[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Dinis Cruz dinis.cruz at owasp.org
Tue Jan 7 18:24:59 UTC 2014

This is really, really cool

I really like the level of transparency that we have with:

* results analysis in
* individual results<https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmN7t2D5ENBddFhrNGw2d29wdDhJeUo2VWR5OEtINkE#gid=0>

So ...  it looks like there is some consensus on the need to have a public
statement on this issue :)


On 7 January 2014 17:51, psiinon <psiinon at gmail.com> wrote:

> _Very_ interesting results from the poll so far, and not what I expected
> from the comments on this thread:
> https://docs.google.com/a/owasp.org/forms/d/1CB2J1uo6ggVHjMRPrpaHw4goy3NX0Z5NH82w1poW3wk/viewanalytics
> Got an OWASP email account and want to be included? Vote via
> https://www.owasp.org/index.php/Polls
> And if you're planning on voting then please do so asap - the board needs
> to make a decision about this very soon and the more people who vote the
> better they can understand how most people feel about this!
> Simon
> On Tue, Jan 7, 2014 at 12:14 PM, Azeddine Islam Mennouchi <
> azeddine.mennouchi at owasp.org> wrote:
>> After a long reading through your replies this is what I think
>> We are consuming too much time and energy in a loop discussion all the
>> replies from all of you guys goes to 3 to 4 points that Tobias has already
>> resumed
>> Since I joined this community 2 years ago I've never seen a thread with
>> this amount of replies and it was a good discussion in the begining but now
>> we are repeating the same sentences without taking a clear decision
>> I think that the poll idea is the best option as far as I can see so we
>> can have a -statisticlly- clear view of all the opinions
>> Regards Islam,
>> Le 7 janv. 2014 11:26, "psiinon" <psiinon at gmail.com> a écrit :
>> OK, I've created an OWASP Polls page on the wiki:
>>> https://www.owasp.org/index.php/Polls and added the first poll, about
>>> the RSA training of course!
>>> Sorry if you dont like the questions I chose, thats just the way it goes
>>> ;)
>>> As the page says: "OWASP Polls are a way of getting the 'pulse' of the
>>> OWASP community - they should not be considered 'binding'."
>>> Simon
>>> On Mon, Jan 6, 2014 at 10:17 PM, Michael Coates <
>>> michael.coates at owasp.org> wrote:
>>>> All,
>>>> First, I'm very happy to see a thoughtful conversation on this issue.
>>>> Kudos to Eoin for raising for initial thoughts and also Sastry for kick
>>>> starting the larger conversation. While this may be a step away from our
>>>> normal efforts on projects and other materials, it's important to be able
>>>> to discuss various viewpoints like this.
>>>> This is certainly a complex issue. We have an accusation made within a
>>>> news outlet based on leaked data. We have an organization denying the
>>>> claim. We have numerous pieces of circumstantial data and also a series of
>>>> unrelated and significant leaks that cause us to question much of what may
>>>> be happening.
>>>> *Here's the summary of my thoughts:*
>>>> 1. OWASP shouldn't attempt to pass judgement on organizations - RSA or
>>>> other - especially based solely on accusations.  We're not an investigative
>>>> body, it's not in our mission or an area we should spend significant time.
>>>> 2. We should provide free training at RSA or any other event that
>>>> gathers developers and security professionals. This doesn't imply support
>>>> of their actions and our goal is to spread security awareness anywhere we
>>>> can. Let's go to the event and specifically talk about crypto and what you
>>>> should and shouldn't do.
>>>> 3. We should not co-market at this time. The claims are significant and
>>>> we shouldn't publicly endorse RSA through co-marketing since this is an
>>>> open issue and we don't know all the information at this time.
>>>> 4. Since our training is part of the co-marketing agreement we may lose
>>>> the opportunity to provide the training. I am ok with this risk.
>>>> *The details*
>>>> The larger question is where should OWASP focus our time and efforts.
>>>> What battles do we fight, which are great causes but not something where we
>>>> get involved, and which do we pass on. In nearly every situation it's an
>>>> easy item to solve by looking at our mission statement. The purpose of a
>>>> mission statement is not to state what's right and wrong or good and bad,
>>>> but instead to specify what it is we do.
>>>> *Make application security visible so that people and organizations can
>>>> make informed decisions about application security risks*
>>>> From our mission statement I believe there is a very strong argument
>>>> that we should take advantage of any opportunity where security and
>>>> developers have gathered to provide security training and awareness.
>>>> *Is RSA guilty? Have they been charged? Are they ethically in the
>>>> wrong?*The fact of the matter is, anything we say in response to these
>>>> questions will be our opinions based on information (valid or not) that
>>>> we've gathered. We can engage in significant debate and even vote on a
>>>> result as to what we believe. However, this will simply enable us to be a
>>>> jury with limited information.
>>>> The reason I mention this is that RSA discussion, while it appears cut
>>>> and dry, still has only partial information. Imagine a situation even more
>>>> contentious with significant data points on both sides of the argument.
>>>> These discussions may be security related, they may be interesting, but in
>>>> the end our organization is not about investigations or trials.
>>>> If we are to pass an ethical argument against RSA then we are also
>>>> committing to similar ethical evaluations of other events where we present.
>>>> That approach is not part of our mission and will undoubtedly result in
>>>> even more situations that result in division and distraction from our
>>>> primary goal.
>>>> *Should we distance OWASP or stand with RSA and co-market?*
>>>> We have previously arranged a co-marketing agreement with RSA (see
>>>> Sarah Baso's details of this earlier in the thread). This includes
>>>> commitments and benefits from both parties.
>>>> While I do think we should take a neutral stance and present at RSA,
>>>> given the current information and lack of resolution on the matter, I don't
>>>> think we should actively endorse RSA until additional information is made
>>>> public and the issue is laid to rest.
>>>> Since the terms of the agreement include the ability for OWASP to host
>>>> the free training, there is a risk that canceling our end of the contract
>>>> we may lose the ability to present. This is a risk and I feel it's the
>>>> right decision to make.
>>>> *Where do we go from here?*
>>>> The above is my opinion as a member of OWASP and a representative of
>>>> the OWASP board. I'm happy we've had the opportunity for many in our
>>>> community to voice their opinion and thoughts.
>>>> Given the importance of this issue I think a board vote is appropriate.
>>>> There is no single decider on these issues. As elected members from the
>>>> community, armed with significant discussion and opinions from our
>>>> community, we can move towards a vote. All vote results are public and I'll
>>>> encourage other board members to articulate their thoughts for the
>>>> community too.
>>>> --
>>>> Michael Coates
>>>> Chair of OWASP Board
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140107/72fee658/attachment-0001.html>

More information about the OWASP-Leaders mailing list