<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">I know. That was what I was referring
      to. <br>
      <br>
      However, that feature in SM is either bound through personalised
      invitation emails or ties the identity just to an IP address,
      which is neither a safe nor a good criterion to establish identity. <br>
      <br>
      Cheers, Tobias<br>
      <br>
      <br>
      On 15/01/14 16:00, Mark Miller wrote:<br>
    </div>
    <blockquote
cite="mid:CA+=41AS+VYtMBvtJxFuB20ypUeaT79d=XSZwb-9xN9Vn6Kr8Ww@mail.gmail.com"
      type="cite">
      <div dir="ltr">SurveyMonkey has a setting for "Can Only Vote
        Once". I'm using that on the survey I am currently running (<a
          moz-do-not-send="true"
href="http://trustedsoftwarealliance.com/2013/12/12/survey-developers-and-application-security-who-is-responsible/">shameless
          plug goes here</a>) and even had a complaint this morning that
        someone couldn't vote twice, so I know it's working :-)</div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jan 15, 2014 at 10:50 AM,
          Tobias <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Hi Mark, <br>
                <br>
                we have a full Surveymonkey account for OWASP as well. <br>
                So we could use it. <br>
                But with both, with Google Survey and Surveymonkey, the
                key challenge is how to avoid duplicates. <br>
                In Surveymonkey that only works if you send everyone a
                personalised invite, in Google you could use the owasp
                email address as identifier. Both have their problems.
                :-( <br>
                So if you have any ideas on how to solve the "avoid
                double votes"-problem with minimal effort for the voter,
                please let me know. <br>
                <br>
                Cheers, Tobias<br>
                <br>
                <br>
                Ps.: we should definitely look into if there are any
                problems keeping every member from having her/his owasp
                email address. <br>
                <div>
                  <div class="h5"> <br>
                    <br>
                    <br>
                    On 15/01/14 15:29, Mark Miller wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">I am using Survey Monkey for various
                      projects, so let me know if that will be a viable
                      option for future polls or surveys. -- Mark</div>
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On Wed, Jan 15, 2014 at
                        7:35 AM, psiinon <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:psiinon@gmail.com"
                            target="_blank">psiinon@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>
                                      <div>
                                        <div>
                                          <div>
                                            <div>
                                              <div>I've just closed the
                                                poll "Should OWASP give
                                                developer training at
                                                RSA?".<br>
                                              </div>
                                              It was somewhat overtaken
                                              by events, but I still
                                              think it was useful.<br>
                                              <br>
                                            </div>
                                            A couple of points to note:<br>
                                            <br>
                                          </div>
                                          The stats I've published on <a
                                            moz-do-not-send="true"
                                            href="https://www.owasp.org/index.php/Polls"
                                            target="_blank">https://www.owasp.org/index.php/Polls</a>
                                          are different to those on the
                                          Google Poll summary.<br>
                                        </div>
                                        This is because I've removed
                                        duplicate votes - unfortunately
                                        Google Polls don't prevent
                                        duplicate votes and the summary
                                        isn't updated if you remove the
                                        duplicates. Please let me know
                                        if I've made a mistake anywhere.
                                        FYI I just counted individuals'
                                        latest votes.<br>
                                        <br>
                                      </div>
                                      While I think the poll was useful
                                      it has shown up some significant
                                      disadvantages of using Google
                                      Polls for this sort of thing.<br>
                                    </div>
                                    We have to make the polls either
                                    open to everyone or restricted to
                                    those people with OWASP email
                                    accounts.<br>
                                    I didn't want to do the former as I
                                    thought it was important to find out
                                    what OWASP members thought, not the
                                    internet as a whole.<br>
                                  </div>
                                  What I didn't realize at the time was
                                  that OWASP email addresses are
                                  reserved for chapter/project leaders,
                                  which meant that most OWASP members
                                  were not able to vote :(<br>
                                </div>
                                Sorry about that.<br>
                                <br>
                              </div>
                              I'm going to let the other poll run its
                              course, but I'm not planning on starting
                              any new polls using Google Polls as I
                              think they don't give us what we need.<br>
                            </div>
                            <div>Hopefully we'll have a better solution
                              before too long that will allow us to
                              easily canvass the opinions of all OWASP
                              members - I think that's something that
                              will be very beneficial to the
                              organization.<br>
                              <br>
                              Simon<br>
                            </div>
                          </div>
                          <div class="gmail_extra"><br>
                            <br>
                            <div class="gmail_quote">On Thu, Jan 9, 2014
                              at 5:15 PM, Dirk Wetter <span dir="ltr"><<a
                                  moz-do-not-send="true"
                                  href="mailto:dirk@owasp.org"
                                  target="_blank">dirk@owasp.org</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">On
                                01/05/2014 12:47 PM, Rory McCune
                                wrote:<br>
                                > Hi all,<br>
                                ><br>
                                > Long thread is long.  I'd make a
                                couple of points on this.<br>
                                ><br>
                                > 1. I'm not sure I'd say that RSA
                                completely denies what's been said, to
                                me their statement was written very
                                "carefully", not to deny that the NSA
                                paid them $10 million to make
                                Dual_EC_DRBG the default RNG in BSAFE.
