[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Larry Conklin larry.conklin at owasp.org
Sun Jan 5 18:52:06 UTC 2014


+1


On Sun, Jan 5, 2014 at 11:58 AM, <tonyuv at owasp.org> wrote:

>  Can we stop with the sensationalism?  JFK, MLK used Dante's quote for
> serious social dividing issues, not on depicting whether a training talk on
> secure dev should take place with RSAC - a marketing department driven feat
> by a very large company known as EMC - owners of RSA Security LLC.
>
> If you want to go down this 'moral' road, let your conscience know you're
> passing judgment against an entity that is alleged.  Spending your time and
> efforts on alleged involvements that none of us are 100% certain, detracts
> us from our stewardship on teaching others on how to secure their
> applications, but no matter how much YOU think your understood vision of
> the world thinks of OWASP's association with RSA, it dwarfs in comparison
> that have no idea on how to properly handle sessions, do output encoding,
> perform CRUD exercises on application users, etc.
>
> So what do we know? We know people want to get trained at this
> conference.  We know that logistics have been made for training.  We know
> last year we reached others. We also know what we can say in regards to the
> matter.  Knowing the trainers, I have no doubt they will have the balls to
> say what they need to say when they have the floor.  The rest is
> speculation.
>
> Even my own comments on that the WIDER InfoSec community, not the hundreds
> of blog disciples but the THOUSANDS worldwide that just want to do work and
> improve their craft, professionals, even my own comment is speculation
> .....to say that they wouldn't care. Maybe I'm wrong - I hope I'm wrong - and
> a unison of InfoSec and privacy professionals do actually take note and we
> find ourselves in a fury of controversy, but I'm pretty sure I'm not but I
> lessen my own comments to equate to a lot of the comments made against to
> say this.  It's just an opinionated statement.
>
> And one last point....ironically, the post from Errata Security (man, Graham
> must be loving this free press coverage, how timely) has really good
> rebuttals to the ~250 that weighed in on the topic.
>
> Look mom, I'm a security 'researcher' now! (see below) (SOURCE:
> https://news.ycombinator.com/item?id=7013032 - THX Rory!)
>
> aortega <https://news.ycombinator.com/user?id=aortega> 7 hours ago |
> link <https://news.ycombinator.com/item?id=7015249>
>
> What about Microsoft Bluehat, Google I/O, Yahoo, Apple, etc. all security
> vendors that collaborated with NSA. And that's only with the 5% leaked
> documents revealed.
>
> What about vendors that implemented Dual_EC_DRBG years after the
> vulnerability was known?
>
> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
>
> See that link, Symantec and Cisco implemented it last month.
>
> I believe you will end up having to boycott 90% of US corporations.
> Tony UV
> From: epsylon-owasp <roberto.merida at owasp.org>
> Sent: Sunday, January 5, 2014 12:55 PM
> To: Bev Corwin <bev.corwin at owasp.org>
> Cc: Kanwal Singh (WebMentors) <kanwalsb at gmail.com>, Ravdeep Sodhi <ravdeep.sodhi at ecoretechnos.com>,
> OWASP Leaders <owasp-leaders at lists.owasp.org>, Nishant Johar (EMOBX) <nj at emobx.com>
>
> "The hottest places in hell are reserved for those who, in times of great
> moral crisis, maintain their neutrality."
>
> -- John F. Kennedy
>
> On 05/01/14 18:38, Bev Corwin wrote:
>
> For the record, my 2 cents: I support this "OWASP without borders", non
> political approach:
>
>  "OWASP is a vendor-neutral, community-driven organization and its
> participation in any conference or program does not mean endorsement or
> approval of any kind for products or business practices. OWASP
> participation is meant to 'make security visible' as stated in the OWASP
> chart. OWASP repudiates all activities that can decrease the security of IT
> systems."
>
>  Bev
>
>
>
> On Sun, Jan 5, 2014 at 12:29 PM, Lucas Ferreira <lucas.ferreira at owasp.org>wrote:
>
>> Hello everyone,
>>
>>  while I personally would rather not see OWASP in RSA, I have to admit
>> that I was there last year and saw the room full of people when Eoin and
>> Manico did their training. I agree this is a great opportunity.
>>
>>  I also feel that the more hardcore security and crypto people will be
>> less present at RSAC this year and this increases the possibility of
>> reaching out of the community. This means that if we have a full room this
>> year, we will probably have more non-security people than last year.
>>
>>  So I was at the same time more willing to say the talk should be
>> cancelled but worrying about losing such an opportunity. To me we could
>> get a more balanced approach if the training clearly included a disclaimer
>> that we do not endorse any activity that can jeopardize the security of IT
>> systems. This would make it clear that we are not in the conference because
>> we endorse or believe RSA, but because the presentation would help OWASP in
>> fulfilling its mission.
>>
>>  Anyway, when we had presentations at RSAC in the past, it was not to be
>> seen as if OWASP endorsed RSA products. AFAIK, we have OWASP presentations
>> in vendor-organized conferences and are still vendor-neutral. To me, this
>> is a sign that, in the past, doing a presentation was not seen as an
>> endorsement from OWASP.
>>
>>  In the case of RSAC, I would still like to see a clear disclaimer. It
>> could be something like:
>>
>>  "OWASP is a vendor-neutral, community-driven organization and its
>> participation in any conference or program does not mean endorsement or
>> approval of any kind for products or business practices. OWASP
>> participation is meant to 'make security visible' as stated in the OWASP
>> chart. OWASP repudiates all activities that can decrease the security of IT
>> systems."
>>
>>  Regards,
>>
>>  Lucas
>>
>>
>> On Sun, Jan 5, 2014 at 8:54 AM, L. Gustavo C. Barbato <
>> lgbarbato at owasp.org> wrote:
>>
>>>  If we keep discussing philosophy and high ideals, we will never reach a
>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>
>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>   A key differentiator when we did this free training at AppSecUSA in
>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>> conference pass was required to participate.  Since that is not the case
>>> here, and since the training is only open to RSA attendees, then I think
>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>> would be interested in hosting this training for free for the community at
>>> large.  If we can do that, then I think it's the true win here as we get the
>>> visibility to satisfy our mission and we remove the negative stigma of
>>> being associated with RSA.
>>>
>>> I would disagree, however, that visibility is only a means to an end.
>>> Since it's in our mission statement, all of our activities and
>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>> the point where everyone, everywhere, knows about application security,
>>> then we can close up shop and move on.  There is no compromising the end
>>> goal here because, per the mission statement, visibility is the end goal.
>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>> about OWASP as a non-profit.
>>>
>>> ~josh
>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>>> wrote:
>>>
>>>> 1. The immediate focus on RSAC:
>>>> No matter how we rationalize, the fact is that we (OWASP) have
>>>> options. This, at worst, is one missed opportunity. So let us not, in
>>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>>
>>>> VISIBILITY is a means to an end (better security, more secure software
>>>> -- which in itself is likely a never-ending activity). Let us not
>>>> compromise on the end-goal while chasing the means.
>>>>
>>>> Short term gains (of reaching some developers) will easily be lost if
>>>> we take the low road. Even 300 more "aware" developers are for naught
>>>> if, based on RSAC acceptance, just one more company feels that the
>>>> risks of trucking with NSA/GCHQ and compromising underlying
>>>> foundations are acceptable.
>>>>
>>>> Is it our job/charter to "convey such a message"? I believe so.
>>>> Conversely, can we say "we merely advocate tech principles and
>>>> educate... this is not for us"? If we want to be treated as a
>>>> responsible member of the ecosystem, we can't duck like that.
>>>>
>>>> Related, but a slightly different perspective: Robert Graham's blog
>>>> post on this:
>>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>>
>>>> 2. The tough world of principles, ethics, etc:
>>>> Jim Manico raised a very pertinent point regarding sending mixed
>>>> messages (=> recognition-of and consistency-in-applying our
>>>> principles). It isn't easy.
>>>>
>>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>>> so tangential, after all. I know we shouldn't accept funds or even
>>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>>> brush, I don't know (depends on internal structure, etc.). Let the
>>>> more knowledgeable people decide on this.
