March 2024 In Person Meeting Day 2

Meeting Details

  • Date: 19 March 2024
  • Time: 0900 US Eastern, 1300 UTC
  • Location: JFK Marriott, New York, NY
  • Call-in: Zoom Meeting

Agenda

CALL TO ORDER

The following members were present:

  • Avi Douglen
  • Bil Corry
  • Kevin Johnson
  • Matt Tesauro
  • Ricardo Griffith
  • Steve Springett
  • Sam Stepanyan
  • Andrew van der Stock

CONFLICT OF INTEREST AND ANTI-TRUST STATEMENT

As the Board consists of individuals from many competing organizations, OWASP and its Board shall abide by all applicable anti-trust and competition laws. To avoid any perceived or actual conflict of interest, or anti-trust concerns under US federal, state, or regulations, only the published agenda shall be discussed or voted upon, or amended as below. If there are any conflicts of interest, Board members are expected to disclose the conflict of interest and must recuse themselves from discussion and voting.

CHANGES TO THE AGENDA

Changes to the agenda - unless otherwise prohibited by anti-trust or competition laws - including adding, altering, or tabling of motions are permitted by following Robert's Rules of Order (RONR 12th Ed) 41:63, which requires an affirmative two-thirds vote.

Minutes of the OWASP Meeting on the 18th - Agenda for the 19th

“Avi reported on the discussions from the previous day, providing a comprehensive recap.”

Events 

Events - Global

Background: Our Global Events are not currently maximising their potential to reach our goals, partly because we have not defined goals for the global events. We will discuss the purpose of these events, constraints, and goals. We will try to plan an approach to recreate the global events in their own image, with the specific goals in mind. 

“In the discussion on Global Events, the group recognized that the events were not fully achieving their potential due to undefined goals and objectives. Bil opened the conversation with suggestions for potential locations across the US, Canada, Mexico, and LATAM, while also noting the challenges faced in Asia, particularly in Singapore. The importance of recording and possibly live-streaming events was agreed upon for wider access. Avi questioned the primary objectives behind these events, leading to a discussion on strategies for growth, including pricing adjustments to incentivize membership and participation. Concerns were raised by Kevin about the potential impact of recording on presentation quality. The group considered incorporating various additional activities into the events, such as corporate dinners, project showcases, and career fairs. Historical changes in event hosting from chapter-led to staff-managed were noted, alongside the need for consistent locations and quality. The conversation also touched on the potential of hybrid events, the importance of media and promotional materials from past events, and the exploration of new formats to enhance engagement.”

Action Items:

  • Develop a Reboot Plan for Global Events, considering:
      • Defined goals and objectives.
      • Suitable locations and the challenges of global diversity.
      • Pricing strategies to increase attendance and membership.
      • The format of events to include online options and ensure quality recordings.
      • Inclusion of additional activities to enrich event offerings.

“The recommendation was presented and the board deliberated on the idea to reduce the ticket price as a strategy to increase attendance. It was noted that such a measure could potentially attract additional sponsors. However, the board acknowledged the inherent risk of not recouping costs associated with this approach.

The board discussed strategies to increase event attendance and sponsorship, debating the merits of reducing ticket prices and enhancing the value proposition for sponsors. Kevin suggested higher pricing to better communicate sponsorship benefits and proposed introducing an expert, Brittany, to advise on sponsorship strategies. Avi advocated for a dynamic pricing strategy based on customer satisfaction and emphasized the importance of including students in the audience for their long-term advocacy potential. The discussion also touched on the need to evolve global AppSec events to meet changing objectives, with a focus on broadening the audience to include governmental cybersecurity leaders. The necessity of improving the attendee experience, particularly for speakers, was acknowledged, with proposals for a feedback mechanism similar to ISC2 and better preparation facilities. The board plans to direct these strategic considerations to staff for implementation, aiming for impactful changes. Sam proposed an action item to send surveys to presenters and trainers to gather feedback for future event improvements.”

Events - Location and EU

“During the discussion on event locations and strategy, Kevin suggested key attributes for board consideration, focusing on enhancing accessibility, ensuring cost-effectiveness, maintaining scalability, incorporating local personas for attractiveness, and leveraging local OWASP community support. Andrew was tasked with researching and proposing a strategy for Global AppSec Events to be held in a consistent location within each region annually, aiming for predictability and strategic alignment. This proposal requires OWASP staff to identify and recommend suitable locations for board approval, emphasizing the importance of consistency and optimal selection to meet the organization’s objectives.”

Motion on the Renaming of Global AppSec Events

Motion: Resolved, the Global AppSec Events shall be renamed according to the region, e.g. Global AppSec USA, Global AppSec EU, Global AppSec Asia.

Sponsor: Avi
Seconded by: Kevin

Vote:

  • Avi Douglen: Yes
  • Bil Corry: Yes
  • Kevin Johnson: Yes
  • Matt Tesauro: Yes
  • Ricardo Griffith: Yes
  • Steve Springett: Yes
  • Sam Stepanyan: Yes

Outcome: The motion was passed unanimously 7-0.

Presentation of European Entities

Belgium Entity

Closure of Belgium Entity

“The board announced the shutdown of the Belgium entity due to operational challenges, including the absence of essential documents like the registration certificate and Martin Knobloch’s resignation effective 21 days post-February 13, 2024, amidst concerns over Adrian Wrinkles’s eligibility due to his non-EU residency. With Knobloch as the sole bank account holder, the entity faces urgency in tax filing for 2023 and is considering transferring bookkeeping to an EU-based service amid legal requirements for local directorship. The Executive Director (ED) seeks legal advice for the closure and plans to meet with Wrinkles for a resolution, exploring legal consultation with his cousin Eddie and inquiring about document retrieval from the national bank. The effort to shut down has been active for two months, highlighting the complex nature of wrapping up operations, including fulfilling director requirements temporarily with complimentary memberships and ensuring compliance with Belgian law.”

Netherlands Entity

Discussion on Establishing a Netherlands Entity

“The board reviewed the proposition of establishing a Netherlands entity, considering U.S. bylaw resolutions, registered office costs, and solicitor advice. The entity promises VAT benefits, Euro invoicing, access to grants, facilitation of EU donations, and staffing flexibility. Despite these advantages, the board advised against forming an EU entity due to financial, tax, and strategic considerations, opting to keep the option open for future evaluation. Concerns were raised about long-term benefits and clarifications on voting requirements highlighted Andrew van der Stock’s Power of Attorney as sufficient for decisions on European entities without further board votes.”

Proposed Immediate Actions:

  • Halt all proceedings with incorporation solicitors for the entity’s formation.
  • End the agreement with Regus for office space provision.

Events - Local and Outreach

Background: Based on the previous Global Events discussion, we might want to change how we run local/regional AppSec Days events, for example encouraging and supporting them more. 

Similarly, we will discuss how we approach 3rd party conferences (e.g. RSA, Blackhat/Defcon, PyCon, Kubecon, etc.) for outreach and marketing. 

Expected outputs: 

  • Updated process for AppSec Days
  • Outreach plan for 3rd party conferences

Updated process for AppSec Days

“The board engaged in discussions about enhancing the strategy for local events to increase engagement and accessibility, focusing on lowering attendance fees to attract more supporters and developers. Avi inquired about the frequency and management of these events, with a suggestion towards staff-led initiatives for effective control. The conversation also touched upon the operational changes required to support this shift, leading to a broader discussion on the benefits of virtual events as proposed by Sam. Virtual events were recognized for their reduced administration needs, clear benefits for sponsors, and potential for significant revenue generation, alongside operational considerations such as staff time and technology recommendations like StreamVR for an enhanced experience.”

Action Items:

  • Develop a comprehensive playbook for organizing and executing virtual events, ensuring consistency and quality.
  • Research and propose a strategy for the regionalization of events to optimize their geographical distribution, assigned to Andrew.
  • Enhance marketing and promotional efforts for OWASP conferences, with a focus on improving communication, increasing membership benefits, and emphasizing education.
  • Consider operational support mechanisms like “events in a box” for facilitating local event organization by chapters.
  • Explore innovative platforms like Gather Town to enhance engagement in virtual meet-ups and educational initiatives.

