[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

epsylon-owasp roberto.merida at owasp.org
Sun Jan 5 17:55:27 UTC 2014


"The hottest places in hell are reserved for those who, in times of
great moral crisis, maintain their neutrality."

-- John F. Kennedy

On 05/01/14 18:38, Bev Corwin wrote:
> For the record, my 2 cents: I support this "OWASP without borders",
> non political approach:
>
> "OWASP is a vendor-neutral, community-driven organization and its
> participation in any conference or program does not mean endorsement
> or approval of any kind for products or business practices. OWASP
> participation is meant to 'make security visible' as stated in the
> OWASP chart. OWASP repudiates all activities that can decrease the
> security of IT systems."
>
> Bev
>
>
>
> On Sun, Jan 5, 2014 at 12:29 PM, Lucas Ferreira
> <lucas.ferreira at owasp.org <mailto:lucas.ferreira at owasp.org>> wrote:
>
>     Hello everyone,
>
>     while I personally would rather not see OWASP in RSA, I have to
>     admit that I was there last year and saw the room full of people
>     when Eoin and Manico did their training. I agree this is a great
>     opportunity.
>
>     I also feel that the more hardcore security and crypto people will
>     be less present at RSAC this year and this increases the
>     possibility of reaching out of the community. This means that if
>     we have a full room this year, we will probably have more
>     non-security people than last year.
>
>     So I was at the same time more willing to say the talk should be
>     cancelled but worrying about losing such an opportunity. To me we
>     could get a more balanced approach if the training clearly
>     included a disclaimer that we do not endorse any activity that can
>     jeopardize the security of IT systems. This would make it clear
>     that we are not in the conference because we endorse or believe
>     RSA, but because the presentation would help OWASP in fulfilling
>     its mission.
>
>     Anyway, when we had presentations at RSAC in the past, it was not
>     to be seen as if OWASP endorsed RSA products. AFAIK, we have OWASP
>     presentations in vendor-organized conferences and are still
>     vendor-neutral. To me, this is a sign that, in the past, doing a
>     presentation was not seen as an endorsement from OWASP.
>
>     In the case of RSAC, I would still like to see a clear disclaimer.
>     It could be something like:
>
>     "OWASP is a vendor-neutral, community-driven organization and its
>     participation in any conference or program does not mean
>     endorsement or approval of any kind for products or business
>     practices. OWASP participation is meant to 'make security visible'
>     as stated in the OWASP chart. OWASP repudiates all activities that
>     can decrease the security of IT systems."
>
>     Regards,
>
>     Lucas
>
>
>     On Sun, Jan 5, 2014 at 8:54 AM, L. Gustavo C. Barbato
>     <lgbarbato at owasp.org <mailto:lgbarbato at owasp.org>> wrote:
>
>         Keeping on discussing philosophy and high ideals, we will never
>         reach a consensus in the time frame we need, so let's let
>         democracy win the debate.
>
>         On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org
>         <mailto:josh.sokol at owasp.org>> wrote:
>
>>         A key differentiator when we did this free training at
>>         AppSecUSA in Austin and LASCON 2013 is that it was 100% free
>>         and open to all.  No conference pass was required to
>>         participate.  Since that is not the case here, and since the
>>         training is only open to RSA attendees, then I think this
>>         demonstrates a much closer tie between OWASP and RSA than I
>>         would like to see.  I like the idea of approaching BSides SF
>>         and seeing if maybe they would be interested in hosting this
>>         training for free for the community at large.  If we can do
>>         that, then I think it's the true win here as we get the
>>         visibility to satisfy our mission and we remove the negative
>>         stigma of being associated with RSA.
>>
>>         I would disagree, however, that visibility is only a means to
>>         an end.  Since it's in our mission statement, all of our
>>         activities and prioritizations are required, by law, to
>>         follow that.  And if we ever reach the point where everyone,
>>         everywhere, knows about application security, then we can
>>         close up shop and move on.  There is no compromising the end
>>         goal here because, per the mission statement, visibility is
>>         the end goal.  I'm sorry if that compromises your principles
>>         Sastry but its the truth about OWASP as a non-profit.
>>
>>         ~josh
>>
>>         On Jan 5, 2014 12:32 AM, "Sastry Tumuluri"
>>         <sastry.tumuluri at owasp.org
>>         <mailto:sastry.tumuluri at owasp.org>> wrote:
>>
>>             1. The immediate focus on RSAC:
>>             No matter how we rationalize, the fact is that we (OWASP)
>>             have
>>             options. This, at worst, is one missed opportunity. So
>>             let us not, in
>>             our relentless pursuit of VISIBILITY, compromise on
>>             principles.
>>
>>             VISIBILITY is a means to an end (better security, more
>>             secure software
>>             -- which in itself is likely a never-ending activity).
>>             Let us not
>>             compromise on the end-goal while chasing the means.
>>
>>             Short term gains (of reaching some developers) will
>>             easily be lost if
>>             we take the low road. Even 300 more "aware" developers
>>             are for naught
>>             if, based on RSAC acceptance, just one more company feels
>>             that the
>>             risks of trucking with NSA/GCHQ and compromising underlying
>>             foundations are acceptable.
>>
>>             Is it our job/charter to "convey such a message"? I
>>             believe so.
>>             Conversely, can we say "we merely advocate tech
>>             principles and
>>             educate... this is not for us"? If we want to be treated as a
>>             responsible member of the ecosystem, we can't duck like that.
>>
>>             Related, but a slightly different perspective: Robert
>>             Graham's blog
>>             post on this:
>>             http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>
>>             2. The tough world of principles, ethics, etc:
>>             Jim Manico raised a very pertinent point regarding
>>             sending mixed
>>             messages (=> recognition-of and consistency-in-applying our
>>             principles). It isn't easy.
>>
>>             Funding goes to the very heart of neutrality and ethics.
>>             So it is not
>>             so tangential, after all. I know we shouldn't accept
>>             funds or even
>>             projects from NSA, GCHQ, etc. Whether DHS is to be
>>             painted by the same
>>             brush, I don't know (depends on internal structure,
>>             etc.). Let the
>>             more knowledgeable people decide on this.
>>
>>             Chasing "quick results at any cost" and then splitting
>>             hairs on
>>             legality and rationalizations will not paint us black;
>>             but will surely
>>             park us firmly in the gray areas of ethics. Is that what
>>             we want?
>>
>>             Cheers,
>>
>>             ==Sas3==
>>
>>             On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol
>>             <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>             > My apologies for the delay in responding to this.  I've
>>             been on the road all
>>             > day today and will be slow to respond tomorrow as well.
>>             >
>>             > First off, let me admit that while my term hadn't
>>             officially begun yet, I am
>>             > one of the Board members who encouraged Jim and Eoin to
>>             move forward with
>>             > the training.  My rationale for this was simple;
>>             OWASP's mission is to make
>>             > software security visible, so that individuals and
>>             organizations worldwide
>>             > can make informed decisions about true software
>>             security risks.  The core of
>>             > this statement being VISIBILITY.  We need to find and
>>             take advantage of as
>>             > many ways as possible to raise the visibility of
>>             security risks.  Our
>>             > mission says nothing about making political statements.
>>              It says nothing
>>             > about ethical business practices.  Our mission can
>>             certainly be amended to
>>             > reflect other imperatives, if so desired by our
>>             membership, but until that
>>             > day we need to prevent mission scope creep.
>>             >
>>             > Now, since our mission is making software security
>>             visible, we simply have
>>             > to ask ourselves if we better serve this mission by:
>>             >
>>             > 1) Performing a free training at a major conference,
>>             thereby increasing our
>>             > exposure to people who haven't heard of OWASP before
>>             and enlightening them
>>             > to software security risks that they likely were not
>>             aware of before.
>>             >
>>             > 2) Taking a stance against a company where some
>>             evidence may imply that they
>>             > took a bribe to sacrifice security in one of their
>>             products.
>>             >
>>             > Let me be clear on #2.  I don't agree that what RSA did
>>             is right, if it is
>>             > true.  In fact, I have made the explicit decision to
>>             not do business with
>>             > RSA in my day job because there are many other options
>>             out there and it's
>>             > just not worth the risk.  But my passive decision to
>>             not purchase from RSA
>>             > is very different than OWASP reneging on our agreement
>>             and making a public
>>             > statement about their ethics.
>>             >
>>             > So, given these two options, my gut is that OWASP's
>>             mission will be best
>>             > served by #1.  It doesn't mean that we're supporting
>>             RSA.  It doesn't mean
>>             > that we agree with unethical business practices.  It
>>             just means that we are
>>             > doing the best we can to make application security
>>             visible.  If that means
>>             > piggy-backing on the massive marketing effort they put
>>             into the conference
>>             > or the infrastructure that supports it, I'm ok with
>>             that.  I understand that
>>             > others may object to this on ethical grounds, and
>>             that's fine, but as a
>>             > non-profit organization, we have a mandate to stay true
>>             to our mission, not
>>             > to speak out against whatever the latest security
>>             headline is.
>>             >
>>             > I do have one question about this training for
>>             clarification.  The training
>>             > is FREE for anyone who would like to attend and not
>>             just for RSA attendees,
>>             > correct?  My assumption is the former, but if the
>>             latter, this changes
>>             > things significantly in my opinion.
>>             >
>>             > ~josh
>>             >
>>             >
>>             > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary
>>             <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>>             >>
>>             >> Good point.
>>             >> Bottom line is we want people to build secure code.
>>             Delivering this
>>             >> message under the same roof as RSA does not dilute the
>>             quality of the class
>>             >> delivered.
>>             >> There is no black and white, only shades of grey :)
>>             >>
>>             >>
>>             >> Eoin Keary
>>             >> Owasp Global Board
>>             >> +353 87 977 2988
>>             >>
>>             >>
>>             >> On 4 Jan 2014, at 23:36, Jim Manico
>>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>             >>
>>             >> > Another issue that is tangential.
>>             >> >
>>             >> > We are applying for several big money DHS grants.
>>             These help keep the
>>             >> > foundation running.
>>             >> >
>>             >> > Should we reject all of these grants because of the
>>             Snowden affair? If
>>             >> > we abort RSA but continue to take DHS money, then we
>>             send a mixed message.
>>             >> >
>>             >> > Aloha,
>>             >> > Jim
>>             >> >
>>             >> >> I strongly support Sastry on this one.
>>             >> >>
>>             >> >> You might be participating as individuals, but
>>             people see you guys as
>>             >> >> the OWASP Board, and that's something that many of
>>             us don't like to be the
>>             >> >> image of OWASP.
>>             >> >>
>>             >> >> Thanks
>>             >> >> -Abbas
>>             >> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary
>>             <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>>             >> >>
>>             >> >>> To be clear, there was no recorded vote on this
>>             but a debate.
>>             >> >>>
>>             >> >>> I started the debate after reading about Mikko.
>>             (Even though I was
>>             >> >>> delivering the training with Jim and it is my
>>             material).
>>             >> >>>
>>             >> >>> The majority of board of OWASP feels getting
>>             involved in politics is
>>             >> >>> wrong and wanted to push ahead with the training.
>>             >> >>>
>>             >> >>> So if feelings are strong we need to vote on this
>>             ASAP? as leaders of
>>             >> >>> OWASP. A formal board vote? Executive decision
>>             from Sarah, our executive
>>             >> >>> director.