                                 All you need to have for RSA's statement
                                to be true and the allegations to be
                                true is that they didn't have the
                                "intention" of weakening their product
                                i.e. they did take the money they did
                                set the default algorithm but it wasn't
                                their intention to weaken their
                                security.<br>
                                ><br>
                                > If they had wanted to deny the
                                allegations they could just have said
                                "the NSA did not pay us $10 million to
                                make that the default RNG" would have
                                been clear and unambiguous, the fact
                                they didn't makes a reasonably strong
                                implication that they did.<br>
                                <br>
                                thx, for this point. One should
                                definitely read those statements very
                                carefully. There<br>
                                pops another example up in my head but
                                that's too far off to mention here.
                                Completely<br>
                                denying would also sound different to
                                me. The term INTENTION is not
                                appropriate the way<br>
                                it's being used at least.<br>
                                <br>
                                But also the response from RSA in
                                September 2013 is remarkable: "RSA
                                determined it appropriate<br>
                                to issue an advisory to all our RSA
                                BSAFE [..]  customers recommending they
                                choose one of<br>
                                the different cryptographic
                                Pseudo-Random Number Generators (PRNG)
                                built into the RSA BSAFE<br>
                                toolkit". Acknowledged it's broken, but
                                all RSA does is a recommendation --
                                what?<br>
                                <br>
                                To keep in mind: The crypto community
                                has known for a long time that
                                Dual_EC_DRBG is broken! Read this<br>
                                from almighty Bruce ;-) in 2007: <a
                                  moz-do-not-send="true"
href="https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
                                  target="_blank">https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html</a><br>
                                "But today there's an even bigger stink
                                brewing around Dual_EC_DRBG. In an
                                informal presentation (.pdf)<br>
                                at the CRYPTO 2007 conference in August,
                                Dan Shumow and Niels Ferguson showed
                                that the algorithm<br>
                                contains a weakness that can only be
                                described as a backdoor.". That was no
                                reason for BSAFE after<br>
                                that to ship DUAL_EC_DRBG other than
                                .... you do the math.<br>
                                <br>
                                <br>
                                Cheers,<br>
                                <br>
                                Dirk<br>
                                <br>
                                ><br>
                                > 2. A point from earlier in the
                                thread that not attending would only be
                                noticed in the Infosec community.  Not
                                sure that's the case. Definitely on
                                developer heavy sites like <a
                                  moz-do-not-send="true"
                                  href="http://news.ycombinator.com"
                                  target="_blank">news.ycombinator.com</a>
                                <<a moz-do-not-send="true"
                                  href="http://news.ycombinator.com"
                                  target="_blank">http://news.ycombinator.com</a>>

                                the NSA/RSA/Snowden piece has been
                                heavily played and indeed last night
                                when this thread kicked off Errata
                                security's piece on boycotting RSA was
                                the top post on the site.<br>
                                ><br>
                                > 3. An alternative to training at
                                RSA that's been mentioned a couple of
                                times, i.e. doing it at a different
                                venue, seems plausible.  Would it maybe
                                be possible to do it as B-Sides SF which
                                happens at the same time ?<br>
                                ><br>
                                > 4. A good point earlier about the
                                DHS grants.  If we're happy with that,
                                then it seems tricky to say that we're
                                not happy with this.<br>
                                ><br>
                                > Cheers<br>
                                ><br>
                                > Rory<br>
                                ><br>
                                ><br>
                                > On Sun, Jan 5, 2014 at 8:45 AM, Jim
                                Manico <<a moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_blank">jim.manico@owasp.org</a>
                                <mailto:<a moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_blank">jim.manico@owasp.org</a>>>

                                wrote:<br>
                                ><br>
                                >     By the way everyone, RSA
                                completely denies these allegations.<br>
                                ><br>
                                ><br>
                                ><br>
                                >     …“we also categorically state
