[Owasp-leaders] OWASP Board decision that I don't agree with

Dinis Cruz dinis.cruz at owasp.org
Mon Jan 6 09:54:27 UTC 2014


Exactly, and if we go down that road, we would end up banning OWASP from
OWASP :)
On 6 Jan 2014 03:02, "Wong Onn Chee" <ocwong at usa.net> wrote:

>  Hi Tobias,
>
> My vote is as follows:
>
> 1. "Should OWASP give a developer training at the RSA conference?"
>
> Choice: Yes
>
> 2. Should OWASP make a public statement to the effect that
> subverting/weakening crypto is a bad idea.
>
> Choice: Yes
>
> Disclosure: I am the OWASP Singapore chapter lead and Singapore is
> complicit with NSA as part of their global surveillance network, something
> I am not so proud of.
>
> After reading the valid comments by fellow leaders, let me share my $0.02
> on this topic.
>
> The disclosed abuses by NSA perhaps arise from the kneejerk reactions to
> the unfortunate 9/11 incidents.
> Overly broad powers were given to certain bodies without proper oversight
> or governance, all in the name of national security.
> Now, with 20/20 hindsight, the downside of all these kneejerk reactions
> is unravelling in front of our eyes.
>
> Similarly, if we start OWASP down this slippery slope of empowering OWASP
> to blacklist support for a particular entity (similar to the 9/11 kneejerk
> reactions), will such powers be open to abuse?
> Why stop at RSA? How about Google, Microsoft and Yahoo? How about Siemens
> (stuxnet)? How about Huawei?
> How about countries deemed to be the top sources of webapp attacks?
> Should we ban chapters in those countries and withdraw any official
> engagement with these countries?
> Where do we stop?
>
> One can say that we can adopt an open "democratic" process to avoid abuses.
> But all of us have seen abuses through lobbying by special interest groups
> at international level, such as ISO (Remember the OOXML fast track
> episode?), UN (Security Council where excessive powers are placed in a
> minority group) etc.
>
> My view is that OWASP should not start something that may lead to possible
> future abuses.
> Blacklisting support for entities subjectively goes against the OPEN
> principle (the first word of OWASP) upon which OWASP was founded.
>
> Nevertheless, I am for making official statements/stands that OWASP is
> against anything that weakens software security.
> But instead of slamming the doors on the "guilty" parties, why not embrace
> them and encourage them to be more open and be more secure?
> This brings us closer to the founding principles of OWASP.
>
> Thank you for spending time to read my ranting above.
> Cheers and have a safe 2014! :-)
>
>
> Best Regards
> Onn Chee
>
> "I say all security vulnerabilities are software-based. Prove me wrong if you dare"
>
> On 06/01/2014 07:38, Tobias wrote:
>
> Hi Gustavo,
>
> following the conversation here, I have seen so far the following
> proposals from community members:
>
> a) offer the training at the RSA conference unchanged under the brand of
> OWASP
> b) offer the training at the RSA conference unchanged under the brand of
> OWASP and OWASP makes a public statement that OWASP thinks weakening crypto
> is a bad idea. (personal note: btw. RSA should have no problem with that as
> they officially deny any such activities...)
> c) give the training as individuals and not as OWASP (not sure whether
> that would at all be possible at this point)
> d) try to move to a different venue (not sure whether that would be
> possible or financially viable)
> e) cancel the training.
>
> Any more proposals? Anything I missed?
>
> As best would be to have as few options as possible and only realistic
> ones, we should check with Sarah whether c and d are realistic at all, as
> we could then reduce the choice to between a/b and e.
> Or in the form of two choices:
> 1. "Should OWASP give a developer training at the RSA conference?"  -
> Choice: Yes/No
> 2. Should OWASP make a public statement to the effect that
> subverting/weakening crypto is a bad idea. - Choice: Yes/No
>
> Thanks and all the best, Tobias
>
>
> Tobias Gondrom
> OWASP Global Board Member
>
>
>
> On 05/01/14 22:50, L. Gustavo C. Barbato wrote:
>
> Dinis,
>
>    That's what I am talking about. Perhaps my English is not good enough
> to be understood.
>
>     The question would be simple with only two possible answers, Yes or
> No: "Should OWASP participate in RSA's conference?"
>
>  Thanks,
> Gustavo.
>
> On 05/01/2014, at 20:43, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>   I think a vote would be good, but the key is making sure the
> question(s) are neutral and balanced (i.e. the outcome of the vote is very
> dependent on how the question(s) are asked).
>
> And as I said many times before, the center of gravity for OWASP should be
> with its leaders (and community) and not with the board, so a vote is a
> good way to make sure the leaders' voice is heard (on a related topic I also
> think that votes should be 'on the record' and public). Note: if we are
> going to have a thread about voting, it's better to change the email thread
> subject.
> On 5 Jan 2014 22:36, "L. Gustavo C. Barbato" <lgbarbato at owasp.org> wrote:
>
>>  Have you ever heard of a plebiscite?
>>
>>  This discussion is one example: we have given power to board members to
>> take decisions on behalf of our community. So if they want to present, in
