September 2021 Videoconference

Meeting Details

  • Date: 28 September 2021
  • Time: 12PM US Eastern, UTC 1700 convert
  • Location: Remote
  • Call-in: Zoom Meeting

Agenda

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

Staff reports, including Executive Director and Finance, can be found after the agenda.

Organizational KPIs

KPI             September       Delta
Members         4936            250 new members (inc 118 new Lifetimes!)
Visitors        5.84M           1.74M extra page views
YTD net income  $-144K USD      -20K USD
Cash assets     $1.12M USD      +7.7K USD

KPI Summary

Finance Summary

e-Votes to read into minutes

Motion to change Honorary Lifetime Membership to Distinguished Lifetime Membership

Background: Previously, Honorary membership was self-nominated, and voted on by the Board. Honorary membership was seen as a way to obtain complimentary membership, which is now provided using self-service complimentary membership. The Board wishes to change honorary membership to recognize outstanding, extraordinary, and lengthy selfless service to the OWASP Community, and to celebrate a few outstanding individuals each year. This change elevates Honorary membership to be that honor.

Motion: “Resolved, the bylaws shall be amended to change “Honorary Lifetime Membership” to “Distinguished Lifetime Member” per the following pull request.”

  • Sponsor: Joubin Jabbari
  • Second: Vandana Verma

Sherif Mansour:     Yay
Vandana Verma:      Yay
Bil Corry:          Yay
Grant Ongers:       Yay
Martin Knobloch:    Yay
Owen Pendlebury:    No vote
Joubin Jabbari:     Yay

Vote PASSES 6/0, carried as 2/3rd majority passed the resolution for a bylaw change.

Motion to grant five Distinguished Lifetime Members

Background: OWASP’s 20th Anniversary Celebration event is fast approaching. The Board wishes to recognize individuals who have performed outstanding, extraordinary, long-standing service to the OWASP Community with Distinguished Lifetime Membership. A plaque will be granted to the awardees, and a history of their contributions written up in concert with the individuals so that OWASP’s history and key contributors can be recognized by the wider public.

Motion: “Resolved, the OWASP Board grants the following individuals Distinguished Lifetime Membership for outstanding and extensive service to the OWASP Community.

  • Mark Curphey, OWASP Founder
  • Jeff Williams, OWASP Foundation co-founder, OWASP Top 10 founder & leader for 15 years
  • Dave Wichers, OWASP Foundation co-founder, OWASP Top 10 founder & leader for 15 years
  • Matteo Meucci, OWASP early contributor and Italy chapter leader from inception
  • Fiona Collins, Long time compliance committee member”

  • Sponsor: Sherif Mansour
  • Second: Grant Ongers

Vote

Sherif Mansour:     Yay
Vandana Verma:      Yay
Bil Corry:          Yay
Grant Ongers:       Yay
Martin Knobloch:    Yay
Owen Pendlebury:    Yay
Joubin Jabbari:     Yay

NEW BUSINESS

Motion to approve Projects Policy

Background: This policy is modelled after the chapter policy, which was approved in January 2021. It documents the lifecycle of a project, and for the first time, how projects can exit OWASP if they so choose. This draft policy, in conjunction with the draft Expenses and recent Grants and Awards and Scholarships policies, replaces the old Project spending policy, which will be removed completely after this approval.

Motion: “Resolved, the revised Projects Policy is approved, effective September 28 2021.”

  • Sponsor: Sherif Mansour
  • Second: Vandana Verma

Motion to approve Events Policy

Background: The updated Events policy is part of Event reform that is necessary to allow all parts of OWASP (leaders, local and regional chapters, projects, and committees) to run events under the same policy. This policy defines Event leaders as first class leaders of OWASP, with an owasp.org email and access to complimentary membership. It also defines the separate P&L nature of events, formalizing what has always been true, but never stated before. It also defines a seed budget ($0 required during this approval) to allow bootstrapping of new events and a seed repayment schedule so that events can become self-sustaining and thus lead to new events being created. Lastly, it details how events can direct their portion of the net profits to our mission, and raises the net profit split from 40% to 80%. The new policy defines how events can formally raise exemption requests for a single event with the Board if they disagree with the policy, for the Board’s consideration. It also defines a new event type, OWASPx, which will be built by the Foundation after approval to permit members and non-profits to establish OWASP branded events in return for a brand license fee with relevant usage and quality restrictions outlined in the OWASPx program and trademark license agreement. Additionally, new, more generous trainer splits with a revised speaker agreement to reflect these splits are included for reference. These are operational and do not require Board approval, but are provided for your consideration.

Motion: “Resolved, the revised Events Policy is approved, effective September 28 2021.”

  • Sponsor: Joubin Jabbari
  • Second: Grant Ongers

Background: The bylaws and policies have quite a number of basic spelling mistakes and grammar errors. This consent package has been reviewed by Joubin and Grant, and is ready to be applied. It does not change the policies or bylaws in any appreciable way.

Motion: “Resolved, the consent package to apply spelling and grammar fixes to the bylaws and policies is approved.”

