[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Michael Coates michael.coates at owasp.org
Mon Jan 6 22:17:50 UTC 2014


First, I'm very happy to see a thoughtful conversation on this issue. Kudos
to Eoin for raising for initial thoughts and also Sastry for kick starting
the larger conversation. While this may be a step away from our normal
efforts on projects and other materials, it's important to be able to
discuss various viewpoints like this.

This is certainly a complex issue. We have an accusation made within a news
outlet based on leaked data. We have an organization denying the claim. We
have numerous pieces of circumstantial data and also a series of unrelated
and significant leaks that cause us to question much of what may be

*Here's the summary of my thoughts:*
1. OWASP shouldn't attempt to pass judgement on organizations - RSA or
other - especially based solely on accusations.  We're not an investigative
body, it's not in our mission or an area we should spend significant time.
2. We should provide free training at RSA or any other event that gathers
developers and security professionals. This doesn't imply support of their
actions and our goal is to spread security awareness anywhere we can. Let's
go to the event and specifically talk about crypto and what you should and
shouldn't do.
3. We should not co-market at this time. The claims are significant and we
shouldn't publicly endorse RSA through co-marketing since this is an open
issue and we don't know all the information at this time.
4. Since our training is part of the co-marketing agreement we may lose the
opportunity to provide the training. I am ok with this risk.

*The details*
The larger question is where should OWASP focus our time and efforts. What
battles do we fight, which are great causes but not something where we get
involved, and which do we pass on. In nearly every situation it's an easy
item to solve by looking at our mission statement. The purpose of a mission
statement is not to state what's right and wrong or good and bad, but
instead to specify what it is we do.

*Make application security visible so that people and organizations can
make informed decisions about application security risks*
>From our mission statement I believe there is a very strong argument that
we should take advantage of any opportunity where security and developers
have gathered to provide security training and awareness.

*Is RSA guilty? Have they been charged? Are they ethically in the wrong?*The
fact of the matter is, anything we say in response to these questions will
be our opinions based on information (valid or not) that we've gathered. We
can engage in significant debate and even vote on a result as to what we
believe. However, this will simply enable us to be a jury with limited

The reason I mention this is that RSA discussion, while it appears cut and
dry, still has only partial information. Imagine a situation even more
contentious with significant data points on both sides of the argument.
These discussions may be security related, they may be interesting, but in
the end our organization is not about investigations or trials.

If we are to pass an ethical argument against RSA then we are also
committing to similar ethical evaluations of other events where we present.
That approach is not part of our mission and will undoubtedly result in
even more situations that result in division and distraction from our
primary goal.

*Should we distance OWASP or stand with RSA and co-market?*
We have previously arranged a co-marketing agreement with RSA (see Sarah
Baso's details of this earlier in the thread). This includes commitments
and benefits from both parties.

While I do think we should take a neutral stance and present at RSA, given
the current information and lack of resolution on the matter, I don't think
we should actively endorse RSA until additional information is made public
and the issue is laid to rest.

Since the terms of the agreement include the ability for OWASP to host the
free training, there is a risk that canceling our end of the contract we
may lose the ability to present. This is a risk and I feel it's the right
decision to make.

*Where do we go from here?*
The above is my opinion as a member of OWASP and a representative of the
OWASP board. I'm happy we've had the opportunity for many in our community
to voice their opinion and thoughts.

Given the importance of this issue I think a board vote is appropriate.
There is no single decider on these issues. As elected members from the
community, armed with significant discussion and opinions from our
community, we can move towards a vote. All vote results are public and I'll
encourage other board members to articulate their thoughts for the
community too.

Michael Coates
Chair of OWASP Board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140106/2b9765d4/attachment.html>

More information about the OWASP-Leaders mailing list