                                that we have never entered into any
                                contract or engaged in any project with
                                the intention of weakening RSA’s
                                products, or introducing potential
                                ‘backdoors’ into our products for
                                anyone’s use.” - <a
                                  moz-do-not-send="true"
                                  href="https://blogs.rsa.com/news-media-2/rsa-response/"
                                  target="_blank">https://blogs.rsa.com/news-media-2/rsa-response/</a><br>
                                ><br>
                                <br>
                                ><br>
                                ><br>
                                ><br>
                                >     It’s tough to know who to trust
                                these days, but I do want to put RSA’s
                                official comment on the table for
                                consideration.<br>
                                ><br>
                                ><br>
                                ><br>
                                >     Cheers,<br>
                                ><br>
                                >     -          Jim<br>
                                ><br>
                                ><br>
                                ><br>
                                >     *From:*Josh Sokol [mailto:<a
                                  moz-do-not-send="true"
                                  href="mailto:josh.sokol@owasp.org"
                                  target="_blank">josh.sokol@owasp.org</a>
                                <mailto:<a moz-do-not-send="true"
                                  href="mailto:josh.sokol@owasp.org"
                                  target="_blank">josh.sokol@owasp.org</a>>]<br>
                                >     *Sent:* Saturday, January 04,
                                2014 5:04 PM<br>
                                >     *To:* Eoin Keary<br>
                                >     *Cc:* Jim Manico; Abbas Naderi;
                                Kanwal Singh (WebMentors); Nishant Johar
                                (EMOBX); OWASP Foundation Board List;
                                Ravdeep Sodhi; OWASP Leaders<br>
                                >     *Subject:* Re: [Owasp-board]
                                [Owasp-leaders] OWASP Board decision
                                that I don't agree with<br>
                                ><br>
                                ><br>
                                ><br>
                                >     My apologies for the delay in
                                responding to this.  I've been on the
                                road all day today and will be slow to
                                respond tomorrow as well.<br>
                                ><br>
                                >     First off, let me admit that
                                while my term hadn't officially begun
                                yet, I am one of the Board members who
                                encouraged Jim and Eoin to move forward
                                with the training.  My rationale for
                                this was simple; OWASP's mission is to
                                make software security visible, so that
                                individuals and organizations worldwide
                                can make informed decisions about true
                                software security risks.  The core of
                                this statement being VISIBILITY.  We need
                                to find and take advantage of as many
                                ways as possible to raise the visibility
                                of security risks.  Our mission says
                                nothing about making political
                                statements.  It says nothing about
                                ethical business practices.  Our mission
                                can certainly be amended to reflect
                                other imperatives, if so desired by our
                                membership, but until that day we need
                                to prevent mission scope creep.<br>
                                ><br>
                                >     Now, since our mission is
                                making software security visible, we
                                simply have to ask ourselves if we
                                better serve this mission by:<br>
                                ><br>
                                >     1) Performing a free training
                                at a major conference, thereby
                                increasing our exposure to people who
                                haven't heard of OWASP before and
                                enlightening them to software security
                                risks that they likely were not aware of
                                before.<br>
                                ><br>
                                >     2) Taking a stance against a
                                company where some evidence may imply
                                that they took a bribe to sacrifice
                                security in one of their products.<br>
                                ><br>
                                >     Let me be clear on #2.  I don't
                                agree that what RSA did is right, if it
                                is true.  In fact, I have made the
                                explicit decision to not do business
                                with RSA in my day job because there are
                                many other options out there and it's
                                just not worth the risk.  But my passive
                                decision to not purchase from RSA is
                                very different than OWASP reneging on
                                our agreement and making a public
                                statement about their ethics.<br>
                                ><br>
                                >     So, given these two options, my
                                gut is that OWASP's mission will be best
                                served by #1.  It doesn't mean that
                                we're supporting RSA.  It doesn't mean
                                that we agree with unethical business
                                practices.  It just means that we are
                                doing the best we can to make
                                application security visible.  If that
                                means piggy-backing on the massive
                                marketing effort they put into the
                                conference or the infrastructure that
                                supports it, I'm ok with that.  I
                                understand that others may object to
                                this on ethical grounds, and that's
                                fine, but as a non-profit organization,
                                we have a mandate to stay true to our
                                mission, not to speak out against
                                whatever the latest security headline
                                is.<br>
                                ><br>
                                >     I do have one question about
                                this training for clarification.  The
                                training is FREE for anyone who would
                                like to attend and not just for RSA
                                attendees, correct?  My assumption is
                                the former, but if the latter, this
                                changes things significantly in my
                                opinion.<br>
                                ><br>
                                >     ~josh<br>
                                ><br>
                                ><br>
                                ><br>
                                >     On Sat, Jan 4, 2014 at 5:40 PM,
                                Eoin Keary <<a moz-do-not-send="true"
                                  href="mailto:eoin.keary@owasp.org"
                                  target="_blank">eoin.keary@owasp.org</a>
                                <mailto:<a moz-do-not-send="true"
                                  href="mailto:eoin.keary@owasp.org"
                                  target="_blank">eoin.keary@owasp.org</a>>>

                                wrote:<br>
                                ><br>
                                >         Good point.<br>
                                >         Bottom line is we want
                                people to build secure code. Delivering
                                this message under the same roof as RSA
                                does not dilute the quality of the class
                                delivered.<br>
                                >         There is no black and
                                white, only shades of grey :)<br>
                                ><br>
                                ><br>
                                ><br>
                                >         Eoin Keary<br>
                                >         Owasp Global Board<br>
                                >         <a moz-do-not-send="true"
                                  href="tel:%2B353%2087%20977%202988"
                                  value="+353879772988" target="_blank">+353
                                  87 977 2988</a>
                                <tel:%2B353%2087%20977%202988><br>
                                ><br>
                                >         On 4 Jan 2014, at 23:36,
                                Jim Manico <<a moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_blank">jim.manico@owasp.org</a>
                                <mailto:<a moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_blank">jim.manico@owasp.org</a>>>

                                wrote:<br>
                                ><br>
                                >         > Another issue that is
                                tangential.<br>
                                >         ><br>
                                >         > We are applying for
                                several big money DHS grants. These help
                                keep the foundation running.<br>
                                >         ><br>
                                >         > Should we reject all
                                of these grants because of the Snowden
                                affair? If we abort RSA but continue to
                                take DHS money, then we send a mixed
                                message.<br>
                                >         ><br>
                                >         > Aloha,<br>
                                >         > Jim<br>
                                >         ><br>
                                >         >> I strongly support
                                Sastry on this one.<br>
                                >         >><br>
                                >         >> You might be
                                participating as individuals, but people
                                see you guys as the OWASP Board, and
                                that’s something that many of us don’t
                                like to be the image of OWASP.<br>
                                >         >><br>
                                >         >> Thanks<br>
                                >         >> -Abbas<br>
                                >         >> On Jan 4, 2014, at
                                1:18 PM, Eoin Keary <<a
                                  moz-do-not-send="true"
                                  href="mailto:eoin.keary@owasp.org"
                                  target="_blank">eoin.keary@owasp.org</a>
                                <mailto:<a moz-do-not-send="true"
                                  href="mailto:eoin.keary@owasp.org"
                                  target="_blank">eoin.keary@owasp.org</a>>>

                                wrote:<br>
                                >         >><br>
                                >         >>> To be clear,
                                there was no recorded vote on this but a
                                debate.<br>
                                >         >>><br>
                                >         >>> I started the
                                debate after reading about Mikko. (Even
                                though I was delivering the training
                                with Jim and it is my material).<br>
                                >         >>><br>
                                >         >>> The majority
                                of board of OWASP feels getting involved
                                in politics is wrong and wanted to push
                                ahead with the training.<br>
                                >         >>><br>
                                >         >>> So if feelings
                                are strong we need to vote on this ASAP?
