Organizing Chapter Meetings

Meeting Formula

There are a variety of meeting formulas that have been used by existing local chapters; the most traditional of which is an evening speaker meeting. For this type of meeting, the chapter leader will organize one or more speakers to present on one or more topics in a lecture or question & answer format. Needless to say, chapters have adapted this formula in many ways to suit their members or geographic area. Meetings have been organized over breakfast, lunch, or dinner as well as at a bar having a conversation over drinks. Some chapters serve food during the meeting or after the meeting on site, others will invite meeting attendees to a cafe, bar, or restaurant nearby for food and drinks after the meeting. Meetings have been organized as social or networking events, roundtables, panel discussions, or even as a remote presentation.

Chapter leaders are encouraged to try a variety of formats to determine what will be the most successful for their audience and area. Also, it may work best to have a variety of formats throughout the year depending on the speaker and meeting space availability.

Virtual meetings may not be ideal to encourage networking and community building within your local chapter, but they are certainly a good alternative when the chapter is not able to find a venue or having trouble bringing in a speaker. OWASP has a GotoMeeting account already available for chapter leaders (paid by the Foundation and provided for free for the chapters). If you would like to set up a meeting or obtain the GotoMeeting login credentials, contact us.

Before - Planning the Meeting

In order of importance,* these are the key pieces to holding a chapter meeting:

  1. Great speakers / topics
  2. Venue
  3. Date
  4. Promotion

While the order of importance has been debated by chapter leaders, the general consensus appears above. Additional pieces (discussed more below) that some chapter leaders have said are “key” in their regions: sponsors and attendees. The list above is meant to be a starting place and a list of essential items for planning your meeting; it is assumed that once you have these items in place people will attend the meeting and sponsorship will follow thereafter.

Getting a Speaker

OWASP chapters are encouraged to get local speakers. Your chapter may also use international speakers, but you will quickly need funds to cover travel costs if the speakers cannot pay for the travel themselves.

One technique for bringing in international speakers is to coordinate your meeting with another event that the speaker may be attending or speaking at nearby. The intended speaker may be willing to arrive early or extend their trip by a day or two to speak at your local meeting.

Also, the OWASP Speakers Project is available to help local chapters or application security conferences to find OWASP related speakers.https://www.owasp.org/index.php/Category:OWASP_Speakers_Project

If you have found an international speaker who is not able to pay for the travel themselves, and your chapter does not have the funds to cover the travel costs, you may be able to apply for “OWASP on the Move” funds (outlined below).

Speaker Agreement

Many chapters do not have every speaker sign the OWASP [Speaker Agreement] as part of their agreement or confirmation for the event. However, if you think OWASP values and principles may be an issue or are concerned that the speaker does not understand the terms of the arrangement, you may consider sending them this speaker agreement: https://www.owasp.org/index.php/Speaker_Agreement

Meeting Venue

There are an infinite number of possibilities for a meeting location - local college, business, library, or even a restaurant or pub. Plan as far in advance as possible - good meeting spaces are often available at little or no cost (local colleges and universities are often willing to give meeting space for free), but they fill up quickly.

Also, it is important to consider accessibility when looking at locations: Where will the attendees park? What is the average travel time for attendees? Is there a security checkpoint? What happens if attendees have not pre-registered, can they still attend? Can you serve food at this location?

While having a permanent or stable meeting location for your chapter meetings may be convenient for planning, it is also important to consider any conflict of interest (or appearance of conflict of interest) your meeting venue may convey. For example: vendor neutrality is one of the core values of OWASP, but this doesn’t necessarily mean that a vendor cannot host a local chapter meeting. As long as the meeting is free and open and doesn’t violate other OWASP principles, a vendor’s office space may be a great location to hold a meeting. That being said, holding every meeting at this vendor’s office to the exclusion of other available and willing venues, may give an appearance of impropriety.

Setting a Date and Time

Most OWASP meetings are currently held during the week (Monday through Friday). Additionally, while meetings have traditionally been held in the evening, an increasing number of local chapters have found success in hosting breakfast (early morning) or lunch events.

