June 2020 Minutes


Call to Order


Board Members

  • Owen Pendlebury
  • Martin Knobloch
  • Richard Greenberg
  • Gary Robinson
  • Vandana Verma
  • Grant Ongers
  • Sherif Mansour (15 minutes late)

Guests

  • Mike McCamon
  • Tom Pappas
  • Dawn Aitken
  • Kelly Santalucia
  • Harold Blankenship
  • Lisa Jones
  • Various community members

Agenda


APPROVAL OF MINUTES

Previous Meeting Minutes

Motion - to approve May 2020 Board Minutes, Owen Pendlebury motions, Martin Knobloch second.

Vote

  • Martin Knobloch - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Gary Robinson - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes

Passes: 6-0

REPORTS

Organizational KPIs

  • Membership 3,158 (increase of 14 from last month)
  • Momentum: 609K visitors to website (658K compared to 2019; decrease of 7.5%). Of note, wiki traffic is now only 4.9% of all traffic.
  • Operations:
    • 85% of Service Desk tickets closed within SLA (worse from 96% last month)
    • 83% of Non-Funding tickets were closed within SLA (worse from 85% last month)
  • Money: $1.9M Cash on hand. YTD Net income is -$91K (compared to budget -$272K which is better by $179K).

Financial

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for May 2020 which represents financial performance for the 5th month of Fiscal year 2020. I have included the 2020 approved budget for the first 4 months and the approved Zforecast for May. All amounts are combined with the EU and converted to USD in these reports. This report is PRELIMINARY as we will be going through an Audit for 2019 and as is customary we will keep the books open for a few months to capture any trailing items.

One other note, while through May 2020 from a Net Income perspective, the Foundation is doing very well, specifically due to the efforts of Mike and the team pulling off the very successful “on line” event, this will not continue due to the uncertain and turbulent nature of the world, which is why the “Z” forecast, voted in at the last board meeting, will start in May 2020. This is particularly evident with the Pandemic effects, as we have noted many times for the past 6 years the Foundation has become an events driven organization and relies heavily on the income from them and with the Pandemic halting travel and in person meetings we need to be VERY cautious as to how we spend the funds of the Foundation as revenue will most certainly trail expenses for the remainder of FY20.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $1,061.2K as compared to the budget of $923.9K. The results are BETTER by $137.4K, with Conference income being $278.9K ahead of the 2020 budget, offsetting the other revenue lines that were under budget.

Expenses: Total spending YTD 2020 is LESS than budget by $42.3K due to under spending in most of the depts. (Conference expenses are over budget by $154.8K (AppSec Cali 20, 20 SnowFROC, 20 NZ Day and 20 Seasides), and offset by the underspending in all depts except for Professional due to the Trade mark legal efforts.)

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis is -$91.9K, which is BETTER than the YTD 2020 budget/Zforecast of -$271.7K by $179.7K, or $2K better than the April 2020 close.

Chapter Funds: US bal is $824K which is down $5K from the Apr 20 bal of $829K. EU Ch bal is $59.7K. Also US Proj bal is $186K (which is UP $1K from Apr 20). EU Proj bal is -$8.4K.

POINTS of NOTE:

With regard to Operating cash, the Liabilities (AP, accrued expenses, accrued Payroll, deferred revenue for events such as AppSec EU, LASCON, AppSec US etc. that may not happen) of $521K added to the $1,211K of Ch/Proj balances is $1,732K, as compared to the $1,449K of cash, leaves us a Negative Oper. Cash balance of $283K if all the Chapters and Projects spent all their funds. Also Open AR is $271K which is up $94K from the Apr balance of $177K, which would lower the Oper cash deficit if it were to all be collected.

At this point in the year, with all that is going on, while we are $179K ahead of budget for Net Income, it will not hold, which is why we approved the “Z” forecast to begin in May 2020.

Action - Tom Pappas to setup bi-weekly calls with Vandana (Treasurer).

Action - Martin Knobloch to work to remove inactive individuals from the ING bank account.

Executive Director Report

(see extended version below)

OLD BUSINESS

(1) Motion: To protect the personal safety of our community and Members during global pandemics, the OWASP Foundation and its leaders are permitted to gather or meet in-person only when in compliance with local government restrictions. Furthermore, the community is encouraged to host virtual meetings until such time when in-person gatherings are permitted.

Vote was conducted electronically on May 26-27

  • Martin Knobloch - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes
  • Richard Greenberg - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Owen Pendlebury - Yes

Passed: 7-0

Action - Dawn to add to voting history.

(2) Motion: In accordance with Section 4.02 of the OWASP Foundation Bylaws, the Board of Directors hereby grants a one year Honorary Membership effective today to Chetan Karande, Luiseduardo, Walter Martín Villalba, and Aldo Salas for having provided a benefit to the organization deserving of membership.

Motion - In accordance with Section 4.02 of the OWASP Foundation Bylaws, the Board of Directors hereby grants a one year Honorary Membership effective today to Chetan and Walter Martín Villalba for having provided a benefit to the organization deserving of membership. Owen Pendlebury motions, Richard Greenberg second.

Vote

  • Martin Knobloch - Yes
  • Gary Robinson - Yes
  • Grant Ongers - abstain
  • Richard Greenberg - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes
  • Owen Pendlebury - abstain

Passes: 5-0

Action - Staff to come up with guidelines for Honorary Membership.

(3) Update: Resolved that the OWASP Foundation approve the Community Review Process (https://owasp.org/www-policy/operational/community-review-process) and the Executive Director will form a 2020 Policy Review Team to consider Policies as found in the “Rules of Procedure” section of the Foundation’s Policies and Procedures (https://owasp.org/www-policy/).

