August 2020 Videoconference

Meeting Details

AGENDA

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

Organizational KPIs

KPI              August           Delta
Members          3,179            -40 fewer members
Visitors         179,304          -374,696 visitors
OSD SLA met      100.0%           8.0% better than last month
NFSR SLA met     90.6%            -2.4% worse than last month
YTD net income   $(168,300.00)    $(56,472.00)
Cash assets      $1,431,894.00    $(33,120.00)

KPI Summary Last Six Months

Financial Report

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis, is -$168.3K, which is BETTER than the YTD 2020 budget/Z forecast of -$297.7K by $129.5K, or $74.8K BETTER than the June 2020 positive variance of $54.7K. We are now starting to see the effects noted in the Z forecast and the forecasted reduced revenue due to the loss of in-person events, which we have come to rely on.

Executive Director Report (draft)

OLD BUSINESS

Motion to investigate and update Board training

Background: Recent events have shown that the Board needs to have access and use modern Board training materials.

Motion: “It is resolved to instruct the OWASP Foundation to refresh the OWASP BoD learning material requirements. Going forward the foundation can regularly review and recommend changes to BoD learning materials. The updated materials will need to be approved by the sitting board at the time, and all current/new board members for 2021 onwards will need to take on the required learning material.”

Sponsor: Sherif Mansour Second: Grant Ongers

Motion: to change bylaws preventing Foundation funds being used to pay for Foundation memberships

Motion: “It is resolved that to address the Compliance Committee’s recommendation that Foundation funds not be used for membership and that any such paid membership (if any exists) shall constitute a non-voting membership. As this will affect the eligibility of AppSec Cali 2020 attendees who were granted membership paid by the Foundation, this amendment will be effective November 1, 2020.

Amend section 3.02 (Qualifications) by adding the following italic text:

Foundation funds should not be used to pay for membership. Foundation paid memberships of any class, from any funding source including conferences, chapters, projects, donations, etc., shall not constitute paid membership nor possess voting rights.”

Sponsor: TBA Second: TBA

Previous Doodle: https://doodle.com/poll/ua8s8qbehwcumb44 (now invalid)

NEW BUSINESS

Motion to amend or create a policy to formally adopt Robert’s Rules of Order

Motion: “The Foundation is directed to create or update any necessary bylaw or policies that govern Board meetings and any associated informative documents to state that Robert’s Rules of Order are adopted for OWASP Board Meetings and Special Meetings. Projects, Chapters, and Committees can adopt RRO for their meetings if they so choose, but it is not required by the Foundation.”

Add a new clause to Section 3:

“Section 3.1x ADOPTION OF ROBERT’S RULES OF ORDER

The rules contained in the current edition of Robert’s Rules of Order Newly Revised, or the new edition due to be published September 1, 2020, shall govern the OWASP Foundation Board meetings in all cases to which they are applicable and in which they are not inconsistent with the bylaws, and any special rules of order the Board may adopt.”

The Foundation is directed to add consistent language to all relevant Board governance policies and Board governance informational pages.

Sponsor: Owen Pendlebury Second: Sherif Mansour

Motion to formally adjourn the Special Board Meeting of August 11, 2020

Motion: “It is resolved that after technical issues cut short the Special Meeting before adjournment, the Board motions that the Special Board Meeting of August 11, 2020 is formally adjourned.”

Sponsor: Owen Pendlebury Second: Sherif Mansour

Motion to postpone AppSec Dublin

Motion: “It is resolved that in light of the uncertainties around the COVID pandemic, the Foundation is authorized to make best efforts to postpone to 2022 or cancel the contract under force majeure the Dublin event booking, for the least fees possible. If the Dublin event is postponed to 2022, Berlin will become the 2023 location for an EU based Global AppSec. A replacement virtual event may be authorized by the Board after the conclusion of the October 2020 AppSec Days Virtual event, depending on financial performance.”

Sponsor: Owen Pendlebury Second: Sherif Mansour

Motion to affirm that the Board of Directors will review and adhere to the OWASP Board Code of Conduct

Motion: “It is resolved that the OWASP Board affirms that they have previously signed, and will again review and recommit to, the requirements laid out in the OWASP Board Code of Conduct, including all sections: Code of Conduct, Board Conduct with One Another, Board Conduct with Staff, Board Conduct with the Public, Board Conduct with Other Organizations, Sanctions, Principles of Proper Conduct, and Checklist for Monitoring Conduct.”

Sponsor: Grant Ongers Second: Owen Pendlebury

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Background Commentary on Compliance Committee Ruling on Richard Greenberg vote

The Executive Director initiated a Compliance Committee ruling on the result of the Richard Greenberg vote, in part to confirm that the vote is valid (it is), and what the minutes should say (see the minutes for the special meeting), and if we need to formally adjourn the previous special meeting (we should). Additionally, this contentious vote found additional issues with our bylaws, such as we do not formally adopt the Robert’s Rules of Order (RRO), which may have changed the vote outcome slightly, but certainly would have assisted in a clean vote that the Board could have gotten behind as one.

The Compliance Committee report on this vote recommends that the Board discuss and consider adopting the following recommendations:

  • Our bylaws and policies make no mention of Robert’s Rules of Order (RRO). The manner of running our Board meetings currently does not require, nor is it necessarily consistent with, RRO, even though we have done so in the past and assumed this is the case. In my view, this led to a highly contentious vote that had irregularities under RRO, which sections 7.01 - 7.04 model. In my view, this would have led the Richard Greenberg vote to be (3-2) and thus still passed, but without all the confusion and community disquiet that resulted. I have made a motion that OWASP should adopt RRO formally in policy and bylaws for the Board.
  • No proxy voting. The State of Delaware (where OWASP was incorporated in 2004) does not permit Board proxy voting. As a result of this ruling, Martin’s proxy votes in last month’s minutes will need to be marked as “Absent” in the minutes, and he will not be considered as part of the quorum of the special meeting. As a result of removing proxy votes, no vote in the special meeting changed result. Additionally, I reviewed other votes that have occurred historically. None of those that I could find were changed as a result of this law. The Compliance Committee recommends that proxy voting be discussed by the Board, but subsequent emails suggest proxy voting cannot be added under Delaware charity law. I will ask our counsel, who are currently reviewing our bylaws, for a definitive answer on this.
  • The Board should formally adjourn the special meeting if we are adhering to RRO, for which I have made a motion above in New Business.
  • The Board should vote on whether the vote was conflicted, and what, if anything, should happen as a result. Instead, I have recommended, and several Board members agree, that we should simply move on and vote to affirm the Board’s adherence to the Board Code of Conduct.

I would strongly encourage the Board to vote on the latter motion to finally allow the issue to be put behind us, get behind the result as one, allow the community to heal, and move on to more important topics, such as OWASP’s very survival.

Introduction of two independent directors

The OWASP Board has historically been, and currently is, made up of many leaders of OWASP. No matter how impassioned they are about application security, our Directors historically do not necessarily have the independence, legal, or governance experience of US 501(c)(3) not-for-profit boards, or fully understand the legal implications of all relevant Delaware and Federal tax laws and regulations that are necessary for a Board to make sound decisions.

The Board should discuss adding two new Independent Directors to improve governance, such as legal counsel with not-for-profit expertise, a Compliance Committee member, or similar. This would raise the size of the Board to 9. The Independent Directors should be appointed by the incoming 2021 Board by the appointment process, but not necessarily be subject to the incoming changes to appointment term limits, as each incoming Board may wish to appoint the same legal counsel year on year, for example. If 9 votes is too unwieldy, a future board may want to consider reducing the number of Board seats back to 7 over time by removing 1 open Director slot per election in 2021 and 2022, whilst retaining the two Independent Directors.

Adding Independent Directors allows Directors to come from all parts of the world, a key mission goal, whilst addressing compliance or legal risks that all Directors may unknowingly take on due to their fiduciary duties as a Director, or even basic items such as making lawful motions or meeting governance such as Robert’s Rules of Order. This proposal retains the voice our community needs, but also helps improve governance of OWASP.

