March 2024 In Person Meeting Day 3
Meeting Details
- Date: 20 March 2024
- Time: 0900 US Eastern, 1300 UTC
- Location: JFK Marriott, New York, NY
- Call-in: Zoom Meeting
Agenda
CALL TO ORDER
The following members were present:
- Avi Douglen
- Bil Corry
- Kevin Johnson
- Matt Tesauro
- Ricardo Griffith
- Steve Springett
- Sam Stepanyan
- Andrew van der Stock
CONFLICT OF INTEREST AND ANTI-TRUST STATEMENT
As the Board consists of individuals from many competing organizations, OWASP and its Board shall abide by all applicable anti-trust and competition laws. To avoid any perceived or actual conflict of interest, or anti-trust concerns under US federal or state laws or regulations, only the published agenda shall be discussed or voted upon, or amended as below. If there are any conflicts of interest, Board members are expected to disclose the conflict of interest and must recuse themselves from discussion and voting.
“Kevin disclosed his involvement in an IT certification development project, noting the opportunity for AppSec (Application Security) integration or notification within this context.”
CHANGES TO THE AGENDA
Changes to the agenda - unless otherwise prohibited by anti-trust or competition laws - including adding, altering, or tabling of motions are permitted by following Robert's Rules of Order (RONR 12th Ed) 41:63, which requires an affirmative two-thirds vote.
Recap 19th / Agenda 20th
“Avi recapped the discussions from the previous day, highlighting a list of action items that emerged from those discussions. Additionally, Avi announced a modification to the day’s schedule, opting to eliminate some sessions in order to conclude the meeting earlier than initially planned.”
Certification / Accreditation
Background: Over the years, various suggestions have been made regarding an OWASP certification programme. However, there are many ways of interpreting what such a programme might mean, including accreditation and pre-vetting, and we cannot achieve them all. This ambiguity has often muddled previous discussions, so clarity is needed regarding what specifically we mean by this. We will discuss benefits, constraints, investment cost, and operational overhead.
Expected outputs:
- Definition of intent, to later be expanded into a workplan and associated policies
“In the meeting, Sam proposed an OWASP Certified Secure Developer certification, emphasizing practical labs for developers at all levels. Ricardo sought clarification on the target demographic, which Sam defined broadly, while Avi anticipated high training demand. Previous discussions highlighted the need for a clearer certification path, and Kevin inquired about developing psychometrics, with a third party possibly involved in question creation. Steve insisted on OWASP’s final approval on questions to maintain standards. Avi proposed expanding the curriculum to include secure code design, and Kevin highlighted a potential conflict of interest with external providers, suggesting separation between exam creation and training provision. Steve queried about the syllabus, leading to Sam clarifying its inclusion in the presentation. The board contemplated formal approval of the certification concept, proposing a working group for detailed planning, with a Q4 deadline for a comprehensive proposal and a Q2 milestone for a draft. Steve suggested consulting companies like Pearson VUE for cost assessment, ensuring financial feasibility for the certification’s implementation.”
Motion for OWASP Training Provision at External Conferences and Events
Motion Proposal: The motion, “Provision of Training at External Conferences and Events by OWASP,” seeks to create policies or guidelines governing OWASP’s engagement in delivering training at conferences and events that are not hosted by OWASP itself.
Procedure Initiation by Avi: Avi has tasked Kevin with the detailed drafting of this motion, which is to be forwarded to the Secretary for official review. Subsequently, a vote on the motion will be conducted among board members who did not participate in its drafting, to ensure a fair and unbiased evaluation.
Marketing (and Advertising, and social media)
Background: We have recently engaged a marketing agency to execute our marketing plan. Now, we just need to provide them with one…
This needs to be a cohesive plan that includes branding, specific marketing material, targeted advertising, social media plan, and so on. This marketing plan needs to account for the various parts of the organization that need to be better marketed, such as:
- Membership
- Corporate supporters
- Conference attendees
- Conference sponsors
- Projects - users (individual and corporate)
- Projects - sponsors
- Etc.
Expected outputs:
- Marketing plan (or an approach to create one)
- Brief for Marketing (aka Communications) Committee
“Andrew presented a comprehensive marketing strategy to the board, focusing on enhancing OWASP’s visibility, community engagement, and member attraction through targeted marketing efforts. The strategy includes campaigns aimed at key demographics, plans to foster a more active membership, and outreach activities to gain new supporters. The presentation sparked discussions, with Ricardo inquiring about the status of specific to-do items and Andrew providing updates on their progress, including some completed last year and others ongoing, with expectations from the marketing company. Avi suggested hiring a paid intern for task completion, while Andrew emphasized quality work standards.
Steve highlighted Vinode’s interest in marketing and proposed a standardized marketing solution to simplify engagement for flagship projects, offering templates and customizable webpages. Sam introduced the idea of using case studies to demonstrate the effectiveness and broad applicability of OWASP solutions across various industries. A dialogue between Avi and Steve confirmed the potential of the “in a box” solution for chapters, underscoring its scalability and versatility. Furthermore, Sam urged board members to support marketing efforts by engaging with OWASP content on their personal social media accounts, aiming to amplify outreach and community engagement.”
Motions:
RESOLVED: Board members that work for or are paid directly or indirectly by organizations that provide services, products, or platforms that profit from or commercialize open source projects, directly or indirectly, do not have a de facto conflict of interest as long as the usage meets the requirements of the open-source license selected by the open source project. The Conflict of Interest policy shall be amended to include this clarification.
Motion Support:
First: Steve Springett
Second: Ricardo Griffith
Voting Outcome:
- Avi Douglen: Recused
- Bil Corry: Recused
- Kevin Johnson: Recused
- Matt Tesauro: Recused
- Ricardo Griffith: Yes
- Steve Springett: Yes
- Sam Stepanyan: Recused
Motion Result:
The motion was unanimously passed with a vote of 2-0.
RESOLVED: Board members that are paid directly or indirectly to perform training do not have a de facto conflict of interest with OWASP or OWASP events. The Conflict of Interest policy shall be amended to include this clarification.
Motion Support:
First:
Second:
Voting Outcome:
- Avi Douglen: Recused
- Bil Corry: Recused
- Kevin Johnson: Recused
- Matt Tesauro: Recused
- Ricardo Griffith: Yes
- Steve Springett: Yes
- Sam Stepanyan: Recused
Motion Result:
The motion was unanimously passed with a vote of 2-0.
RESOLVED: Board members that are paid, directly or indirectly, or volunteer to speak at events, both private and public, do not have a de facto conflict of interest with OWASP or OWASP events. The Conflict of Interest policy shall be amended to include this clarification.
Motion Support:
First: Bil Corry
Second: Ricardo Griffith
Voting Outcome:
- Avi Douglen: Recused
- Bil Corry: Yes
- Kevin Johnson: Recused
- Matt Tesauro: Recused
- Ricardo Griffith: Yes
- Steve Springett: Recused
- Sam Stepanyan: Abstain
Motion Result:
The motion was passed with a vote of 2-0, with one abstention.
Committees
Background: A significant part of our organizational structure is Committees; however, with a few exceptions these are not sufficiently leveraged. We will discuss the purpose, benefit, and structure of Committees, as well as required committees that do not yet exist and how to create them. We will also renew assignments of Board and Staff Liaisons to each committee.
Expected outputs:
- Committees list and Liaisons
“Avi stressed the importance of committees operating independently from the board, noting a lack of utilization and the need for more committees. He proposed an Event Committee to focus on organizing events for better community engagement. A Mindmap presented outlined the current committee structure and potential development areas. Existing committees include the OWASP Chapter, Education and Training, and Project Committees. Ricardo provided updates on committee actions since September 2023, highlighting the absence of a Funding Committee and the ineffectiveness of the Diversity, Equality, and Inclusion Committee. Discussions suggested merging closely aligned committees for efficiency, with contrasting views on which committees to merge.
The onboarding process for joining a committee was questioned, leading to a proposal for a clear policy update. Suggestions were made to enhance the Chapter Committee by involving individuals with specific expertise. Leadership emphasized focusing on strategic objectives, with a need for more resources and volunteers for the Education Committee identified to achieve its goals. Avi also highlighted the need for educating committees on their roles and creating or updating charters to define their objectives clearly. A new action item requires committee members to establish or review charters, aiming for operational clarity and effectiveness. The summary encapsulates discussions on improving committee structure, engagement, and efficiency at OWASP.”
ADJOURNMENT
Adjournment motion
The next general Board meeting is on 26 March 2024, at 12 pm US Eastern Time.
“It is moved and seconded to adjourn. Those in favor, say ‘aye’.”
Sponsor: Avi Douglen
Second: Kevin Johnson