[Owasp-leaders] [Owasp-community] OWASP Access Management Policy

Bil Corry bil.corry at owasp.org
Fri Nov 11 18:47:34 UTC 2016


Can we get a thread started on the Governance list that has the proposed
text and the background/context of why it's being proposed?

http://lists.owasp.org/pipermail/governance/


- Bil

On Fri, Nov 11, 2016 at 9:36 AM, Bev Corwin <bevcorwin at gmail.com> wrote:

> Hi Larry,
>
> Yes, I realize that this is true about OWASP membership, and points well
> taken. Paid members have membership cards that you can download from your
> membership account. You bring up an important point, and something that
> I've often wondered about: What are the benefits to being an OWASP paid
> member, with a membership number, and for voting purposes vs. being an
> unpaid member. There are, as you point out, many benefits for unpaid
> members. Are there any real benefits in being a paid OWASP member? In any
> case, it would be interesting to explore this idea of how an anonymous
> participant could appropriately participate without any registration,
> anonymously, or under alias, but realistically, most building security
> policies require photo IDs these days. Perhaps we should consider having
> "public" events that do not require ID, too? But as far as being an "open"
> organization, my sense of OWASP is that we are "open" because we do not
> exclude anyone from participation; however, in some cases, we would require
> their name and photo ID for participation. I do not see that as
> exclusionary. If that were the case, all OWASP events would likely need to
> have "public" open meetings in public places that do not require photo IDs.
>
> Best wishes,
> Bev
>
>
> On Fri, Nov 11, 2016 at 11:18 AM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
>> Bev,
>> We don't have membership cards. We might have had one a long time ago and
>> you may even have one. I don't and I have never seen one. But more to the
>> point OWASP doesn't require membership.  We are an organization with around
>> 45,000 volunteers and who has less than 3000 actual members. I could be off
>> on these numbers. All membership gets you is the ability to vote for board
>> members.
>>
>> Larry
>>
>> On Fri, Nov 11, 2016 at 10:09 AM, Bev Corwin <bev.corwin at owasp.org>
>> wrote:
>>
>>> Hello everyone,
>>>
>>> It is common for our meetup hosts to require names that match gov't ID
>>> cards for meetup events. I do not see how that is a problem for an open
>>> organization. Open doesn't require anonymity. OWASP has membership cards
>>> and membership numbers. What if people registered with their member number
>>> instead of their name?
>>>
>>> Best wishes,
>>> Bev
>>>
>>>
>>> On Thu, Nov 10, 2016 at 11:15 PM, Elizabeth Belousov <
>>> elizabeth.belousov at owasp.org> wrote:
>>>
>>>> Respectfully disagree in principle on the first paragraph. But that's
>>>> what discussions are for.
>>>>
>>>> I wouldn't hold to the photo requirement. Having truthful identities is
>>>> more important.
>>>>
>>>> If you feel that you can round the rough edges and make the policy less
>>>> aggressive, please take a crack at it.
>>>>
>>>> I don't mind putting both versions up for a discussion or vote.
>>>>
>>>> Appreciate your participation.
>>>> ----------
>>>> Regards,
>>>>
>>>> *Liz Belousov*
>>>> Volunteer | OWASP Foundation
>>>> NYC chapter
>>>>
>>>>
>>>> On Nov 10, 2016, at 21:31, Justin Ferguson <justin.ferguson at owasp.org>
>>>> wrote:
>>>>
>>>> I don't actually have a problem with the paragraph that Larry pulled
>>>> out; there are very legit reasons that an ID might be necessary for meeting
>>>> attendance - though I don't believe it should ever be an OWASP-mandated
>>>> requirement, but if it's a venue requirement, well, it happens. My issue
>>>> is with the first paragraph. I would personally rather see a permissive
>>>> model, with a policy that says "anyone who posts offensive content on OWASP
>>>> social media groups will be immediately removed".  Requiring a photo for
>>>> your profile seems specifically onerous - there are people who may be
>>>> perfectly fine with showing up at an event in person, but don't want their
>>>> photo and name associated online, for any of a number of legitimate
