[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with
epsylon-owasp
roberto.merida at owasp.org
Sun Jan 5 17:55:27 UTC 2014
"The hottest places in hell are reserved for those who, in times of
great moral crisis, maintain their neutrality."
-- John F. Kennedy
On 05/01/14 18:38, Bev Corwin wrote:
> For the record, my 2 cents: I support this "OWASP without borders",
> non political approach:
>
> "OWASP is a vendor-neutral, community-driven organization and its
> participation in any conference or program does not mean endorsement
> or approval of any kind for products or business practices. OWASP
> participation is meant to 'make security visible' as stated in the
> OWASP chart. OWASP repudiates all activities that can decrease the
> security of IT systems."
>
> Bev
>
>
>
> On Sun, Jan 5, 2014 at 12:29 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>
> Hello everyone,
>
> while I personally would rather not see OWASP in RSA, I have to
> admit that I was there last year and saw the room full of people
> when Eoin and Manico did their training. I agree this is a great
> opportunity.
>
> I also feel that the more hardcore security and crypto people will
> be less present at RSAC this year and this increases the
> possibility of reaching out of the community. This means that if
> we have a full room this year, we will probably have more
> non-security people than last year.
>
> So I was at the same time more willing to say the talk should be
> cancelled but worrying about losing such an opportunity. To me we
> could get a more balanced approach if the training clearly
> included a disclaimer that we do not endorse any activity that can
> jeopardize the security of IT systems. This would make it clear
> that we are not in the conference because we endorse or believe
> RSA, but because the presentation would help OWASP in fulfilling
> its mission.
>
> Anyway, when we had presentations at RSAC in the past, it was not
> to be seen as if OWASP endorsed RSA products. AFAIK, we have OWASP
> presentations in vendor-organized conferences and are still
> vendor-neutral. To me, this is a sign that, in the past, doing a
> presentation was not seen as an endorsement from OWASP.
>
> In the case of RSAC, I would still like to see a clear disclaimer.
> It could be something like:
>
> "OWASP is a vendor-neutral, community-driven organization and its
> participation in any conference or program does not mean
> endorsement or approval of any kind for products or business
> practices. OWASP participation is meant to 'make security visible'
> as stated in the OWASP chart. OWASP repudiates all activities that
> can decrease the security of IT systems."
>
> Regards,
>
> Lucas
>
>
> On Sun, Jan 5, 2014 at 8:54 AM, L. Gustavo C. Barbato <lgbarbato at owasp.org> wrote:
>
> If we keep discussing philosophy and high ideals, we will never
> reach a consensus in the time frame we need, so let's let
> democracy win the debate.
>
> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> A key differentiator when we did this free training at
>> AppSecUSA in Austin and LASCON 2013 is that it was 100% free
>> and open to all. No conference pass was required to
>> participate. Since that is not the case here, and since the
>> training is only open to RSA attendees, then I think this
>> demonstrates a much closer tie between OWASP and RSA than I
>> would like to see. I like the idea of approaching BSides SF
>> and seeing if maybe they would be interested in hosting this
>> training for free for the community at large. If we can do
>> that, then I think it's the true win here as we get the
>> visibility to satisfy our mission and we remove the negative
>> stigma of being associated with RSA.
>>
>> I would disagree, however, that visibility is only a means to
>> an end. Since it's in our mission statement, all of our
>> activities and prioritizations are required, by law, to
>> follow that. And if we ever reach the point where everyone,
>> everywhere, knows about application security, then we can
>> close up shop and move on. There is no compromising the end
>> goal here because, per the mission statement, visibility is
>> the end goal. I'm sorry if that compromises your principals
>> Sastry but its the truth about OWASP as a non-profit.
>>
>> ~josh
>>
>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org> wrote:
>>
>> 1. The immediate focus on RSAC:
>> No matter how we rationalize, the fact is that we (OWASP) have
>> options. This, at worst, is one missed opportunity. So let us not, in
>> our relentless pursuit of VISIBILITY, compromise on principles.
>>
>> VISIBILITY is a means to an end (better security, more secure software
>> -- which in itself is likely a never-ending activity). Let us not
>> compromise on the end-goal while chasing the means.
