[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

psiinon psiinon at gmail.com
Tue Jan 7 17:51:35 UTC 2014

_Very_ interesting results from the poll so far, and not what I expected
from the comments on this thread:

Got an OWASP email account and want to be included? Vote via

And if you're planning on voting then please do so asap - the board needs
to make a decision about this very soon and the more people who vote the
better they can understand how most people feel about this!


On Tue, Jan 7, 2014 at 12:14 PM, Azeddine Islam Mennouchi <
azeddine.mennouchi at owasp.org> wrote:

> After a long reading through your replies this is what I think
> We are consuming too much time and energy in a loop discussion all the
> replies from all of you guys goes to 3 to 4 points that Tobias has already
> resumed
> Since I joined this community 2 years ago I've never seen a thread with
> this amount of replies and it was a good discussion in the begining but now
> we are repeating the same sentences without taking a clear decision
> I think that the poll idea is the best option as far as I can see so we
> can have a -statisticlly- clear view of all the opinions
> Regards Islam,
> Le 7 janv. 2014 11:26, "psiinon" <psiinon at gmail.com> a écrit :
> OK, I've created an OWASP Polls page on the wiki:
>> https://www.owasp.org/index.php/Polls and added the first poll, about
>> the RSA training of course!
>> Sorry if you dont like the questions I chose, thats just the way it goes
>> ;)
>> As the page says: "OWASP Polls are a way of getting the 'pulse' of the
>> OWASP community - they should not be considered 'binding'."
>> Simon
>> On Mon, Jan 6, 2014 at 10:17 PM, Michael Coates <michael.coates at owasp.org
>> > wrote:
>>> All,
>>> First, I'm very happy to see a thoughtful conversation on this issue.
>>> Kudos to Eoin for raising for initial thoughts and also Sastry for kick
>>> starting the larger conversation. While this may be a step away from our
>>> normal efforts on projects and other materials, it's important to be able
>>> to discuss various viewpoints like this.
>>> This is certainly a complex issue. We have an accusation made within a
>>> news outlet based on leaked data. We have an organization denying the
>>> claim. We have numerous pieces of circumstantial data and also a series of
>>> unrelated and significant leaks that cause us to question much of what may
>>> be happening.
>>> *Here's the summary of my thoughts:*
>>> 1. OWASP shouldn't attempt to pass judgement on organizations - RSA or
>>> other - especially based solely on accusations.  We're not an investigative
>>> body, it's not in our mission or an area we should spend significant time.
>>> 2. We should provide free training at RSA or any other event that
>>> gathers developers and security professionals. This doesn't imply support
>>> of their actions and our goal is to spread security awareness anywhere we
>>> can. Let's go to the event and specifically talk about crypto and what you
>>> should and shouldn't do.
>>> 3. We should not co-market at this time. The claims are significant and
>>> we shouldn't publicly endorse RSA through co-marketing since this is an
>>> open issue and we don't know all the information at this time.
>>> 4. Since our training is part of the co-marketing agreement we may lose
>>> the opportunity to provide the training. I am ok with this risk.
>>> *The details*
>>> The larger question is where should OWASP focus our time and efforts.
>>> What battles do we fight, which are great causes but not something where we
>>> get involved, and which do we pass on. In nearly every situation it's an
>>> easy item to solve by looking at our mission statement. The purpose of a
>>> mission statement is not to state what's right and wrong or good and bad,
>>> but instead to specify what it is we do.
>>> *Make application security visible so that people and organizations can
>>> make informed decisions about application security risks*
>>> From our mission statement I believe there is a very strong argument
>>> that we should take advantage of any opportunity where security and
>>> developers have gathered to provide security training and awareness.
>>> *Is RSA guilty? Have they been charged? Are they ethically in the wrong?*The
>>> fact of the matter is, anything we say in response to these questions will
>>> be our opinions based on information (valid or not) that we've gathered. We
>>> can engage in significant debate and even vote on a result as to what we
>>> believe. However, this will simply enable us to be a jury with limited
>>> information.
>>> The reason I mention this is that RSA discussion, while it appears cut
>>> and dry, still has only partial information. Imagine a situation even more
>>> contentious with significant data points on both sides of the argument.
>>> These discussions may be security related, they may be interesting, but in
>>> the end our organization is not about investigations or trials.
>>> If we are to pass an ethical argument against RSA then we are also
>>> committing to similar ethical evaluations of other events where we present.
>>> That approach is not part of our mission and will undoubtedly result in
>>> even more situations that result in division and distraction from our
>>> primary goal.
>>> *Should we distance OWASP or stand with RSA and co-market?*
>>> We have previously arranged a co-marketing agreement with RSA (see Sarah
>>> Baso's details of this earlier in the thread). This includes commitments
>>> and benefits from both parties.
>>> While I do think we should take a neutral stance and present at RSA,
>>> given the current information and lack of resolution on the matter, I don't
>>> think we should actively endorse RSA until additional information is made
>>> public and the issue is laid to rest.
>>> Since the terms of the agreement include the ability for OWASP to host
>>> the free training, there is a risk that canceling our end of the contract
>>> we may lose the ability to present. This is a risk and I feel it's the
>>> right decision to make.
>>> *Where do we go from here?*
>>> The above is my opinion as a member of OWASP and a representative of the
>>> OWASP board. I'm happy we've had the opportunity for many in our community
>>> to voice their opinion and thoughts.
>>> Given the importance of this issue I think a board vote is appropriate.
>>> There is no single decider on these issues. As elected members from the
>>> community, armed with significant discussion and opinions from our
>>> community, we can move towards a vote. All vote results are public and I'll
>>> encourage other board members to articulate their thoughts for the
>>> community too.
>>> --
>>> Michael Coates
>>> Chair of OWASP Board
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140107/3d11c168/attachment.html>

More information about the OWASP-Leaders mailing list