>> your belief, they can go ahead without this useless thread discussion.
>>
>>  However, I don't believe this is useless, but a very strategic decision
>> with several points of view already presented here.
>>
>>  That's why I am advocating that we vote as a plebiscite process where
>> board members have the same power as everybody else here.
>>
>>  Gustavo.
>>
>> On 05/01/2014, at 15:59, Konstantinos Papapanagiotou <
>> konstantinos at owasp.org> wrote:
>>
>>  This kind of democracy might have worked in ancient Athens (with pros
>> and cons) but nowadays we have a BoD and a CEO for such decisions.
>>
>>  Kostas
>>
>>
>> On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>
>>>  If we keep discussing philosophy and high ideals, we will never reach a
>>> consensus in the time frame we need, so let's let democracy win the debate.
>>>
>>> On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>   A key differentiator when we did this free training at AppSecUSA in
>>> Austin and LASCON 2013 is that it was 100% free and open to all.  No
>>> conference pass was required to participate.  Since that is not the case
>>> here, and since the training is only open to RSA attendees, then I think
>>> this demonstrates a much closer tie between OWASP and RSA than I would like
>>> to see.  I like the idea of approaching BSides SF and seeing if maybe they
>>> would be interested in hosting this training for free for the community at
>>> large.  If we can do that, then I think it's the true win here as we get the
>>> visibility to satisfy our mission and we remove the negative stigma of
>>> being associated with RSA.
>>>
>>> I would disagree, however, that visibility is only a means to an end.
>>> Since it's in our mission statement, all of our activities and
>>> prioritizations are required, by law, to follow that.  And if we ever reach
>>> the point where everyone, everywhere, knows about application security,
>>> then we can close up shop and move on.  There is no compromising the end
>>> goal here because, per the mission statement, visibility is the end goal.
>>> I'm sorry if that compromises your principles Sastry but it's the truth
>>> about OWASP as a non-profit.
>>>
>>> ~josh
>>> On Jan 5, 2014 12:32 AM, "Sastry Tumuluri" <sastry.tumuluri at owasp.org>
>>> wrote:
>>>
>>> 1. The immediate focus on RSAC:
>>> No matter how we rationalize, the fact is that we (OWASP) have
>>> options. This, at worst, is one missed opportunity. So let us not, in
>>> our relentless pursuit of VISIBILITY, compromise on principles.
>>>
>>> VISIBILITY is a means to an end (better security, more secure software
>>> -- which in itself is likely a never-ending activity). Let us not
>>> compromise on the end-goal while chasing the means.
>>>
>>> Short term gains (of reaching some developers) will easily be lost if
>>> we take the low road. Even 300 more "aware" developers are for naught
>>> if, based on RSAC acceptance, just one more company feels that the
>>> risks of trucking with NSA/GCHQ and compromising underlying
>>> foundations are acceptable.
>>>
>>> Is it our job/charter to "convey such a message"? I believe so.
>>> Conversely, can we say "we merely advocate tech principles and
>>> educate... this is not for us"? If we want to be treated as a
>>> responsible member of the ecosystem, we can't duck like that.
>>>
>>> Related, but a slightly different perspective: Robert Graham's blog
>>> post on this:
>>> http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>
>>> 2. The tough world of principles, ethics, etc:
>>> Jim Manico raised a very pertinent point regarding sending mixed
>>> messages (=> recognition-of and consistency-in-applying our
>>> principles). It isn't easy.
>>>
>>> Funding goes to the very heart of neutrality and ethics. So it is not
>>> so tangential, after all. I know we shouldn't accept funds or even
>>> projects from NSA, GCHQ, etc. Whether DHS is to be painted by the same
>>> brush, I don't know (depends on internal structure, etc.). Let the
>>> more knowledgeable people decide on this.
>>>
>>> Chasing "quick results at any cost" and then splitting hairs on
>>> legality and rationalizations will not paint us black; but will surely
>>> park us firmly in the gray areas of ethics. Is that what we want?
>>>
>>> Cheers,
>>>
>>> ==Sas3==
>>>
>>> On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> > My apologies for the delay in responding to this.  I've been on the
>>> > road all day today and will be slow to respond tomorrow as well.
>>> >
>>> > First off, let me admit that while my term hadn't officially begun
>>> > yet, I am one of the Board members who encouraged Jim and Eoin to move
>>> > forward with the training.  My rationale for this was simple; OWASP's
>>> > mission is to make software security visible, so that individuals and
>>> > organizations worldwide can make informed decisions about true software
>>> > security risks.  The core of this statement being VISIBILITY.  We need
>>> > to find and take advantage of as many ways as possible to raise the
>>> > visibility of security risks.  Our mission says nothing about making
>>> > political statements.  It says nothing about ethical business
>>> > practices.  Our mission can certainly
>>>
>>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>