[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Antonio Fontes antonio.fontes at owasp.org
Mon Jan 6 10:24:14 UTC 2014


My 2 cents (added with all others, someone is getting rich by the minute)...

<meme>"What really grinds my gears is the amount of energy being
involved in this discussion instead of OWASP projects."</meme>


On one side, I see some members/leaders willing to speak at RSAC under
the brand of OWASP. I will probably piss off some readers by saying this but
I don't believe in the ethics/neutrality/mission-driven argument that is
being used. The training at RSAC is, from my personal point of view, a
commercial action driven and supported by commercially interested
parties, that happens to offer a very good visibility to OWASP
alongside. Point. Until this point is openly and honestly expressed,
I am quite certain that the entire debate on this training at RSAC
cannot happen as it is evolving around the wrong questions.

On the other side, I see other members/leaders questioning the potential
risk of a perception, by external people, that OWASP is endorsing RSA.
Or, said differently, that OWASP will miss an opportunity to show the
world it will not endorse unacceptable behavior. While this may seem
ethically correct or "neutral" to the most "principles-driven" leaders,
it is not at all. I believe it is actually even worse than delivering
the training for a simple but MAJOR reason: nothing has been proven and
I strongly believe it is not OWASP's call to apply any preemptive
judgment on this case.

We are basically receiving information from both Reuters and RSA (looks
to me that other media just quoted Reuters). Both parties are widely
known to be all but independent or transparent. We can have our own
personal opinions but those should stay aside from the debate about
whether or not OWASP should deliver a training at RSAC. I would just
highly recommend avoiding any form of financial support in whatsoever

Those who know me personally clearly know my position on RSA: I fully
boycott any of RSA's products and/or services and they know the exact
reasons behind my position. However, I believe neutrality is not about
having "no opinions": it is about having lots of opinions but not
letting personal views interfere with the course of democracy and justice.
If RSA acted illegally, I hope they will be heavily sanctioned for that.
If they willingly collaborated with the NSA as it is reported, and it is
not judged as an infringement of any nature, then it becomes the
responsibility of more than 300 million citizens who prefer spending
time on TV shows and new smartphones at the cost of living under such
unacceptable Laws, not RSA's. Being neutral means we don't judge but if
a judge says it's illegal, then it is.

In summary:
1) I fully disagree with how OWASP is functioning at the moment.
2) The number of leaders and the amount of energy that is being invested
in responding under this thread is a clear sign that OWASP has a bigger
problem pending than a simple RSAC training question. OWASP core ethics
and principles are being questioned, Leaders are considering/threatening
to leave the foundation and I believe this should have been a CORE FOCUS
at the Board level for more than a year.
3) I think OWASP should give the training at RSAC. See below for a
potential condition to this training...

From my understanding, Sastry Tumuluri is the one who initiated this
discussion so I will consciously stick to the content of his request.
Sastry asked for a "change" and for a debate, he did not formally ask
for the training to be cancelled (or maybe I missed another message).
The reaction that followed in whether or not the training should be
cancelled is clearly a sign of absence of moderation on the discussion:
there are many other options in-between.

Sastry: the training will probably allocate time to discuss cryptography
issues/risks and emit recommendations.

Would you feel your voice heard and respected if the trainers assured
you personally that they will:
1) allocate time to discuss the NSA/RSA case as an example of risks
surrounding the use of blackboxed cryptographic tools/frameworks
2) allocate time to raise the awareness of the audience on what
limitations they are being exposed to when they deal with cryptography,
in particular the notion of "understanding what is being trusted, and who"?

Kind regards,

antonio.fontes at owasp.org
Board Leader - OWASP Geneva
Board Member - OWASP Switzerland