Motion - Approve the Community Review Process. Grant Ongers motions and Vandana Verma second

Vote

  • Martin Knobloch - Yes
  • Gary Robinson - Yes
  • Richard Greenberg - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes

Passes: 7-0

(4) At the request of the Board, the events team led by Emily Berman happily shares their 12-18 month Global Event Planning Template for community review.

NEW BUSINESS

Vandana

  1. Motion: Proposal to form a Chapter Committee. Sam had proposed and circulated to the leaders list and has got the votes with no negatives.

Motion - to form a Chapter Committee based on the information Sam Stepanyan provided. Owen Pendlebury motions, Richard Greenberg seconds.

  • Potential Committee Members - staff to review eligibility
  • Sam Stepanyan, Avi Douglen, Justin Ferguson, Kyle Smith, Vlad Styran, Anant Shrivastava, John DiLeo, Haral Tsitsivas, Azzeddine Ramrami, Vandana Verma

Vote

  • Martin Knobloch - Yes
  • Gary Robinson - Yes
  • Richard Greenberg - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes

Passes: 7-0

  2. Budget Z amendments: will be discussed offline
    • Fundraising Campaign should be moved from Income development Ideas dismissed to Income Development
    • Under recommendation Page No. 8 - Certificate Program should be removed.

Richard

  1. Discuss Leaders List Moderation.
  2. Update on how the Foundation will engage global partnerships to promote OWASP and its projects.

  3. Update on content calendar with storylines, features, and paid/earned promotion.

  4. Strategies to increase value of OWASP membership.

Action - Richard Greenberg to send email to Mike.

  5. Status of LASCON and AppSec SF - tabled

Action - Board and staff to finalize decision on Global AppSec San Francisco. Mike and Emily to submit documentation for options.

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

  • OWASP and the OPEN WEB APPLICATION SECURITY PROJECT are now Registered Trademarks in the United States. A plan will be developed to implement this change for the Foundation.
  • Due to Code of Conduct violations, the OWASP Leaders List ([email protected]) has been set to Moderated Mode.
  • LASCON 2020 will not be presented as an in-person event and the venue has been cancelled. The Organizing Committee will report back to staff their plans for a virtual event.

ADJOURNMENT

Executive Director Report

The virtual AppSec Days - Summer of Security is launching on 23-Jun with 104 attendees. So while this result is below our expectations, staff did a good number of promotions to even reach this number. Apart from discounts for Members, we also offered a $100 price to Lifetime Members which seems to be pretty popular.

Kelly was successful in selling ten corporate sponsors for $50,000 of revenue. Regrettably, one sponsor did cancel citing Code of Conduct violating behavior on our leaders list.

We were unable to offer a SecureFlag CTF offering due to short timing and we’re exploring this for future classes. For the time being we intend to keep the July and August dates knowing the Foundation’s financial position and the need for revenue.

The Global AppSec SF program is complete. The Events team continues to explore options for in-person, hybrid, and virtual options. A recommendation to the board is forthcoming as our deadline to cancel the venue is in late July.

Website

Content migration by Chapters and Projects is ongoing with 91 of 284 Chapters (32%) and 90 of 154 (58%) Projects yet to migrate. Chapter page migration, along with new chapter activity can be monitored at https://owasp.org/chapters/status/

Leaders List

After several complaints of Code of Conduct violations, staff set the Leaders List ([email protected]) to Moderated mode. All new posts to that list are reviewed by staff and if there are no obvious violations, those posts are approved. Since Friday, June 19th, ~50 posts have been approved and 1 post was declined for “intentionally injuring or impugning the professional reputation or practice of colleagues, clients, or employers.” It has yet to be decided when the list will return to non-moderated.

Notable Projects

Elections: Staff is working on the 2020 Board Election milestone and timeline. Currently the plan is to open Call for Nominations on 15-August, the election starting on 1-October and ending on 15-October. The plan will be to recommend firm dates for major milestones as opposed to a varying schedule each year. “Membership Day” will be 30-September which will be the date to review the membership roster for eligible voters while also looking back to 30-September of the previous year to certify eligibility of Director candidates.

Action - Dawn to add Board Elections page to website.

Trademark: As previously shared, the USPTO has granted the Registration of OWASP and OPEN WEB APPLICATION SECURITY PROJECT to the OWASP Foundation, Inc. Over the coming months, we will be developing an implementation plan for this change.

Corporate Credit: CapitalOne, seemingly without any notice, has cancelled the MasterCard product that the Foundation uses for ongoing and travel expenses. A new solution has been secured for the Foundation through American Express.

Events Tool: A variety of enhancements were added to our Events tool including a real-time Google Sheet of registrations, more advanced handling of complimentary discounts, and refund behaviors.

Owasp.org email management automation: We have been doing the feature requirements work for an automation that will suspend owasp.org email accounts. The two conditions for suspension are (1) membership expiration, and (2) resignation of a Leader who is not a member. There is currently no ongoing process for the hygiene of our email accounts, exposing the Foundation to undue risk.

GDPR

This project is ongoing and we had hoped to launch this effort at the beginning of the month. As you may know, our primary email address has nearly 50,000 names on it. While this is impressive, unfortunately there is no record of subscriber opt-in to the list. This is a very big risk for the Foundation. We intend to have run a two-week campaign to that list requesting the opt-in for future emails from the Foundation.

Miscellaneous

  • As always, most major staff projects are all listed with milestones at https://owasp.org/www-staff/