>>
>> Short term gains (of reaching some developers) will easily be lost if
>> we take the low road. Even 300 more "aware" developers are for naught
>> if, based on RSAC acceptance, just one more company feels that the
>> risks of trucking with NSA/GCHQ and compromising underlying
>> foundations are acceptable.
>>
>> Is it our job/charter to "convey such a message"? I believe so.
>> Conversely, can we say "we merely advocate tech principles and
>> educate... this is not for us"? If we want to be treated as a
>> responsible member of the ecosystem, we can't duck like that.
>>
>> Related, but a slightly different perspective: Robert Graham's blog
>> post on this:
>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>
>> 2. The tough world of principles, ethics, etc:
>> Jim Manico raised a very pertinent point regarding sending mixed
>> messages (=> recognition-of and consistency-in-applying our
>> principles). It isn't easy.
>>
>> Funding goes to the very heart of neutrality and ethics. So it is not
>> so tangential, after all. I know we shouldn't accept funds or even
>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>> brush, I don't know (depends on internal structure, etc.). Let the
>> more knowledgeable people decide on this.
>>
>> Chasing "quick results at any cost" and then splitting hairs on
>> legality and rationalizations will not paint us black; but will surely
>> park us firmly in the gray areas of ethics. Is that what we want?
>>
>> Cheers,
>>
>> ==Sas3==
>>
>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> > My apologies for the delay in responding to this. I've been on the road all
>> > day today and will be slow to respond tomorrow as well.
>> >
>> > First off, let me admit that while my term hadn't officially begun yet, I am
>> > one of the Board members who encouraged Jim and Eoin to move forward with
>> > the training. My rationale for this was simple; OWASP's mission is to make
>> > software security visible, so that individuals and organizations worldwide
>> > can make informed decisions about true software security risks. The core of
>> > this statement being VISIBILITY. We need to find and take advantage of as
>> > many ways as possible to raise the visibility of security risks. Our
>> > mission says nothing about making political statements. It says nothing
>> > about ethical business practices. Our mission can certainly be amended to
>> > reflect other imperatives, if so desired by our membership, but until that
>> > day we need to prevent mission scope creep.
>> >
>> > Now, since our mission is making software security visible, we simply have
>> > to ask ourselves if we better serve this mission by:
>> >
>> > 1) Performing a free training at a major conference, thereby increasing our
>> > exposure to people who haven't heard of OWASP before and enlightening them
>> > to software security risks that they likely were not aware of before.
>> >
>> > 2) Taking a stance against a company where some evidence may imply that they
>> > took a bribe to sacrifice security in one of their products.
>> >
>> > Let me be clear on #2. I don't agree that what RSA did is right, if it is
>> > true. In fact, I have made the explicit decision to not do business with
>> > RSA in my day job because there are many other options out there and it's
>> > just not worth the risk. But my passive decision to not purchase from RSA
>> > is very different than OWASP reneging on our agreement and making a public
>> > statement about their ethics.
>> >
>> > So, given these two options, my gut is that OWASP's mission will be best
>> > served by #1. It doesn't mean that we're supporting RSA. It doesn't mean
>> > that we agree with unethical business practices. It just means that we are
>> > doing the best we can to make application security visible. If that means
>> > piggy-backing on the massive marketing effort they put into the conference
>> > or the infrastructure that supports it, I'm ok with that. I understand that
>> > others may object to this on ethical grounds, and that's fine, but as a
>> > non-profit organization, we have a mandate to stay true to our mission, not
>> > to speak out against whatever the latest security headline is.
>> >
>> > I do have one question about this training for clarification. The training
>> > is FREE for anyone who would like to attend and not just for RSA attendees,
>> > correct? My assumption is the former, but if the latter, this changes
>> > things significantly in my opinion.
>> >
>> > ~josh
>> >
>> >
>> > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >>
>> >> Good point.
>> >> Bottom line is we want people to build secure code. Delivering this
>> >> message under the same roof as RSA does not dilute the quality of the class
>> >> delivered.
>> >> There is no black and white, only shades of grey :)
>> >>
>> >>
>> >> Eoin Keary
>> >> Owasp Global Board
>> >> +353 87 977 2988
>> >>
>> >>
>> >> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> > Another issue that is tangential.
