February 2021 Videoconference

Meeting Details

• Date: Februrary 23, 2021
• Time: 12PM US Eastern, UTC 1700 convert
• Location: Remote
• Call-in: Zoom Meeting

Agenda

CALL TO ORDER - Attendance

Board Members

• Sherif Mansour (Chair)
• Vandana Verma Sehgal (Vice Chair)
• Grant Ongers (Treasurer)
• Bil Corry (Secretary)
• Martin Knobloch
• Owen Pendlebury
• Joubin Jabbari

Guests

• Andrew van der Stock
• Tom Pappas
• Dawn Aitken
• Emily Berman
• Harold Blankenship
• Lisa Jones
• Alonna Stock
• Kelly Santalucia

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

• Previous Meeting Minutes

Emergency Board meeting on AppSec Australia (Sunday January 31, 7 am)

Present: Martin Knobloch, Grant Ongers, Owen Pendlebury, Vandana Verma, Bil Corry, Sherif Mansour (significant communications issues)

Motion “Resolved, the Board permits the AppSec Australia organizers to run AppSec Australia as a regional event in 2021. Exemptions to policy will need to be approved on a case by case basis.”

Sponsor: Martin Knobloch Second: Grant Ongers

Martin: Yay
Grant: Yay
Owen: Yay
Vandana: Yay
Bil: Yay

Motion passes.

REPORTS

Staff reports, including Executive Director and Finance can be found after the agenda.

Organizational KPIs

KPI	            February        Delta
Members         3495            4.54%
Visitors        688,902         -21.80%
OSD SLA met     83.30%          -12.50%
NSFR SLA met    84.90%          2.85%
YTD net income  $ (31,948)      $ (48,181)
Current cash    $ 1,211,366     $ (216,857)

Finance Summary

• February Financial Package

e-Votes to read into minutes

Motion to update links and financial packages in previously approved minutes

Background: A number of meetings were held early, and we did not receive any financial packages to review. I’ve discovered that at least one of the minutes is incorrectly linked.

• Pull Request

Motion: “Resolved, that for the sake of financial transparency, the Foundation is permitted to alter the minutes from previous meetings to ensure the correct financials and recordings are included in each month, and to ensure all links are functional. Any altered minutes will be presented for review in the February 2020 general meeting.”

• Sponsor: Grant Ongers
• Second: Vandana Verma

Vote:

• e-Vote to correct financials, links in all 2020 minutes

Sherif Mansour:  Yes
Vandana Verma:   Yes
Bil Corry:       Yes
Grant Ongers:    Yes
Martin Knobloch: Yes
Owen Pendlebury: Yes
Joubin Jabbari:  Yes

Motion passes

NEW BUSINESS

Motion to approve the updated Chapter Policy

Background The Chapter policy has been completely re-written to:

• Document the current policies for the full lifecycle of a chapter for the first time, so chapters can be managed to policy, including how to create, maintain chapter leadership, revive inactive chapters, and finally decomission them
• Document the roles of the Chapter Committee and the Foundation
• Student chapters are defined for the first time, permitting chapters to exist with the assistance of at least one acadmic co-leader, and permitting multiple student chapters in a single city, which is not true of city chapters
• Regional chapters are also defined for the first time, but as “city” chapters until such time as regional chapter policy can be formalized. Defining regional chapters as city chapters allows existing active regional chapters to access expenses and other Foundation services within policy for the first time. No dormant or new regional chapters will be approved under this version of the policy.
• Expunged all unique chapter policies, differences, references of outdated policies, procedures, or chapter handbook guidance (e.g. how to host a meeting, expenses, and travel policies are all removed), and references to outdated Board resolutions and so on.
• Lastly, the chapter policy now contains a section on how sanctioned countries or sanctioned leaders are governed in case of sanctions by a country where an OWASP Foundation entity operates, which replaces ad hoc actions taken in the past. The goal is to provide consistency and certainty for members, projects, and chapters, whilst protecting the Foundation from regulatory or legal action, and to ensure that as soon as sanctions are lifted, policy allows the restoration of membership and chapters as permitted.

A key focus is on serving the needs of our members and the wider community by ensuring that dormant or inactive chapters are revived rather than disbanded.

• Revised Chapter Policy
• Revised Chapter Policy Consolidated Feedback

Motion “Resolved, the revised Chapter policy is approved, effective February 23, 2021.”

• Sponsor: Vandana Verma
• Second: Joubin Jabbari

Motion to approve the 2021 Budget

Background: Each year, the Foundation sets a budget to match its operating plan and priorities. This year is slightly different, with a survival mode budget. This budget has the lowest expectation of income and expenses for many years, with the expectation that as the vaccination rollout proceeds, life can start to get back to normal, and we might be able to exceed this budget. If that doesn’t happen, this budget has a very slim profit, and with careful stewardship of our funds throughout the year, there’s every likelihood that we will not make a loss. The major risk is events: the previous events director did not prepare a formal budget, and many of the events had to change. Therefore, we envisage there might be some ad hoc requests for event budgets to allow events to go ahead where the Foundation thinks they will be profitable. The only planned events are LASCON and AppSec Australia, both regional AppSec Days events. Lastly, this budget assumes that there will be finance reform, and therefore makes allowances for limited awards & scholarships, grants, and expenses.

Motion: “Resolved, the 2021 OWASP Foundation budget is formally approved.”

• Sponsor: Sherif Mansour
• Second: Vandana Verma

Motion to alter the signing authority of the Executive Director

Background: Currently, the Executive Director is authorized to approve a variable amount of funds each quarter without notifying or asking the Board. Although the intent was to ensure the Board was not involved in day to day operational activities, it is somewhat confusing. On more than a few occasions, our accountants have asked for approvals where none were required, and in another case, a couple of expenses were right on the limit and surprised the previous Chair and Treasurer when approved within this policy, but without providing a heads up. There are very few unbudgeted expenses of over $10,000 USD, and therefore, to enhance transparency and oversight, and to simplify the signing authority for all involved, the following signing authority limits are sought to be changed:

Change:

~The Executive Director, in conjunction with either the Board Chair or the Treasurer may jointly authorize spending on a particular transaction (including integrated or related transactions) exceeding the limits set forth below, up to the approved Quarterly Plan.~ ~- Legally binding contractual arrangements, $ 500,000~ ~- General Operational Spending (including but not limited to, payroll, expenses, and accounts payable), $ 500,000~ ~- Transferring funds between and managing OWASP bank accounts and other financial accounts $ 100,000~ ~- Grant making authority $ 100,000~ ~- Purchasing equipment and assets $ 10,000~

to

Budgeted or Discretionary per transaction (or related transactions), grant making, awards and scholarships, expense approvals, legally binding contractual arrangements, and purchasing assets:

• $0 - $10,000 Executive Director can sign and approve without second approver
• $10,000 to $250,000 Executive Director and Treasurer or Chair can sign and approve without Board approval
• $250,000 or more requires an affirmative Board vote

Signing authority:

• Transferring funds between and managing OWASP bank accounts and other financial accounts $ 250,000
• Budgeted General Operational Spending (including but not limited to, payroll, expenses, and accounts payable), $ 500,000

The intent is that any unplanned discretionary approvals still remains within 10% of the quarterly plan, so if we have a quarterly plan of $250k, the ED will continue to have a discretionary power to spend up to $25k per quarter before requiring Board approval to continue with unplanned expenses. We have used that recently for legal fees.

Motion: “Resolved, the updated limits in the Signing Authority policy are approved, and shall take effect February 23, 2021.”

• Sponsor: Grant Ongers
• Second: Vandana Verma

Motion to register WIPO trademarks

Background: OWASP’s EU trademarks are nearly completed after a lengthy dispute with an European power firm. With the decision to make trademarks one of the most important deliverable in 2021, I would like to purchase of trademarks under the Madrid WIPO mechanism. Outside of places where we have trademarks already, this would extend any registered trademark we hold in up to 123 countries, and provide the presence of our filing and registration dates of our original trademarks. In all likelihood, we would only register these marks in countries where we have done significant business in the past, or plan to do so in the future.

For more information:

• https://www.wipo.int/madrid/en/
• https://www.wipo.int/finance/en/madrid.html

I have set aside $12500 in the as yet unapproved 2021 Budget for this purpose, so passing this vote should be budget neutral, but as there might be more fees later in the year relating to legal templates and review, I would like your blessing to move forward with the registration of the following marks:

OWASP(tm)
OWASP logo
AppSec Days(tm)
Global AppSec(tm)

I believe the cost to be no more than $15k, and it might take a while for these to be granted.

Under normal times, this could easily be an operational matter: the trademark program is already approved (Feb 2019 trademark program approved, Sept 2020 - 2021 Operating Plan approved, Nov 20 - Branding Policy approved), and $15k is currently covered by my 2020 discretion limits.

Motion: “Resolved, in order to advance the priority OWASP Trademark program, the OWASP Foundation is permitted to register four key trademarks under the WIPO Madrid mechanism, with a budget to not exceed $15k USD.”

• Sponsor: Grant Ongers
• Second: Bil Corry

Motion to formalize e-votes

Background: The operation of e-votes has been informal and ad hoc, and yet supported unofficially by our existing bylaws, and used extensively by the OWASP Board. As e-votes become more important to the operation of the Board, such as passing uncontroversial consent packages, e-Votes should be formalized. The process shall be documented by the OWASP Foundation as a procedure, with the following parameters: votes shall be motioned, sponsored and seconded prior to a 7 day simultaneous discussion and e-Vote period. The Board will be encouraged to discuss before casting their vote, and may change their vote prior to the e-Vote deadline in case discussion brings to light new information. At the conclusion of the e-Vote, the Foundation shall publish the result of the e-Vote (other than sensitive executive e-Votes) and published in minutes for the next Board meeting.

Motion: “Resolved, the Board directs the OWASP Foundation to amend the bylaws within 30 days to clarify that e-Voting is explicitly permitted as follows, with a process to be documented by the OWASP Foundation, with oversight from the OWASP Board on the operation of votes and e-votes:

“Any action that may be taken by the Board of Directors at a meeting may be taken without a meeting if consent in writing, setting forth the action so to be taken, shall be agreed to before such action by a majority of the directors. Such consent can be provided by email, an electronic vote, or other mechanism as agreed upon by the Board.”

• Sponsor: Grant Ongers
• Second: Vandana Verma

Motion to permit consent packages for small bylaw changes

Small inconsequential changes should not necessarily tie up precious Board meeting time, permits the OWASP Foundation to adopt small changes to bylaws, such as spelling or grammar or small corrections, as e-vote consent packages without going through the community review process. Substantive change would continue to be addressed via the community review process.

Motion: “Resolved, the Board amends the Implementation of Bylaw or Policy Changes policy to permit and formalize the minor changes process.

“Minor changes The OWASP Foundation, in consultation with the OWASP Chair or other Board officers, is permitted to create or accept small inconsequential changes or pull requests to approved bylaws and policies. All such changes shall be reported in the agenda at the following Board meeting to provide Board oversight. The Board may request that the changes be reversed at that meeting.”

• Sponsor: Joubin Jabbari
• Second: Sherif Mansour

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Discussion of gendered language

Joubin Jabbari has prepared a pull request to amend the bylaws to eliminate gendered language, and wishes to discuss the matter with the Board to permit a vote at the March Board meeting.