Outreach plan for 3rd party conferences

“Summary of Discussion on Support Documentation for Local Volunteers

Kevin proposed creating comprehensive support documentation for local volunteers to overcome operational limitations, including artwork for banners to be locally printed for conference representation. Avi suggested the outreach community should undertake the creation and distribution of such documentation. Avi also highlighted the inefficiency in the co-marketing agreement process, advocating for its review and improvement. Sam pointed out the underlying issue of staff availability, recommending a Service Level Agreement (SLA) to set clear expectations. Further clarifications on co-marketing agreements were provided by Avi and Andrew, noting the lack of clear guidance for volunteers representing OWASP at conferences. The board agreed on the necessity to simplify procedures for easier implementation. Kevin clarified the criteria for requiring agreements based on the need for discount codes, and Avi deferred the discussion on organizational focus areas to the next meeting.”

Action Items:

  • Andrew to discuss with Dawn for clarification on procedural aspects related to conference representation and co-marketing agreements.
  • Explore the development of comprehensive support documentation for local volunteers by the outreach community.
  • Review and aim to simplify the process associated with signing co-marketing agreements.

Projects

Management of Projects Summary

“The Board discussed taking a proactive approach to project management, portfolio curation, and resource allocation, aiming to update the list of Flagship projects and establish a consistent process for updates. Andrew highlighted challenges in communicating available resources and the need for flagship projects in critical areas, proposing that the project committee identifies these gaps. Steve mentioned the response to an open letter indicating projects’ resource estimates, suggesting further review for accuracy. The successful launch of an OWASP project website and social media presence was discussed, with recommendations for systematic website infrastructure and social media support. Avi pointed out the under-utilization of available resources by projects, suggesting a lack of awareness among project leaders. A call to return to the agenda was made by Kevin to keep the meeting on track, emphasizing adherence to the scheduled timeline.”

Action Items:

  • The project committee to identify gaps in flagship projects and communicate these effectively.
  • Review the meeting recording to accurately capture projects’ resource estimates.
  • Systematically provide website infrastructure and social media support for OWASP projects.
  • Increase awareness among project leaders about available resources to ensure full utilization.

Project Funding

“The board delved into project-specific fundraising strategies, such as donations, sponsors, grants, partnerships, and commercial models, aiming to integrate these into the fundraising plan and update policies accordingly. The discussion opened with Bil suggesting a focus on supporting projects, while Avi sought clarification on support mechanisms. Kevin raised concerns about the level of control OWASP should maintain over projects, leading to recommendations for documenting procedures on benign neglect and project approval processes. A gap in communication was identified when Kevin revealed his project’s eligibility for AWS resource reimbursement was unknown to him, underscoring the need for better informing project leaders about available support. Bil noted the absence of the Projects Committee in these critical discussions. Kevin and Steve were assigned to work with the Projects Committee on proposals for funding mechanisms and support, with a plan to present their findings for board approval. Avi suggested creating a list of resources for projects to improve transparency, while Steve highlighted the committee’s role in identifying flagship projects for funding discussions.”

Action Items:

  • Collaborate with the Projects Committee to propose funding mechanisms and support structures for projects.
  • Develop a comprehensive list of available resources to support project leaders.
  • Document procedures for project approval and management concepts like benign neglect for clarity.
  • The Projects Committee to recommend flagship projects for funding discussion and allocation.

Summary of Flagship Projects List and Process Discussion

“During the discussion, several directors expressed a keen interest in the topic of Flagship projects, underlining its significance to the board’s agenda. Avi presented the current list of OWASP Flagship Projects as it appears on the OWASP website for the board’s consideration and evaluation. Steve observed that the criterion for a project being designated as a Flagship has evolved from merely reflecting its maturity to representing its strategic importance to OWASP and its overarching goals.”

Summary of Discussion on Flagship Projects and Review Process

“The meeting focused on the significance of Flagship projects, with several directors expressing their interest. Avi provided an overview of the current Flagship Projects listed on the OWASP projects page, while Steve noted that Flagship status now signifies strategic importance rather than merely project maturity. Andrew suggested delegating the review and determination of Flagship status to the Project Committee, citing the board’s limited capacity for such evaluations. Steve and Bil agreed, recognizing the Committee’s expertise. Ricardo emphasized the necessity of a clear process for reviewing Flagship status, suggesting the Project Committee recommend projects for the board to make informed funding decisions.”

Action Items:

  • Kevin and Steve to communicate the board’s decisions and the requirement for a structured review process to the Project Committee for implementation.

Summary of OWASP Projects Website, Promotion, and Cloud Resources Discussion

“During the meeting, it was noted that the OWASP Projects website provides specific instructions to assist project leaders in requesting the promotion of their projects, aiming to facilitate their navigation of promotional opportunities within the OWASP community. Andrew requested that Steve and Kevin prepare a list of projects recommended for promotion or demotion for the April 2024 Global Board Meeting, with Steve confirming their commitment to this task. Additionally, Sam proposed seeking donations of cloud resources from Google and Microsoft to support OWASP’s needs. Matt agreed with the proposal, suggesting a preliminary assessment of required resources before initiating discussions with these companies for donations.”

Projects - Funding

Addendum to Fundraising plan and needed policies

Background: In addition to general fundraising approaches discussed yesterday, we may have additional project-specific means to raise further funds to support a specific project. We will discuss this, and plan how to operationalize and support any of these that are deemed acceptable, e.g.: 

  • Donations
  • Project sponsors
  • Vendor grants 
  • Project Partnerships (OWASP Project Partners Program, aka “Harold’s Plan”)
  • Commercial profit and entities to enable this (various models) 

Expected outputs: 

  • Addendum to Fundraising plan
  • Updated policies as needed

“During the meeting, various topics surrounding OWASP projects were discussed, including the OWASP Project Partners Program, funding models, cloud resource donations, and the promotion and demotion of projects. Andrew presented the OWASP Project Partners Program, aiming to familiarize the board with its objectives and operational framework. The discussion also covered the success of certain funding models and the financial mechanism for administering project funds. Avi made inquiries about the specifics of the Partner Program, leading to suggestions for implementing different support levels within the program to accommodate various project needs.

The possibility of securing cloud resource donations from companies like Google and Microsoft was proposed by Sam, with Matt suggesting a preliminary assessment of required resources. The board deliberated on the importance of having a structured process for reviewing and determining the status of Flagship projects, with the Project Committee recommended to play a central role in this process.

Further discussions included the operationalization of DefectDojo’s funding and operations model for other OWASP projects, the challenges associated with it, and the introduction of the “Project-in-a-Box” concept by Steve for enhanced project support. Kevin proposed the creation of an open-core handbook as a guide for successful project strategies.”

Action Items and Considerations:

  • Communication back to the Project Committee about decisions and the need for structured processes.
  • Evaluation of proposed models like “Project-in-a-Box” and open-core handbook for feasibility within OWASP.
  • Consideration of policy requirements to ensure alignment with OWASP’s governance standards.
  • Exploration of cloud resource donations following a detailed assessment of needs.
  • Development of clear guidelines and criteria for project support to be voted on by the board.

Projects - Emergent Topics

“During the meeting, discussions spanned across various topics pertinent to OWASP projects, notably the OWASP Project Partners Program, diverse funding models, and potential cloud resource donations from major corporations like Google and Microsoft. Andrew led a presentation on the OWASP Project Partners Program to give the board a comprehensive understanding of its goals and operational structure. The conversation also touched upon successful funding models and the approach to managing project funds. Avi inquired about details of the Partner Program, proposing the idea of introducing various support levels to meet different project needs effectively.

Sam’s suggestion to seek cloud resource donations led to Matt’s recommendation for a thorough assessment of resource requirements. The board underscored the necessity of a formal process to review and decide on Flagship project statuses, entrusting this responsibility to the Project Committee.

Further deliberations covered adapting DefectDojo’s model for broader application within OWASP projects, facing inherent challenges, and Steve’s “Project-in-a-Box” initiative aimed at bolstering project support. Kevin’s proposition of an open-core handbook was meant to serve as a comprehensive guide for successful project execution.”

Action Items and Considerations:

  • Ensure the Project Committee is informed of decisions and understands the need for structured processes.
  • Assess the feasibility of proposed models such as “Project-in-a-Box” and the open-core handbook within the OWASP ecosystem.
  • Review policy requirements to maintain congruence with OWASP’s governance and operational standards.
  • Conduct a detailed assessment of needs for exploring cloud resource donations from Google and Microsoft.
  • Formulate and approve clear guidelines and criteria for project support, to be deliberated by the board.

ADJOURNMENT

Adjournment motion

Day 3 of the In Person Board meeting is on 20 March 2024, at 9 am US Eastern Time.

“It is moved and seconded to adjourn. Those in favor, say ‘aye’.”

Sponsor: Avi Douglen
Seconded by: Kevin Johnson