[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

psiinon psiinon at gmail.com
Tue Jan 7 10:24:27 UTC 2014

OK, I've created an OWASP Polls page on the wiki:
https://www.owasp.org/index.php/Polls and added the first poll, about the
RSA training of course!

Sorry if you dont like the questions I chose, thats just the way it goes ;)

As the page says: "OWASP Polls are a way of getting the 'pulse' of the
OWASP community - they should not be considered 'binding'."


On Mon, Jan 6, 2014 at 10:17 PM, Michael Coates <michael.coates at owasp.org>wrote:

> All,
> First, I'm very happy to see a thoughtful conversation on this issue.
> Kudos to Eoin for raising for initial thoughts and also Sastry for kick
> starting the larger conversation. While this may be a step away from our
> normal efforts on projects and other materials, it's important to be able
> to discuss various viewpoints like this.
> This is certainly a complex issue. We have an accusation made within a
> news outlet based on leaked data. We have an organization denying the
> claim. We have numerous pieces of circumstantial data and also a series of
> unrelated and significant leaks that cause us to question much of what may
> be happening.
> *Here's the summary of my thoughts:*
> 1. OWASP shouldn't attempt to pass judgement on organizations - RSA or
> other - especially based solely on accusations.  We're not an investigative
> body, it's not in our mission or an area we should spend significant time.
> 2. We should provide free training at RSA or any other event that gathers
> developers and security professionals. This doesn't imply support of their
> actions and our goal is to spread security awareness anywhere we can. Let's
> go to the event and specifically talk about crypto and what you should and
> shouldn't do.
> 3. We should not co-market at this time. The claims are significant and we
> shouldn't publicly endorse RSA through co-marketing since this is an open
> issue and we don't know all the information at this time.
> 4. Since our training is part of the co-marketing agreement we may lose
> the opportunity to provide the training. I am ok with this risk.
> *The details*
> The larger question is where should OWASP focus our time and efforts. What
> battles do we fight, which are great causes but not something where we get
> involved, and which do we pass on. In nearly every situation it's an easy
> item to solve by looking at our mission statement. The purpose of a mission
> statement is not to state what's right and wrong or good and bad, but
> instead to specify what it is we do.
> *Make application security visible so that people and organizations can
> make informed decisions about application security risks*
> From our mission statement I believe there is a very strong argument that
> we should take advantage of any opportunity where security and developers
> have gathered to provide security training and awareness.
> *Is RSA guilty? Have they been charged? Are they ethically in the wrong?*The
> fact of the matter is, anything we say in response to these questions will
> be our opinions based on information (valid or not) that we've gathered. We
> can engage in significant debate and even vote on a result as to what we
> believe. However, this will simply enable us to be a jury with limited
> information.
> The reason I mention this is that RSA discussion, while it appears cut and
> dry, still has only partial information. Imagine a situation even more
> contentious with significant data points on both sides of the argument.
> These discussions may be security related, they may be interesting, but in
> the end our organization is not about investigations or trials.
> If we are to pass an ethical argument against RSA then we are also
> committing to similar ethical evaluations of other events where we present.
> That approach is not part of our mission and will undoubtedly result in
> even more situations that result in division and distraction from our
> primary goal.
> *Should we distance OWASP or stand with RSA and co-market?*
> We have previously arranged a co-marketing agreement with RSA (see Sarah
> Baso's details of this earlier in the thread). This includes commitments
> and benefits from both parties.
> While I do think we should take a neutral stance and present at RSA, given
> the current information and lack of resolution on the matter, I don't think
> we should actively endorse RSA until additional information is made public
> and the issue is laid to rest.
> Since the terms of the agreement include the ability for OWASP to host the
> free training, there is a risk that canceling our end of the contract we
> may lose the ability to present. This is a risk and I feel it's the right
> decision to make.
> *Where do we go from here?*
> The above is my opinion as a member of OWASP and a representative of the
> OWASP board. I'm happy we've had the opportunity for many in our community
> to voice their opinion and thoughts.
> Given the importance of this issue I think a board vote is appropriate.
> There is no single decider on these issues. As elected members from the
> community, armed with significant discussion and opinions from our
> community, we can move towards a vote. All vote results are public and I'll
> encourage other board members to articulate their thoughts for the
> community too.
> --
> Michael Coates
> Chair of OWASP Board
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140107/6564f211/attachment.html>

More information about the OWASP-Leaders mailing list