• Pull request to eliminate gendered language

Education Committee presentation

I have asked the Education committee and their two projects (the Application Security Curriculum, and the How To Get into AppSec) to present their current standing and the things that they need from the Board. I’ve told them slides (no more than 3 slides, with a Where we are, Where are we going, and What do we need), and to be prepared to ask for things they want from us and to tell us the things they are going to deliver. They are putting those together as I type this… but will present them in March.

From you all; I want you to be aware that they are going to ask for money - or the ability to go after funding in the form of grants. The former appears to be impossible (at least in the budget that we’ll be talking about at this meeting), and the latter will require us to figure out how to make those things happen. There will be no vote called - nor will there be any need for decisions made - but this will start a timer for us to figure this all out. So please start those considerations now.

A process for the funding of committees and getting grants linked to outcomes from them

A discussion led by Grant Ongers in relation to the previous topic (see also the new draft Grant policy)

• Draft Grant Policy (WIP)

ADJOURNMENT

Adjournment motion

The next general Board meeting is on March 23, at 12 pm US Eastern Time.

• https://owasp.org/www-board/meetings/202103.html

“It is moved, and seconded to adjourn. Those in favor, say “aye””

Sponsor: Sherif Mansour Second: TBA

Staff Reports

Executive Director

The Board and ED have had a busy month with the second day of strategy meetings being highly successful. The outcomes from that day are still being worked upon, including the trademark issue you see above. The priorities for me this month have been:

• Finalize the 2021 Budget
• Finalizing the Finance Reform policies for public comment
• Starting up the trademark Program
• AppSec Australia and the Australian entity

The planning of AppSec Australia and the entity continue to drag on. There was an emergency Board meeting (see minutes) that returned the event to the local organizers as a regional event to provide them with more latitude than a global event. The Australian entity is required to apply for grants in the first case, and eventually to provide tax invoices for those who need it, and to ensure that our P&L for this event if it exceeds the GST limits, is handled transparently and legally. I have been chasing tax / employment lawyers, and hope to have an answer for you by the Board meeting on the type of Australian entity we need to register, if volunteers might be considered employees or contractors, and how best to manage payments to contractors / volunteers to get the event hosted. We are awaiting a budget from AppSec Australia organizers, who appear to be waiting for the entity. We will proceed in parallel, as we need the budget and exemptions as much as they wish to have an entity. I hope to have this entirely resolved by the end of February.

Lastly, Alonna is nearly due and may not be present at the March Board meeting. Alonna is a valued member of our team, and has been putting in a huge amount of effort and time to get our virtual events documented, planned, and a few have already happened, such as the inaugural Brain Break. Alonna will be taking planned maternity leave, and likely to be back in June or early July. I wish to thank Alonna for all her hard work these last few months admist all the turmoil.

Finance

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for Jan 2021 which represents financial performance for the 1st month of Fiscal year 2021. I have included the 2021 UNAPPROVED budget As a comparison until it is approved, hopefully in the Feb 21 Board meeting. I have also altered the Boards summary to match the categories that the new FY 21 budget highlights. Finally I have included a YOY Balance sheet which we will review at the Board call next week.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $44.9K as compared to the budget of $55.8K. The results are Worse by $10.9K, with Conference income being $4K ahead of the 2021 UNAPPROVED budget, as well as Membership income being $12.6K behind Budget, offsetting the other revenue lines that were under budget (Treademarks, Merch and Donations).

Expenses: Total spending YTD 2021 is LESS than budget by $11.8K due to Chapters and Conference expenses are UNDER budget by $14.9K as well as Projects and Outreach , offset by the overspending in G&A, Fundraising, EDU and WIA ( minimal overages).

Net Income/Loss: YTD 2021 Net income, on a combined Accrual basis is Negative $37.9K which is WORSE than the YTD 2021 UNAPPROVED budget of negative $31.9> by Negative $6K .