>>>>
>>>> Chasing "quick results at any cost" and then splitting hairs on
>>>> legality and rationalizations will not paint us black; but will surely
>>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>>
>>>> Cheers,
>>>>
>>>> ==Sas3==
>>>>
>>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>> > My apologies for the delay in responding to this.  I've been on the
>>>> > road all day today and will be slow to respond tomorrow as well.
>>>> >
>>>> > First off, let me admit that while my term hadn't officially begun
>>>> > yet, I am one of the Board members who encouraged Jim and Eoin to move
>>>> > forward with the training.  My rationale for this was simple: OWASP's
>>>> > mission is to make software security visible, so that individuals and
>>>> > organizations worldwide can make informed decisions about true software
>>>> > security risks.  The core of this statement being VISIBILITY.  We need
>>>> > to find and take advantage of as many ways as possible to raise the
>>>> > visibility of security risks.  Our mission says nothing about making
>>>> > political statements.  It says nothing about ethical business
>>>> > practices.  Our mission can certainly be amended to reflect other
>>>> > imperatives, if so desired by our membership, but until that day we
>>>> > need to prevent mission scope creep.
>>>> >
>>>> > Now, since our mission is making software security visible, we simply
>>>> > have to ask ourselves if we better serve this mission by:
>>>> >
>>>> > 1) Performing a free training at a major conference, thereby
>>>> > increasing our exposure to people who haven't heard of OWASP before and
>>>> > enlightening them to software security risks that they likely were not
>>>> > aware of before.
>>>> >
>>>> > 2) Taking a stance against a company where some evidence may imply
>>>> > that they took a bribe to sacrifice security in one of their products.
>>>> >
>>>> > Let me be clear on #2.  I don't agree that what RSA did is right, if
>>>> > it is true.  In fact, I have made the explicit decision to not do
>>>> > business with RSA in my day job because there are many other options
>>>> > out there and it's just not worth the risk.  But my passive decision to
>>>> > not purchase from RSA is very different than OWASP reneging on our
>>>> > agreement and making a public statement about their ethics.
>>>> >
>>>> > So, given these two options, my gut is that OWASP's mission will be
>>>> > best served by #1.  It doesn't mean that we're supporting RSA.  It
>>>> > doesn't mean that we agree with unethical business practices.  It just
>>>> > means that we are doing the best we can to make application security
>>>> > visible.  If that means piggy-backing on the massive marketing effort
>>>> > they put into the conference or the infrastructure that supports it,
>>>> > I'm ok with that.  I understand that others may object to this on
>>>> > ethical grounds, and that's fine, but as a non-profit organization, we
>>>> > have a mandate to stay true to our mission, not to speak out against
>>>> > whatever the latest security headline is.
>>>> >
>>>> > I do have one question about this training for clarification.  The
>>>> > training is FREE for anyone who would like to attend and not just for
>>>> > RSA attendees, correct?  My assumption is the former, but if the
>>>> > latter, this changes things significantly in my opinion.
>>>> >
>>>> > ~josh
>>>> >
>>>> >
>>>> > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>> >>
>>>> >> Good point.
>>>> >> Bottom line is we want people to build secure code. Delivering this
>>>> >> message under the same roof as RSA does not dilute the quality of
>>>> >> the class delivered.
>>>> >> There is no black and white, only shades of grey :)
>>>> >>
>>>> >>
>>>> >> Eoin Keary
>>>> >> Owasp Global Board
>>>> >> +353 87 977 2988
>>>> >>
>>>> >>
>>>> >> On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>>>> >>
>>>> >> > Another issue that is tangential.
>>>> >> >
>>>> >> > We are applying for several big money DHS grants. These help keep
>>>> >> > the foundation running.
>>>> >> >
>>>> >> > Should we reject all of these grants because of the Snowden
>>>> >> > affair? If we abort RSA but continue to take DHS money, then we send
>>>> >> > a mixed message.
>>>> >> >
>>>> >> > Aloha,
>>>> >> > Jim
>>>> >> >
>>>> >> >> I strongly support Sastry on this one.
>>>> >> >>
>>>> >> >> You might be participating as individuals, but people see you
>>>> >> >> guys as the OWASP Board, and that's something that many of us
>>>> >> >> don't like to be the image of OWASP.
>>>> >> >>
>>>> >> >> Thanks
>>>> >> >> -Abbas
>>>> >> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>> >> >>
>>>> >> >>> To be clear, there was no recorded vote on this but a debate.
