[Owasp-leaders] OWASP Access Management Policy

Larry Conklin larry.conklin at owasp.org
Fri Nov 11 16:18:45 UTC 2016


Bev,
We don't have membership cards. We might have had one a long time ago and
you may even have one. I don't and I have never seen one. But more to the
point OWASP doesn't require membership. We are an organization with around
45,000 volunteers that has less than 3000 actual members. I could be off
on these numbers. All membership gets you is the ability to vote for board
members.

Larry

On Fri, Nov 11, 2016 at 10:09 AM, Bev Corwin <bev.corwin at owasp.org> wrote:

> Hello everyone,
>
> It is common for our meetup hosts to require names that match gov't ID
> cards for meetup events. I do not see how that is a problem for an open
> organization. Open doesn't require anonymity. OWASP has membership cards
> and membership numbers. What if people registered with their member number
> instead of their name?
>
> Best wishes,
> Bev
>
>
> On Thu, Nov 10, 2016 at 11:15 PM, Elizabeth Belousov <
> elizabeth.belousov at owasp.org> wrote:
>
>> Respectfully disagree in principle on the first paragraph. But that's what
>> discussions are for.
>>
>> I wouldn't hold to the photo requirement. Having truthful identities is
>> more important.
>>
>> If you feel that you can round the rough edges and make the policy less
>> aggressive, please take a crack at it.
>>
>> I don't mind putting both versions up for a discussion or vote.
>>
>> Appreciate your participation.
>> ----------
>> Regards,
>>
>> *Liz Belousov*
>> Volunteer | OWASP Foundation
>> NYC chapter
>>
>>
>> On Nov 10, 2016, at 21:31, Justin Ferguson <justin.ferguson at owasp.org>
>> wrote:
>>
>> I don't actually have a problem with the paragraph that Larry pulled out;
>> there are very legit reasons that an ID might be necessary for meeting
>> attendance - though I don't believe it should ever be an OWASP-mandated
>> requirement, but if it's a venue requirement, well, it happens. My issue
>> is with the first paragraph.  I would personally rather see a permissive
>> model, with a policy that says "anyone who posts offensive content on OWASP
>> social media groups will be immediately removed".  Requiring a photo for
>> your profile seems specifically onerous - there are people who may be
>> perfectly fine with showing up at an event in person, but don't want their
>> photo and name associated online, for any of a number of legitimate
>> reasons.
>>
>> I apologize if I'm coming across as overly negative; I don't mean to.  I
>> just feel that OWASP should be as welcoming as possible to all members, and
>> I don't think policies like this are a great step in that direction.
>>
>> JF
>>
>> --
>> Justin Ferguson
>> OWASP-Kansas City
>> Chapter Leader
>>
>> On Thu, Nov 10, 2016 at 7:47 PM Elizabeth Belousov <
>> elizabeth.belousov at owasp.org> wrote:
>>
>> Please join the discussion.
>>
>>
>> I'd like to underline that the clause picked by Larry contains "may",
>> which means "optional". The clause is based on ALREADY existing practice in
>> NY/NJ and is rather declarative, NOT prescriptive.
>>
>> Anonymity is very valued among cyber sec indeed. However, we didn’t
>> enroll in OWASP anonymously. Based on that fact alone I would not build an
>> argument around anonymity vs Access Management (oranges vs. apples). If you
>> allow anonymous user access to your online tool, this policy doesn’t change
>> it.
>>
>> This policy is not about mandating a state issued ID for attendance; it
>> asks members to provide truthful info about their identities.
>>
>> People who attend OWASP face-to-face meetings do not cover their
>> identities; people who follow them through meetup and such do. Please see
>> the screenshot attached.
>>
>> (A side note: it was a very obvious case. How many other synthetic
>> identities are shadowing OWASP folks?)
>>
>> ----------
>> Regards,
>>
>> *Liz Belousov*
>> Volunteer | OWASP Foundation
>> NYC chapter
>>
>>
>>
>> On Thu, Nov 10, 2016 at 7:04 PM, Justin Ferguson <
>> justin.ferguson at owasp.org> wrote:
>>
>> I'm inclined to agree with Larry for the most part. In the security
>> world, anonymity tends to be valued, and asking members to register for all
>> meetings with positive identification would have chilling effects on
>> attendance at my chapter, at least.  Obviously, hosting an event at a
>> facility which requires a guest list is a different story, and that, IMO,
>> would be up to the potential member to make a decision between the value of
>> the meeting vs. their anonymity for a specific meeting.
>>
>> Additionally, there are a number of "gotchas" with a policy like this -
>> vis-a-vis the problems that came up with Google's "Real Names" policy for
>> Google Plus, and the issues with people whose IDs might not match their
>> preferred identity (i.e. transgender members). My inclination is that
>> this is something that would have the potential to turn away members, and
>> it would not be something I would want to implement at my chapter.
>>
>> I understand social media can be a tough thing to manage, but it seems
>> like the optimal solution might be to either engage more trusted members