Chapter Funds: US bal is $850.1K (up $20.5K) EU Ch bal is $65.1K (Up $1K). Project Funds: US Proj bal is $197.8K (Up $15.1K). EU Proj bal is $-9K

POINTS of NOTE:

Continuing the narrative theme previous months, as of 1.31.21 our cash position was $1, 211.4K. Our avg monthly spend for operations is roughly $82K including all payroll, which is still roughly about 15 months of reserve, which is very good in the current environment. If we remove AP, PPP loan that is $209K which is just over 2.5 months of reserve taking us to an estimated 12.5 months, again a good number. Now the concern is the $1,1,104K of Ch/Proj balances (though the Proj balances are just about $188K).

The Deferred revenue, as we have recognized most of the APSEC US along with APSEC EU and Lascon, and is now $120.7K, or a little over one more month of reserve. We need to make sure that we fulfill the sponsors value proposition, so we do not lose this revenue. So through Jan 2021 we are tracking almost on budget though again we are only one month into FY21. One other note is APSEC CA has traditionally been a lucrative event, we did not hold one, so our cash balance YOY is less than Jan of 2020.

I have the next board call as Tues Feb 23rd and I will be attending along with Marissa Oakley who has begun to work on the OWASP financials with me. Be safe everyone

Chapters and Membership

• The requests coming in are to add the second leader or additional leaders with the new maximum of 5.
• Social Media and direct mail sent to promote membership in conjunction with the events occurring in February and March.

Events and Corporate Support

Brain Break

• Comedian Jeff Shaw
• Fun event that took place Feb 18
• Registrations: 107
• Sponsor: 1 (Micro Focus) paid $5000
• Profit will be available next month

Call to Battle

• 1st of the 4 series is coming up on Feb. 26
• Host: Veracode
• Sponsor: 1 ((Veracode) paid $450
• Next CtB April 9 “OWASP Juice Shop Virtual Escape Room”
• The remaining two CtB’s will be filled within the next 2 weeks. More details coming soon.

Lightning Conference

• Coming up March 15
• 1 confirmed sponsor (Invicti) & 1 sponsor contract sent (GuardSquare) waiting for signature
• Next Lightning Conference May 12 - working to find a featured speaker

2021 Virtual Training

• January hosted 2 training classes
• Selected trainers for May have been notified. Waiting for their acceptance which is due Feb 23. Once they accept, they will be posted and registration will open
• The remaining 2021 submissions are being slotted and submitters will be contacted the week of Feb. 22. The remaining virtual trainings will then be filled, posted, registration open, and promoted.
• A HUGE thank you to Bil and Grant for all your help with these!!

20th Anniversary Event

• Logo chosen
• Event website built more information will be added the week of Feb 23 https://20thanniversary.owasp.org//?utm_source=owasp-web&utm_medium=event-page&utm_campaign=none
• Call for Speakers will open the week of Feb 23
• Call for Reviewers will open the week of Feb 23
• Sponsorship opportunities will open the week of Feb 23

LASCON

• The local team received the updated venue contract this week. They are currently reviewing it before sending it to the Foundation for Andrew to sign. This has been slightly delayed due to the venue and then the unfortunate weather that has hit Texas.
• We hope to have this wrapped up and the venue contract signed by Feb. 26

AppSec Australia 2021

• Meet with Aaron from the local Australia team
• Reviewed budget line by line
• Provided suggestions where they can save money
• Shared with them which line items need to be approved by our Global BoD

*We would like to personally invite and encourage all Board Members to participate in one or more of these events.

**Your help in promoting these events https://owasp.org/events/ is greatly appreciated! :)

Operations

• Virtual - waiting for start date for the new Accounts Payable person, they are in the process of training the individual.
• Merchandise - reviewing drop ship services for OWASP merchandise. I reached out to the community to see if anyone has any experience in setting one up. (Example: company used, shipping costs, etc.)

Projects and Technology

Harold has been heavily impacted by the storm and energy disasters in Texas, and has not yet had time to provide his report. Assuming he has power, he will be on the call if the Board wishes to ask him about any current topics, otherwise, I will get a P&T report to the Board once things settle down.