Motion to change bylaws to adopt Chapter policy

Background: The current bylaws refer to a long deprecated guideline document, as if it is adopted policy, which it is not. This change would remove the old document and also bring the naming of chapter leadership into line with our current chapter policy of not having a “local chapter board”, which is currently undefined in the bylaws and chapter policy.

Motion: “Resolved, that the Board by a two-thirds majority approves a change to the bylaws to adopt the approved Chapter policy for guidance for Chapter leadership, and to bring chapter leadership naming in line with current OWASP policy and practices.”

Change Section 5.02 from

“The chapter leader and local chapter board has to manage the local chapter according to the guidance and rules defined in the Chapter Leader Handbook.”

to

“Local chapter leadership has to manage the local chapter according to the policies defined in the latest approved Chapter Policy.”

  • Sponsor: Vandana Verma
  • Second: Joubin Jabbari

Motion to change election policy dates to nearest business day

Background: During the prep for this year’s election, the initial Call for Candidates, whilst released on time on August 15, fell on a Sunday. Not only did Dawn have to spend her Sunday working, this is not an ideal day to make a major announcement that has extensive consequences for the Board itself and may result in low numbers of potential candidates, or if applied to the vote itself, obtaining membership in time, or voting.

This motion will have the effect of announcing the Call for Candidates on a Monday if August 15 fell on a Sunday, or a Friday if August 15 falls on a Saturday, and so on. This will permit us to promote these deadlines or activities to a much wider audience than if announced on a weekend, and reduce the need for the staff to work on their days off.

Motion: “Resolved, the Board adopts the following change to the election policy to adjust dates that fall on a weekend to be the nearest business day.”

Change

“The timeline will include notices, important dates, and milestones.”

to

“On the nearest business day, the timeline will include notices, important dates, and milestones to be gazetted on the OWASP website prior to the election process starting each year.”

  • Sponsor: Sherif Mansour
  • Second: Vandana Verma

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

Adjournment motion

The next general Board meeting is on October 26, at 12 pm US Eastern Time.

“It is moved, and seconded to adjourn. Those in favor, say “aye””

  • Sponsor: Sherif Mansour
  • Second: TBA


Staff Reports

Executive Director

The 20th Anniversary has been all consuming, and so I apologize for the late staff reports, including my own. I beg forgiveness, because we are really kicking community and financial goals.

I wish to thank Kelly Santalucia, Dawn Aitken, and RMK Productions for putting on a really successful 20th Anniversary Celebration. We had around 5000 registrations, and heavy viewing throughout the 24 hours of the event. We will be doing content marketing of the videos to our members as a member benefit shortly once the videos have been edited and uploaded, and released publicly by the end of the year. I watched many of the sessions, and I was particularly affected by Mark Curphey’s keynote. I will share that video with the Board, because it marks exactly the course I’ve been navigating for OWASP, and I think he has some solid “inside but outside” counsel for the Board and the community I wish to discuss sooner than later.

In events finance news, I have signed RMK Productions for AppSec Global November 2021. The cost is similar to the 20th Anniversary and is within the budget that the Board approved last year. The signing authority changes mean that the invoices will need to be co-approved by either Grant or Sherif.

We held a Lifetime Membership drive, which has been very successful, with 118 new Lifetime Memberships, for a revenue of $45k that we have ten years to make up with new one, two and lifetime members. I think this is achievable if we stay on course with our policy and community reform, getting back to our community being deeply centered in everything we do. We have blown through our 4000 member goal set out in the September 2020 Operating Plan, with 4,936 members as of 27th September 2021. This is an increase of 1,778 new members, or an increase of 56.3% since I joined on June 29, 2020. This is without a doubt, a high water mark for OWASP membership at any point in our history.

Our finances are doing significantly better than budgeted due to the incredible support of our community, our Corporate Members and Event Sponsors, and of course our members. I wish to thank everyone deeply for their continued support of OWASP.

I think this demonstrates that getting the Foundation’s community spirit back, setting the right policies, involving the community deeply in everything we do, and stamping down hard on toxic behavior and very occasionally on specific individuals has really helped OWASP thrive. I make zero apologies for coming down hard on toxic behavior or on individuals who wish us harm, because they were killing OWASP before and actively harming our mission. Let’s be positive, let’s move forward, and build our impact for our mission. A well engaged and positive community, with leadership that doesn’t bow to the loudest negative voices, demonstrably leads to fantastic outcomes for everyone.

Lastly, it’s that time of the year again where we need to put together the 2022 budget. I will be reaching out to candidates to find out if they have any measures that will require funding, and invite successful candidates to finesse a draft so that the new Board can approve the 2022 budget as their first piece of business in the January 2022 Board meeting.

