[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

psiinon psiinon at gmail.com
Mon Jan 6 08:48:43 UTC 2014


I stand corrected :)

And will be interested to hear if we are financially supporting RSAC.

Cheers,

Simon


On Sun, Jan 5, 2014 at 12:08 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi Simon,
>
> just to clarify on one of your assumptions in your email, as I learned
> this info on the board mailing-list last night, correcting my initial
> (wrong) assumption that everyone would be attending RSA just as "individual
> volunteers":
>
> - RSA approached OWASP if we (owasp) would deliver free training/awareness
> session.
> - All contractual agreements were signed by OWASP and not by us as
> individuals. -> OWASP training.
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012845.html
> - "we are delivering the training as OWASP."
> "OWASP was approached by RSA."
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012823.html
> - "this is a RSA association slot. The whole point is to officially
> represent OWASP at RSA...."
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012848.html
> - this is as "formal reps of OWASP for this event."
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012859.html
>
> Not sure whether that would be relevant for any of your comments?
>
> All the best, Tobias
>
>
> PS: regarding your remark about whether "OWASP is financially sponsoring
> an event": as board member, I have initiated a request for info with Sarah
> to clarify the extent of OWASP's financial arrangements for RSA.
>
>
> On 05/01/14 11:05, psiinon wrote:
>
>  Here's my take on this:
>
> OWASP _should_ get involved in politics - that's where the big decisions
> are made. Organizations like OWASP can have a much greater impact than a
> set of 'concerned individuals'.
>
> OWASP should _not_ 'ban' volunteers from presenting / training etc at any
> event unless it is clearly at odds with the OWASP mission, eg a 'cracker'
> event.
>
> Volunteers presenting / training at an event does not indicate that OWASP
> as an organization supports the past (alleged) actions of the event
> organizers. OWASP financially sponsoring an event would be a different
> matter.
>
> The fact that the volunteers we are discussing are board members is
> irrelevant - we all represent OWASP when we appear under the OWASP banner.
>
> I don't think this is a clear-cut case (as can be seen by the opposing
> views on this thread), and so the decision should be made by those
> individuals.
>
>  I have no problem with people attempting to sway these individuals either
> way on this thread, but I'm confident they will make the right decision for
> them, and I don't think that will reflect badly on OWASP the organization
> whichever way they choose.
>
>  Feel free to disagree with any of those opinions ;)
>
>  Simon
>
>
> On Sun, Jan 5, 2014 at 8:51 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>>  Josh,
>>
>> This training is for RSA Badge types: “Full Conference, Explorer Expo,
>> Explorer Expo Plus, Exhibitor, Press, Speaker”.
>>
>> The minimum someone would have to pay to attend this is $75 right now;
>> press and speakers get in for free.
>>
>> -      Jim
>>
>> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>> *Sent:* Saturday, January 04, 2014 5:04 PM
>> *To:* Eoin Keary
>> *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant Johar
>> (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
>> *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision that I
>> don't agree with
>>
>> My apologies for the delay in responding to this.  I've been on the road
>> all day today and will be slow to respond tomorrow as well.
>>
>> First off, let me admit that while my term hadn't officially begun yet, I
>> am one of the Board members who encouraged Jim and Eoin to move forward
>> with the training.  My rationale for this was simple; OWASP's mission is to
>> make software security visible, so that individuals and organizations
>> worldwide can make informed decisions about true software security risks.
>> The core of this statement being VISIBILITY.  We need to find and take
>> advantage of as many ways as possible to raise the visibility of security
>> risks.  Our mission says nothing about making political statements.  It
>> says nothing about ethical business practices.  Our mission can certainly
>> be amended to reflect other imperatives, if so desired by our membership,
>> but until that day we need to prevent mission scope creep.
>>
>> Now, since our mission is making software security visible, we simply
>> have to ask ourselves if we better serve this mission by:
>>
>> 1) Performing a free training at a major conference, thereby increasing
>> our exposure to people who haven't heard of OWASP before and enlightening
>> them to software security risks that they likely were not aware of before.
>>
>> 2) Taking a stance against a company where some evidence may imply that
>> they took a bribe to sacrifice security in one of their products.
>>
>> Let me be clear on #2.  I don't agree that what RSA did is right, if it
>> is true.  In fact, I have made the explicit decision to not do business
