Earlier this month, Salted Hash reported that OWASP had ended their co-marketing agreement with the RSA Conference, and that a noted OWASP board member had canceled training that was to be held at the show.
These events were tied to a lengthy and heated debate among OWASP members over a Reuters story that linked the conference's namesake, RSA (the security arm of EMC), to the NSA.
According to Reuters, RSA accepted a $10 million payment to use Dual_EC_DRBG, a fatally flawed pseudorandom number generator (PRNG) whose design was strongly influenced by the NSA, in their products. The NSA then used RSA's adoption of Dual_EC_DRBG as leverage when the agency went to NIST for approval.
Understandably, this caused many OWASP members to express concern, unsure whether the OWASP name should be associated with such news, even by proxy through visibility at a conference that shares RSA's name. While the RSA Conference is a valuable opportunity for organizations like OWASP, the fallout from the Reuters story led the organization to distance itself from the conference. Thus, after a vote, the co-marketing agreement with the RSA Conference was terminated.
Prior to that, Eoin Keary moved to cancel his classes for personal reasons, noting at the time that he felt he couldn't "put my head in the sand and attend an event hosted by an organisation which may be linked to erosion of software security, individual privacy and possible freedom."
Now, OWASP has taken a second look at the training. The organization has issued a media advisory that says classes will be held off-site during the show, and are free to RSA Conference attendees or anyone who wishes to attend. In a statement, addressing the RSA debate as well as their previous actions, the organization said:
"The reports about large-scale intelligence activities targeting Internet communication and applications and possible attempts to undermine cryptographic algorithms leave us deeply concerned. We knew about the interception of targeted individuals and other monitoring activities, however, the scale of recently reported activities and the possibility of active undermining of the security of deployed applications are alarming."
The statement also quoted Eoin Keary, who added: "OWASP cannot stand by and let the erosion of security occur; it is against our mission."
As such, the training will return. On Monday, February 24, from 2pm to 5pm, OWASP will conduct training at Jillian's, a popular spot for many RSA Conference attendees, as it's just across the street from Moscone.
"Presented by Jim Manico and Eoin Keary, this intensive boot camp focuses on the most common web application security problems, including aspects of both the OWASP Top Ten and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code and understand fixes."
Additional details are on the OWASP blog.