>>             >> >>>
>>             >> >>>
>>             >> >>>
>>             >> >>> Eoin Keary
>>             >> >>> Owasp Global Board
>>             >> >>> +353 87 977 2988
>>             >> >>>
>>             >> >>>
>>             >> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri
>>             <sastry.tumuluri at owasp.org
>>             <mailto:sastry.tumuluri at owasp.org>>
>>             >> >>> wrote:
>>             >> >>>
>>             >> >>>> Friends,
>>             >> >>>>
>>             >> >>>> Please see the following full conversation on
>>             twitter:
>>             >> >>>>
>>             https://twitter.com/EoinKeary/status/419111748424454145
>>             >> >>>>
>>             >> >>>> Eoin Keary and Jim Manico (both OWASP board
>>             members) will be
>>             >> >>>> presenting/conducting 4 hrs of free-of-cost
>>             AppSec training at the RSA
>>             >> >>>> Conference, 2014. Michael Coates, Chairman of the
>>             OWASP Board is also said
>>             >> >>>> to be present. Apparently, this was discussed at
>>             the OWASP board level; and
>>             >> >>>> the board has decided to go ahead, keeping in
>>             mind the benefit to the
>>             >> >>>> attending developers.
>>             >> >>>>
>>             >> >>>> As you are aware, RSA is strongly suspected
>>             (we'll never be 100%
>>             >> >>>> sure, I'm afraid) of being complicit with NSA in
>>             enabling fatal weakening of
>>             >> >>>> crypto products. RSA has issued a sort of a
>>             denial that only deepens the
>>             >> >>>> mistrust. As a protest, many leading speakers are
>>             cancelling their talks at
>>             >> >>>> the upcoming RSAC 2014. Among them are (to my
>>             knowledge) Mikko Hypponen,
>>             >> >>>> Jeffrey Carr and Josh Thomas.
>>             >> >>>>
>>             >> >>>> At such a time, I am saddened by the OWASP board
>>             decision to support
>>             >> >>>> RSAC by their presence. At a time when they had
>>             the opportunity to let the
>>             >> >>>> world know how much they care for the Information
>>             Security profession (esp.,
>>             >> >>>> against weakening crypto); and how much they care
>>             about the privacy of
>>             >> >>>> people (against NSA's unabashed spying on
>>             Americans & non-Americans alike),
>>             >> >>>> the board has copped out using a flimsy
>>             rationalization ("benefit of (a few)
>>             >> >>>> developers", many of who would rethink their
>>             attendance had OWASP and more
>>             >> >>>> organizations didn't blink!").
>>             >> >>>>
>>             >> >>>> I'm sure there was a heated debate. I'm sure all
>>             angles were
>>             >> >>>> considered. However, this goes too deep for me to
>>             take it as "better men
>>             >> >>>> than me have considered and decided". As a matter
>>             of my personal values, if
>>             >> >>>> the situation doesn't change, I would no longer
>>             wish to continue as the
>>             >> >>>> OWASP Chapter Lead. Please let me know if any of
>>             you would like to take over
>>             >> >>>> from me.
>>             >> >>>>
>>             >> >>>> I will also share my feelings with fellow chapter
>>             members at our next
>>             >> >>>> chapter meeting on Jan 21st. Needless to say, no
>>             matter how things go, I
>>             >> >>>> remain committed to the principles of our open
>>             and open-source infosec
>>             >> >>>> community.
>>             >> >>>>
>>             >> >>>> Best regards,
>>             >> >>>>
>>             >> >>>> ==Sas3==
>>             >> >>> _______________________________________________
>>             >> >>> OWASP-Leaders mailing list
>>             >> >>> OWASP-Leaders at lists.owasp.org
>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>             >> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>             >> >>
>>             >> >
>>             >> _______________________________________________
>>             >> Owasp-board mailing list
>>             >> Owasp-board at lists.owasp.org
>>             <mailto:Owasp-board at lists.owasp.org>
>>             >> https://lists.owasp.org/mailman/listinfo/owasp-board
>>             >
>>             >
>>
>
>
>     -- 
>     Homo sapiens non urinat in ventum.
>
>