                                as leaders of OWASP. A formal board
                                vote? Executive decision from Sarah, our
                                executive director.<br>
                                >         >>><br>
                                >         >>><br>
                                >         >>><br>
                                >         >>> Eoin Keary<br>
                                >         >>> Owasp Global
                                Board<br>
                                >         >>> <a
                                  moz-do-not-send="true"
                                  href="tel:%2B353%2087%20977%202988"
                                  value="+353879772988" target="_blank">+353
                                  87 977 2988</a>
                                <tel:%2B353%2087%20977%202988><br>
                                >         >>><br>
                                >         >>><br>
                                >         >>> On 4 Jan 2014,
                                at 16:48, Sastry Tumuluri <<a
                                  moz-do-not-send="true"
                                  href="mailto:sastry.tumuluri@owasp.org"
                                  target="_blank">sastry.tumuluri@owasp.org</a>
                                >

                                wrote:<br>
                                >         >>><br>
                                >         >>>> Friends,<br>
                                >         >>>><br>
                                >         >>>> Please see
                                the following full conversation on
                                twitter:<br>
                                >         >>>> <a
                                  moz-do-not-send="true"
                                  href="https://twitter.com/EoinKeary/status/419111748424454145"
                                  target="_blank">https://twitter.com/EoinKeary/status/419111748424454145</a><br>
                                >         >>>><br>
                                >         >>>> Eoin Keary
                                and Jim Manico (both OWASP board
                                members) will be presenting/conducting 4
                                hrs of free-of-cost AppSec training at
                                the RSA Conference, 2014. Michael
                                Coates, Chairman of the OWASP Board is
                                also said to be present. Apparently,
                                this was discussed at the OWASP board
                                level; and the board has decided to go
                                ahead, keeping in mind the benefit to
                                the attending developers.<br>
                                >         >>>><br>
                                >         >>>> As you are
                                aware, RSA is strongly suspected (we'll
                                never be 100% sure, I'm afraid) of being
                                complicit with NSA in enabling fatal
                                weakening of crypto products. RSA has
                                issued a sort of a denial that only
                                deepens the mistrust. As a protest, many
                                leading speakers are cancelling their
                                talks at the upcoming RSAC 2014. Among
                                them are (to my knowledge) Mikko
                                Hypponen, Jeffrey Carr and Josh Thomas.<br>
                                >         >>>><br>
                                >         >>>> At such a
                                time, I am saddened by the OWASP board
                                decision to support RSAC by their
                                presence. At a time when they had the
                                opportunity to let the world know how
                                much they care for the Information
                                Security profession (esp., against
                                weakening crypto); and how much they
                                care about the privacy of people
                                (against NSA's unabashed spying on
                                Americans & non-Americans alike),
                                the board has copped out using a flimsy
                                rationalization ("benefit of (a few)
                                developers", many of whom would rethink
                                their attendance had OWASP and more
                                organizations not blinked!).<br>
                                >         >>>><br>
                                >         >>>> I'm sure
                                there was a heated debate. I'm sure all
                                angles were considered. However, this
                                goes too deep for me to take it as
                                "better men than me have considered and
                                decided". As a matter of my personal
                                values, if the situation doesn't change,
                                I would no longer wish to continue as
                                the OWASP Chapter Lead. Please let me
                                know if any of you would like to take
                                over from me.<br>
                                >         >>>><br>
                                >         >>>> I will
                                also share my feelings with fellow
                                chapter members at our next chapter
                                meeting on Jan 21st. Needless to say, no
                                matter how things go, I remain committed
                                to the principles of our open and
                                open-source infosec community.<br>
                                >         >>>><br>
                                >         >>>> Best
                                regards,<br>
                                >         >>>><br>
                                >         >>>> ==Sas3==<br>
                                >         >>>
                                _______________________________________________<br>
                                <div>
                                  <div><br>
_______________________________________________<br>
                                    OWASP-Leaders mailing list<br>
                                    <a moz-do-not-send="true"
                                      href="mailto:OWASP-Leaders@lists.owasp.org"
                                      target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                    <a moz-do-not-send="true"
                                      href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                      target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><span><font
                                        color="#888888"><br>
                                      </font></span></div>
                                </div>
                              </blockquote>
                            </div>
                            <span><font color="#888888"><br>
                                <br clear="all">
                                <br>
                                -- <br>
                                <a moz-do-not-send="true"
                                  href="https://www.owasp.org/index.php/ZAP"
                                  target="_blank">OWASP ZAP</a> Project
                                leader<br>
                              </font></span></div>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div dir="ltr">
                        <div style="font-family:arial;font-size:small"><b>Mark
                            Miller, Senior Storyteller</b></div>
                        <div style="font-family:arial;font-size:small"><i><font
                              color="#990000">Curator and Founder,
                              Trusted Software Alliance</font></i></div>
                        <div style="font-family:arial;font-size:small"><i><font
                              color="#990000">Host and Executive
                              Producer, OWASP 24/7 Podcast Channel<br>
                              Community Advocate, Sonatype</font></i></div>
                        <div style="font-family:arial;font-size:small">
                          <br>
                        </div>
                        <div style="font-family:arial;font-size:small"><a
                            moz-do-not-send="true"
                            href="https://www.surveymonkey.com/s/Developers_and_AppSec"
                            target="_blank"><i
                              style="margin:0px;padding:0px;outline:none"><b
style="margin:0px;padding:0px;outline:none"><span
                                  style="margin:0px;padding:0px;outline:none;color:rgb(86,163,203)">Developers

                                  and Application Security: Who is
                                  Responsible?</span></b></i></a><br>
                        </div>
                        <div><br>
                        </div>
                      </div>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>