>>>> >> >>>
>>>> >> >>> I started the debate after reading about Mikko. (Even though I
>>>> >> >>> was delivering the training with Jim and it is my material).
>>>> >> >>>
>>>> >> >>> The majority of the OWASP board feels getting involved in
>>>> >> >>> politics is wrong and wanted to push ahead with the training.
>>>> >> >>>
>>>> >> >>> So if feelings are strong we need to vote on this ASAP as
>>>> >> >>> leaders of OWASP. A formal board vote? Executive decision from
>>>> >> >>> Sarah, our executive director.
>>>> >> >>>
>>>> >> >>>
>>>> >> >>>
>>>> >> >>> Eoin Keary
>>>> >> >>> Owasp Global Board
>>>> >> >>> +353 87 977 2988
>>>> >> >>>
>>>> >> >>>
>>>> >> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org> wrote:
>>>> >> >>>
>>>> >> >>>> Friends,
>>>> >> >>>>
>>>> >> >>>> Please see the following full conversation on twitter:
>>>> >> >>>> https://twitter.com/EoinKeary/status/419111748424454145
>>>> >> >>>>
>>>> >> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>>>> >> >>>> presenting/conducting 4 hrs of free-of-cost AppSec training at
>>>> >> >>>> the RSA Conference, 2014. Michael Coates, Chairman of the OWASP
>>>> >> >>>> Board, is also said to be present. Apparently, this was discussed
>>>> >> >>>> at the OWASP board level; and the board has decided to go ahead,
>>>> >> >>>> keeping in mind the benefit to the attending developers.
>>>> >> >>>>
>>>> >> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>>>> >> >>>> sure, I'm afraid) of being complicit with NSA in enabling fatal
>>>> >> >>>> weakening of crypto products. RSA has issued a sort of a denial
>>>> >> >>>> that only deepens the mistrust. As a protest, many leading
>>>> >> >>>> speakers are cancelling their talks at the upcoming RSAC 2014.
>>>> >> >>>> Among them are (to my knowledge) Mikko Hypponen, Jeffrey Carr and
>>>> >> >>>> Josh Thomas.
>>>> >> >>>>
>>>> >> >>>> At such a time, I am saddened by the OWASP board decision to
>>>> >> >>>> support RSAC by their presence. At a time when they had the
>>>> >> >>>> opportunity to let the world know how much they care for the
>>>> >> >>>> Information Security profession (esp., against weakening crypto);
>>>> >> >>>> and how much they care about the privacy of people (against NSA's
>>>> >> >>>> unabashed spying on Americans & non-Americans alike), the board
>>>> >> >>>> has copped out using a flimsy rationalization ("benefit of (a
>>>> >> >>>> few) developers", many of whom would rethink their attendance had
>>>> >> >>>> OWASP and more organizations not blinked!).
>>>> >> >>>>
>>>> >> >>>> I'm sure there was a heated debate. I'm sure all angles were
>>>> >> >>>> considered. However, this goes too deep for me to take it as
>>>> >> >>>> "better men than me have considered and decided". As a matter of
>>>> >> >>>> my personal values, if the situation doesn't change, I would no
>>>> >> >>>> longer wish to continue as the OWASP Chapter Lead. Please let me
>>>> >> >>>> know if any of you would like to take over from me.
>>>> >> >>>>
>>>> >> >>>> I will also share my feelings with fellow chapter members at
>>>> >> >>>> our next chapter meeting on Jan 21st. Needless to say, no matter
>>>> >> >>>> how things go, I remain committed to the principles of our open
>>>> >> >>>> and open-source infosec community.
>>>> >> >>>>
>>>> >> >>>> Best regards,
>>>> >> >>>>
>>>> >> >>>> ==Sas3==
>>>> >> >>> _______________________________________________
>>>> >> >>> OWASP-Leaders mailing list
>>>> >> >>> OWASP-Leaders at lists.owasp.org
>>>> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >
>>>> >> _______________________________________________
>>>> >> Owasp-board mailing list
>>>> >> Owasp-board at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>   --
>> Homo sapiens non urinat in ventum.
>>
>>
>>
>
>
>
>
>
>
>