>>>> reasons.
>>>>
>>>> I apologize if I'm coming across as overly negative; I don't mean to.
>>>> I just feel that OWASP should be as welcoming as possible to all members,
>>>> and I don't think policies like this are a great step in that direction.
>>>>
>>>> JF
>>>>
>>>> --
>>>> Justin Ferguson
>>>> OWASP-Kansas City
>>>> Chapter Leader
>>>>
>>>> On Thu, Nov 10, 2016 at 7:47 PM Elizabeth Belousov <
>>>> elizabeth.belousov at owasp.org> wrote:
>>>>
>>>> Please join the discussion.
>>>>
>>>>
>>>> I'd like to underline that the clause picked by Larry contains "may",
>>>> which means "optional". The clause is based on ALREADY existing practice in
>>>> NY/NJ and is rather declarative, NOT prescriptive.
>>>>
>>>> Anonymity is very valued among cyber sec indeed. However, we didn’t
>>>> enroll in OWASP anonymously. Based on that fact alone I would not build an
>>>> argument around anonymity vs Access Management (oranges vs. apples). If you
>>>> allow anonymous user access to your online tool, this policy doesn’t change
>>>> it.
>>>>
>>>> This policy is not about mandating a state-issued ID for attendance; it
>>>> asks members to provide truthful info about their identities.
>>>>
>>>> People who attend OWASP face-to-face meetings do not cover their
>>>> identities; people who follow them through meetup and such do. Please see
>>>> the screenshot attached.
>>>>
>>>> (A side note: it was a very obvious case; how many other synthetic
>>>> identities are shadowing OWASP folks?)
>>>>
>>>> ----------
>>>> Regards,
>>>>
>>>> *Liz Belousov*
>>>> Volunteer | OWASP Foundation
>>>> NYC chapter
>>>>
>>>>
>>>>
>>>> On Thu, Nov 10, 2016 at 7:04 PM, Justin Ferguson <
>>>> justin.ferguson at owasp.org> wrote:
>>>>
>>>> I'm inclined to agree with Larry for the most part. In the security
>>>> world, anonymity tends to be valued, and asking members to register for all
>>>> meetings with positive identification would have chilling effects on
>>>> attendance at my chapter, at least.  Obviously, hosting an event at a
>>>> facility which requires a guest list is a different story, and that, IMO,
>>>> would be up to the potential member to make a decision between the value of
>>>> the meeting vs. their anonymity for a specific meeting.
>>>>
>>>> Additionally, there are a number of "gotchas" with a policy like this -
>>>> vis-a-vis the problems that came up with Google's "Real Names" policy for
>>>> Google Plus, and the issues with people whose IDs might not match their
>>>> preferred identity (i.e. transgender members). My inclination is that
>>>> this is something that would have the potential to turn away members, and
>>>> it would not be something I would want to implement at my chapter.
>>>>
>>>> I understand social media can be a tough thing to manage, but it seems
>>>> like the optimal solution might be to either engage more trusted members
>>>> for monitoring of social media for inappropriateness, or (depending on the
>>>> social network in question) turn on some form of moderation.
>>>>
>>>> Justin Ferguson
>>>> OWASP-Kansas City
>>>> Chapter Leader
>>>>
>>>>
>>>>
>>>> On Thu, Nov 10, 2016 at 5:43 PM Larry Conklin <larry.conklin at owasp.org>
>>>> wrote:
>>>>
>>>> Elizabeth, I hope others pick up on this thread. I really think you are
>>>> going way outside of the boundaries of open organization.
>>>>
>>>> I worked in Seattle for 10 months and attended .Net User group at their
>>>> Redmond campus. I did not have to provide any identification at all to
>>>> attend. There was no pre-screening at all.
>>>>
>>>> As a past president of Tulsa .Net Users group we have held meetings in
>>>> several buildings. Never once did we prescreen or require identification.
>>>>
>>>> I just recently attended a Google Tech Fest in DC hosted by Capital One
>>>> in Capital One's new office complex. I was never asked for any
>>>> identification.
>>>>
>>>> Larry
>>>>
>>>> On Thu, Nov 10, 2016 at 3:12 PM, Elizabeth Belousov <
>>>> elizabeth.belousov at owasp.org> wrote:
>>>>
>>>> Larry,
>>>>
>>>> Thanks for your comments.
>>>>
>>>> "Open" does not mean "anonymous".
>>>>
>>>> It is very common that a hosting organization has a security
>>>> department that prescreens all visitors.
>>>>
>>>> Let's say you are hosting an OWASP chapter meeting at Microsoft; you are
>>>> REQUIRED to provide security with the list of attendees: first and last
>>>> name.
>>>>
>>>> Personally, I was asked for a photo ID at Goldman, BofA, MongoDB for
>>>> attending OWASP meetings. Did not violate my privacy and freedoms.
>>>>
>>>>
>>>> ----------
>>>> Regards,
>>>>
>>>> *Liz Belousov*
>>>> Volunteer | OWASP Foundation
>>>> NYC chapter
>>>>
>>>>
>>>> On Nov 10, 2016, at 14:54, Larry Conklin <larry.conklin at owasp.org>
>>>> wrote:
>>>>
>>>> I should have written "Doesn't sound like an open organization to me"
>>>>
>>>> On Thu, Nov 10, 2016 at 2:52 PM, Larry Conklin <larry.conklin at owasp.org> wrote:
>>>>
>>>> Elizabeth
>>>> Who came up with this rule? ...and why is it necessary? ...Does sound
>>>> like an open organization to me. Is this a world-wide rule?
>>>> *For the on-site events attendance, OWASP members and non-members may
>>>> be asked to present their state-issued photo identification card (e.g.
>>>> passport, driver license).*
>>>>
>>>> Larry
>>>>
>>>> On Thu, Nov 10, 2016 at 10:16 AM, Elizabeth Belousov <
>>>> elizabeth.belousov at owasp.org> wrote:
>>>>
>>>> It was long overdue on my part. Last night at the NY chapter meeting the
>>>> topic was brought up for discussion, which spurred me to think of OWASP
>>>> Top 10 Compliance.
>>>>
>>>> Below:
>>>>
>>>> -- The background of the proposal
>>>>
>>>> -- OWASP Access Management Policy
>>>> <https://drive.google.com/a/owasp.org/file/d/0B2w4JBsaD0LFTDYzSlk2WFNnelk/view?usp=sharing>
>>>> (also linked via Google drive)
>>>>
>>>> *****************************
>>>>
>>>> Dear OWASP leaders:
>>>>
>>>>
>>>>
>>>> I’m writing you to solicit your feedback about the OWASP Access
>>>> Management Policy that I recommend for adoption.
>>>>
>>>>
>>>>
>>>> Background. Earlier this year, there were several graphic
>>>> violence/hatred content incidents on NY/NJ Meetup page. In order to monitor
>>>> OWASP social media pages for inappropriate profile images, I proposed
>>>> adopting the OWASP access management policy that would allow profile
>>>> reconciliation based on the truthful information provided by OWASP
>>>> followers and members.
>>>>
>>>>
>>>>
>>>> The access management policy would allow us to:
>>>>
>>>>
>>>>
>>>> - Minimize or eliminate the presence of synthetic or anonymous OWASP
>>>> followers;
>>>>
>>>> - Facilitate physical access according to security standards of the
>>>> hosting sites;
>>>>
>>>> - Drive meeting attendance by collaborating with real people.
>>>>
>>>>
>>>>
>>>> Looking forward to your feedback!
>>>>
>>>>
>>>> *****************************
>>>> Regards,
>>>>
>>>> *Liz Belousov*
>>>> NYC chapter Volunteer | OWASP Foundation
>>>>
>>>>
>>>>
>>>> *OWASP Access Management Policy*
>>>>
>>>>
>>>>
>>>> OWASP members or non-members who would like to participate in
>>>> OWASP chapter activities (events, webinars, onsite and online forums [e.g.
>>>> by posting comments]) must use their real identities: first name, last
>>>> name, and an image that corresponds to that identity [a headshot image].
>>>>
>>>>
>>>>
>>>> For on-site event attendance, OWASP members and non-members may be
>>>> asked to present their state-issued photo identification card (e.g.
>>>> passport, driver license).
>>>>
>>>>
>>>>
>>>> The OWASP local chapters reserve the right to exclude from event
>>>> registration, and consequently from onsite or online participation, those
>>>> individuals who do not comply with the OWASP Access Management requirement.
>>>>
>>>>
>>>>
>>>> OWASP maintains the privacy of chapter members and meeting attendees
>>>> according to the Mandatory Chapter Rules (cited below).
>>>>
>>>>
>>>>
>>>> [“The privacy of chapter members and meeting attendees should be
>>>> protected at all times. You should not disclose names, email addresses, or
>>>> other identifying information about OWASP members or meeting attendees.
>>>> Only aggregate statistics can be referenced. Sponsors should not have
>>>> access to member lists; however, they may ask attendees to share contact
>>>> information voluntarily, for example via submitting business cards
>>>> voluntarily for a raffle.”]
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>
>>
>
>
>