>> with RSA in my day job because there are many other options out there and
>> it's just not worth the risk.  But my passive decision to not purchase from
>> RSA is very different than OWASP reneging on our agreement and making a
>> public statement about their ethics.
>>
>> So, given these two options, my gut is that OWASP's mission will be best
>> served by #1.  It doesn't mean that we're supporting RSA.  It doesn't mean
>> that we agree with unethical business practices.  It just means that we are
>> doing the best we can to make application security visible.  If that means
>> piggy-backing on the massive marketing effort they put into the conference
>> or the infrastructure that supports it, I'm ok with that.  I understand
>> that others may object to this on ethical grounds, and that's fine, but as
>> a non-profit organization, we have a mandate to stay true to our mission,
>> not to speak out against whatever the latest security headline is.
>>
>> I do have one question about this training for clarification.  The
>> training is FREE for anyone who would like to attend and not just for RSA
>> attendees, correct?  My assumption is the former, but if the latter, this
>> changes things significantly in my opinion.
>>
>> ~josh
>>
>> On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> Good point.
>> Bottom line is we want people to build secure code. Delivering this
>> message under the same roof as RSA does not dilute the quality of the class
>> delivered.
>> There is no black and white, only shades of grey :)
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>   On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> > Another issue that is tangential.
>> >
>> > We are applying for several big money DHS grants. These help keep the
>> foundation running.
>> >
>> > Should we reject all of these grants because of the Snowden affair? If
>> we abort RSA but continue to take DHS money, then we send a mixed message.
>> >
>> > Aloha,
>> > Jim
>> >
>> >> I strongly support Sastry on this one.
>> >>
>> >> You might be participating as individuals, but people see you guys as
>> the OWASP Board, and that’s something that many of us don’t like to be the
>> image of OWASP.
>> >>
>> >> Thanks
>> >> -Abbas
>> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >>
>> >>> To be clear, there was no recorded vote on this but a debate.
>> >>>
>> >>> I started the debate after reading about Mikko. (Even though I was
>> delivering the training with Jim and it is my material).
>> >>>
>> >>> The majority of board of OWASP feels getting involved in politics is
>> wrong and wanted to push ahead with the training.
>> >>>
>> >>> So if feelings are strong, we need to vote on this ASAP as leaders of
>> OWASP? A formal board vote? Executive decision from Sarah, our executive
>> director?
>> >>>
>> >>>
>> >>>
>> >>> Eoin Keary
>> >>> Owasp Global Board
>> >>> +353 87 977 2988
>> >>>
>> >>>
>> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
>> wrote:
>> >>>
>> >>>> Friends,
>> >>>>
>> >>>> Please see the following full conversation on twitter:
>> >>>> https://twitter.com/EoinKeary/status/419111748424454145
>> >>>>
>> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>> to be present. Apparently, this was discussed at the OWASP board level; and
>> the board has decided to go ahead, keeping in mind the benefit to the
>> attending developers.
>> >>>>
>> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>> sure, I'm afraid) of being complicit with NSA in enabling fatal weakening
>> of crypto products. RSA has issued a sort of a denial that only deepens the
>> mistrust. As a protest, many leading speakers are cancelling their talks at
>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>> Jeffrey Carr and Josh Thomas.
>> >>>>
>> >>>> At such a time, I am saddened by the OWASP board decision to support
>> RSAC by their presence. At a time when they had the opportunity to let the
>> world know how much they care for the Information Security profession
>> (esp., against weakening crypto); and how much they care about the privacy
>> of people (against NSA's unabashed spying on Americans & non-Americans
>> alike), the board has copped out using a flimsy rationalization ("benefit
>> of (a few) developers", many of whom would rethink their attendance had
>> OWASP and more organizations not blinked!).
>> >>>>
>> >>>> I'm sure there was a heated debate. I'm sure all angles were
>> considered. However, this goes too deep for me to take it as "better men
>> than me have considered and decided". As a matter of my personal values, if
>> the situation doesn't change, I would no longer wish to continue as the
>> OWASP Chapter Lead. Please let me know if any of you would like to take
>> over from me.
>> >>>>
>> >>>> I will also share my feelings with fellow chapter members at our
>> next chapter meeting on Jan 21st. Needless to say, no matter how things go,
>> I remain committed to the principles of our open and open-source infosec
>> community.
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>>> ==Sas3==
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader