[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Josh Sokol josh.sokol at owasp.org
Sun Jan 5 13:52:43 UTC 2014


A quick point of clarification before I get run out on a rail.  I'm not
saying that we should sacrifice our principles or be unethical to adhere to
our mission either.  But in this case, I don't feel that we are doing that
just by giving this training.

I'll be on the road the rest of the day and non-responsive so please don't
take it personally if you don't hear back from me until late tonight or
tomorrow.

~josh


On Sun, Jan 5, 2014 at 7:38 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> A key differentiator when we did this free training at AppSecUSA in Austin
> and LASCON 2013 is that it was 100% free and open to all.  No conference
> pass was required to participate.  Since that is not the case here, and
> since the training is only open to RSA attendees, then I think this
> demonstrates a much closer tie between OWASP and RSA than I would like to
> see.  I like the idea of approaching BSides SF and seeing if maybe they
> would be interested in hosting this training for free for the community at
> large.  If we can do that, then I think it's the true win here as we get the
> visibility to satisfy our mission and we remove the negative stigma of
> being associated with RSA.
>
> I would disagree, however, that visibility is only a means to an end.
> Since it's in our mission statement, all of our activities and
> prioritizations are required, by law, to follow that.  And if we ever reach
> the point where everyone, everywhere, knows about application security,
> then we can close up shop and move on.  There is no compromising the end
> goal here because, per the mission statement, visibility is the end goal.
> I'm sorry if that compromises your principles Sastry but it's the truth
> about OWASP as a non-profit.
>
> ~josh
> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
> wrote:
>
>> 1. The immediate focus on RSAC:
>> No matter how we rationalize, the fact is that we (OWASP) have
>> options. This, at worst, is one missed opportunity. So let us not, in
>> our relentless pursuit of VISIBILITY, compromise on principles.
>>
>> VISIBILITY is a means to an end (better security, more secure software
>> -- which in itself is likely a never-ending activity). Let us not
>> compromise on the end-goal while chasing the means.
>>
>> Short term gains (of reaching some developers) will easily be lost if
>> we take the low road. Even 300 more "aware" developers are for naught
>> if, based on RSAC acceptance, just one more company feels that the
>> risks of trucking with NSA/GCHQ and compromising underlying
>> foundations are acceptable.
>>
>> Is it our job/charter to "convey such a message"? I believe so.
>> Conversely, can we say "we merely advocate tech principles and
>> educate... this is not for us"? If we want to be treated as a
>> responsible member of the ecosystem, we can't duck like that.
>>
>> Related, but a slightly different perspective: Robert Graham's blog
>> post on this:
>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>
>> 2. The tough world of principles, ethics, etc:
>> Jim Manico raised a very pertinent point regarding sending mixed
>> messages (=> recognition-of and consistency-in-applying our
>> principles). It isn't easy.
>>
>> Funding goes to the very heart of neutrality and ethics. So it is not
>> so tangential, after all. I know we shouldn't accept funds or even
>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>> brush, I don't know (depends on internal structure, etc.). Let the
>> more knowledgeable people decide on this.
>>
>> Chasing "quick results at any cost" and then splitting hairs on
>> legality and rationalizations will not paint us black; but will surely
>> park us firmly in the gray areas of ethics. Is that what we want?
>>
>> Cheers,
>>
>> ==Sas3==
>>
>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> > My apologies in the delay in responding to this.  I've been on the road
>> > all day today and will be slow to respond tomorrow as well.
>> >
>> > First off, let me admit that while my term hadn't officially begun yet,
>> > I am one of the Board members who encouraged Jim and Eoin to move
>> > forward with the training.  My rationale for this was simple; OWASP's
>> > mission is to make software security visible, so that individuals and
>> > organizations worldwide can make informed decisions about true software
>> > security risks.  The core of this statement being VISIBILITY.  We need
>> > to find and take advantage of as many ways as possible to raise the
>> > visibility of security risks.  Our mission says nothing about making
>> > political statements.  It says nothing about ethical business
>> > practices.  Our mission can certainly be amended to reflect other
>> > imperatives, if so desired by our membership, but until that day we
>> > need to prevent mission scope creep.
>> >
>> > Now, since our mission is making software security visible, we simply
>> > have to ask ourselves if we better serve this mission by:
>> >
>> > 1) Performing a free training at a major conference, thereby increasing
>> > our exposure to people who haven't heard of OWASP before and
>> > enlightening them to software security risks that they likely were not
>> > aware of before.
>> >
>> > 2) Taking a stance against a company where some evidence may imply that
>> > they took a bribe to sacrifice security in one of their products.
>> >
>> > Let me be clear on #2.  I don't agree that what RSA did is right, if it
>> > is true.  In fact, I have made the explicit decision to not do business
>> > with RSA in my day job because there are many other options out there
>> > and it's just not worth the risk.  But my passive decision to not
>> > purchase from RSA is very different than OWASP reneging on our
>> > agreement and making a public statement about their ethics.
>> >
>> > So, given these two options, my gut is that OWASP's mission will be best
>> > served by #1.  It doesn't mean that we're supporting RSA.  It doesn't
>> > mean that we agree with unethical business practices.  It just means
>> > that we are doing the best we can to make application security visible.
>> > If that means piggy-backing on the massive marketing effort they put
>> > into the conference or the infrastructure that supports it, I'm ok with
>> > that.  I understand that others may object to this on ethical grounds,
>> > and that's fine, but as a non-profit organization, we have a mandate to
>> > stay true to our mission, not to speak out against whatever the latest
>> > security headline is.
>> >
>> > I do have one question about this training for clarification.  The
>> > training is FREE for anyone who would like to attend and not just for
>> > RSA attendees, correct?  My assumption is the former, but if the
>> > latter, this changes things significantly in my opinion.
>> >
>> > ~josh
>> >
>> >
>> > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org>
>> > wrote:
>> >>
>> >> Good point.
>> >> Bottom line is we want people to build secure code. Delivering this
>> >> message under the same roof as RSA does not dilute the quality of the
>> >> class delivered.
>> >> There is no black and white, only shades of grey :)
>> >>
>> >>
>> >> Eoin Keary
>> >> Owasp Global Board
>> >> +353 87 977 2988
>> >>
>> >>
>> >> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> > Another issue that is tangential.
>> >> >
>> >> > We are applying for several big money DHS grants. These help keep the
>> >> > foundation running.
>> >> >
>> >> > Should we reject all of these grants because of the Snowden affair? If
>> >> > we abort RSA but continue to take DHS money, then we send a mixed
>> >> > message.
>> >> >
>> >> > Aloha,
>> >> > Jim
>> >> >
>> >> >> I strongly support Sastry on this one.
>> >> >>
>> >> >> You might be participating as individuals, but people see you guys
>> >> >> as the OWASP Board, and that’s something that many of us don’t like
>> >> >> to be the image of OWASP.
>> >> >>
>> >> >> Thanks
>> >> >> -Abbas
>> >> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org>
>> >> >> wrote:
>> >> >>
>> >> >>> To be clear, there was no recorded vote on this but a debate.
>> >> >>>
>> >> >>> I started the debate after reading about Mikko. (Even though I was
>> >> >>> delivering the training with Jim and it is my material).
>> >> >>>
>> >> >>> The majority of board of OWASP feels getting involved in politics
>> >> >>> is wrong and wanted to push ahead with the training.
>> >> >>>
>> >> >>> So if feelings are strong we need to vote on this ASAP? as leaders
>> >> >>> of OWASP. A formal board vote? Executive decision from Sarah, our
>> >> >>> executive director.
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Eoin Keary
>> >> >>> Owasp Global Board
>> >> >>> +353 87 977 2988
>> >> >>>
>> >> >>>
>> >> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
>> >> >>> wrote:
>> >> >>>
>> >> >>>> Friends,
>> >> >>>>
>> >> >>>> Please see the following full conversation on twitter:
>> >> >>>> https://twitter.com/EoinKeary/status/419111748424454145
>> >> >>>>
>> >> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>> >> >>>> presenting/conducting 4 hrs of free-of-cost AppSec training at
>> >> >>>> the RSA Conference, 2014. Michael Coates, Chairman of the OWASP
>> >> >>>> Board is also said to be present. Apparently, this was discussed
>> >> >>>> at the OWASP board level; and the board has decided to go ahead,
>> >> >>>> keeping in mind the benefit to the attending developers.
>> >> >>>>
>> >> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>> >> >>>> sure, I'm afraid) of being complicit with NSA in enabling fatal
>> >> >>>> weakening of crypto products. RSA has issued a sort of a denial
>> >> >>>> that only deepens the mistrust. As a protest, many leading
>> >> >>>> speakers are cancelling their talks at the upcoming RSAC 2014.
>> >> >>>> Among them are (to my knowledge) Mikko Hypponen, Jeffrey Carr and
>> >> >>>> Josh Thomas.
>> >> >>>>
>> >> >>>> At such a time, I am saddened by the OWASP board decision to
>> >> >>>> support RSAC by their presence. At a time when they had the
>> >> >>>> opportunity to let the world know how much they care for the
>> >> >>>> Information Security profession (esp., against weakening crypto);
>> >> >>>> and how much they care about the privacy of people (against NSA's
>> >> >>>> unabashed spying on Americans & non-Americans alike), the board
>> >> >>>> has copped out using a flimsy rationalization ("benefit of (a few)
>> >> >>>> developers", many of whom would rethink their attendance had OWASP
>> >> >>>> and more organizations didn't blink!).
>> >> >>>>
>> >> >>>> I'm sure there was a heated debate. I'm sure all angles were
>> >> >>>> considered. However, this goes too deep for me to take it as
>> >> >>>> "better men than me have considered and decided". As a matter of
>> >> >>>> my personal values, if the situation doesn't change, I would no
>> >> >>>> longer wish to continue as the OWASP Chapter Lead. Please let me
>> >> >>>> know if any of you would like to take over from me.
>> >> >>>>
>> >> >>>> I will also share my feelings with fellow chapter members at our
>> >> >>>> next chapter meeting on Jan 21st. Needless to say, no matter how
>> >> >>>> things go, I remain committed to the principles of our open and
>> >> >>>> open-source infosec community.
>> >> >>>>
>> >> >>>> Best regards,
>> >> >>>>
>> >> >>>> ==Sas3==
>> >> >>> _______________________________________________
>> >> >>> OWASP-Leaders mailing list
>> >> >>> OWASP-Leaders at lists.owasp.org
>> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >> >
>> >> _______________________________________________
>> >> Owasp-board mailing list
>> >> Owasp-board at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
>