>> for monitoring of social media for inappropriateness, or (depending on the
>> social network in question) turn on some form of moderation.
>>
>> Justin Ferguson
>> OWASP-Kansas City
>> Chapter Leader
>>
>>
>>
>> On Thu, Nov 10, 2016 at 5:43 PM Larry Conklin <larry.conklin at owasp.org>
>> wrote:
>>
>> Elizabeth, I hope others pick up on this thread. I really think you are
>> going way outside of the boundaries of open organization.
>>
>> I worked in Seattle for 10 months and attended the .Net User group at their
>> Redmond campus. I did not have to provide any identification at all to
>> attend. There was no pre-screening at all.
>>
>> As a past president of the Tulsa .Net Users group, we have held meetings in
>> several buildings. Never once did we prescreen or require identification.
>>
>> I just recently attended a Google Tech Fest in DC hosted by Capital One
>> in Capital One's new office complex. I was never asked for any
>> identification.
>>
>> Larry
>>
>> On Thu, Nov 10, 2016 at 3:12 PM, Elizabeth Belousov <
>> elizabeth.belousov at owasp.org> wrote:
>>
>> Larry,
>>
>> Thanks for your comments.
>>
>> "Open" does not mean "anonymous".
>>
>> It is very common that a hosting organization has a security department
>> that prescreens all visitors.
>>
>> Let's say you are hosting an OWASP chapter meeting at Microsoft; you are
>> REQUIRED to provide security with the list of attendees: first and last
>> name.
>>
>> Personally, I was asked for a photo ID at Goldman, BofA, MongoDB for
>> attending OWASP meetings. Did not violate my privacy and freedoms.
>>
>>
>> ----------
>> Regards,
>>
>> *Liz Belousov*
>> Volunteer | OWASP Foundation
>> NYC chapter
>>
>>
>> On Nov 10, 2016, at 14:54, Larry Conklin <larry.conklin at owasp.org> wrote:
>>
>> I should have written "Doesn't sound like an open organization to me"
>>
>> On Thu, Nov 10, 2016 at 2:52 PM, Larry Conklin <larry.conklin at owasp.org>
>> wrote:
>>
>> Elizabeth
>> Who came up with this rule?....and why is it necessary?...Does sound like
>> an open organization to me. Is this a world-wide rule?
>> *For the on-site events attendance, OWASP members and non-members may be
>> asked to present their state issued photo identification card (e.g.
>> passport, driver license).*
>>
>> Larry
>>
>> On Thu, Nov 10, 2016 at 10:16 AM, Elizabeth Belousov <
>> elizabeth.belousov at owasp.org> wrote:
>>
>> It was long overdue on my part. Last night at the NY chapter meeting the
>> topic was brought up for discussion, which spurred me to think of OWASP
>> Top 10 Compliance.
>>
>> Below:
>>
>> -- The background of the proposal
>>
>> -- OWASP Access Management Policy
>> <https://drive.google.com/a/owasp.org/file/d/0B2w4JBsaD0LFTDYzSlk2WFNnelk/view?usp=sharing>
>> (also linked via Google drive)
>>
>> *****************************
>>
>> Dear OWASP leaders:
>>
>> I’m writing you to solicit your feedback about the OWASP Access
>> Management Policy that I recommend for adoption.
>>
>> Background. Earlier this year, there were several graphic
>> violence/hatred content incidents on the NY/NJ Meetup page. In order to
>> monitor OWASP social media pages for inappropriate profile images, I
>> proposed adopting the OWASP access management policy that would allow
>> profile reconciliation based on the truthful information provided by OWASP
>> followers and members.
>>
>> The access management policy would allow us to:
>>
>> - Minimize or eliminate the presence of synthetic or anonymous OWASP
>> followers;
>>
>> - Facilitate physical access according to the security standards of the
>> hosting sites;
>>
>> - Drive meeting attendance by collaborating with real people.
>>
>> Looking forward to your feedback!
>>
>>
>> *****************************
>> Regards,
>>
>> *Liz Belousov*
>> NYC chapter Volunteer | OWASP Foundation
>>
>>
>>
>> *OWASP Access Management Policy*
>>
>> The OWASP members or non-members that would like to participate in the
>> OWASP chapter activities (events, webinars, onsite and online forums [e.g.
>> by posting comments]) must use their real identities: first name, last
>> name, and an image that corresponds to that identity [a headshot image].
>>
>> For the on-site events attendance, OWASP members and non-members may be
>> asked to present their state issued photo identification card (e.g.
>> passport, driver license).
>>
>> The OWASP local chapters reserve the right to exclude from event
>> registration and consequently the onsite or online participation those
>> individuals who do not comply with the OWASP Access Management requirement.
>>
>> OWASP maintains the privacy of chapter members and meeting attendees
>> according to the Mandatory Chapter Rules (cited below).
>>
>> [“The privacy of chapter members and meeting attendees should be
>> protected at all times. You should not disclose names, email addresses, or
>> other identifying information about OWASP members or meeting attendees.
>> Only aggregate statistics can be referenced. Sponsors should not have
>> access to member lists; however, they may ask attendees to share contact
>> information voluntarily, for example via submitting business cards
>> voluntarily for a raffle.”]
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders