Rules of Procedure

Chapter Handbook (draft WIP)

Draft WIP note: This old Chapter Handbook from 2017 is severely in need of an update, and is considered in draft form and informative at best. If you can, please assist the Chapter Committee with an update to remove policy statements (because they don’t belong here) and improve guidance for new and existing leaders. The update should document the lifecycle of a meeting or local event or activity, all policies and procedures must be removed to prevent confusion, and the official ones simply explained to a lay audience. All other Handbook copies other than this draft Handbook are null and void and have no standing as a handbook or policy. This is to prevent confusion whilst this guidebook is updated.

Policy directive: HANDBOOKS ARE NOT POLICY. The Chapter Handbook has never had any policy precedence, and must be considered only as guidance and leading practices. Any policy statements - outdated or not - in this handbook that conflict with current policies, restrictions, or procedures are superseded by the 2020 Chapters Policy and the Expenses and Reimbursements Policy and other published policies, such as the temporary COVID restrictions and Code of Conduct. If in any doubt, published and approved policies have always had precedence over the Handbook. The 2017 era Chapter Handbook is inoperable at best and harmful or confusing at worst, as it’s so utterly divorced from past and current practices, and completely out of synchronization with 2020 Chapters and Expenses Policy, current chapter leader practices, does not describe virtual events, nor temporary COVID restrictions, nor Foundation procedures that implement the Chapters and Expenses and other policies. When updating guidance or explaining published policies or procedures, this handbook must adhere to policy and Foundation procedures and not duplicate the policies or procedures but buttress them. Once this Handbook has been updated, the Chapter Committee will remove this statement for another that will also indicate that the Chapter Handbook is a set of best practices and guidance for Chapter leaders, and not policy.

The purpose of the OWASP Chapter Handbook is to provide chapter leaders with a central place to find information about starting a chapter, organizing a chapter meeting, handling their chapter finances, and many other topics that come up in the course of running a chapter. While there are a few hard and fast rules that chapter leaders must follow, this handbook is primarily composed of suggestions and best practices that have worked for other successful chapter leaders. That said, what works for some chapters may not work for others, and this handbook should not limit the scope of possibilities for running a strong and thriving chapter.

Chapter 1: Handbook Overview

The Purpose of OWASP Chapters

OWASP Chapters exist to raise awareness of the OWASP mission, making application security visible, at the local level. The OWASP Foundation encourages anyone with an interest in furthering the OWASP mission at the local level to either get involved in their local OWASP chapter, or if one doesn’t exist, start a new OWASP chapter. Local chapter outreach is one of the most significant ways that individuals learn about the organization and become connected to the OWASP community. Therefore, enabling local chapter leaders and volunteers to not only hold meetings, but also contribute to projects, organize training and events, and find new ways to evangelize about application security in their city or region becomes a key to the success and growth of the much larger global organization.

Chapter 2: Mandatory Chapter Rules

Organize Free and Open Meetings

Chapter meetings must be free and open for anyone to attend, regardless of whether the attendee is a paid member. All chapter-run channels of communication must be free and open, either as a matter of course, as with social media like Twitter, Facebook, and MeetUp, or through archives, as with discussion platforms like Slack, mailing lists, and Google Groups.

Hold a minimum of 4 chapter meetings or events each year

There are a variety of meeting “formats” or events that may be used to fulfill this requirement. Most chapters host a series of in-person meetings with 1-3 talks about security and time to network. Successful chapters usually supplement these types of meetings with specialty events like virtual meetings, social hours, hackathons, study groups, and contests like capture the flag. Chapters that represent an entire state, region, or country usually host a smaller number of larger events in various locations throughout their geographic range. Possibilities for meeting formats and events are nearly limitless.

Give official notice on the website and chapter mailing list

Chapter meetings must be posted on the Chapter’s page on the OWASP website, and a meeting announcement must be sent out to the OWASP mailing list ([insert discourse pg]) to notify the OWASP community of each upcoming meeting. Also, the meeting must be listed on the OWASP Global Events Calendar. All chapter social media accounts must be linked on the website page. If you are using MeetUp, chapter leaders should consider joining the Foundation’s MeetUp Pro account to take advantage of the ability to simply update the MeetUp page and have your information mirrored on the OWASP Calendar and your website page (Available in late 2017).

Abide by OWASP principles and code of ethics

The OWASP Core Purpose, Values, Principles, and Code of Ethics are posted on the About OWASP website page. Breaches of the Code of Ethics may result in the Foundation taking disciplinary action, including replacing chapter leadership or revoking membership.

Protect the privacy of the chapter’s local contacts

The privacy of chapter members and meeting attendees must be protected at all times. You should not disclose names, email addresses, or other identifying information about OWASP members or meeting attendees. Only aggregate statistics can be referenced. Sponsors should not have access to member lists; however, they may ask attendees to share contact information voluntarily, for example via submitting business cards voluntarily for a raffle.

Maintain vendor neutrality (act independently)

In order to preserve OWASP’s non-profit status and open, non-commercial principles it is important that no commercially-oriented “sales pitch” talks are given at OWASP events, be they chapter meetings or conferences. Such talks are not only against OWASP principles, they also blur the line between OWASP and commercial entities, thus diluting the OWASP brand name and agnostic status globally.

To avoid sales pitches please adhere to the following guidelines:

  • Limit discussion of meeting sponsors to 5 minutes at either the beginning or end of each chapter meeting.
  • Limit branded slides to the first slide
  • You may allow a small information booth in the room for the meeting, but it should not be placed at the sign-in table or anywhere else the attendees must pass through to get to the meeting. At the same time, it should not be so out of the way as to be useless.

Anybody that observes chapter leaders that are not following these basic rules is urged to report it to us.

Spend any Chapter funds in accordance with OWASP goals, code of ethics and principles

Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner. OWASP defines transparency as:

  • Keeping a public record of all requests for funding, who proposed the request, relevant discussions, votes around funding, and request approval/denial in a publicly accessible location. We suggest using your website page.
  • If a request for funding has been approved for one chapter or project, then it can be considered an acceptable expense for all chapters or projects which have funds to cover the expense in full.

For more rules regarding handling chapter funds, see section 4.7 on Handling Money.

Chapter Oversight

OWASP Chapters and Chapter Leaders are overseen on an operational basis by the Foundation Staff and, ultimately, the Global OWASP Board. Overall activities must comply with bylaws, policies and handbooks, and code of ethics. If the Foundation Staff or Global OWASP Board determines that an OWASP Chapter Leader has not complied with these rules, their status as an OWASP Chapter Leader may be revoked. Additionally, OWASP administrative access (including the leader’s owasp.org email address) may be immediately revoked.

Chapter Leader Perks

We know that being a Chapter Leader is a lot of work–even when your chapter has multiple leaders. As thanks for your contribution OWASP offers the following perks for every leader who has served for 6 months and hosted at least one event:

  • All chapter leaders can opt-in to Honorary Membership
  • All Chapters are provided with three passes for use by their leaders who have fulfilled the above requirements
  • At each Global AppSec Training event there will be 2 seats in each training event for leaders to have on a first-come, first-served basis.
  • Any leader who attends the in-person Leader meetings can receive a special leaders-only shirt (first-come, first-served, limited quantities)

Chapters are not mini organizations; instead, they are akin to branches. While you can develop your chapter to meet the needs of your audience and therefore have great freedom, your chapter is not an independent legal entity. Chapters cannot sign contracts, hold independent insurance, or hold funds independently of the Foundation. Chapters must abide by the code of conduct, Foundation bylaws, the Core Purpose, Core Values, and the Chapter Leader Handbook. If any of these are contradictory, please abide by the document preceding it in the above list. If you are confused, you can contact the Community Manager through email, Slack, or the contact us page.

Chapter 3: How to Start a Chapter

Start-up Information

The following information should be provided in an application (should be Chapter Request Form) to start or restart an OWASP Chapter:

  • List of the people that are founding the chapter. Each founding member must submit:
    • Statement regarding their professional background or resume, and
    • Statement of why he or she wants to be an OWASP Leader.
  • The geographical area (city) to be covered by the new chapter. Chapter names should represent the immediate city or region that is being served. It is also required that the chapter leader(s) work or live in the immediate geographical area. (should be 50 miles)
  • Acknowledgement that the founding member(s) have read, understand, and agree to the terms of the Chapter Handbook.
  • While it is not mandatory, a good understanding of English will help with communication within the OWASP global community.

Requests to start or restart an OWASP Chapter may be initiated through the Chapter Request form. If at any time you wish to leave your position as leader or add a new leader, the same form may be used by selecting “Modify Chapter Leadership” from the drop-down menu.

New Chapter Approval Process

After receiving the above information via the online form, an OWASP employee will perform a cursory check of the above items to ensure new chapter leaders are serious and understand their commitment. Upon review of the requester’s credentials and resolution of any potential conflicts, the applicant can move forward as a chapter leader. A chapter website page and Meetup group mailing list will be set up for the new leader(s) and the chapter leader(s) will be given an OWASP email account and password to operate as the administrator of the new chapter mailing list.

Chapter Naming

The format used for naming a chapter is: OWASP [Insert City, Region, or Country Name of Chapter]. For example: OWASP Austin, OWASP London, OWASP Malaysia.

It is not necessary to specify your chapter is a “local” chapter, because by definition any chapter is “local”. When registering your chapter name on LinkedIn, Meetup, Twitter, or any other social media site, this naming convention must be followed as it makes sorting and finding chapters easier. Where the Foundation owns an account with the same service, it is advisable to follow, join, or otherwise link the chapter’s account to the Foundation’s.

Geographic Area

An OWASP chapter organizes OWASP activity in a given geographical area (city). A person or a group (the “founding members”) can request to start a new chapter in a geographical area (city) not currently served by an OWASP Chapter.

One key to a successful OWASP chapter is selecting the right geographical area (city). Naturally, the geographical area (city) should not overlap with an existing chapter. OWASP chapters promote face-to-face meetings, and the geographical area (city) covered should be no more than a reasonable travel distance for a meeting. On the other hand, the area should be large enough to serve enough people who are interested in web application security and enough people to be active in the chapter.

If a chapter is to cover a regional or national area, there should be a plan in place to serve all applicable areas. For instance, both OWASP Germany and OWASP Italy serve an entire nation by hosting larger conference-like meetings in multiple cities throughout the year. In this way AppSec professionals from the entire geographic region have access. For example, it would not be acceptable to host OWASP Germany only in a single city and ignore the other regions where an OWASP Chapter is desired.

Chapter 4: Chapter Administration

OWASP.org Email Accounts

Owasp.org email accounts are provided for paid OWASP members, Chapter Leaders, and Project Leaders. If you do not have one and fall into one of these categories, submit your request through the contact us form.

It is recommended that chapter leaders use their owasp.org email account for all OWASP-related matters. There are a number of reasons for this, including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of a conflict of interest (which can arise from using a work email address for OWASP matters), and protecting your personal privacy. The email address of chapter leaders is listed both on the chapter website page (as a means of contact) and as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.

Your OWASP email account is also linked to your Google Drive account. You can use it to access or build community documents as needed.

OWASP Website

Maintaining the website is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed when looking at our list of meeting locations by geographic region, and it is one of the main ways for prospective members or sponsors to find your chapter.

Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available and accessible. Therefore it is imperative that the information is posted on your website page as soon as the meeting is set. People must not be required to pay or sign up for a service to learn about your meetings.

The local chapter website page must include at least:

  • Information about the chapter leadership, including best way to contact.
  • Link to the chapter’s mailing list. Meetup
  • Information about future and historical events.
  • The presentations given in past meetings. - I don’t think is being done

Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are useful to inform people about your local chapter and its activities; however, the OWASP Chapter website page must be the authoritative information source at all times. Some services will have an official alternative. One example of this is MeetUp Pro, which has an API that will allow you to mirror the meeting information you post on your MeetUp Pro account to your website page and the OWASP Events Calendar (Coming 2017).

If you have not already created a user account on our web site to edit your chapter’s website page, please do so. To ensure uniformity and ease of reading on the website, OWASP has a set of guidelines for designing your website page.

Local Domain Names

Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the chapter web page on the website and vice versa.

A few countries (such as China) have not been able to access the website and therefore the local domain name is used as the main source of information about OWASP for the country. If an exception is permitted, every effort must be made to announce changes to leadership and upcoming meetings on the chapter website page so that the global site information is up to date. If all else fails, you can do this by submitting a case through the Contact Us form.

Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account. To maintain brand cohesion, all domain names must be “OWASP [Chapter location]”. If additional paperwork or authorization is needed for the registration, submit your request through the Contact Us form. You must notify the Foundation through this same form if you have registered the name to help us keep track of what domain names have been purchased by OWASP.

Mailing Lists

The chapter mailing list should be used to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or AppSec-related issues.

Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed. Should a post need to be moderated, you will receive an email from your list requesting approval.

When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader’s list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.

Some other suggestions:

  • It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send emails to multiple mailing lists outside of India.
  • The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and nonsubscribers.
  • The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
  • For discussion details: see “[Owasp-leaders] Job Leads on Chapter Mailing Lists?”
  • OWASP has a Jobs Board on LinkedIn. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page visit our LinkedIn Jobs page.

Social Media

Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other AppSec-related issues. Social media used under the OWASP chapter name must abide by the OWASP Principles and Code of Ethics. Additionally, anyone who posts or moderates OWASP-branded social media must sign and abide by the Social Media Agreement.

While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account, this account login information should be shared with other members of the leadership team and with the Foundation. When new leadership takes over, the information must be handed over to the new leader(s).

Note that the chapter page on the OWASP website is the official representation of the chapter. Therefore, communication on social media platforms complements rather than replaces the website page. Chapter members cannot be required to sign up for any social media account to get access to meeting notices. Do keep any new event or activity announcements up to date on the website page, per section 4.2. It is important that any social media platform the chapter uses be openly accessible, regularly maintained and updated with accurate information. Should the chapter choose to leave a platform, it should close the social media account and alert the Foundation using the Contact Us form.

Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms – choose the forum that will be best for your geographic area and audience):

  • Delicious
  • Digg
  • Eventbrite
  • Facebook
  • Flickr
  • LinkedIn
  • MeetUp
  • Twitter

If the chapter opens an account on a service that the Foundation also uses, it is advisable that the chapter follow the Foundation account.

Organizing Your Contacts

It is recommended that each chapter have a central database (you have access to the tools to maintain this in your force portal) in which to organize their contacts and other important information. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, local affiliations (and point of contact within the organization), and sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also “Recruiting List Members.”

When using the contact database, remember to abide by our privacy rule. Member contact lists may not be distributed outside of chapter leadership.

Handling Money

Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation purpose, goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner as described in Chapter 2.

A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records. Some key guidelines about managing your chapter budget:

  • Any Chapter which has a $0 or low bank account can ask for a grant. The funding request must include specifically what you wish to spend the money on. Any amount in your chapter account will first be subtracted from the request. For example, if you ask for $100 to pay for refreshments but have $40 in your account, we may give you a grant of $60. Needing a grant does not guarantee the OWASP Foundation will provide a grant. Pre-approval is required to ensure an expense is covered, especially if there’s a chance of it exceeding a chapter’s total funds.
  • Any Chapter with more than $5,000 at the end of the year must submit a budget for the use of these monies or risk the surplus being put in the general outreach fund.
  • Some ways of using funds require prior approval (see below).
  • All discussions about using funds, requests for funds, and budgets must be linked to transparently on the chapter website or in the chapter list archives.
  • Chapters have the right to ask for large budget items from the board during the annual budget creation (Prior to November first) (see below).

Spending Guidelines

For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:

  • Meeting venue rental
  • Refreshments for a meeting
  • Promotion of a meeting
  • OWASP Merchandise

If, however, the expense does not fall under one of the above categories or is greater than $500, a second signer (another chapter leader or board member) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, some chapters still prefer to have a second signer to avoid the appearance of conflict of interest. Similarly, a donation of money out of the chapter’s account back to the Foundation requires a second signer. The exact details of the reimbursement process can be found under Reimbursement Process Details.

From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the OWASP Funding page under “Additional Resources” to see your chapter’s current funding balance. Exceptions to the guidelines can be brought to the Staff for potential approval and tracking.

Additional Expense Policies

A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented on the website with all other chapter specific policies. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public on the website with the budget.

Reimbursement Process

The recommended process for paying for chapter-related expenses is to pay for the expense out of pocket and submit the receipt through the OWASP reimbursement request form to get your money back. This is a standardized reimbursement procedure for OWASP. When your request is submitted, an authorization request will be sent to the appropriate chapter leaders for approval. You will not receive your reimbursement until the approval has been received. If in doubt whether an expense is in line with the OWASP principles, get advice from the Community Manager.

Chapter Budgets

Chapters do not hold their own money; it is held in trust for them by the OWASP Foundation. However, Chapters can track their balances using the Chapter funding totals provided on the OWASP Funding page and write a budget for the use of funds where desired. All chapters with more than $5,000 in their account by October 1st must submit a budget prior to November 1 for inclusion in the Foundation budget for the following calendar year. The budget should identify how they plan to spend the money in their account over the course of the next year. A future projection budget can be included as well for forecasted spending within the next 2 years. Unbudgeted funds may be diverted to other chapters, or Community Engagement Funding accounts if the chapter cannot be contacted or a budget is not received prior to January 1.

Separate from the aforementioned budgeting process for chapter and project accounts, any OWASP Leader can create a budget and provide it to the OWASP Board prior to November 1 for inclusion in the Foundation budget planning process. The budget will be reviewed by the Executive Director and Board and, if approved, incorporated into the overall OWASP Foundation budget for the following year. This would effectively set aside the funds to use at the appropriate period of time, in the future, with no further approvals necessary. Money that is budgeted in this manner but not spent during the calendar year would be returned to the OWASP Foundation general funds.

Money not Tracked by the Foundation

Chapter leaders cannot accept finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.

If a sponsor pays a vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.

To avoid the appearance of impropriety, direct all potential donors to the Donate button on your chapter website page or to an approved third party processor.

Charging for Events

It is against OWASP’s core values and principles to charge people to attend chapter meetings. However, a chapter may decide to charge for a training, or local conference. If your chapter is charging a fee for training, event, or conference, the registration must go through the Foundation’s account on your chosen registration platform. Learn more by using the Contact Us form.

Any event that charges an admission fee or requires more than $1000 of Foundation funds must be submitted to the OCMS System and approved by the Executive Director. To host an event, please read the How to Host a Conference page.

Insurance

The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through the Contact Us form.

(Signing) Contracts

Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please contact us for approval.

Chapter 5: Governance

Chapter Leadership

Chapter leaders serve as the main point of contact for the local chapter and are responsible for ensuring that the local chapter fulfills its requirements, including planning at least two meetings per year.