If this is agreeable, a motion should be drafted and brought forward to a future board meeting.

ADJOURNMENT

Staff Reports and Documents for reference

Chapters and Members (Lisa)

Honorary Membership Update. Dr Dirk Wetter and Jeremy Long were approved for honorary membership by e-vote. Only 4 people responded to the request for additional information. There are now 290 chapters. 39 chapters have been created in the last 60 days. We have 3,179 members as of 21 August 2020, a slight decrease since July.

Events (Emily & Alonna)

Events report

Sponsorship (Kelly)

Global AppSec 2020 Sponsorship Update

  • 2 new contracts waiting for the countersigned copy to be returned, totaling $20,000
  • 2 requests for invoice to be sent, totaling $7,500
  • 3 open invoices, totaling $65,000
  • 23 sold and paid, totaling $288,000
  • Grand Total: $380,500*

Additionally, I am working with 9 new companies (closely with 5 of them) who are interested but have not yet committed.

Projects (Harold) - SecureFlag will go live on Sunday, 23 August. An email announcement to our members and a social media campaign will follow.

Finance Officer Report

Hello Owen, Sherif, Vandana, Andrew and Mike. Below is the PRELIMINARY write-up for July 2020. I included the July 2020 Board summary and Summary Balance sheet as PDFs, to be put up on the website.

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for July 2020 which represents financial performance for the 6th month of Fiscal year 2020. I have included the 2020 approved budget for the first 4 months and the approved Zforecast for May, June and July. All amounts are combined with the EU and converted to USD in these reports.

One other note: while through July 2020, from a Net Income perspective, the Foundation is doing “ok” as compared to the first 4 months of the approved Budget and May, June and July of the approved Z forecast, specifically due to the efforts of Mike, Emily and the team pulling off successful “on line” events, this will not continue due to the uncertain and turbulent nature of the world, which is why the “Z” forecast, voted in at the April board meeting, is now being used for comparison purposes. This is particularly evident with the Pandemic effects, as we have noted many times: for the past 6 years the Foundation has become an events-driven organization and relies heavily on the income from them. With the Pandemic halting travel and in-person meetings, we need to be VERY cautious as to how we spend the funds of the Foundation, as revenue will most certainly trail expenses for the remainder of FY20 and possibly FY2021. Also of concern is the deferred revenue balance of $512K for events that originally were supposed to be in person (SF and Dublin) that will now be on line events. So there is some “RISK” that some of these sponsors may ask for refunds due to the events being held on line as opposed to in person as originally planned.

Income Statement:

Revenue: On an accrual basis, total revenue YTD was $1,256.3K as compared to the budget of $1,201.2K. The results are BETTER by $55.1K, with Conference income being $220.6K ahead of the 2020 budget/Z forecast, offsetting the other revenue lines that were under budget (Membership and Donations).

Expenses: Total spending YTD 2020 is LESS than budget by $74.3K due to under spending in most of the depts. (Conference expenses are over budget by $110.9K (AppSec Cali 20, 20 SnowFROC, 20 NZ Day and 20 Seasides), offset by the underspending in all depts except for Professional, due to the Trade mark legal efforts and the 2019 Audit fees.)

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis, is -$168.3K, which is BETTER than the YTD 2020 budget/Z forecast of -$297.7K by $129.5K, or $74.8K BETTER than the June 2020 positive variance of $54.7K. We are now starting to see the effects noted in the Z forecast and the forecasted reduced revenue due to the loss of in-person events, which we have come to rely on.

Chapter Funds: US bal is $829K, which is up $5K from the June 20 balance. EU Ch bal is $63K. Also, US Proj bal is $186K (which is also flat from the June 20 bal). EU Proj bal is -$9K.

