Saturday, January 4, 2014

OWASP and the RSA Conference 2014

Update:
Much has happened since. After a lot of discussion, the OWASP Board voted to cancel its co-marketing agreement with RSA for RSA 2014. It also voted to deliver training and a talk at the conference, if permitted to do so.
While my disagreements with the underlying arguments remain, I must admit I am a much bigger fan of OWASP's style of functioning than I was. To put it mildly, I had grossly misunderstood OWASP's openness. In retrospect, if I were writing it now, I wouldn't use the same strong words as I did.
To preserve what was, and the nature of my misunderstanding, I'm leaving the post below as is. Instead of editing it here, I'll write a separate post on the developments.
The OWASP Board apparently decided to participate in RSAC 2014 by way of offering a 4-hour free-of-cost AppSec training. Apparently "developers' benefit won out".

Here is a Twitter conversation on this topic: https://twitter.com/EoinKeary/status/419111748424454145

This was an opportunity for the world's most influential and inspirational AppSec organization to take a principled stand that:

  1. the industry will not stand by and watch the foundations of trust and technology be eroded by patently malicious intent (such as that of subverting crypto products and standards); and
  2. the industry will not stand for unwarranted universal surveillance using national interest and anti-terrorism as flimsy excuses.

However, the wise old men/women of the board have chosen not to take the high road. They didn't say, "what's one lost opportunity for a few developers when the whole world is reeling?". They didn't say, "this will only encourage other pillagers of infosec public trust, assuring them that OWASP and others will find glib rationalizations to look the other way while they earn a few bucks on the side".

In short, they copped out. [edit: I was under the impression that the decision was made, done, closed. However, in a welcome development, the matter has been re-opened for wider discussion within OWASP. I will update this post when the status changes.]

Update: The OWASP email discussion on this topic is available at: http://lists.owasp.org/pipermail/owasp-leaders/2014-January/010549.html

Relevant blog post: Robert Graham's "Why we have to boycott RSA"

I've never been invited there as a speaker. My protest and opinion may dent neither RSAC nor OWASP. Yet, I believe it is important for me and other like-minded people to clearly say NO.

As a first step, I've offered (to my co-leads) to step down from the local OWASP Chapter leadership, unless the situation changes. It is a sad day for me, as I worked hard to establish this chapter only recently. We are doing a very important public service. The principles of open community and open source are as dear to me as the InfoSec profession. Yet, I don't believe I can compromise and tell RSA or OWASP that "it's okay".

At this time, I haven't considered any other possible action. I'm looking out for more, though.