  • An Active Chapter Leader is responsive to all requests within a reasonable amount of time, generally within 5-7 business days. Chapter leaders must have their name and contact information clearly available on the Chapter website page.
  • Preferably, a chapter should have as many organizers as possible. Running a successful chapter requires concerted effort all year long, and these duties should be split between whoever is willing to volunteer to take the load. A single chapter leader has proven to be an anti-pattern for successful chapters and high performing chapters often have three or more co-organizers that meet regularly to plan. In order to promote checks and balances, there are some benefits given explicitly to chapters with multiple leaders. The most important of these is that every chapter with at least 2 leaders is given access to a minimum starting annual budget of $500. You can read more about budgets in section four.
  • Chapter Leader (or Coordinator): Every chapter must nominate a Chapter Leader, who is the central point of contact for the chapter and responsible to the OWASP Board. We suggest (but do not require) that leaders rotate every 24 months to allow for new ideas and to spread the workload. Leadership can be in the form of a few people who work by consensus, a leader with an advisory board, or, if you must, a single leader. In case of dispute over the leader role, your leadership board may rotate over the 24-month term. If there are multiple candidates and no rotation agreement, elections should be held for a 24-month term (see elections below).
  • Board: Chapters are free to decide on the number of role holders, their titles, how they are selected and for how long. In case there are multiple candidates for a specific role, and no restructuring, rotation or teaming works, elections for the role should be held for a 24-month term.
    • We recommend that a chapter also have a board with at least 3 members, each one having a specific role. Common roles:
      • Organization: Secretary, PR/Marketing, Web, Membership, Finance & Meetings/Conferences
      • Content: Education, Industry, Projects
  • Any long term change in how governance is handled must be decided either by consensus or votes. All paid or honorary members affiliated with your chapter must have sufficient notice and opportunity to take part in the discussion and decision making process. It is incumbent upon the current leaders or actors urging the change to make sure this happens. Unless otherwise stated, OWASP assumes that the leadership and chapter are governed by consensus. Any changes in this structure must be posted on the website whether it is a simple decision like “We work by consensus” and “We vote every 2 years” or a complex governance document like some of our chapters have.
  • Your chapter page must clearly identify the current leadership of the chapter or the members of the chapter board, including their phone numbers and/or email addresses. Additionally, post information on how people can get involved with the chapter planning, leadership, or decisions. What are your plans for the upcoming year? Are you looking for help with something particular? When are your elections held?

Transferring Leadership

In the course of time, a leader may want to move on and leave his/her role. While this chapter provides guidelines on the technical process to follow, we have found in the past that the actual challenge is finding the new leader, especially in chapters that lack a board. We strongly suggest that a chapter leader who wants to stop try to find a successor among the active members of the chapter. Such a process has the best chance of ensuring the continuous success of the chapter. Please let us know of your wish to leave the job and let us help you in finding a successor.

When a new leader is to be added to your team or a current leader is leaving, you must fill out the change of leadership form to complete the activity. Chapter leadership is an agreement with the OWASP Foundation to take on responsibilities as well as privileges; records of who is in what role need to be up to date.

Chapter Elections

It is always advisable to avoid elections. Running a chapter is a hard, volunteer job and sharing the load is always advisable. Since the chapter leader role structure is flexible, choosing the defined chapter structure (such as a board of leaders who work by consensus) may help to avoid elections. However, if there is a lack of agreement between chapter members on structure, roles or any other issues, an election for a role or a poll on any other subject may be required. A poll on a subject will be held if 10% of the chapter members request it. Elections for a role will be held if there are multiple candidates for a role at the end of the term for the role. Chapters that choose to hold regular or one-off elections, as well as those that are driven to elections due to disagreement, may request to use the Foundation’s Simply Voting or Surveymonkey services as their balloting system.

How should elections be held?

OWASP does not enforce any procedure for elections and polls. However, all elections must meet the OWASP core value of “Openness.” To this end, in the absence of a previously agreed upon process that is publicly accessible, all elections must be announced on the chapter mailing list and all paid and honorary members must have the opportunity to vote. When structuring an election in the absence of an established process, an agreement on procedure between candidates or suggestion makers is sufficient. If such an agreement is not reached, the following procedure should be followed:

  • The subject and options for the vote, alongside the names of the people requiring the vote, are submitted to the OWASP Foundation.
  • The OWASP Foundation will request confirmation by email from the people requiring the vote.
  • Once confirmed, the OWASP Foundation will send the ballot to the chapter members setting a deadline.
  • Once results are in, the OWASP Foundation will notify chapter members of the results.

This procedure for election heavily involves the OWASP Foundation as we feel that if the chapter cannot get to an agreement even as to how to hold elections, central intervention is required.

Chapter Bylaws

While there is no requirement for Chapters to have their own bylaws or recommended template, if you do create bylaws, you should incorporate the following information as it applies in your country or region:

  • The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
  • Reference to the OWASP Foundation Bylaws, the primary governing document for the OWASP, as well as this Handbook. Where there is conflict between chapter bylaws and the Foundation’s bylaws or handbook the Foundation’s Bylaws and Handbooks take precedence. Should any Handbook conflict with the Foundation’s Bylaws, the Bylaws take precedence.

Chapter by-laws that currently exist have been posted in one central place on the website - https://www.owasp.org/index.php/Local_Chapter_ByLaws. If your chapter has by-laws already or adopts by-laws in the future, please post them to the website on the Local Chapter ByLaws page, or submit them through the contact us form.

While local chapters operate, for the most part, independently from the OWASP Foundation, they are not stand alone legal entities. Local OWASP Chapters are essentially small local “arms” or “branches” of the OWASP Foundation and must abide by any legal and financial duties or responsibilities imposed on the OWASP Foundation. Furthermore, local chapters and chapter leaders are governed by the OWASP Foundation through the Executive Director and the Global OWASP Board.

Disputes

When there is a problem at the local level, at what point does the global organization step in? Chapters are encouraged to handle disputes locally, within their own governance structures. However, what should a chapter leader (or other community member) do if there appears to be a violation of OWASP principles or ethics? Or what if someone feels that the chapter leader him or herself is not following the handbook?

If you feel that a chapter leader is not acting in accordance with the chapter handbook, please follow the following hierarchy in escalating your concern:

  • Bring your concern to the attention of the chapter leader or chapter board. If possible, make an attempt to handle the issue locally.
  • If you are unable to resolve at the local level, please contact the Community Manager through the contact us form.
  • If the Community Manager is not able to handle your concern or you would like to challenge the feedback/decision of the Community Manager, the concern can be raised with the Global OWASP Board.
  • If you feel a Code of Ethics violation has occurred, you may review the Whistleblower Policy for instructions on how to file a complaint.

Chapter 6: Chapter Activity

Chapter Activity Requirements

Chapters must hold at least 4 meetings per year. Virtual meetings held via GotoMeeting or another online forum do count towards this activity requirement as long as the event is free and open to attendees.

Inactive Chapters

A chapter will be tagged as inactive if it has not hosted a meeting or event in over a year. Additionally, any chapter leaders will be removed from their position.

If a leader has abandoned their chapter (left without finding a replacement leader) and no one has stepped up to take on the role, the chapter may also be tagged as inactive.

Reporting an inactive chapter - If you think a chapter is inactive and are interested in helping out, we recommend reaching out to the chapter leader or board listed on the chapter’s website page as a starting point. They may welcome you to take over the reins or let you know the status of the chapter.

Every effort will be made to reach out to the chapter leader before a chapter is marked inactive. Chapter leaders will be given seven days to respond before the chapter is marked inactive.

If a chapter appears to be inactive, or in danger of becoming inactive, and the chapter leader is unresponsive or unwilling to accept support, please report it to us via the contact form so that we can follow up. If you feel the current leadership is not performing up to OWASP standards or have other concerns about chapter leadership, refer to Section 5.6: Disputes for resolution procedures. Confidentiality will be maintained where possible.

Restarting an Inactive Chapter

The process for restarting an inactive chapter is the same as starting a new chapter. Instead of a new website page and mailing list being created, however, the new chapter leader will be listed on the existing website page and given administrative access to the mailing list.

Call for Help

Don’t be afraid to ask for help. Many chapter leaders have been in a situation where they wish they had more guidance on raising money, finding venues, finding speakers, attracting more members, and even handling conflicts within the chapters. Many OWASP chapters have set up regional lists to facilitate communication with leaders in their close vicinity or regarding local issues.

Also, the OWASP Operational Team is available to support chapters and help generate solutions. They can be reached through the contact us form. The OWASP Community Manager has a wealth of knowledge and resources available for your assistance.

Chapter 7: Organizing Chapter Meetings

Meeting Formula

There are a variety of meeting formulas that have been used by existing local chapters; the most traditional of which is an evening speaker meeting. For this type of meeting, the chapter leader will organize one or more speakers to present on one or more topics in a lecture or question & answer format. Needless to say, chapters have adapted this formula in many ways to suit their members or geographic area. Meetings have been organized over breakfast, lunch, or dinner as well as at a bar having a conversation over drinks. Some chapters serve food during the meeting or after the meeting on site, others will invite meeting attendees to a cafe, bar, or restaurant nearby for food and drinks after the meeting. Meetings have been organized as social or networking events, roundtables, panel discussions, or even as a remote presentation.

Chapter leaders are encouraged to try a variety of formats to determine what will be the most successful for their audience and area. Also, it may work best to have a variety of formats throughout the year depending on the speaker and meeting space availability.

Virtual meetings may not be ideal to encourage networking and community building within your local chapter, but they are certainly a good alternative when the chapter is not able to find a venue or is having trouble bringing in a speaker. OWASP has a GotoMeeting account already available for chapter leaders (paid by the Foundation and provided for free for the chapters). If you would like to set up a meeting or obtain the GotoMeeting login credentials, contact us.

Before - Planning the Meeting

In order of importance, these are the key pieces to holding a chapter meeting:

  1. Great speakers / topics
  2. Venue
  3. Date
  4. Promotion

While the order of importance has been debated by chapter leaders, the general consensus appears above. Additional pieces (discussed more below) that some chapter leaders have said are “key” in their regions: sponsors and attendees. The list above is meant to be a starting place and a list of essential items for planning your meeting; it is assumed that once you have these items in place people will attend the meeting and sponsorship will follow thereafter.

Getting a Speaker

OWASP chapters are encouraged to get local speakers. Your chapter may also use international speakers, but you will quickly need funds to cover travel costs if the speakers cannot pay for the travel themselves.

One technique for bringing in international speakers is to coordinate your meeting with another event that the speaker may be attending or speaking at nearby. The intended speaker may be willing to arrive early or extend their trip by a day or two to speak at your local meeting.

Also, the OWASP Speakers Project is available to help local chapters or application security conferences to find OWASP related speakers.

If you have found an international speaker who is not able to pay for the travel themselves, and your chapter does not have the funds to cover the travel costs, you may be able to apply for “OWASP on the Move” funds (outlined below).

Speaker Agreement

Many chapters do not have every speaker sign the OWASP Speaker Agreement as part of their agreement or confirmation for the event. However, if you think OWASP values and principles may be an issue or are concerned that the speaker does not understand the terms of the arrangement, you may consider sending them the OWASP Speaker Agreement.

Meeting Venue

There are an infinite number of possibilities for a meeting location - local college, business, library, or even a restaurant or pub. Plan as far in advance as possible - good meeting spaces are often available at little or no cost (local colleges and universities are often willing to give meeting space for free), but they fill up quickly.

Also, it is important to consider accessibility when looking at locations: Where will the attendees park? What is the average travel time for attendees? Is there a security checkpoint? What happens if attendees have not pre-registered, can they still attend? Can you serve food at this location?

While having a permanent or stable meeting location for your chapter meetings may be convenient for planning, it is also important to consider any conflict of interest (or appearance of conflict of interest) your meeting venue may convey. For example: vendor neutrality is one of the core values of OWASP, but this doesn’t necessarily mean that a vendor cannot host a local chapter meeting. As long as the meeting is free and open and doesn’t violate other OWASP principles, a vendor’s office space may be a great location to hold a meeting. That being said, holding every meeting at this vendor’s office to the exclusion of other available and willing venues, may give an appearance of impropriety.

Setting a Date and Time

Most OWASP meetings are currently held during the week (Monday through Friday). Additionally, while meetings have traditionally been held in the evening, an increasing number of local chapters have found success in hosting breakfast (early morning) or lunch events.

When setting your meeting date and time, be sure to consider:

  • Will your anticipated venue be available?
  • Will you be able to find a speaker for this date and time (many chapters will book the speaker first and then choose a date and time that works for him or her)?
  • Have you allowed sufficient travel time for attendees that are coming from work?
  • Are there any local or regional events or holidays that will conflict?

Posting Meeting Info on the Wiki

General information about what should be on a chapter’s website page can be found under “administration” below. As soon as you know the time, date, and location of your meeting, be sure to post it to your chapter’s website page. Additionally, most chapters post information about the upcoming meeting such as: meeting agenda, speaker background, summary of the topic(s) to be covered by the speaker/meeting.

Catering

Many chapters provide food or refreshments before, during, or after their meeting. This is not a necessity for a chapter meeting, but something extra you might consider if you have the funds in your chapter account or are able to get a sponsor to cover costs (or provide food directly). It is also possible for meeting attendees to split the cost if they want food at the meeting; however, no one can be excluded from a meeting based on their ability or willingness to pay for food. Meetings must remain free and open.

If you need to decide on the amount of food ahead of time, line up the refreshment logistics based on RSVP’d attendees.

Sponsors & Affiliates

In order to organize events, an OWASP chapter often needs to find sponsors. These sponsors may provide meeting facilities, refreshments, etc. While sponsorship is good, it is important to avoid the commercialization pitfalls that may accompany it. The following is specifically prohibited:

  • Providing sponsors with a list of people registering for or attending any event. This might even be illegal in certain countries due to privacy laws. The sponsor can collect leads itself, for example by offering a prize for people providing contact details.
  • Providing the sponsor with a commercial or product centric presentation slot.

So what can sponsors get?

  • Many thanks, and hopefully a very good feeling of helping the community.
  • A table top style mini booth where they can put up a “roll up” poster or two and hand out their brochures and freebies. This might not be possible in certain meeting facilities.
  • Logo on the local chapter or event page.
  • All of the OWASP sponsorship options are detailed on the OWASP Sponsors page.

At the local level there are options for both Local Chapter Supporters (90/10 split with the Foundation, 90% directly supporting the local chapter) as well as Single Meeting Supporters.

Meeting Promotion

Here are some tips that chapter leaders can use to promote their meeting (and increase meeting attendance):

  • At a minimum, the date, time, location, speaker, and topic should be listed on your chapter’s website page and an email announcement sent out to your chapter’s mailing list.
  • When sending out direct meeting invitations, use Google Calendar invites through your @owasp.org email account. General email assumes that people will read it in a timely manner and will remember to place it onto their calendar. By using Google Calendar invitations, this task is done for them.
  • Make sure that your upcoming meeting is broadcast through a variety of channels. In addition to posting the meeting to your chapter’s website page and mailing list, consider blogging or tweeting about it, as well as posting it on social networking sites such as LinkedIn, Facebook, Meetup, and myowasp.
  • Post your event to sites such as Yahoo Events and partner with other user groups to cross-market (i.e. ISSA, .Net SIG, Java SIG, SIM, DAMA).
  • Acknowledge the fact that even if people cannot physically attend, they may be able to participate remotely.
  • Many people are tired and hungry, especially after a long day at work. While you cannot cure tiredness, you can at least try to feed your attendees. Pizza is cheap and it is relatively easy to find a sponsor.
  • Make sure the topics you choose are broadly applicable and not just targeted at one group (i.e. penetration testers, software developers). Part of making web application security visible requires you to choose (or solicit) speakers that appeal to IT executives, enterprise architects, business analysts, legal and compliance, etc. If a particular group does happen to be the “target audience” at a meeting, try to change things up for your next meeting.

RSVPs

Posting your meeting on the chapter’s website page and emailing an announcement to the chapter’s mailing list are the prime methods of letting people know about OWASP meetings. Some other useful methods are:

  • Ask your speakers to send invites to their circle.
  • Ask people on the list to forward to people in their organization.
  • Use your own personal contacts. Since OWASP is not a commercial organization, this is usually acceptable to your business contacts. Again, this might actually help you keep in touch with them.

Meeting invitations/announcements should contain a request to forward it to other interested parties.

You might also want to use event invites instead of e-mail messages. These services provide different advantages such as integration with the attendee calendar and RSVP management, but on the other hand might seem more commercial and obtrusive.

You can send event invites using the following tools:

  • Meetup
  • Direct calendar invites: one can do that using a dedicated Google calendar account.
  • The tool most used by OWASP chapters is: Eventbrite, which is free for non-profits.
  • Others use: Meetup, which while not free is priced very low.
  • Yet others use a meeting Doodle.
  • You can always just use spreadsheets to track the individuals that reply to your email invitations.

Note! Whatever tool you use, personally responding to each person who has RSVPed greatly increases the rate of people who actually attend. Just write back “Great! See you in the meeting” or whatever fits your local culture and is short.

OWASP Merchandise

The OWASP Foundation can provide you with OWASP books, shirts, pens, lanyards, flyers, or other materials that you might need to jump-start your next meeting. The cost of these items will be billed to your local chapter. If you would like OWASP Merchandise for your meeting or local event, but do not have the funds to cover it, you may request that the costs be covered by the Global Chapters Committee. Requests can be submitted through the OWASP Merchandise Request Form. Rocksports has also set up an OWASP Storefront to show items they have available and many OWASP books have been made available through Lulu.

PPT Template

You may want to send your speakers a PowerPoint template to use for their presentations.

Screening Presentations

In order to ensure that presentations remain vendor neutral and don’t turn into platforms for a sales pitch, it is recommended that you screen the presentations before the meeting. This may also be a good time to remind your speaker about the terms of the Speaker Agreement (or make sure they understand what is expected of them).

Remote Participation

The OWASP Foundation has an account with Zoom that is free for chapters to use. As soon as you have scheduled the meeting date and time, the remote participation can also be scheduled so you can include details on your chapter’s website page, meetup, and/or in your emails.

Speaker Gifts

Although it is not necessary, giving speakers a small token of appreciation such as an OWASP t-shirt, mug, or pen set is encouraged.

Communication

The following is a recommended communication schedule for notifying members about an upcoming meeting:

  • Three weeks before the meeting - send meeting invitations and make sure meeting information has been posted to your chapter’s website page.
  • One week before the meeting - send reminders about the meeting to your mailing list and through other social media (LinkedIn, Facebook, Twitter, etc.)
  • Upon registration and again one day before the meeting - send confirmation to people that have signed up to attend the meeting.

During the Meeting

Meeting Set-Up

Arrive early! Ensure that everything for the meeting space is set up before the first attendees will be arriving. Here are a few things you may need to set up or prepare:

  • Registration & badges (if any)
  • OWASP merchandise and signs including banner
  • Remote participation
  • Sponsor booths/tables
  • Catering - Will food or beverages be served before, during, or after your event? Where will the food be located? Who is providing the food? Will someone need to meet the delivery person at the front door of the building?
  • Equipment - projector, sound system, and any special items that may have been requested by the speaker(s)

Video Recording

If you have the equipment, you may want to consider recording a video of your meeting and posting for members who were not able to attend the meeting. This is also a nice resource for chapter leaders or event organizers to use in the future to screen a speaker or learn about his/her style.

The OWASP Speaker Agreement includes authorization for the speaker’s presentation to be recorded and posted. If you plan to record the meeting, you should make sure the speaker is aware and has agreed to the reproduction of his/her presentation.

Time Management

Spread tasks across many individuals in order to ensure that your meeting runs smoothly and all of the tasks before, during, and after the meeting are handled in a timely fashion. There are usually people who attend the meetings and want to help the chapter be successful, but are not able to commit to a chapter leadership role - that doesn’t mean they aren’t willing to help out on a meeting-by-meeting basis.