Some of the bigger issues that I would like the new Operating Plan and budget to address are:

  • An end to end customer experience review. We MUST review our business processes and fully embed our new policies in our operating procedures and automation to improve customer experience, reduce costs, improve self-service, and free up staff for high value activities. For example, wherever there is friction with our community, and it’s not a guardrail to protect the community, our core values, the OWASP Foundation or its finances, or our ability to do our mission, the friction must be removed with great vigor as it is a vampiric negative drain on community spirit, takes resources and emotional energy away from actually important activities, and diminishes the execution of our mission, which relies on the goodwill of volunteers. Unnecessary friction is the enemy of volunteerism and it must be eradicated unless there’s a very good reason for it
  • Documenting our business requirements, evaluating, and migrating to an off the shelf association management platform to improve customer experience, reduce our costs and improve productivity
  • Documenting our event business requirements, evaluating, and adopting an integrated events platform to reduce our costs and improve the productivity and customer experience of events, and to reduce the number of systems we need users to register and use
  • Formal marketing budget. We need to start planning a return to in person events, even though it doesn’t feel that way right now. As such, we need to start figuring out bulk swag, a swag policy (chapters don’t need swag to operate, but when approved, how do they get it locally, where do they get the artwork, and what will be the limits?). I want to start a retention marketing plan to ensure that we use our massive increase in membership numbers to grow the organization for organic growth, and use a marketing push for inorganic growth in the developer and AppSec Leadership personas.

Finance

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for Aug 2021 which represents financial performance through the 8th month of Fiscal year 2021. I have included the 2021 Approved budget which I have spread on a monthly basis.

I have also altered the Board summary to match the categories that the new FY 21 budget highlights.

Income Statement:

  • Revenue: On an accrual basis, total revenue, YTD was $493.2K as compared to the budget of $487.7K. The results are Better by $5.5K, with Conference, Memberships and Donations, being over budget by $28.9K and $.5K and $31.9K, respectively. While merchandise, and trademark income were a combined <$46.7K> below budget YTD. On a quarterly basis combined Actual was Lower than budget by $101.1K due to having to reclass Corp Memberships on an accrual basis to recognized Paid Corp memberships based on “earned” recognition. This will resolve itself as the year moves on, with some of the recognized revenue moving into 2022 based on the “term” of each Corp member.

  • Expenses: Total spending YTD 2021 is $639.1K which is LESS than the YTD Expense budget of $782.1K by $27K with only G&A over Budget by $14.4K due to Underbudgeting Benefits/Taxes/Insperity fee, Legal fees, Unbudgeted Professional Development. This is due to the Forgiveness of the PPP Loan of $112.7K which we received in Aug 2021 and have been able to take it as a reduction in Payroll costs.

  • Net Income/Loss: YTD 2021 Net income, on a combined Accrual basis is Negative $145.9K which is Better than the YTD 2021 APPROVED budget of negative <$294.4K> by $148.5K.

Project Funds: US bal is $221.5K, EU bal is $-13.7K.

POINTS of NOTE:

On a VERY good note we have received final confirmation that the PPP loan has been forgiven and the credit has been booked in Aug 2021.

Continuing the narrative theme from previous months, as of 8.31.21 our cash position was $1,199.9K which is UP from 7.31.21 cash bal of $1,192K. Our avg monthly spend for operations is roughly $98K including all payroll, which is still roughly about 12.2 months of reserve, which is very good in the current environment. If we remove AP which totals $27.5K (which is about a third of a month of reserve), taking us to an estimated 12 months of Oper. reserve, again a good number; if we factor in the $150K of open AR that takes us to over 13 months. If we also factor in the $200K of Projects that is roughly 2 months of Operating reserves, leaving us at the end of Aug 2021 with 11 months of Operating reserve, or holding steady to previous months. On a better note, deferred revenue is up $201K from last month at $554K for events and Corp membership that occur later in 2021, which is a little over five months of reserve.

Through Aug 2021 we are tracking better than budget by $148.5K, and we need to keep working on revenue while keeping costs down, while we are still in this no travel environment.

Chapters and Membership

  • 5 Chapters with the Chapter Committee for review. Spreadsheet as requested by the Committee.
  • Cluj leaders and I have a plan and timeframe to transition over to the Pro Meetup group.

Membership 9/24/2021 at 11:45 am EST Slack Member report.

total members: 4936    this month:528
    one: 3090    two:1048
    lifetime: 736    student:0
    complimentary: 62    honorary:0

20th Anniversary Lifetime Memberships Drive

As of 9/27/2021: 118 new, $45k revenue

    91 @ $450
    27 @ $180

Chapters

258 Chapters
14 Student Chapters
17 New Chapters created in the past 60 days.

Events and Corporate Support

No Events report due to the 20th Anniversary. If there are significant issues with Events or Corporate Support, I will inform the Board separately.

Operations

  • Global Board of Directors Election is on schedule
  • Waspy Awards are completed and announced during the 20th Anniversary
    • Outstanding Innovator - Bjoern Kimminich
    • Outstanding Community Supporter - Tanya Janca
    • Outstanding Educator - Tanya Janca
    • Outstanding Project or Project Leader - OWASP ZAP - Rick Mitchell, Ricardo Pereira

Projects and Technology

Projects

  • Project Committee working on vendor neutrality policy to present to Foundation
  • Project promotion is rebooted

Count: 229 Last 60 Days: 5

Technology

  • Refactored nightly build functions for improved reliability
  • Subscriptions modifications to fix added years