <sastry.tumuluri at owasp.org <mailto:sastry.tumuluri at owasp.org>>
>         wrote:
>         >>>
>         >>>> Friends,
>         >>>>
>         >>>> Please see the following full conversation on twitter:
>         >>>> https://twitter.com/EoinKeary/status/419111748424454145
>         >>>>
>         >>>> Eoin Keary and Jim Manico (both OWASP board members) will
>         be presenting/conducting 4 hrs of free-of-cost AppSec training
>         at the RSA Conference, 2014. Michael Coates, Chairman of the
>         OWASP Board is also said to be present. Apparently, this was
>         discussed at the OWASP board level; and the board has decided
>         to go ahead, keeping in mind the benefit to the attending
>         developers.
>         >>>>
>         >>>> As you are aware, RSA is strongly suspected (we'll never
>         be 100% sure, I'm afraid) of being complicit with NSA in
>         enabling fatal weakening of crypto products. RSA has issued a
>         sort of a denial that only deepens the mistrust. As a protest,
>         many leading speakers are cancelling their talks at the
>         upcoming RSAC 2014. Among them are (to my knowledge) Mikko
>         Hypponen, Jeffrey Carr and Josh Thomas.
>         >>>>
>         >>>> At such a time, I am saddened by the OWASP board decision
>         to support RSAC by their presence. At a time when they had the
>         opportunity to let the world know how much they care for the
>         Information Security profession (esp., against weakening
>         crypto); and how much they care about the privacy of people
>         (against NSA's unabashed spying on Americans & non-Americans
>         alike), the board has copped out using a flimsy
>         rationalization ("benefit of (a few) developers", many of who
>         would rethink their attendance had OWASP and more
>         organizations didn't blink!").
>         >>>>
>         >>>> I'm sure there was a heated debate. I'm sure all angles
>         were considered. However, this goes too deep for me to take it
>         as "better men than me have considered and decided". As a
>         matter of my personal values, if the situation doesn't change,
>         I would no longer wish to continue as the OWASP Chapter Lead.
>         Please let me know if any of you would like to take over from me.
>         >>>>
>         >>>> I will also share my feelings with fellow chapter members
>         at our next chapter meeting on Jan 21st. Needless to say, no
>         matter how things go, I remain committed to the principles of
>         our open and open-source infosec community.
>         >>>>
>         >>>> Best regards,
>         >>>>
>         >>>> ==Sas3==
>         >>> _______________________________________________
>         >>> OWASP-Leaders mailing list
>         >>> OWASP-Leaders at lists.owasp.org
>         <mailto:OWASP-Leaders at lists.owasp.org>
>         >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>         >>
>         >>
>         >>
>         >>
>         >> _______________________________________________
>         >> OWASP-Leaders mailing list
>         >> OWASP-Leaders at lists.owasp.org
>         <mailto:OWASP-Leaders at lists.owasp.org>
>         >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>         >
>         _______________________________________________
>         Owasp-board mailing list
>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-board
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140105/57c85609/attachment-0001.html>

More information about the OWASP-Leaders mailing list