POINTS of NOTE:

With regard to Operating cash, the Liabilities (AP, accrued expenses, accrued Payroll, deferred revenue for events such as AppSec EU, Lascon, AppSec US etc. that may not happen) of $615K, added to the $1,069K of Ch/Proj balances, is $1,684K, which, as compared to the $1,431.9K of cash, leaves us a Negative Oper. Cash balance of $252.1K if all the Chapters and Projects spent all their funds (I have held out the $113K of PPP federal funding, as the chance of it being forgiven is fairly high). This Oper cash deficit is $29K MORE than it was at the end of June. Also, Open AR is $177K, which is down $56K from the June balance of $233K, and which when collected would “Almost” balance out the Oper cash deficit. While we are not currently in a “cash” deficit position, we do need to be cognizant that, with the continued travel and meeting restrictions on gatherings which have severely affected our events, if we do not make some of this up with our on line offerings (SF needs to meet or exceed the current estimates), our cash position will worsen as we move through the rest of the fiscal year. I did see the email noting that AppSec Cali has been cancelled as an “in person” event. It would greatly benefit the Foundation if we were to put on a significant “online event” in its place, not only to help with our Cash flow, but, being the first event coming out of the Holidays, it could be a significant opportunity for us.

At this point in the year, with all that is going on, while we are still ahead of budget for Net Income we do need to start to focus on next year, as the effects of the Pandemic are not estimated to ease, allowing travel and in-person meetings, until the fall of 2021. To that end, we need to make sure we are providing value in our “online” events, not only for the registrants but for our sponsors as well.

I have the next board call as Tues Aug 25th 2020 and I will be attending along with Marissa Oakley, who has begun to work on the OWASP financials with me. Be safe, everyone.

Executive Director Report

The operational plan is slowly coming together, based around three themes: “Survive, Refocus on Mission, and Thrive”. I will be making a draft available in the coming weeks. As part of “Survive”, I will be ending or discouraging Foundation activities that have limited mission focus, excessive costs for the return on investment, or that are otherwise not essential activities and are neither highly visible nor used by our members. We must concentrate our efforts on executing the “Refocus on mission” theme, doing new things and getting our message out to developers and our industry, and “Thrive”, where grants, fundraising, and donations are a key goal.

I’ve asked the Board to schedule a virtual face-to-face Board meeting. I propose this to be 2 x 4-hour sessions held over consecutive days. Hopefully, by the time of the Board meeting, this will be scheduled. I look forward to seeing you all there.

I humbly request that the Board focus on strategies for the survival of OWASP and our mission. During our prep call, Sherif proposed the formation of a Board sub-committee or similar to allow the ad hoc participation of the Board, myself, and our community on strategic topics essential for OWASP’s survival. I strongly urge that this take place. I would dearly love the Board to actively discuss their vision for the future of OWASP with myself and the community, so that we can emerge from the pandemic a stronger Foundation, with deep and integrated links with developers and our industry, and a stronger brand.

The Community needs the Board to move on from all of the internally focused drama. We have a number of challenges, including community disquiet regarding Board issues, resistance to reform, push back on the policy review process, and the contents of the draft policies. I would encourage the Board to put the past behind us, and consider whether they wish to slow down or pause the policy review process, completely refactor it, or alternatively come up with a more open source mechanism for policy development. My preference is the latter. We cannot ignore that our longest-serving and most productive members and contributors are getting prepared to walk away if we get this wrong. I think it’s time to put in a pause, gather community feedback, and not just from those who are the loudest talkers, and re-establish a policy revision mechanism that both achieves reform and also satisfies our community that they had a real (and not sham) method of developing and approving it.

Regarding policy development, I am writing updated or replacement policies that can give an indication of where the Operating Plan for 2021 will go. The current set of revised policies that are causing much distress now are not meeting community expectations, and for root and branch reform of how we fund our mission, I am encouraging devolution to the Community through the Committees 2.0 process to allow the Foundation to focus entirely on survival and being the best Foundation it can be for our members, projects, chapters, and committees. However, the Community 2.0 process is flawed, has no guardrails against creating shadow boards, and provides no funding mechanism for Committees. I ask that the Board work with me to reform Committees 2.0 to allow our Community to run many of the key programs at OWASP, including a global grant program to replace the expensive and highly contentious “fake balances” that we’ve been saddled with. This will allow OWASP to scale, and for the Community to decide how and why the funds the Board makes available each year should be spent. The Foundation must be in the business of enabling more active mission, more active events, more active chapters, more active projects, and far greater outreach, rather than trying to do all of this themselves. This requires automation, which cannot be baked in if the Community fundamentally disagrees with the policies being reviewed.

