[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Azeddine Islam Mennouchi azeddine.mennouchi at owasp.org
Tue Jan 7 12:14:48 UTC 2014

After a long reading through your replies, this is what I think.
We are consuming too much time and energy in a loop discussion; all the
replies from all of you guys go to 3 to 4 points that Tobias has already
Since I joined this community 2 years ago I've never seen a thread with
this amount of replies, and it was a good discussion in the beginning, but now
we are repeating the same sentences without taking a clear decision.
I think that the poll idea is the best option as far as I can see, so we can
have a -statistically- clear view of all the opinions.

Regards, Islam
On 7 Jan 2014 11:26, "psiinon" <psiinon at gmail.com> wrote:

> OK, I've created an OWASP Polls page on the wiki:
> https://www.owasp.org/index.php/Polls and added the first poll, about the
> RSA training of course!
> Sorry if you don't like the questions I chose, that's just the way it goes ;)
> As the page says: "OWASP Polls are a way of getting the 'pulse' of the
> OWASP community - they should not be considered 'binding'."
> Simon
> On Mon, Jan 6, 2014 at 10:17 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> All,
>> First, I'm very happy to see a thoughtful conversation on this issue.
>> Kudos to Eoin for raising the initial thoughts and also Sastry for kick
>> starting the larger conversation. While this may be a step away from our
>> normal efforts on projects and other materials, it's important to be able
>> to discuss various viewpoints like this.
>> This is certainly a complex issue. We have an accusation made within a
>> news outlet based on leaked data. We have an organization denying the
>> claim. We have numerous pieces of circumstantial data and also a series of
>> unrelated and significant leaks that cause us to question much of what may
>> be happening.
>> *Here's the summary of my thoughts:*
>> 1. OWASP shouldn't attempt to pass judgement on organizations - RSA or
>> other - especially based solely on accusations.  We're not an investigative
>> body, it's not in our mission or an area we should spend significant time.
>> 2. We should provide free training at RSA or any other event that gathers
>> developers and security professionals. This doesn't imply support of their
>> actions and our goal is to spread security awareness anywhere we can. Let's
>> go to the event and specifically talk about crypto and what you should and
>> shouldn't do.
>> 3. We should not co-market at this time. The claims are significant and
>> we shouldn't publicly endorse RSA through co-marketing since this is an
>> open issue and we don't know all the information at this time.
>> 4. Since our training is part of the co-marketing agreement we may lose
>> the opportunity to provide the training. I am ok with this risk.
>> *The details*
>> The larger question is where should OWASP focus our time and efforts.
>> What battles do we fight, which are great causes but not something where we
>> get involved, and which do we pass on. In nearly every situation it's an
>> easy item to solve by looking at our mission statement. The purpose of a
>> mission statement is not to state what's right and wrong or good and bad,
>> but instead to specify what it is we do.
>> *Make application security visible so that people and organizations can
>> make informed decisions about application security risks*
>> From our mission statement I believe there is a very strong argument that
>> we should take advantage of any opportunity where security and developers
>> have gathered to provide security training and awareness.
>> *Is RSA guilty? Have they been charged? Are they ethically in the wrong?*
>> The fact of the matter is, anything we say in response to these questions will
>> be our opinions based on information (valid or not) that we've gathered. We
>> can engage in significant debate and even vote on a result as to what we
>> believe. However, this will simply enable us to be a jury with limited
>> information.
>> The reason I mention this is that RSA discussion, while it appears cut
>> and dry, still has only partial information. Imagine a situation even more
>> contentious with significant data points on both sides of the argument.
>> These discussions may be security related, they may be interesting, but in
>> the end our organization is not about investigations or trials.
>> If we are to pass an ethical argument against RSA then we are also
>> committing to similar ethical evaluations of other events where we present.
>> That approach is not part of our mission and will undoubtedly result in
>> even more situations that result in division and distraction from our
>> primary goal.
>> *Should we distance OWASP or stand with RSA and co-market?*
>> We have previously arranged a co-marketing agreement with RSA (see Sarah
>> Baso's details of this earlier in the thread). This includes commitments
>> and benefits from both parties.
>> While I do think we should take a neutral stance and present at RSA,
>> given the current information and lack of resolution on the matter, I don't
>> think we should actively endorse RSA until additional information is made
>> public and the issue is laid to rest.
>> Since the terms of the agreement include the ability for OWASP to host
>> the free training, there is a risk that by canceling our end of the contract
>> we may lose the ability to present. This is a risk, and I feel it's the
>> right decision to make.
>> *Where do we go from here?*
>> The above is my opinion as a member of OWASP and a representative of the
>> OWASP board. I'm happy we've had the opportunity for many in our community
>> to voice their opinion and thoughts.
>> Given the importance of this issue I think a board vote is appropriate.
>> There is no single decider on these issues. As elected members from the
>> community, armed with significant discussion and opinions from our
>> community, we can move towards a vote. All vote results are public and I'll
>> encourage other board members to articulate their thoughts for the
>> community too.
>> --
>> Michael Coates
>> Chair of OWASP Board
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader