October 2020 Board Minutes

MEETING DETAILS
AGENDA

Call to Order


Board Members

  • Owen Pendlebury
  • Sherif Mansour
  • Martin Knobloch
  • Gary Robinson
  • Grant Ongers
  • Vandana Verma (was present; amended and approved in November’s Board meeting)

Guests

  • Andrew van der Stock
  • Mike McCamon
  • Tom Pappas
  • Dawn Aitken
  • Kelly Santalucia
  • Emily Berman
  • Harold Blankenship
  • Lisa Jones (arrived at 12:37 pm)
  • various community members

Changes to the Agenda
N/A

Approval of Minutes

Chair: Are there any corrections or further corrections to the minutes?

Motion: “There being no corrections to the minutes, the minutes are approved as read. Sherif Mansour motions, Martin Knobloch seconds”


Previous Meeting Minutes


Vote:

  • Martin Knobloch - Yes
  • Owen Pendlebury - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

    Passes: 5-0

REPORTS

Organizational KPIs

KPI              October                        Delta
Members          3,230                          2.85%
Visitors         626,251                        16.72%
OSD SLA met      93.10%                         -7.41% (not a comparable month)
NSFR SLA met     65.30%                         -36.91% (not a comparable month)
YTD net income   September books not closed
Cash assets      September books not closed

KPI Summary Last Six Months

Financial Summary

As the September books are not yet closed, Tom Pappas will discuss the 2019 Audit Report with the Board.

From Tom Pappas:

We can, once we have the completed and submitted 2019 990 (it should be ready next week), put the 2019 combined financial statement report and the 2019 990 up on the website.

As has been the case for the 2013 and 2016 Audits, the 2019 Audit was no different in that we received the highest grade possible, an “unqualified” opinion from the CPAs on the Finances and Accounting of the Foundation.

What is a little different this year is we also did not receive any adjusting entries, meaning there were no issues or items worth adjusting for 2019. Also, as has been customary in our prior audits, the CPAs during their work on the 2019 Audit found no material internal control issues with the Foundation.

We should all be very proud of the “clean” outcome of our 2019 audit.

As always if anyone has any questions please let me know, but this is a true testament to the hard work of the OWASP Staff and Virtual.

Take care and be safe

Action: Staff to review password setups

Executive Director Summary

October has been a very busy month for the Foundation.

  • AppSec Virtual has been very successful, and will likely lead to more large scale platformed events in 2021 (see Events update)
  • Board Source board education was procured and the Board invited to training.
  • Legal review of our contracts, bylaws and other activities is concluding.
  • Six more policies are ready for review.
  • Trademark program has been started, and a board vote requested (see below).
  • The 2021 Budget planning cycle has started, with calls for budgets from Committees. The Board is encouraged to submit budget requests.
  • Work has started on executing the Operating Plan, particularly around expense policy reform. Town halls will be coming soon, and I encourage the Board to attend.
  • A new project management tool was procured to help drive completion and accountability for outcomes.

To leave more time for the Board to take questions from the public and to get through all the business, feel free to ask me any questions in relation to finance reform, event strategy, and the budget after this meeting, as they are due at the November Board meeting.

E-VOTES

e-Vote to formally adopt Robert’s Rules of Order, Newly Revised 12th Edition

Motion: “Resolved, the Foundation is directed to create or update any necessary bylaw or policies that govern Board meetings and any associated informative documents to state that Robert’s Rules of Order, Newly Revised (12th ed.) are adopted for OWASP Board Meetings and Special Meetings. Projects, Chapters, and Committees can adopt RONR (12th ed.) for their meetings if they so choose, but it is not required by the Foundation.”

The Board directs the Foundation to add a new clause to Section 3 of the OWASP Bylaws:

“Section 3.1x ADOPTION OF ROBERT’S RULES OF ORDER

The rules contained in the current edition of Robert’s Rules of Order Newly Revised (12th ed.) shall govern the OWASP Foundation Board and special meetings in all cases to which they are applicable and in which they are not inconsistent with the bylaws, and any special rules of order the Board may adopt.”

The Foundation is directed to add consistent language to all relevant Board governance policies and Board governance informational pages.

Sponsor: Owen Pendlebury Second: Sherif Mansour

Vote: https://doodle.com/poll/9pivsn4cc35zy2bz

  • Owen Pendlebury - Yes
  • Sherif Mansour - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Did not vote

PASSES 6-0 (1 did not vote)

e-Vote to operationalize temporary infractions of Code of Conduct

Motion: “Resolved, that the Foundation shall draw up a policy to operationalize rapid, escalating, and time limited responses to continued breaches of the OWASP Code of Conduct by participants and members. If the behavior is continuous, unlawful, or egregious, the policy should refer to and rely upon the existing bylaw governing the Board’s power to revoke membership.

The following should be added to the Code of Conduct policy to enable sanctions:

Sanctions

The Executive Director can suspend participation in OWASP for 30 days for perceived or actual breaches of the OWASP Code of Conduct or US law. Depending on the severity of the breach, the member or participant can accept the 30-day suspension, or in serious cases, the member or participant will be referred to the Compliance Committee for a decision regarding their ongoing participation or membership by the OWASP Board at the next available Board meeting.

For first time Code of Conduct breaches where no violation of US law has occurred: The member or participant can agree to comply with a temporary suspension imposed by the Executive Director of all OWASP participation for no more than 30 days. Membership will not be extended to cover the suspension.

For repeat or serious breaches of the Code of Conduct, or where a participant has been charged with a crime, the Executive Director must suspend the member, refer the matter to the Compliance Committee, who will make an independent evaluation on if the Board should strip leadership, revoke participation, or membership privileges. The period of suspension will remain in place until after the Board votes on the matter.

If the Board decides to take no action, full participation can resume immediately. If the participant is a member, their membership will be extended by the period of the suspension served.

Transparency and Oversight

To provide transparency and oversight of sanctions, the Executive Director will inform the Board privately of the actions being taken under these sanctions, informing the Compliance Committee as required, and providing recommendations from the Compliance Committee to the Board and scheduling a vote as necessary.


Sponsor: Grant Ongers Second: Richard Greenberg

Vote: https://doodle.com/poll/vwakbg36mnwqbiqu

  • Owen Pendlebury - Yes
  • Sherif Mansour - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Did not vote

PASSES 6-0 (1 did not vote)

e-Vote to grant complimentary Membership to active leaders

Background: At the special Board meeting held on September 12th, 2020, the Board had a lengthy discussion on granting complimentary Membership to active leaders. The Board decided to give complimentary Membership to active leaders and clarify honorary membership criteria after some additional debate. The Foundation cannot operationalize comprehensive complimentary Membership without automation.

Conflict of Interest Disclosure: As this Motion grants complimentary Membership to active leaders, to avoid conflicts of interest, Directors may not receive complimentary Membership during their term, and must maintain their paid Membership when it comes due. The effective date is such that it will not affect the current election, and thus Martin Knobloch is not conflicted. During the discussion, please discuss the perceived or actual conflicts of interest.

Motion: “Resolved, the Board directs the Foundation to provide automated complimentary Membership to the top 5 active leaders of chapters, projects, events, and committees, effective November 1st, 2020, and monthly after that. Honorary Membership will become an award made by the Board, and changed to be for five years in recognition of extraordinary service to the OWASP Community. Regional pricing will be made available to all classes of paid Membership.

The following bylaw amendment is required to support this change in membership model:

SECTION 4.01 Membership Classes

There shall be the following classes of OWASP members: Corporate, Individual, Complimentary, Honorary, and Student.

SECTION 4.02 Qualifications

Individual, Corporate, and Student Membership may be granted to any individual or organization that supports the Foundation’s mission and purpose, is in good standing subject to our Code of Ethics, and pays the dues as set by the Board of Directors. The Foundation may, at its discretion, offer monthly, annual, two-year, and Lifetime memberships. Regional pricing is available to all paid membership classes.

Complimentary Membership may be offered on an opt-in and automated basis to the top 5 active leaders of any chapter, project, event, or committee that supports the Foundation’s mission and purpose, is in good standing subject to our Code of Ethics, and has been in the top 5 position continuously for six months prior to applying for complimentary membership. Complimentary Membership is valid for one year. Leaders do not need to accept any offer of Complimentary Membership. Complimentary members in good standing for 12 months may stand for the Board, but if elected, must maintain good standing with paid Membership. Directors who are eligible through the above criteria must not accept Complimentary Membership during their term and must maintain good standing with paid Membership.

Honorary Membership is equivalent to Individual Membership and valid for five years. Honorary Membership shall be determined and approved solely by a majority vote of the Board of Directors for long-standing and extraordinary services to the OWASP Community.

All membership classes are eligible to vote in elections.

  • Sponsor: Sherif Mansour
  • Second: Owen Pendlebury

Vote: https://doodle.com/poll/hsakmgetm5yr8wa2

  • Owen Pendlebury - Yes
  • Sherif Mansour - Yes
  • Vandana Verma - Yes
  • Gary Robinson - Yes
  • Richard Greenberg - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes

PASSES 7-0

OLD BUSINESS

Motion to approve a new Committee policy

Background: The Committees 2.0 policy doesn’t give clear guidance on many topics, including formation, activity, expenses, programs, and fiduciary duties, and has a lot of extraneous informational text in it that properly belongs in a Committee Handbook. This policy brings the formation into line with a standing committee as documented in RONR (12th ed.) 50:7, and makes sure committees are responsible for coming up with a program of works and delivering outcomes, not just acting as an advisory board.

Motion: “It is resolved that to promote the creation of additional core committees to enumerate the powers devolved to Committees, with appropriate checks and balances to comply with legal, tax and other regulations and safeguards to protect the Foundation and Board, that the following Committee policy is approved. Existing Committees will transition to the governance model of this Committee policy. OWASP’s bylaws should be amended to allow the devolution of certain Board responsibilities and activities to committees as follows:

Change from

SECTION 5.01 Committees

Establishment. The Board of Directors may, by resolution adopted by a majority of the Directors in office, establish one or more Advisory Boards or Committees. Committees will be held to the core purpose and core values as outlined in Sections 1.02 and 1.03. Committees will be structured according to the guidelines in Policy and Procedure.

to

SECTION 5.01 Committees

Establishment. The Board of Directors may, by resolution adopted by a majority of the Directors in office, establish one or more Board sub-committees (e.g., fundraising, finance, audit, or executive), Advisory Boards, or Committees. These will be held to the core purpose and core values as outlined in Sections 1.02 and 1.03. Committees are formed and governed by the Committees Policy, and are limited to the Charter’s purpose and scope. As a Committee Charter might devolve powers currently held by the Board or the Foundation to the Committee, any such devolution to a Committee will require a 2/3rd majority vote.

Sponsor: Owen Pendlebury Second: Sherif Mansour

Vote:

  • Owen Pendlebury - Yes
  • Sherif Mansour - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes

Passes: 5-0

NEW BUSINESS

Motion to approve reviewed policies

Motion: “Resolved, that the following six reviewed policies are approved. The Foundation shall upload the approved text within 30 days of this vote to the OWASP policy website.”

Feedback for these policies has been published to the global-board list and can be found at https://owasp.org/www-staff/projects/202010-policy-review.html

Owen Pendlebury motions, Grant Ongers seconds

Vote:

  • Sherif Mansour - Yes
  • Owen Pendlebury - Yes
  • Grant Ongers - Yes
  • Martin Knobloch - Yes
  • Gary Robinson - Yes

Passes: 5-0

Motion to comply with US Government sanctions

Background: Our lawyers reviewed the recent issue with the leadership of a project after a member from a sanctioned country was accused of illegal activities, which led to them being listed on the FBI’s Most Wanted list. The lawyers advised that the OWASP Foundation, as a United States 501(c)(3) not-for-profit, has a duty to comply with US Government sanctions, which means severing relations with sanctioned countries and individuals. After an internal review, this will affect 9 members, 1 project, and 1 chapter.

Motion: “Resolved, to comply with US government sanctions, the OWASP Board directs the Foundation to revoke and refund membership dues to any sanctioned country members, disband any sanctioned country chapters, remove any sanctioned country project leadership, and communicate this decision with the community (and all affected participants). Lastly, the Board directs that the Foundation updates all relevant membership and participation policies to reject or prohibit sanctioned country involvement from October 20, 2020 onward until such time as sanctions are lifted. Sherif Mansour motions, Owen Pendlebury seconds”

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes
  • Owen Pendlebury - Yes

Passes: 5-0

Action: to revisit and review the sanctions in the future.

Motion to adopt 2/3rd majority for bylaw and policy changes

Note on 2/3rd vote. Robert’s Rules of Order gives extensive guidance on what two thirds formally means, along with numeric examples, in RONR (12th ed.) 44:3:

“A two thirds vote - when the term is unqualified - means at least two thirds of the votes cast by persons entitled to vote, excluding blanks and abstentions, at a regular or properly called meeting. For example (assuming that there are no fractions of votes):

  • If 30 votes are cast, a two thirds vote is 20
  • If 31 votes are cast, a two thirds vote is 21
  • If 32 votes are cast, a two thirds vote is 22
  • If 33 votes are cast, a two thirds vote is 22”

Based upon “recusal” = “abstention”, a board of 7, a two thirds vote would be as follows:

  • If 5 votes are cast, a two thirds vote is 4 votes
  • If 6 votes are cast, a two thirds vote is 4 votes
  • If 7 votes are cast, a two thirds vote is 5 votes

Background: Our lawyers reviewed our bylaws, and noted that our simple majority vote is not the industry standard and is too low a bar for significant organizational change. They recommend the adoption of a notice period and 2/3rd majority of the Board for changes to OWASP bylaws and policy changes. Their advice agrees with Robert’s Rules of Order, Newly Revised (12th ed.) section 57, which is used to draft the motion below:

Motion: “Resolved, the Board directs the Foundation to update section 10.01 of the OWASP bylaws to comply with RONR (12th ed.) Section 57:1, by adopting RONR (12th ed.) 56:67:

SECTION 10.01 Amendments

OWASP Bylaws and organizational policies may be amended at any regular meeting of the OWASP Board by an affirmative two thirds vote, provided that the amendment has been submitted in writing at the previous regular meeting, or a public notice is given no later than 7 days prior to the meeting.

Amendments to these bylaws and organizational policies should comply with RONR (12th ed.) 57:1-19.

Sherif Mansour motions, Owen Pendlebury seconds

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 5-0

Motion to adopt 2/3rd majority for Director and Officer removal

Note on 2/3rd vote. As set out in the note under the preceding motion (RONR (12th ed.) 44:3, treating “recusal” as “abstention”), for a Board of 7 a two thirds vote is 4 votes when 5 or 6 votes are cast, and 5 votes when 7 votes are cast.

Background: Our lawyers reviewed our bylaws, and note that section 2.04 is unworkable, as it requires a unanimous vote, potentially including the subject of the removal. They recommend adopting the industry standard 2/3rd supermajority vote for Director or Officer removal. This is detailed in RONR (12th ed.) 56:29-30.

Motion: “Resolved, the OWASP Board directs the Foundation to update bylaws section 2.04 as follows:

SECTION 2.04 Removal

Any officer, contractor, member, or director may be removed by a two thirds vote of the Board of Directors whenever, in its judgment, the best interests of the Foundation will be served thereby, but such removal shall be without prejudice to the contract rights, if any, of the person so removed. Election or appointment of an officer, agent, or director shall not of itself create contract rights, and such appointment shall be terminable at will.

Grant Ongers motions, Vandana Verma seconds

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 5-0

Subsidiary Motion to change “five years” to “Lifetime” in Complimentary Membership vote

Background: Grant had proposed that, with the introduction of complimentary annual membership for active leaders, Honorary Membership would change to become lifetime. The Complimentary Membership e-vote which passed has “five years”, but there are also a number of other references throughout bylaws, policies and operational documentation.

Subsidiary Motion: “Resolved, that Honorary Membership will become a lifetime membership awarded to no more than three members per year, on the basis of extraordinary and sustained contributions to OWASP’s mission over at least a five year period. The Board directs the Foundation to update any mentions of Honorary Membership in bylaws, policies, and operational documentation to reflect this vote. Grant Ongers motions, Owen Pendlebury seconds”

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 5-0

Discussion or vote on trademark business (Mike McCamon)

Background: In early 2019, the Executive Director along with the Board approved a plan to pursue registration of the OWASP marks including OWASP, Open Web Application Security Project, Global AppSec, and AppSec Days. As work continues to progress with registration, the following topic is an update for the Board along with authorization for the Executive Director to fully animate a trademark licensing effort with the market. The slides to be presented can be found in this PDF Presentation

Motion: “Resolved, that the Executive Director or their designee develop, implement, and manage a trademark licensing effort with organizations that provide training on OWASP projects, publishers, and event organizers as outlined by staff at the October 2020 Board Meeting. Sherif Mansour motions, Martin Knobloch seconds”

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Owen Pendlebury - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 5-0

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Chapters and Membership

  • 9/1/2020 to 10/15/2020 - 49 new Meetup OWASP Chapter groups created
  • 10/13/2020 173 New OWASP members from the Global AppSec Virtual Event
  • 14 New or Re-Opened Chapters

Events

Global AppSec 2020 - Virtual (as of October 15)

  • 1762 Total Attendees
    • 490 Full Conference (171 comps**)
    • 1055 Free
    • 39 2-part training
    • 77 4-part training
    • 20 5-part training
    • 21 CTF
  • $176,202.75 Gross Income from Ticket and Training Sales

** Speakers and Sponsor Benefits

Operations

  • Reminder to Board members to register for Board Source
  • Board Elections
    • Voting closes on October 30th
    • Results will be announced to candidates on October 31st
    • Results will be announced to the community on November 1st

Projects and Technology

  • 7 new projects in the last 60 days
  • We continue to add automation capabilities
  • Project Committee starting work on new Project Handbook
  • Exploring more items to use as ‘Services’
  • SecureFlag next steps to be determined (AWS running ~= $900USD/mo)
  • Continue improving user experience with JIRA service desk
  • Project Committee working to revamp Project Graduation requirements

Sponsorship

  • Global AppSec 2020 Virtual - Total sponsorships sold $350,857
  • Regional corporate pricing now available, actively looking for regional sponsors
  • Start-up corporate membership now available
  • 3 corporate members (possibly 4) have taken advantage of the one-time COVID relief pricing of $5k

ADJOURNMENT