[Owasp-leaders] OWASP Access Management Policy

Justin Ferguson justin.ferguson at owasp.org
Fri Nov 11 02:31:02 UTC 2016


I don't actually have a problem with the paragraph that Larry pulled out;
there are very legit reasons that an ID might be necessary for meeting
attendance - though I don't believe it should ever be an OWASP-mandated
requirement, but if it's a venue requirement, well, it happens.   My issue
is with the first paragraph.  I would personally rather see a permissive
model, with a policy that says "anyone who posts offensive content on OWASP
social media groups will be immediately removed".  Requiring a photo for
your profile seems specifically onerous - there are people who may be
perfectly fine with showing up at an event in person, but don't want their
photo and name associated online, for any of a number of legitimate
reasons.

I apologize if I'm coming across as overly negative; I don't mean to.  I
just feel that OWASP should be as welcoming as possible to all members, and
I don't think policies like this are a great step in that direction.

JF

-- 
Justin Ferguson
OWASP-Kansas City
Chapter Leader

On Thu, Nov 10, 2016 at 7:47 PM Elizabeth Belousov <elizabeth.belousov at owasp.org> wrote:

Please join the discussion.


I'd like to underline that the clause picked by Larry contains "may", which means
"optional". The clause is based on ALREADY existing practice in NY/NJ and is
rather declarative, NOT prescriptive.

Anonymity is very valued among cyber sec indeed. However, we didn't enroll
in OWASP anonymously. Based on that fact alone I would not build an
argument around anonymity vs Access Management (oranges vs. apples). If you
allow anonymous user access to your online tool, this policy doesn't change
it.

This policy is not about mandating a state issued ID for attendance; it
asks members to provide truthful info about their identities.

People who attend OWASP face-to-face meetings do not cover their
identities; people who follow them through meetup and such do. Please see
the screenshot attached.

(A side note: it was a very obvious case; how many other synthetic
identities are shadowing OWASP folks?)

----------
Regards,

Liz Belousov
Volunteer | OWASP Foundation
NYC chapter



On Thu, Nov 10, 2016 at 7:04 PM, Justin Ferguson <justin.ferguson at owasp.org> wrote:

I'm inclined to agree with Larry for the most part.   In the security
world, anonymity tends to be valued, and asking members to register for all
meetings with positive identification would have chilling effects on
attendance at my chapter, at least.  Obviously, hosting an event at a
facility which requires a guest list is a different story, and that, IMO,
would be up to the potential member to make a decision between the value of
the meeting vs. their anonymity for a specific meeting.

Additionally, there are a number of "gotchas" with a policy like this -
vis-a-vis the problems that came up with Google's "Real Names" policy for
Google Plus, and the issues with people whose IDs might not match their
preferred identity (i.e. transgender members).   My inclination is that
this is something that would have the potential to turn away members, and
it would not be something I would want to implement at my chapter.

I understand social media can be a tough thing to manage, but it seems like
the optimal solution might be to either engage more trusted members for
monitoring of social media for inappropriateness, or (depending on the
social network in question) turn on some form of moderation.

Justin Ferguson
OWASP-Kansas City
Chapter Leader



On Thu, Nov 10, 2016 at 5:43 PM Larry Conklin <larry.conklin at owasp.org> wrote:

Elizabeth, I hope others pick up on this thread. I really think you are
going way outside of the boundaries of an open organization.

I worked in Seattle for 10 months and attended the .Net User group at their
Redmond campus. I did not have to provide any identification at all to
attend. There was no prescreening at all.

As a past president of the Tulsa .Net Users group, we held meetings in
several buildings. Never once did we prescreen or require identification.

I just recently attended a Google Tech Fest in DC hosted by Capital One in
Capital One's new office complex. I was never asked for any identification.

Larry

On Thu, Nov 10, 2016 at 3:12 PM, Elizabeth Belousov <elizabeth.belousov at owasp.org> wrote:

Larry,

Thanks for your comments.

"Open" does not mean "anonymous".

It is very common that a hosting organization has a security department
that prescreens all visitors.

Let's say you are hosting OWASP chapter meeting at Microsoft, you are
REQUIRED to provide security with the list of attendees: first and last
name.

Personally, I was asked for a photo ID at Goldman, BofA, MongoDB for
attending OWASP meetings. Did not violate my privacy and freedoms.


----------
Regards,

Liz Belousov
Volunteer | OWASP Foundation
NYC chapter


On Nov 10, 2016, at 14:54, Larry Conklin <larry.conklin at owasp.org> wrote:

I should have written "Doesn't sound like an open organization to me"

On Thu, Nov 10, 2016 at 2:52 PM, Larry Conklin <larry.conklin at owasp.org> wrote:

Elizabeth
Who came up with this rule?....and why is it necessary?...Does sound like
an open organization to me. Is this a world-wide rule?
*For on-site event attendance, OWASP members and non-members may be
asked to present their state-issued photo identification card (e.g.
passport, driver license).*

Larry

On Thu, Nov 10, 2016 at 10:16 AM, Elizabeth Belousov <elizabeth.belousov at owasp.org> wrote:

It was long overdue on my part. Last night at the NY chapter meeting the
topic was brought up for discussion, which spurred me to think of OWASP
Top 10 Compliance.

Below:

-- The background of the proposal

-- OWASP Access Management Policy
<https://drive.google.com/a/owasp.org/file/d/0B2w4JBsaD0LFTDYzSlk2WFNnelk/view?usp=sharing>
(also linked via Google drive)

*****************************

Dear OWASP leaders:

I'm writing you to solicit your feedback about the OWASP Access Management
Policy that I recommend for adoption.

Background. Earlier this year, there were several graphic violence/hatred
content incidents on the NY/NJ Meetup page. In order to monitor OWASP social
media pages for inappropriate profile images, I proposed adopting the OWASP
access management policy that would allow profile reconciliation based on
the truthful information provided by OWASP followers and members.

The access management policy would allow us to:

- Minimize or eliminate the presence of synthetic or anonymous OWASP
followers;
- Facilitate physical access according to security standards of the
hosting sites;
- Drive meeting attendance by collaborating with real people.

Looking forward to your feedback!

*****************************
Regards,

Liz Belousov
NYC chapter Volunteer | OWASP Foundation



*OWASP Access Management Policy*

OWASP members or non-members who would like to participate in
OWASP chapter activities (events, webinars, onsite and online forums [e.g.
by posting comments]) must use their real identities: first name, last
name, and an image that corresponds to that identity [a headshot image].

For on-site event attendance, OWASP members and non-members may be
asked to present their state-issued photo identification card (e.g.
passport, driver license).

OWASP local chapters reserve the right to exclude from event registration,
and consequently from onsite or online participation, those individuals who
do not comply with the OWASP Access Management requirement.

OWASP maintains the privacy of chapter members and meeting attendees
according to the Mandatory Chapter Rules (cited below).

["The privacy of chapter members and meeting attendees should be protected
at all times. You should not disclose names, email addresses, or other
identifying information about OWASP members or meeting attendees. Only
aggregate statistics can be referenced. Sponsors should not have access to
member lists; however, they may ask attendees to share contact information
voluntarily, for example via submitting business cards voluntarily for a
raffle."]


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders



