OWASP terminates marketing agreement with RSA Conference. Board member cancels class out of protest.

After a heated internal debate, OWASP has canceled their co-marketing agreement with the RSA Conference. Related to these developments, a board member has canceled their scheduled class in protest of RSA’s dealings with the NSA.

In a statement on Twitter, Eoin Keary, OWASP board member, and known expert in software security and penetration testing, announced that he is cancelling his class on secure coding that was to be held next month at the RSA Conference.

Keary is hopeful that the class could be held elsewhere, including B-Sides San Francisco, a separate security conference that takes place the same week as the RSA Conference. However, at the time this story went to print, that wasn’t a confirmed option.

In a statement via email, Keary told the Hash that his reasoning for canceling the classes were an act of conscience, and a reflection on what his last 10 years at OWASP has meant to him.

“I believe OWASP is a force for fighting the causes if software insecurity. As a board member and individual I can’t put my head in the sand and attend an event hosted by an organisation which may be linked to erosion of software security,individual privacy and possible freedom.

“I feel we are getting to a tipping point in this area. I want my kids to have a right to privacy. I feel corporations are selling  and governments are disrespecting our rights as individuals. I want secure code /technologies developed which protects people’s rights not violates them.

“My training class has been free at RSA such to enable awareness an help developers make informed decisions such like not using crypto which is proven to be weak. I was also asked by the event organisers not to deliver the training with any other organisation whilst in San Fran, this goes against my open values.”

According to emails exchanged on the OWASP mailing list, Keary was initially supportive of the training to be held at the RSA Conference.

“My take, after sleeping on it is we should go ahead as it benefits more people this way. The majority if attendees won’t be RSA employees or NSA for that matter but folks like you and me,” Keary wrote on Jan 5.

However, his change of heart, he told the Hash, came after reading articles in the media, and the statements from other speakers who have already pulled out of the conference. Still, he maintained, the driving factor was conscience.

Late last week, and over the weekend, OWASP members engaged in a lengthy and heated debate surrounding the allegations that emerged within a story from Reuters last month and  whether or not OWASP should participate at the RSA Conference because of them. This participation included both the training class, which at the time it was canceled had about 70 students registered, as well as a co-marketing agreement between OWASP and the RSA Conference.

In December, Reuters reported that RSA took $10 million dollars from the NSA to use Dual EC_DRBG, a fatally flawed pseudo random number generator (PRNG) that was strongly influenced by the NSA, as the default key generation option in their BSafe product. In a statement addressing the story, RSA proclaimed that they’ve “…never entered into any contract or engaged in any project with the intention of weakening RSA’s products…”

However, their statement was worded in a way that didn’t expressly deny the fact that the company took the NSA’s money. As for the NSA-influenced PRNG, Dual EC_DRBG was used by RSA for almost a decade after the agreement with the NSA took place.

The default usage of a flawed PRNG, combined with the $10 million dollar payday, has left many in the security community outraged. On the other side of anger, others maintained that there wasn’t enough evidence of any wrong doing to take a stance one way or another. However, including Keary, nine speakers have protested RSA’s dealings with the NSA and focused their ire on the RSA Conference.

The same general split seen within the security community played out on the OWASP mailing list. However, the topic of association between OWASP and the RSA Conference, and the negative consequences of such an association, had some members worried.

OWASP had entered into a co-marketing agreement with the RSA Conference, and some members felt that such an agreement would hurt OWASP in the long term.

Sarah Baso, Executive Director of OWASP, in an email to the mailing list noted:

“…RSA is undoubtedly a great opportunity for us to spread our mission and raise visibility (which is why we went ahead with the co-marketing contract in the first place), but with the additional information (accusations) about RSA’s behavior, it does call into question whether OWASP should at least pass this year on the co-marketing agreement…”

The co-marketing agreement offered OWASP: A $100 price break on registration rates; Two (2) complementary Delegate passes; Marketing considerations (OWASP would be a Global Association Sponsor and have adverts in the conference program); The 4 hour training class that Keary would later cancel; Three (3) Speaker passes; and 10×10 booth space.

The cost for the sponsorship was approximately $2,000 dollars.

Baso’s inclination was to cancel the agreement, but the issue was put to a vote. In an email to the OWASP mailing list, Tobias Gondrom, who is on the OWASP Global Board, had strong feelings on the matter.

He said that the extensive agreement could be seen as an active endorsement, and that OWASP “should abstain from actively endorsing RSA for the time being, until all facts of the case have been properly examined…”

“In addition to that: I propose that OWASP should prepare and release a press release or public statement that OWASP thinks weakening or undermining crypto is a really bad idea…This press release shall advocate our general OWASP principles and shall _not_ mention RSA, the RSA conference or any other company by name,” Gondrom’s email added.

In an email expressing his opinion, OWASP Co-Founder Dennis Groves said:

I to am disappointed by the allegations against RSA, but currently not enough information is known to hold informed judgment. However the NSA is hurting everyone, and I have to wonder if RSA even had a choice given the situation with Quest communications. A simple statement of our position on cryptography will suffice until we have a better understanding of the situation. We must not be neutral regarding security lest we loose our credibility and trust.

Additionally, Partnerships are very important to OWASP, and we need to tread carefully or we will be forced to walk alone in areas we simply can not afford to be competitive. I believe that if we made a promise we need to keep that promise, to RSA who invested in us, and to the people who invested in this in order to learn to write secure code. I think OWASP should revisit this issue regularly to see if it is still in our best interest to continue the relationship with RSA after the training.

In the end, OWASP voted to terminate the co-marketing agreement.

At the time this story went to print, the proposed press release was not available. I’ve reached out to OWASP for any additional comments.