[Owasp-leaders] OWASP Election

Milton Smith milton.smith at owasp.org
Sat Oct 10 00:26:56 UTC 2015


I believe there is a "war on security" but let me explain.  Policy 
makers are beginning their security journey.  They think they understand 
security but they really don't and they are making mistakes 10-15 years 
ago like we all did.  As a result, trends or themes are developing 
across industry that don't serve our members' best interests:

1) Increasingly, security researchers are targeted and considered like 
"whistleblowers".  Example(s): TPP agreement, pen-testing cars or your 
home printer in the future could put you in jail, reporting vulns

2) Poor use of regulation to protect devices/services from security 
researchers.  Example(s): DRM, FCC, preventing OpenWRT/DD-WRT 

3) Security tools and vulnerabilities becoming controlled.  Example(s): 
Wassenaar Arrangement, export of multi-use software in jeopardy, HP 
sponsorship dropped/PWN2Own security conference cancelled

4) Purposeful weakening of security controls.  Example(s): Backdoors, 
cryptography restrictions

Much of this battle is waging on US soil but make no mistake decisions 
in the US impact all nations.  Decisions by policy makers have a real 
impact on what we do and our future.  I'm not recommending we become 
like EFF.com or that we should enter the privacy dog fight.  But I do 
feel it's time for OWASP to mature and become a trusted partner/advisor 
to industry and governments.  Otherwise, we must wait another 10-15 
years while policy makers make their mistakes and learn security like we 

I'm not suggesting action at the moment but I am suggesting we consider 
educating/advising in these broader areas in our discussions for growing 
OWASP moving forward.  I'm not sure what type of organization we need to 
be to do this but working security top down as well as bottom up will 
better serve everyone.

Milton Smith

On 9 Oct 2015, at 5:51, Andrew van der Stock wrote:

> As most of you know, I have been around OWASP since nearly the start. I was not in Mark's apartment like so many claim, but I have been around an awful long time. I say this not to blow my own horn, but to remind newer folks that we've been here before, and it sucked. BIG TIME.
>
> I don't know that many of you know why OWASP split into two factions back in the day when WASC was formed. Those scars from that split are just about all healed up now, but we and all those who left lost way more from the split than you can ever imagine. That split was over many reasons, but one of the many concerns was if we were to be independent and vendor neutral, or more about vendors using OWASP for commercial gains. WASC, and more recently SAFEcode, were/are the vendor version of OWASP. They have negligible mind share. We must learn from the past, and not repeat those mistakes.
>
> I personally believe that there is no, nada, zilch, reason to convert to a (c)6 as we are not a guild or the CPA.
>
> We have had excellent growth as a 501(c)3.
> We have low membership fees, and as a consequence, we by design don't offer a lot of immediate give backs or membership benefits
> We don't require membership to participate. That has served us really well.
> Some of our best leaders and best projects have come from outside
> We have excellent relations with organisations, charities, corporates and governments all over the world as an impartial setter of standards and an oracle of high quality knowledge
> We have excellent relations with vendors because we are not competing in any way with them
> I like the fact that we are not allowed to agitate for political parties or positions. It means that the deep divisions seen recently in Twitter in infosec peeps don't affect us
> I like the fact that we are not allowed to donate to political parties. We are a GLOBAL organisation, not a US organisation.
> I like the fact that we have to spend our funds on primarily our mission, which is outreach and getting outside the echo chamber. Membership fees allow us to conduct that outreach
> I like the fact that we have a vibrant chapter scene all over the world.
>
> Changing to 503(c)6 doesn't change this at all. We are ALREADY doing great things for our members
> We are not the local Rotary or Lions club. They do great work, but they aren't us.
> We are not the auto club, we do not come and fix your computers.
> We are not the CPA, we don't certify anyone. I don't think (c)3 stops us doing this if we start in the future
>
> Changing over will cost us thousands in legal fees, and open us up to all sorts of partisan crap that we've only just managed to heal in the last 5 years. I welcome all of the folks from WASC and SAFEcode as they have important contributions to make, and hope they will make them here at OWASP. There is more alike between us than any of our differences.
>
> I am not for this change, and as my term extends over the next year, I will be voting against this change if it ever comes to a vote.
>
> Let's stay impartial, let's build OWASP as a GLOBAL brand, renowned for our openness, transparency and independence, and let's think about where we really need to be instead of wasting members' funds on legal fees.
>
> thanks,
> Andrew
> On Fri, Oct 9, 2015 at 10:27 PM, Mike Goodwin <mike.goodwin at owasp.org>
> wrote:
>> I've spent quite a bit of time reading up on this stuff now, and my opinion is the same as Bev's - stay as 501(c)3 but consider a subsidiary body of another type.
>>
>> My reasons, partly taken from this as the source document <http://www.irs.gov/pub/irs-tege/eotopick03.pdf>:
>>
>> - 501(c)6 is about running on behalf of members' interests (page K-4 of the source document). When I look at the attendees of my chapter and think about the (intended) users of my project, many of them are not OWASP members. While membership would be good, I want to continue to serve them regardless of their membership status. 501(c)3 seems to be necessary for this
>> - 501(c)6 appears to specifically require members to have a business interest in common and excludes amateurs (pages K-9 and K-11). This would seem to exclude current members who are hobbyists.
>> - I am an admirer of Mozilla. Their structure, if I understand it properly, is a 501(c)3 parent (the Mozilla Foundation) <https://www.mozilla.org/en-US/foundation/about/> that has a wholly owned subsidiary (the Mozilla Corporation). In their case, the subsidiary is a taxable corporation that serves the mission of the parent - I'm not expert enough to know whether a 501(c)6 subsidiary would do the same job.
>>
>> On the last point, it seems to me that Mozilla have a lot of characteristics that I would like to see in OWASP:
>>
>> - Their main web site is slick and great
>> - Firefox is a jewel in the open source crown
>> - The MDN website is a superb resource
>> - They indirectly support OWASP ZAP by employing Simon - I have heard Simon say he would find it very difficult to maintain his current level of effort on ZAP without the support of Mozilla (@Simon - please correct me if I'm misrepresenting you)
>> - They achieve this with 10.5k (active) Mozillans compared to 42k (active?) members of OWASP. Presumably though, they have many more employees (of the wholly owned corporation?) than OWASP.
>>
>> Best regards,
>> Mike
>> On 8 October 2015 at 22:43, Bev Corwin <bev.corwin at owasp.org> wrote:
>>> Chiming in here..... Having read through this discussion, going to bite the bait and submit my 2 cents: I think that it is a mistake and a waste of time and resources to convert OWASP Foundation from a 501(c)3 to a 501(c)6. I'm not even sure if it would be allowable by IRS. I tend to think not, but I'm not an expert by any means. However, regardless, I do think that Tom brings other valuable leadership qualities to the table, commitment, and enthusiasm, therefore, I believe that he would make a good board member, but it is not a good plan to make a conversion, IMHO. I'd prefer to see the new board authorize a committee to create a separate OWASP Professional Association 501(c)6, an entirely new organization. Honestly, it will be easier than trying to convert the existing organization, and will also allow those who care more about the charitable nature of OWASP Foundation 501(c)3 to continue our good work. I would also support the creation of a new 501(c)6 OWASP Professional Association, and oppose this idea of converting any organization from one type to another, in large part, because most organizations typically fail at such efforts, and end up doing more damage than good, completely destroying the organization. If you can show me one successful conversion of a 501(c)3 to a 501(c)6 or vice versa, I will happily reconsider my position. I would greatly prefer to see Foundation 501(c)3 continue to operate as such, while continually improving in the charitable organization space, and appropriately and legally support the development of a new 501(c)6 OWASP Professional Association, external and independent, with separate boards, staff, etc. Thank you. Best wishes,
>>> Bev
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