  • Funding NG - root and branch reform of our finances to promote new activity on a global scale, hold those granted funds to account, including scholarships, awards, and travel, and ensure that the Community approves of and participates in the funding and fundraising. For too long, the Community has wanted to expense things that should never have been expensed, but they had no other avenue. We need a much simpler process for expenses that simply trusts but verifies with a lower limit, and a much more open grants process to allow any Leader, Member, Committee or similar to apply for mission-related funds and get it done. The grants process demands visible, time-boxed outcomes, which we can show donors, grant sources, partners, and government agencies, something the current process does not. There are many nuances, including how to permit very large chapters that need > $3k per month to run their chapters, and how sponsorship and donations will work. Some relaxing of our vendor neutrality principles will be needed to avoid having to put in extremely onerous restrictions that are holding back funding.
  • Membership NG - root and branch reform of our membership model. I want to introduce OWASP Reward Points, whereby, through actively achieving automatically measurable KPIs, members and leaders can earn complimentary membership and other rewards by doing the things that advance our mission, and to demonstrate value in being a member, even if you earned it through volunteering for us. I would like to see that active project, chapter and committee leaders are able to be rewarded for their hard work, but in return, we can measure their success. This will replace Honorary Membership and meet community expectations regarding “free” leader membership, which has been a huge source of contention. Just like a coffee card, we will need to balance this approach to ensure that the activities contain a wide variety of methods of earning points that also bring activity, positivity, and funds to the Foundation, by gamifying membership.

I do ask that the Board, per the Board of Directors Code of Conduct, after discussing a motion with passion and independence for the benefit of the Foundation you lead rather than any other interests, come together as one and support the vote once it passes.

By the time of the Board meeting, I will have investigated access to ongoing Board education. I hope to make this available to all existing Directors, Candidates, and, after the election, our new Directors. I would encourage the Board to review your induction materials, our bylaws, the OWASP Board Member Code of Conduct, and Robert’s Rules of Order. If you are missing either of your induction books, please contact Dawn for a new copy, or please expense an e-book purchase. Dawn can send you the book details if you wish to have it in electronic format. Once the new version of Robert’s Rules of Order comes out in September, I will get a physical copy sent to all Board members for their reference.

The minutes of the Special Board meeting held on August 11, 2020, had to be modified to take into account the lack of proxy voting. This did not affect the outcome of any vote. The major change is that Martin Knobloch is to be marked Absent (with apologies), and to strike his votes from the record. I will be investigating if we could introduce proxy voting, but for now, this means the minutes.

Recently, a milestone payment of $60k needed to be approved. As this was a budgeted expense in Budget Forecast Z, it was approved by the ED / Chair co-approving the payment under the Signatory Policy 2.0. These amounts were agreed in the original contract signed with the AV company, CEAVCO, back in May. This milestone downpayment allows us to open the registrations and to start the process of speaker recording. The conference budget proposes a potential income of $742,875.00, and potential expenses of $276,868.08, for a budgeted profit of $466,006.92 for AppSec Virtual. A key portion of this profit is due to the AV platform, which covers the recording and editing of speakers’ sessions, registrations, expo, training, keynotes, and the event itself.

In terms of financial risk, we have seen a number of sponsors pull out of AppSec Virtual after a poor Black Hat expo experience for many vendors. I believe our vendor expo platform is better than what I personally experienced at Black Hat. Our events team are working on ways to raise the attractiveness of visiting sponsor booths, especially as all the talks will be available to watch for a 21 day period. We are working on strategies to retain sponsors, including offering a monthly payment model to soften the blow of a huge upfront cost. I will continue to keep you informed.