Meeting Content

Job announcements: Some chapters encourage recruiters or other individuals who are hiring in their area to come for their meeting and make the job announcement in person. At the beginning of the meeting they ask anyone who is hiring to stand up and introduce themselves and who they are looking for. Then at a break or after the meeting, attendees can get in touch with them. This encourages recruiters/employers to invest a small amount of time in your chapter (attending the meeting) and also gives both the person hiring and the people looking for jobs the benefit of face-to-face contact.

Present an OWASP Update: Always cover the OWASP mission and goals at each meeting to remind attendees why the chapter exists and what its purpose is. Explain the web application security problem in a general way to attract a large crowd and to educate the new members and guests.

OWASP Conference Recap: Additionally, if you or any of your chapter members have recently attended an OWASP conference or other event, this is a good time for a short (5-10 minutes) presentation about the event.

One or more speakers: If you have a general time frame for the speaker(s), make sure to let them know. Also, if you will be having more than one speaker, consider whether you will have a short break between them for attendees to stretch their legs and get refreshments, or whether you will want the change-over time to be quick (and attendees remain in their seats).

Collecting CPE Forms

Send out CPE credits to attendees that requested them or explain to them that ISC2 (as an example) is self-certifying. If organizations such as those want to designate someone to collect and validate, they are welcome to do so, but that is not a responsibility of OWASP Chapter Leaders.

Collecting Feedback

Collect feedback on the speaker from attendees:

  • There are a number of sites available that have feedback templates or allow you to build your own survey: formsite.com, surveymonkey.com, zoomerang.com, Google form, etc.
  • A speaker feedback form developed by the NYC/NJ Metro Chapter is also available for you to use. The NYC/NJ Metro Chapter distributes copies to meeting attendees and asks them to complete them and hand them back in at the end of the meeting. Then the chapter leader (or another person willing to keep track of feedback) quickly adds the totals up to get an idea of which speakers they would like to ask back again to present.
  • This is also a good time to capture potential topics or speakers for upcoming chapter meetings. What would meeting attendees like to learn about? Is anyone at the meeting willing to give a presentation in the future?

Networking/Social Events

There are a variety of ways to incorporate networking or social interactions into your meeting format. While some chapters designate specific meetings for networking and socializing (no speaker, just meet at a local restaurant or pub), it is more common to allow time for socializing after the meeting. Some meeting venues will be able to host this, but more than likely you will want to relocate to a restaurant or bar nearby. Consider asking the speaker(s) to join you so that guests can have an opportunity for follow up conversations. This time also fosters building a local OWASP community where the guests get to know each other and what is going on in the local appsec community.

After the Meeting

Review the event, lessons learned, and what can be improved with the other chapter leaders or board members. Go over any feedback collected at the meeting.

Meeting Minutes (and Photos)

Post meeting minutes to document what was covered at the meeting, including any announcements or decisions that were made. Pictures from the meeting are also encouraged.

Posting Presentations and Recordings

In addition to any meeting minutes and photos, try to collect the presentation from the speaker to post on the chapter’s website page.

If you took a video recording of the meeting, you should post that as well. Vimeo is commonly used to host the uploaded video, which can then be linked to your chapter page.

Follow-up Communication

Once you post meeting materials such as minutes, pictures, presentation, or video to your chapter website page, send a follow up email to meeting guests thanking them for attending, letting them know about the next meeting (if you have the information), and directing them to the material on your website page.

If you collected any new email addresses, this will also be a confirmation that you have added their name to the mailing list.

Certificate of Attendance

It is not standard practice for OWASP to issue Certificates of Attendance for Chapter Meetings. Your chapter can nominate someone to hold onto a meeting sign-in sheet after each meeting. Meeting attendees are still responsible for submitting their own CPEs, but then the Chapter Leader (or whoever is keeping track of the sign-in sheets) can go back and audit against the chapter’s sign-in sheet if (ISC)2 or another organization audits them.

Chapter 8: Organizing Local Events

In addition to holding meetings, you may want to grow and promote your chapter by organizing a larger event such as an OWASP Day, Training Day, or Regional Roadshow. Many of the considerations for these events are similar to that for a meeting, just on a larger scale.

Additionally, you will need to consider whether there will be any cost for attendees. Options include: free for anyone, free for members (so individuals would have to purchase a membership to attend), cost for everyone but discounted for members, or same cost for everyone. The best way to plan for these events is to look at what some chapters have done in the past and try to talk to the chapter leader or event organizer who was involved.

Please register your event through the OWASP Conference Management System (OCMS), which will help OWASP track events not only hosted by OWASP but also sponsored or supported by Foundation funds. The Global Chapters Committee and Global Conferences Committee are also willing to help with your event planning.

Local OWASP Days

Many OWASP Chapters (or a group of chapters in the same region) have planned an OWASP Day which consists of a full day of talks about AppSec and sometimes an additional day of training, provided for little or no cost. The primary goals of OWASP Days are to educate people and raise awareness about application security, not make money. Previous OWASP Days include New Zealand Day, BeNeLux Day, and German OWASP Day.

OWASP Training Days

OWASP Training Days are full day training courses that are free for members (so non-members can attend by paying the $50 fee to become members). The course aims to educate people about OWASP Projects by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

Regional Roadshows

OWASP Regional Roadshows consist of one or more speakers visiting multiple chapters in a region (touring) either as speakers for chapter meetings or to provide training. These Roadshows help Chapter Leaders bring in great international speakers as well as generate awareness in their areas around Application Security and OWASP. Previous Roadshows include LATAM and EU Tours.

Chapter 9: Growing and Promoting your Chapter

Setting Goals

Some of the most successful chapters have clearly defined both their short term (achievable within 1 year) and long term goals (achievable in more than 1 year), and set forth a plan to achieve those goals. Goals may include the number of meetings you want to have in a year, certain topics you hope to cover in your meetings, an OWASP Project your chapter members want to contribute to, or even a dollar amount your chapter hopes to have in their local chapter account.

Surveys

Surveying chapter members is a good way to learn how to improve or change your meetings to better meet their needs. While you can collect information about specific speakers and presentations at the end of each meeting (see “Collecting Feedback” above), also give chapter members a chance each year to evaluate the past year and speak about expectations for the upcoming year. You can hand out paper copies at a meeting or even email out the survey to your chapter mailing list.

Outreach

Network, network, network! As a chapter leader, outreach is a great way to educate people about OWASP and upcoming chapter meetings, line up speakers, and solicit sponsors. Here are some ideas for where to start:

  • Use OWASP chapter mailing lists to alert members of meetings and monthly events.
  • Coordinate with other OWASP Chapters in your area - maybe you can piggyback off one of their speakers or combine for a social event.
  • Talk to other security groups, developer groups (Linux, Python, PHP, Ruby, etc.), professional organizations, local CERTs, and hackerspaces in your area (ISSA, ISACA, FBI/Infragard, HTCIA, etc.). Cross-promote and/or join meetings, be a guest speaker and host guest speakers.
  • Host a booth or ask for a speaker slot at local developer/security events. Do a local talk about OWASP Projects that you have been involved in or are familiar with.
  • Talk to local higher education institutions. Involve the university and its computer science students - you may be able to host a meeting or speak to a group of students.
  • Hook up with government, industry, and academic contacts in your area to relay the invitation and generate some interest.
  • Find out what companies are active in this domain in your area in order to raise their interest and support.
  • Consider possible press contacts in your area - invite them to a local meeting, event, or send a press release about an upcoming speaker.
  • Ask for help. A successful chapter has several leaders (there are no limits) so share the fun and the pain!

Recruiting List Members

It is extremely important to grow the size of the list. This is the primary source from which people learn about meetings and the larger the list, the more successful the meetings. Needless to say, list members need not be OWASP paying members.

There are three primary methods to add members to the list:

  1. Automatically registering event attendees to the list. While this may seem unorthodox at first, when done correctly this is the most effective way to enlist new members. Since meeting attendees are usually interested to learn about future meetings, this usually works fine. Just:
    • Enlist all meeting attendees.
    • Send an email to the meeting attendees summarizing the meetings.
    • In this email, alongside the usual thanks and the location of the presentations, inform that you enlisted attendees to the list, that the list is mostly just for meeting announcements and that anyone is free to contact you to be removed.
    • Promptly remove whoever asks for it.
    • Be sure to remind the attendees of the meeting that you will be adding them to the mailing list for future meeting announcements.
  2. When you meet people in the security community, mention OWASP. Since OWASP is (hopefully) something you are proud of doing, it usually pops up in professional conversations. If they are interested in OWASP, especially in getting involved at the local level, offer to register the person to the list to get notifications on future meetings. Also, if you have OWASP business cards, consider having your chapter mailing list address printed on them. This will be an easy way to direct people to the right place… just give them your card! OWASP business cards can be requested and charged to your chapter, provided that the chapter has the necessary funds available, through the OWASP Merchandise Request Form.
  3. Meeting invites. Even if initially sent through the list itself, meeting invites are often forwarded. Add information on subscribing to the mailing list to the invite itself.

Promotional Materials

Consider putting together a flyer about your Chapter with upcoming speakers, topics, and events, or summarizing your local sponsorship opportunities (more on “Raising Funds” below).

Raising Funds

There are a number of different ways in which to raise money for your chapter.

Paid Individual Memberships - encourage the people who participate in your local chapter and attend your meetings to become a paid OWASP member.

  • Individual supporters pay $50 per year for their membership and the fee is split 60/40 with the Foundation (40% goes to the local chapter or project account designated by the member at the time of joining).
  • All paid memberships are processed through RegOnline - http://www.regonline.com/owasp_membership
  • Some regions (developing countries) of the world may qualify for a discounted membership of $20.

In the past, chapters have used (paid) membership drives to promote OWASP and raise money for their chapter. One approach is to enter all new members (or renewing members) in a raffle for prizes to be selected at your next meeting.

Donations

Donations from 3rd parties can be accepted via the OWASP Donation Form. Accessing the donation form by clicking the DONATE button from a Chapter page will allow donors to be publicly listed as supporters of your chapter. These funds are transferred to OWASP Foundation and then chapter leaders can submit receipts for reimbursement from their chapter’s account. For more information on reimbursement and your chapter account, see the section on Handling Money.

Chapter Sponsors – Local and Global

In order to grow your chapter, it is usually necessary to obtain sponsorship to cover chapter operations. This can come from local businesses or larger companies.

Local chapters get their funding primarily from local sponsorships. Any time you hold an event or conference you can ask companies to sponsor your event. Most of this money is spent on organizing the event including venue, food etc. However, whatever money is left can be used later for other expenses. Donations received from sponsors are shared between the local chapters and the OWASP Foundation.

Generally, all charitable gifts to the OWASP Foundation are unrestricted and will be used at the sole discretion of the organization to fulfill its mission and objectives. Donors have the option to be listed as a Supporter of a Project or Chapter; however, this option does not restrict the gift in any way whatsoever. More details can be found in the Donations Policy.

There are three different sponsorship options:

  1. Single Meeting Supporter
    • Organizations that wish to support an OWASP local chapter with a donation to enable the OWASP Foundation to continue its mission.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having a table at a local chapter meeting to promote application security products/services etc.
    • The dollar amount for this is set by each local chapter.
  2. Local Chapter Supporter - Organizations that are not yet interested in becoming full Organizational Supporters but who have a desire to direct their support in a more regional manner may prefer to become a Chapter Supporter.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having (1) supporting member vote in elections and on issues that shape the direction of the community.
    • Suggested dollar amounts are $500 (Silver), $1,000 (Gold), and $2,000 (Platinum) per year.

Spawning Other Chapters

Some activities such as conferences, media relations and involvement with legislation and regulatory bodies are nationwide by nature. Such activities should be handled collectively by all chapters in the country and should be led by one of the chapter leaders, either by mutual agreement, election, or if all else fails, appointed by the Community Manager.

Chapter 10: International Aspects

Translation

While knowledge of English is extremely helpful in communicating with the OWASP community around the world, it is certainly not necessary. To support the spread of the OWASP mission regardless of a person’s language, many chapters have worked as a team on translating OWASP Projects, Documentation, or even this Handbook.

Localization

Understanding local culture and habits, and considering them when planning meetings can make a big difference in meeting attendance and the success of your chapter. For example, in some cultures it is not popular or even rude to discuss business over lunch. Thus, an OWASP meeting over lunch would not work very well. On the other hand, some areas have had great success with planning meetings during the lunch hour because it doesn’t cut into people’s “family” time in the evening. Talk to others in your city or region to find out what would work best for them and don’t be constrained by what chapters in other regions are doing.

Adjusted Membership Fees

Some regions (developing countries) of the world may qualify for a discounted membership of $20. If you are unsure of whether this applies to your chapter or would like to request a discount code, please submit your request through the contact us form.

Material distribution

Some countries or regions may have trouble accessing OWASP tools such as Google Docs, the OWASP website, or downloadable tools. If these access issues prevent a chapter from adhering to the mandatory chapter rules, they may ask the Global Chapter Committee for an exemption from the policy. Additionally, the OWASP Foundation will work with the chapter to find a suitable alternative or workaround such as setting up local mirrors of tools or the website.