Strategic Plan 2023 - an update for the open letter


Andrew van der Stock

Friday, March 10, 2023

The Board is conducting the first strategic review and planning since COVID struck in 2020. The Open Letter calls for an update 30 days from publication, and that time is about up. I am writing to fill you in on where we are at and what still needs to be done.

The open letter calls for a response to five points. These points primarily cover projects, but the Board has a fiduciary duty to consider all aspects of OWASP’s mission. So the plan will not just be a response to the five points but a comprehensive strategic plan for OWASP.

The Board has met for over 15 hours so far, covering Board governance and the Foundation, outreach and diversity, our community and chapters, and more. As a result of the discussions, a strategic plan is being formulated and written, but it will be some time before it is complete. The Board intends to meet at least once more in March and potentially once more in person in April. There is a great desire to get it done.

As to the specific points of the letter:

  • Publish a community plan. This is being worked upon now, with a completion date likely in mid to late April based on progress.
  • Governance structure. This is by far the most controversial - our strength is our community. The Board has committed to our Board being democratically elected by our members. It is unclear if the community would support a change to the Board structure that moves away from a community-elected Board to a hybrid model, a sister organization, or a partnership with the OpenSSF. This topic has been the subject of many robust discussions with many more to come.
  • Funding. Discussions on this point are in the early stages. That said, if it were easy to spend five times our total annual budget on projects alone, it would have already been done. In 2020 and 2021, OWASP eliminated project and chapter balances and reformed how projects can fund and spend through project grants. In 2022, for the first time in OWASP’s history, projects outspent chapters - and spent nearly double that of chapters. This is a great result, but more needs to be done. If you are interested in fundraising and using grants to further your project, please log a ticket, and let’s get it going.
  • Improved infrastructure. The Board has yet to discuss this point, but I will point out that the OWASP Foundation has access to cloud credits on Azure, GCP, and to a lesser extent, AWS. If your project wants to host itself on OWASP infrastructure, please log a ticket, and let’s figure it out.
  • OWASP Foundation to actively manage the project portfolio and chapters. The Board has yet to discuss this point, but this implies dissolving the Project and Chapter Committees, which are currently tasked with this duty, and reforming the Foundation to take on a more active management role. The OWASP Foundation has just hired a Project intern to help flagship projects mature, such as improving “How to contribute”, good first tasks, and more. I assume the Board will approve a Community Manager once the plan is done.

So there it is - the Board is actively working on a plan for our community, chapters, members, outreach, events, and of course, projects. It will take some time to complete to ensure that all aspects of our mission are represented.