[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Josh Sokol josh.sokol at owasp.org
Sun Jan 5 13:38:09 UTC 2014


A key differentiator when we did this free training at AppSecUSA in Austin
and LASCON 2013 is that it was 100% free and open to all.  No conference
pass was required to participate.  Since that is not the case here, and
since the training is only open to RSA attendees, then I think this
demonstrates a much closer tie between OWASP and RSA than I would like to
see.  I like the idea of approaching BSides SF and seeing if maybe they
would be interested in hosting this training for free for the community at
large.  If we can do that, then I think it's the true win here as we get the
visibility to satisfy our mission and we remove the negative stigma of
being associated with RSA.

I would disagree, however, that visibility is only a means to an end.
Since it's in our mission statement, all of our activities and
prioritizations are required, by law, to follow that.  And if we ever reach
the point where everyone, everywhere, knows about application security,
then we can close up shop and move on.  There is no compromising the end
goal here because, per the mission statement, visibility is the end goal.
I'm sorry if that compromises your principles Sastry but it's the truth
about OWASP as a non-profit.

~josh
On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
wrote:

> 1. The immediate focus on RSAC:
> No matter how we rationalize, the fact is that we (OWASP) have
> options. This, at worst, is one missed opportunity. So let us not, in
> our relentless pursuit of VISIBILITY, compromise on principles.
>
> VISIBILITY is a means to an end (better security, more secure software
> -- which in itself is likely a never-ending activity). Let us not
> compromise on the end-goal while chasing the means.
>
> Short term gains (of reaching some developers) will easily be lost if
> we take the low road. Even 300 more "aware" developers are for naught
> if, based on RSAC acceptance, just one more company feels that the
> risks of trucking with NSA/GCHQ and compromising underlying
> foundations are acceptable.
>
> Is it our job/charter to "convey such a message"? I believe so.
> Conversely, can we say "we merely advocate tech principles and
> educate... this is not for us"? If we want to be treated as a
> responsible member of the ecosystem, we can't duck like that.
>
> Related, but a slightly different perspective: Robert Graham's blog
> post on this:
> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>
> 2. The tough world of principles, ethics, etc:
> Jim Manico raised a very pertinent point regarding sending mixed
> messages (=> recognition-of and consistency-in-applying our
> principles). It isn't easy.
>
> Funding goes to the very heart of neutrality and ethics. So it is not
> so tangential, after all. I know we shouldn't accept funds or even
> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
> brush, I don't know (depends on internal structure, etc.). Let the
> more knowledgeable people decide on this.
>
> Chasing "quick results at any cost" and then splitting hairs on
> legality and rationalizations will not paint us black; but will surely
> park us firmly in the gray areas of ethics. Is that what we want?
>
> Cheers,
>
> ==Sas3==
>
> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > My apologies for the delay in responding to this.  I've been on the road
> all
> > day today and will be slow to respond tomorrow as well.
> >
> > First off, let me admit that while my term hadn't officially begun yet,
> I am
> > one of the Board members who encouraged Jim and Eoin to move forward with
> > the training.  My rationale for this was simple; OWASP's mission is to
> make
> > software security visible, so that individuals and organizations
> worldwide
> > can make informed decisions about true software security risks.  The
> core of
> > this statement being VISIBILITY.  We need to find and take advantage of as
> > many ways as possible to raise the visibility of security risks.  Our
> > mission says nothing about making political statements.  It says nothing
> > about ethical business practices.  Our mission can certainly be amended
> to
> > reflect other imperatives, if so desired by our membership, but until
> that
> > day we need to prevent mission scope creep.
> >
> > Now, since our mission is making software security visible, we simply
> have
> > to ask ourselves if we better serve this mission by:
> >
> > 1) Performing a free training at a major conference, thereby increasing
> our
> > exposure to people who haven't heard of OWASP before and enlightening
> them
> > to software security risks that they likely were not aware of before.
> >
> > 2) Taking a stance against a company where some evidence may imply that
> they
> > took a bribe to sacrifice security in one of their products.
> >
> > Let me be clear on #2.  I don't agree that what RSA did is right, if it
> is
> > true.  In fact, I have made the explicit decision to not do business with
> > RSA in my day job because there are many other options out there and it's
> > just not worth the risk.  But my passive decision to not purchase from
> RSA
> > is very different than OWASP reneging on our agreement and making a
> public
> > statement about their ethics.
> >
> > So, given these two options, my gut is that OWASP's mission will be best
> > served by #1.  It doesn't mean that we're supporting RSA.  It doesn't
> mean
