Monday, October 13, 2014

Report of complaint against OWASP Board members


Community Update:  OWASP Complaint & Resolution per Whistle Blower Policy

October 10, 2014.   Early this year a complaint was filed against several members of the
OWASP board by a former OWASP employee. The complaint was raised internally in April
2014, and an official complaint was also filed with the Arizona EEOC in June 2014.

Purpose: The purpose of this update is to provide the OWASP community with transparency
about this issue, to summarize the actions taken by the OWASP Compliance Officer and Board
of Directors, and to demonstrate our commitment to our Code of Conduct and Whistle Blower
Policy and our respect for the privacy concerns of all members of our community.

Summary of Complaint & Resolution:

The complaint cited several concerns including:
Issue 1: Complaint against a single Board member for breach of the OWASP Code of Conduct.

Issue 2: Complaint against OWASP Foundation for discrimination for Sex and National origin. 
This was later filed with the Arizona EEOC (Equal Employment Opportunity Commission). 

Issue 3: Complaint against 3 individual Board members for discrimination due to sexual or
national origin and a complaint against 1 of those for misuse of OWASP funds.

OWASP Investigation Process
OWASP has established several policies to handle situations like this, including a whistleblower
policy, a privacy policy, an anti-retaliation policy and a code of conduct. The role of the
Compliance Officer is to objectively investigate the issue, reach out to all parties involved,
create a statement of facts and provide this report to the board. The board reviews this
confidential information and then makes a determination of action. Additional information on the
OWASP policies can be found here.

During the investigation the Compliance Officer interviewed each of the people named in the
complaint (listed below), the foundation employee in charge of accounting and bookkeeping,
and the chairman of the board.

The former OWASP employee who made the claim declined to be interviewed or provide any
additional information or evidence beyond the original accusations.

These claims were handled in several parallel processes. First, per standard human resource
policies and the OWASP whistleblower policy these claims were reviewed by OWASP. Second,
the OWASP legal counsel was notified and asked to investigate the nature of the complaint to
protect the privacy of the individual as well as individual Board members. 

Since several Board members were named in the complaint, the OWASP Compliance Officer
was assigned the task of interviewing all concerned parties and providing a neutral, third-party
report based on those interviews. Legal counsel was also asked to prepare for discussions with
the Arizona EEOC, and for recommendations concerning the complaint against the Foundation, as
well as against individual Board Members of OWASP, based on evidence gained from interviews and research.

Resolution by Claim
1.  The claim against 1 Board member for breach of OWASP code of conduct was
determined to be valid.  Disparaging remarks against an OWASP employee were made
on a public forum.  The Board member has apologized on the public forum.  

Outcome - The OWASP Compliance Officer has reviewed this situation and
believes no further action is necessary against the individual Board Member. The
violation of the code of conduct has been recorded and a public apology was
issued. It has also been noted that any future violations of the code of conduct
would require an escalation in response.

2.  The claim filed with the Arizona EEOC against the OWASP Foundation for discrimination
was declined because OWASP employs less than the required number of employees
covered by the statutes. 
Interviews and investigation by the OWASP Compliance Officer determined the claim to
be unfounded due to lack of evidence and witnesses. 

3.  The claim against 3 Board members for discrimination and against 1 Board Member for
misuse of OWASP funds was determined to be unfounded.  No evidence was brought
forward to validate the complaints of the claimant.

The OWASP Board has recognized the seriousness of the accusations and therefore to ensure
that all OWASP board members are acutely aware of their responsibilities and expectations
when dealing with members of the OWASP staff, community or the public, the board has agreed
that all OWASP board members will complete annual anti-harassment training. This will be
required of all board members starting with the 2015 board.

In summary, there is no outstanding or ongoing legal activity against OWASP related to these
events. The Compliance Officer noted that during the early stages of this complaint, the
OWASP Board operated in a fragmentary and occasionally unprofessional manner.  Additional
training for Board members on Human Resource practice and policy is scheduled to help
eliminate this problem going forward. The balance of this document describes the detailed findings
of our independent Compliance Officer and it is intended to provide transparency and bring
closure to this issue for our community.

Detail Report on the Nature of the Complaint and Results of Compliance Officer

Claim of inappropriate public review of staff performance, violating the Board Code of Conduct
Investigation confirmed that Jim Manico did violate the Board Code of Conduct, section Board
Conduct with Foundation Staff that states: 

Never publicly criticize an individual employee - Board should never express concerns
about the performance of a Foundation employee in public. Comments about staff
performance should only be made to the Executive Director through private
correspondence or conversation. 

Jim violated this code of conduct when he sent emails to a public mailing list in March 2014 that
criticized the former employee's performance (Thread: OWASP Project Manager Report: March 28, 2014). Board
leadership reminded Jim of his obligations under the Code of Conduct.  On April 4th, Jim
publicly apologized for these comments on the same public mailing list.

Outcome: The board agrees with the assessment of the Compliance Officer and Jim sincerely
regrets having made the comment.  The violation of the code of conduct has been recorded and
a public apology was issued. No further action is necessary.  It has also been noted that any
future violations of the code of conduct would require an escalation in response.

Claim of discrimination, that negative actions and retaliation were taken due to her gender and
national origin  

Claimed against Jim Manico, Eoin Keary and Josh Sokol both individually and as
representatives of the OWASP Foundation.  An EEOC complaint was filed with the State of
Arizona on June 5, 2014. On September 5, 2014 the EEOC complaint was closed with the 
status “The Respondent employs less than the required number of employees or is not
otherwise covered by the statutes.”

Although the EEOC complaint was closed on the jurisdictional grounds quoted above, the
Compliance Officer was nevertheless requested to investigate this claim. The Compliance
Officer's investigation of all available information and interviews did not reveal any actions
of retaliation or any actions relating to gender or national origin, and confirmed that the
claim was unfounded due to lack of evidence or witnesses.
Outcome: Claim was unfounded, no action necessary.  

Complaint against 3 individual Board members for discrimination due to sexual or national origin
and a complaint against 1 of those for misuse of OWASP funds.

This Complaint has been made via email on a public OWASP mailing list and is broken down
into 3 separate claims:

  • Issue 1:  Claim of breach of Code of Conduct and inappropriate sexual comments by Jim Manico.
Investigation by the Compliance Officer found that the claimed sexual comment was part of a
verbal conversation that took place between the two parties in a public setting, at an evening
cocktail party, with others present. 
As noted above, the former OWASP employee declined to provide any information beyond the
claimed inappropriate comment. As a result, the claim of verbal sexual harassment cannot be
judged properly unless both parties describe the context of the occasion, the statement itself,
and what preceded it that evening.

Outcome: To ensure that all OWASP board members are acutely aware of their responsibilities
and expectations when dealing with members of the operations team, OWASP community and
the public, the board has agreed that all OWASP board members will complete annual anti-harassment training. This will be required of all board members starting with the 2015 board.
This training requirement is in addition to all current required onboarding activities listed here.

  • Issue 2: Discrimination against the former employee due to the employee's gender or national origin, or retaliation, by Josh Sokol, Jim Manico and Eoin Keary.
The Compliance Officer investigated the claims of discrimination by interviewing the
involved parties, reviewing conversations between the employee and the accused Board
members, and interviewing OWASP members who have worked with the accused Board members. 

As noted above the former OWASP employee declined to provide additional information other
than the claimed discrimination. As a result it is not possible to validate the reasons why the
former employee felt discriminated or any specific actions of discrimination by the accused
board members.

Outcome: There has been no proof of any discrimination by the accused OWASP board
members towards the employee.

  • Issue 3:  Claim of financial mismanagement of OWASP funds against Eoin Keary.
The Compliance Officer's investigation of access to funds and the actual use of those funds
confirmed that this claim was unfounded.  Interviews with the involved parties show the
complaint was based on a misunderstanding of OWASP financial policy by the claimant. 
Eoin Keary does not have access to any of the financial systems and the OWASP foundation
funds are only accessible to OWASP President, Treasurer, Executive Director and Bookkeeper. 
A two-person, two-step approval process is required for release of payments. 

Outcome: This claim has proven unfounded. There has been no indication or proof that Eoin
tried to circumvent or bypass the process described above, nor of any other financial mismanagement
on his side.

Voting for the 2014 BoD Starts TODAY!

OWASP 2014 Board of Directors Election starts TODAY! Be sure to cast your vote! 

Friday, October 3, 2014


Call For Papers is now open

Want to make a presentation in Amsterdam? Visit the Call For Papers page and send your proposal on time. 
Call for Papers:
  • Submission of proposals by: 31 December, 2014 (11:59pm GMT)
  • Notification of acceptance: 26 January, 2015
  • Publication of program: 11 February, 2015
  • Conference Date: 21-22 May, 2015
Call for Training:
  • Deadline for proposals: 30 November, 2014 (11:59pm GMT)
  • Notification to training providers: by 19 January, 2015, late: ~ +1 week
  • Posted on web site: by 26 January, 2015, late: ~ +1 week
  • Training: 19-20 May, 2015



Dear All, 

We have the pleasure to invite you to the OWASP Ghana 2014 event, themed Ghana CyberSecurity Summit. The event will be held on December 10-11, 2014 in Accra, Ghana. The target audience for the event is testers, developers, auditors, law enforcement authorities, legal authorities, risk managers, executives, management, the press and entrepreneurs within various enterprises.

The event is a two-day event and will consist of:
Wednesday, December 10th 2014; Conference
Thursday, December 11th 2014; Training & Interactive Engagement with Panellists

We are looking for speakers and trainers from the Security community to share their experience and knowledge with our audience.

We look forward to talk and training submissions over the coming weeks from security practitioners, researchers, thought leaders and developers in the following content areas:
  • Software/Application Security Defence (Defence & Countermeasures)
  • Software/Application Security Offense (Vulnerabilities & Exploits)
  • Web and Mobile Application Security
  • Cryptography
  • Critical Infrastructure Security
  • Enterprise End to End Security
  • Government Initiatives & Government Case Studies
  • Effective case studies in Policy, Governance, Architecture or Life Cycle
  • OWASP Projects
Should you be interested please contact:

Theodore Sagoe
OWASP Ghana Chapter

Wednesday, October 1, 2014

OWASP Foundation Global Connector

OWASP Global Connector
October 1, 2014 | Contact Us | Brought to you by the OWASP Foundation

Featured OWASP Project

OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.
For more information, please contact the Project Leader, Colin Watson.

Project Announcements

O-Saft Project Graduates to LAB status
The O-Saft Project, an exemplary OWASP project, has just graduated from incubator to LAB status. O-Saft is an easy-to-use tool that shows information about an SSL certificate and tests the SSL connection against a given list of ciphers and various SSL configurations.
It is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people. Read more about the O-Saft project on the project wiki page.
If you have any questions about the project summit, please contact Jonathan Marcil
Mantra OS: Dharma

The OWASP Mantra OS Project has just released its third version, Dharma. OWASP Mantra OS is a secure sandboxed operating system built for application testing and fast secure computing, built on Ubuntu Core. Check out the Mantra OS project page HERE.
The new version can be downloaded via Sourceforge
OWASP iGoat 2.2 released
The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them. New in 2.2 is a certificate pinning exercise.
Download Page
OWASP Reverse Engineering and Code Modification Prevention Project
Apple's release of the iPhone 6, with its support for Near Field Communication (NFC), and the release of host-based card emulation in Android 4.4 reveal a growing trend towards allowing mobile code to do very sensitive things entirely within the mobile device.

There are very real risks of moving sensitive transactions to a mobile device. Within mobile environments, developers have no control over who can see their code or what the hacker can do with it.
The notion that you should not allow developers to do sensitive things (like financial transactions) in mobile environments just won't cut it anymore. Offline availability requirements and usability requirements are winning over traditional security principles. The good news is that there are ways of doing risky things in these types of uncontrollable environments. The OWASP Reverse Engineering and Code Modification Prevention project is one project that empowers software developers to think about new ways of safely doing sensitive things within mobile environments.
View the OWASP Projects Page to find other projects that address mobile security risks.
CLICK HERE for information on advertising in the next connector

Thank you to our new Corporate Member:

  • NetSuite, Inc.

Global AppSec Events in 2014

AppSec EU/Research 2015 (May 18 - 21, 2015, Amsterdam, NL)
CALL FOR PAPERS IS NOW OPEN - Submission Deadline is December 31, 2014

Upcoming Regional Events

Boston Application Security Conference (BASC) (October 18, 2014, Cambridge, MA)

OWASP Romania InfoSec Conference 2014 (October 24, Bucharest, Romania)
Ghana Cybersecurity 2014 (December 10, Accra, Ghana)
German OWASP Day (December 9, Hamburg, Germany)
AppSec California (January 26-29, 2015, Santa Monica, CA)

Partner and Promotional Events

OWASP has partnered with these great events in beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement or will be attending and want to help out contact us
3rd International Conference on Forensic Research & Technology(October 6-8, 2014) San Antonio, TX
BSides Colombia(October 8-10, 2014) Bogota, Colombia
EC-Council Hacker Halted(October 12-17, 2014) Atlanta, GA
BlackHat Europe(October 14-17, 2014) Amsterdam, The Netherlands
Fraud Summit - New York(October 21, 2014) New York, NY
Global APT Defense Summit(October 22, 2014) New York, NY
ISSA International Conference (October 22-23, 2014) Orlando, FL
SECUREAMSTERDAM 2014, (Nov 6), Amsterdam, NL
3rd Annual CISO Asia Summit & Roundtable(November 5-7) Singapore
Fraud Summit - Orlando, (November 6) Orlando, FL
Fraud Summit - Dallas, (December 18) Dallas, TX
Suits & Spooks, (December 14), Singapore.
ICCS(January 5-8, 2015) New York, NY
Social Media

OWASP Foundation Social Media

OWASP YouTube Channel
Google +

2014 Global Board of Directors Election

Candidate Interviews are available
Voting will begin October 13, 2014! Be sure to review the candidate information and interviews before then.
OWASP Winter Of Code Sprint Is Underway
The first selection stage of the Winter Code Sprint finished in September, and we are proud to announce that 10 new university students around the world will work on OWASP projects during this semester while earning university credits. The second and final stage selection is set for 15th October.


OWASP en Español

OWASP Webcast in Spanish: How to always win at Poker using OWASP ZAP
Description: WebSocket is part of the HTML5 initiative and defines an API that gives web pages full-duplex, bidirectional communication over a single TCP/HTTP connection, providing a large reduction in network traffic. The webcast will examine this new protocol and how to analyze its traffic through the OWASP ZAP web proxy.
Speaker: Cristian Borghello
Time: Monday 6th October at 5pm GMT
CLICK HERE for more information.
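The part of the protocol an intercepting proxy like ZAP has to handle before it can show WebSocket traffic is the RFC 6455 opening handshake and the frame format, in particular the rule that every client-to-server frame is XOR-masked with a random 4-byte key (so a raw packet capture of the client side looks like noise until it is unmasked). The following is an added, self-contained Python illustration written for this page; it is not code from the announcement, from the webcast, or from OWASP ZAP. The sample key, accept value and "Hello" frames are the worked examples from RFC 6455 itself; the `relay_client_frame` helper and its re-masking behaviour are my sketch of what a proxy does in between the two sides, not ZAP's implementation.

```python
# Added example (not from the original announcement or from OWASP ZAP):
# the RFC 6455 handshake and framing a WebSocket-aware proxy must implement.
import base64
import hashlib
import os
import struct
from typing import Optional

# Fixed GUID from RFC 6455 section 1.3; concatenated to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept the server must return for the client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _mask(payload: bytes, mask: bytes) -> bytes:
    # XOR with the 4-byte masking key (RFC 6455 section 5.3); masking and unmasking are the same operation.
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def build_frame(payload: bytes, opcode: int = 0x1, mask: Optional[bytes] = None) -> bytes:
    """Encode one unfragmented frame (FIN=1). Client-to-server frames MUST be masked,
    server-to-client frames MUST NOT be; pass mask=None for the latter."""
    header = bytearray([0x80 | (opcode & 0x0F)])
    mask_bit = 0x80 if mask is not None else 0x00
    n = len(payload)
    if n < 126:
        header.append(mask_bit | n)
    elif n < 0x10000:
        header.append(mask_bit | 126)
        header += struct.pack(">H", n)
    else:
        header.append(mask_bit | 127)
        header += struct.pack(">Q", n)
    if mask is not None:
        if len(mask) != 4:
            raise ValueError("masking key must be 4 bytes")
        header += mask
        payload = _mask(payload, mask)
    return bytes(header) + payload


def parse_frame(data: bytes) -> dict:
    """Decode one frame from the start of data. Returns fin, opcode, masked, the
    already-unmasked payload, and the number of bytes consumed. Truncated input
    and reserved bits are rejected, as a proxy should treat them as protocol errors."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = data[0], data[1]
    if b0 & 0x70:
        raise ValueError("RSV bits set without a negotiated extension")
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        if len(data) < pos + 2:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
    elif length == 127:
        if len(data) < pos + 8:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack(">Q", data[pos:pos + 8])
        pos += 8
    mask = None
    if masked:
        if len(data) < pos + 4:
            raise ValueError("truncated masking key")
        mask = data[pos:pos + 4]
        pos += 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = _mask(payload, mask)
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload": payload, "consumed": pos + length}


def relay_client_frame(wire: bytes) -> tuple:
    """Hypothetical proxy step: unmask the client's frame so the payload can be
    inspected, then re-mask it with a fresh random key before forwarding, since
    a server must reject any unmasked frame from a client."""
    frame = parse_frame(wire)
    forwarded = build_frame(frame["payload"], frame["opcode"], mask=os.urandom(4))
    return frame["payload"], forwarded
```

Feeding the RFC's masked client frame `81 85 37 fa 21 3d 7f 9f 4d 51 58` to `parse_frame` yields the text `Hello`; the same text sent by the server is just `81 05 48 65 6c 6c 6f`. That asymmetry is why the proxy, not a passive sniffer, is the right place to watch a WebSocket-based application.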

Just for Fun

This week's puzzle
How many people do you need to have the odds be in favor (at least 50% chance) of two people having the same birthday?
Submit your answers here


  • Belfast, Ireland - Europe
  • State College, PA - North America


  • Sacramento, CA - North America
  • Birmingham, AL - North America

Monday, September 29, 2014

Honorary Membership Deadline is Tomorrow!

Tomorrow Tuesday, September 30, 2014 is the DEADLINE to submit your Honorary Membership Form.

Not sure if you qualify?  Visit our Election page to learn more.

Friday, September 26, 2014

Honorary Membership Deadline Sept 30!

The deadline to submit your Honorary Membership form is September 30.  To find out if you qualify please visit our Election page and submit your request here.