RSA, NSA, OWASP

Last week OWASP has had a vigorous debate on if OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. Debate surrounded the issue of RSA and its relationship with NSA. More specifically did RSA per request of NSA weaken its cryptology products to allow NSA better access to be able to unencrypted encrypted data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At present time I know of no organization or individual who has confirmed if the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.

I do know that OWASP’s main core value is to present unfretted security information to everyone.

What I don’t know is if OWASP had not cancelled its training would that have put a mark against OWASP as being able to continue its main core value of delivering unfretted security information to everyone and still be vendor impartial and have no ramifications to its brand name by co-marketing with RSA. I would have hoped the individuals attending the course could easily have made that distinction for themselves that OWASP and RSA are very different originations with each having its own values.

I think it’s sad that OWASP caved into media hype as to RSA and NSA relationship. I am also disappointed by RSA for not dealing the speaker cancellations in a positive way and for not being more open then they have been with their relationship with NSA. I do support OWASP and the speakers who cancelled their speaking engagements.

I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need by Law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle East, and Asian), and governments.

Current surveillance program being conducted by NSA is a direct response by Terrorist attack on 9/11 in New York. That attack 2,977 innocent people lost their lives. The mindset of this for need of surveillance was further embedded into American mindset by the Boston marathon attack where three spectators were killed and more than 200 people (men, women and children) were injured.

So this discussion needs to be kept in scope of what the NSA is doing is trying to do is prevent more deaths of our civilian population and reducing the fear of terrorism. Because of the secret nature of NSA we really will never know the results of these efforts to a large degree. That prevents us from having absolute confidence of the good and bad of organizations like NSA and its partners, governmental and others. This lack of confidence is not uncommon. We unfortunately we have a long history of individuals or groups within organizations abusing their power and we have just as long of uncovering the abuse. The difference here is our government has needs to keep part of its activities secret. While at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.

One last thing, encryption; does encryption equal privacy? I have written a blog post talking about this every issue. American courts have upheld law enforcement request for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files by terrorist, pedophiles, and other bad guys/governments, however I also realize this can be very slippery slope.

Recap:
Unknowns… The benefits or fallout of OWASP doing or not doing secure code training at RSA conference is unknown. * The RSA and NSA relationship is largely unknown. We don’t know if RSA weaken its cryptology products per NSA request.

Facts… Secure training is very much needed. OWASP is a premier leader of making unfretted secure information open and available to anyone. With the Target data breach reaching over 70 million accounts the need for secure coding training needs to be at the forefront of all development teams.

Hopes… 

• I think OWASP if it has the bandwidth should offer free secure coding to any organizations that has had a large data breach. The organizations with the data breach will pay for trainers expense; travel cost and provides the venue for the training. That would be a win-win solution for everyone, OWASP, consumers, businesses.

• I would also like to see OWASP bring together, politicians, law enforcement, legal experts (defense, prosecuting, judicial), legal scholars on all levels (community, state and federal), for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena giving everyone accurate information on privacy for individual’s, communities and discuss issues of NSA surveillance both positive and negative. This could be done here in America and in other countries. That would be very cool! Also it would be a win-win solution for everyone.

Resources:

• http://blogs.csoonline.com/security-industry/2914/owasp-terminates-marketing-agreement-rsa-conference-board-member-cancels-class-out-protest?source=CSONLE_nlt_salted_hash_2014-01-10
• http://voixsecurity.blogspot.com/2012/02/stored-communications-act.html
• http://voixsecurity.blogspot.com/2013/07/cost-of-data-breach.html