> > that we agree with unethical business practices.  It just means that we
> are
> > doing the best we can to make application security visible.  If that
> means
> > piggy-backing on the massive marketing effort they put into the
> conference
> > or the infrastructure that supports it, I'm ok with that.  I understand
> that
> > others may object to this on ethical grounds, and that's fine, but as a
> > non-profit organization, we have a mandate to stay true to our mission,
> not
> > to speak out against whatever the latest security headline is.
> >
> > I do have one question about this training for clarification.  The
> training
> > is FREE for anyone who would like to attend and not just for RSA
> attendees,
> > correct?  My assumption is the former, but if the latter, this changes
> > things significantly in my opinion.
> >
> > ~josh
> >
> >
> > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>
> >> Good point.
> >> Bottom line is we want people to build secure code. Delivering this
> >> message under the same roof as RSA does not dilute the quality of the
> class
> >> delivered.
> >> There is no black and white, only shades of grey :)
> >>
> >>
> >> Eoin Keary
> >> Owasp Global Board
> >> +353 87 977 2988
> >>
> >>
> >> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
> >>
> >> > Another issue that is tangential.
> >> >
> >> > We are applying for several big money DHS grants. These help keep the
> >> > foundation running.
> >> >
> >> > Should we reject all of these grants because of the Snowden affair? If
> >> > we abort RSA but continue to take DHS money, then we send a mixed
> message.
> >> >
> >> > Aloha,
> >> > Jim
> >> >
> >> >> I strongly support Sastry on this one.
> >> >>
> >> >> You might be participating as individuals, but people see you guys as
> >> >> the OWASP Board, and that’s something that many of us don’t like to
> be the
> >> >> image of OWASP.
> >> >>
> >> >> Thanks
> >> >> -Abbas
> >> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >> >>
> >> >>> To be clear, there was no recorded vote on this but a debate.
> >> >>>
> >> >>> I started the debate after reading about Mikko. (Even though I was
> >> >>> delivering the training with Jim and it is my material).
> >> >>>
> >> >>> The majority of board of OWASP feels getting involved in politics is
> >> >>> wrong and wanted to push ahead with the training.
> >> >>>
> >> >>> So if feelings are strong we need to vote on this ASAP? as leaders
> of
> >> >>> OWASP. A formal board vote? Executive decision from Sarah, our
> executive
> >> >>> director.
> >> >>>
> >> >>>
> >> >>>
> >> >>> Eoin Keary
> >> >>> Owasp Global Board
> >> >>> +353 87 977 2988
> >> >>>
> >> >>>
> >> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
> >> >>> wrote:
> >> >>>
> >> >>>> Friends,
> >> >>>>
> >> >>>> Please see the following full conversation on twitter:
> >> >>>> https://twitter.com/EoinKeary/status/419111748424454145
> >> >>>>
> >> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
> >> >>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the
> RSA
> >> >>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is
> also said
> >> >>>> to be present. Apparently, this was discussed at the OWASP board
> level; and
> >> >>>> the board has decided to go ahead, keeping in mind the benefit to
> the
> >> >>>> attending developers.
> >> >>>>
> >> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
> >> >>>> sure, I'm afraid) of being complicit with NSA in enabling fatal
> weakening of
> >> >>>> crypto products. RSA has issued a sort of a denial that only
> deepens the
> >> >>>> mistrust. As a protest, many leading speakers are cancelling their
> talks at
> >> >>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko
> Hypponen,
> >> >>>> Jeffrey Carr and Josh Thomas.
> >> >>>>
> >> >>>> At such a time, I am saddened by the OWASP board decision to
> support
> >> >>>> RSAC by their presence. At a time when they had the opportunity to
> let the
> >> >>>> world know how much they care for the Information Security
> profession (esp.,
> >> >>>> against weakening crypto); and how much they care about the
> privacy of
> >> >>>> people (against NSA's unabashed spying on Americans &
> non-Americans alike),
> >> >>>> the board has copped out using a flimsy rationalization ("benefit
> of (a few)
> >> >>>> developers", many of whom would rethink their attendance had OWASP
> and more
> >> >>>> organizations not blinked!").
> >> >>>>
> >> >>>> I'm sure there was a heated debate. I'm sure all angles were
> >> >>>> considered. However, this goes too deep for me to take it as
> "better men
> >> >>>> than me have considered and decided". As a matter of my personal
> values, if
> >> >>>> the situation doesn't change, I would no longer wish to continue
> as the
> >> >>>> OWASP Chapter Lead. Please let me know if any of you would like to
> take over
> >> >>>> from me.
> >> >>>>
> >> >>>> I will also share my feelings with fellow chapter members at our
> next
> >> >>>> chapter meeting on Jan 21st. Needless to say, no matter how things
> go, I
> >> >>>> remain committed to the principles of our open and open-source
> infosec
> >> >>>> community.
> >> >>>>
> >> >>>> Best regards,
> >> >>>>
> >> >>>> ==Sas3==
> >> >>> _______________________________________________
> >> >>> OWASP-Leaders mailing list
> >> >>> OWASP-Leaders at lists.owasp.org
> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >> >>
> >> >
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> >
> >
>