>> >> >
>> >> > We are applying for several big money DHS grants. These help keep the
>> >> > foundation running.
>> >> >
>> >> > Should we reject all of these grants because of the Snowden affair? If
>> >> > we abort RSA but continue to take DHS money, then we send a mixed message.
>> >> >
>> >> > Aloha,
>> >> > Jim
>> >> >
>> >> >> I strongly support Sastry on this one.
>> >> >>
>> >> >> You might be participating as individuals, but people see you guys as
>> >> >> the OWASP Board, and that's something that many of us don't like to be the
>> >> >> image of OWASP.
>> >> >>
>> >> >> Thanks
>> >> >> -Abbas
>> >> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >> >>
>> >> >>> To be clear, there was no recorded vote on this but a debate.
>> >> >>>
>> >> >>> I started the debate after reading about Mikko. (Even though I was
>> >> >>> delivering the training with Jim and it is my material).
>> >> >>>
>> >> >>> The majority of the OWASP board feels getting involved in politics is
>> >> >>> wrong and wanted to push ahead with the training.
>> >> >>>
>> >> >>> So if feelings are strong we need to vote on this ASAP, as leaders of
>> >> >>> OWASP. A formal board vote? Executive decision from Sarah, our executive
>> >> >>> director.
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Eoin Keary
>> >> >>> Owasp Global Board
>> >> >>> +353 87 977 2988
>> >> >>>
>> >> >>>
>> >> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org> wrote:
>> >> >>>
>> >> >>>> Friends,
>> >> >>>>
>> >> >>>> Please see the following full conversation on twitter:
>> >> >>>>
>> >> >>>> https://twitter.com/EoinKeary/status/419111748424454145
>> >> >>>>
>> >> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>> >> >>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>> >> >>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>> >> >>>> to be present. Apparently, this was discussed at the OWASP board level; and
>> >> >>>> the board has decided to go ahead, keeping in mind the benefit to the
>> >> >>>> attending developers.
>> >> >>>>
>> >> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>> >> >>>> sure, I'm afraid) of being complicit with NSA in enabling fatal weakening of
>> >> >>>> crypto products. RSA has issued a sort of a denial that only deepens the
>> >> >>>> mistrust. As a protest, many leading speakers are cancelling their talks at
>> >> >>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>> >> >>>> Jeffrey Carr and Josh Thomas.
>> >> >>>>
>> >> >>>> At such a time, I am saddened by the OWASP board decision to support
>> >> >>>> RSAC by their presence. At a time when they had the opportunity to let the
>> >> >>>> world know how much they care for the Information Security profession (esp.,
>> >> >>>> against weakening crypto); and how much they care about the privacy of
>> >> >>>> people (against NSA's unabashed spying on Americans & non-Americans alike),
>> >> >>>> the board has copped out using a flimsy rationalization ("benefit of (a few)
>> >> >>>> developers", many of whom would rethink their attendance had OWASP and more
>> >> >>>> organizations not blinked!").
>> >> >>>>
>> >> >>>> I'm sure there was a heated debate. I'm sure all angles were
>> >> >>>> considered. However, this goes too deep for me to take it as "better men
>> >> >>>> than me have considered and decided". As a matter of my personal values, if
>> >> >>>> the situation doesn't change, I would no longer wish to continue as the
>> >> >>>> OWASP Chapter Lead. Please let me know if any of you would like to take over
>> >> >>>> from me.
>> >> >>>>
>> >> >>>> I will also share my feelings with fellow chapter members at our next
>> >> >>>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>> >> >>>> remain committed to the principles of our open and open-source infosec
>> >> >>>> community.
>> >> >>>>
>> >> >>>> Best regards,
>> >> >>>>
>> >> >>>> ==Sas3==
>> >> >>> _______________________________________________
>> >> >>> OWASP-Leaders mailing list
>> >> >>> OWASP-Leaders at lists.owasp.org
>> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >> >
>> >> _______________________________________________
>> >> Owasp-board mailing list
>> >> Owasp-board at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> --
> Homo sapiens non urinat in ventum.