[Owasp-leaders] OWASP Board decision that I don't agree with

Konstantinos Papapanagiotou konstantinos at owasp.org
Sun Jan 5 17:59:04 UTC 2014

This kind of democracy might have worked in ancient Athens (with pros and
cons) but nowadays we have a BoD and a CEO for such kind of decisions.


On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:

> If we keep discussing philosophy and high ideals, we will never reach a
> consensus in the time frame we need, so let's let democracy win the debate.
> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
> A key differentiator when we did this free training at AppSecUSA in Austin
> and LASCON 2013 is that it was 100% free and open to all.  No conference
> pass was required to participate.  Since that is not the case here, and
> since the training is only open to RSA attendees, then I think this
> demonstrates a much closer tie between OWASP and RSA than I would like to
> see.  I like the idea of approaching BSides SF and seeing if maybe they
> would be interested in hosting this training for free for the community at
> large.  If we can do that, then I think it's the true win here as we get the
> visibility to satisfy our mission and we remove the negative stigma of
> being associated with RSA.
> I would disagree, however, that visibility is only a means to an end.
> Since it's in our mission statement, all of our activities and
> prioritizations are required, by law, to follow that.  And if we ever reach
> the point where everyone, everywhere, knows about application security,
> then we can close up shop and move on.  There is no compromising the end
> goal here because, per the mission statement, visibility is the end goal.
> I'm sorry if that compromises your principles Sastry but it's the truth
> about OWASP as a non-profit.
> ~josh
> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
> wrote:
> 1. The immediate focus on RSAC:
> No matter how we rationalize, the fact is that we (OWASP) have
> options. This, at worst, is one missed opportunity. So let us not, in
> our relentless pursuit of VISIBILITY, compromise on principles.
> VISIBILITY is a means to an end (better security, more secure software
> -- which in itself is likely a never-ending activity). Let us not
> compromise on the end-goal while chasing the means.
> Short term gains (of reaching some developers) will easily be lost if
> we take the low road. Even 300 more "aware" developers are for naught
> if, based on RSAC acceptance, just one more company feels that the
> risks of trucking with NSA/GCHQ and compromising underlying
> foundations are acceptable.
> Is it our job/charter to "convey such a message"? I believe so.
> Conversely, can we say "we merely advocate tech principles and
> educate... this is not for us"? If we want to be treated as a
> responsible member of the ecosystem, we can't duck like that.
> Related, but a slightly different perspective: Robert Graham's blog
> post on this:
> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
> 2. The tough world of principles, ethics, etc:
> Jim Manico raised a very pertinent point regarding sending mixed
> messages (=> recognition-of and consistency-in-applying our
> principles). It isn't easy.
> Funding goes to the very heart of neutrality and ethics. So it is not
> so tangential, after all. I know we shouldn't accept funds or even
> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
> brush, I don't know (depends on internal structure, etc.). Let the
> more knowledgeable people decide on this.
> Chasing "quick results at any cost" and then splitting hairs on
> legality and rationalizations will not paint us black; but will surely
> park us firmly in the gray areas of ethics. Is that what we want?
> Cheers,
> ==Sas3==
> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > My apologies for the delay in responding to this.  I've been on the road all
> > day today and will be slow to respond tomorrow as well.
> >
> > First off, let me admit that while my term hadn't officially begun yet, I am
> > one of the Board members who encouraged Jim and Eoin to move forward with
> > the training.  My rationale for this was simple; OWASP's mission is to make
> > software security visible, so that individuals and organizations worldwide
> > can make informed decisions about true software security risks.  The core of
> > this statement being VISIBILITY.  We need to find and take advantage of as
> > many ways as possible to raise the visibility of security risks.  Our
> > mission says nothing about making political statements.  It says nothing
> > about ethical business practices.  Our mission can certainly