When setting your meeting date and time, be sure to consider:

Posting Meeting Info on the Website

General information about what should be on a chapter’s wiki page can be found under “administration” below. As soon as you know the time, date, and location of your meeting, be sure to post it to your chapter’s wiki page. Additionally, most chapters post information about the upcoming meeting such as: meeting agenda, speaker background, summary of the topic(s) to be covered by the speaker/meeting.

Catering

Many chapters provide food or refreshments before, during, or after their meeting. This is not a necessity for a chapter meeting, but something extra you might consider if you have the funds in your chapter account or are able to get a sponsor to cover costs (or provide food directly). It is also possible for meeting attendees to split the cost if they want food at the meeting; however, no one can be excluded from a meeting based on their ability or willingness to pay for food. Meetings must remain free and open.

If you need to decide on the amount of food ahead of time, line up the refreshment logistics based on RSVP’d attendees.

Sponsors & Affiliates

In order to organize events, an OWASP chapter often needs to find sponsors. These sponsors may provide meeting facilities, refreshments, etc. While sponsorship is good, it is important to avoid the commercialization pitfalls that may accompany it.

The following is specifically prohibited:

So what can sponsors get?

At the local level there are options for both Local Chapter Supporters (90/10 split with the Foundation, 90% directly supporting the local chapter) as well as Single Meeting Supporters.

Meeting Promotion

Here are some tips that chapter leaders can use to promote their meeting (and increase meeting attendance):

RSVPs

Posting your meeting on the chapter’s wiki page and emailing an announcement to the chapter’s mailing list are the prime methods of letting people know about OWASP meetings. Some other useful methods are:

Meeting invitations/announcements should contain a request to forward it to other interested parties.

You might also want to use event invites instead of e-mail messages. These services provide different advantages such as integration with the attendee calendar and RSVP management, but on the other hand might seem more commercial and obtrusive.

You can send event invites using the following tools:

OWASP Merchandise

The OWASP Foundation can provide you with OWASP books, shirts, pens, lanyards, flyers, or other materials that you might need to jump-start your next meeting. The cost of these items will be billed to your local chapter. If you would like OWASP Merchandise for your meeting or local event, but do not have the funds to cover it, you request that the costs be covered by the Global Chapters Committee. Requests can be submitted through the OWASP Merchandise Request Form.

Rocksports has also set up an OWASP Storefront to show items they have available and many OWASP books have been made available through Lulu.

Screening Presentations

In order to ensure that presentations remain vendor neutral and don’t turn into platforms for a sales pitch, it is recommended that you screen the presentations before the meeting. This may also be a good time to remind your speaker about the terms of the Speaker Agreement (or make sure they understand what is expected of them).

Remote Participation

The OWASP Foundation has an account with http://www.gotomeeting.com that is free for chapters to use. Account requests can be requested through the http://sl.owasp.org/contactus and details on using GoToMeeting can be found here: https://www.owasp.org/index.php/Chapter_Leader_Handbook/GoToMeeting. As soon as you have scheduled the meeting date and time, the remote participation can also be scheduled so you can include details on your chapter’s wiki page or in your emails.

Speaker Gifts

Although it is not necessary, giving speakers a small token of appreciation such as an OWASP t-shirt, mug, or pen set is encouraged.

During the Meeting

Meeting Set-Up

Arrive early! Ensure that everything for the meeting space is set up before the first attendees will be arriving. Here are a few things you may need to set up or prepare:

Video Recording

If you have the equipment, you may want to consider recording a video of your meeting and posting for members who were not able to attend the meeting. This is also a nice resource for chapter leaders or event organizers to use in the future to screen a speaker or learn about his/her style. The OWASP Speaker Agreement includes authorization for the speaker’s presentation to be recorded and posted. If you plan to record the meeting, you should make sure the speaker is aware and has agreed to the reproduction of his/her presentation.

Time Management

Spread tasks across many individuals in order to ensure that your meeting runs smoothly and all of the tasks before, during, and after the meeting are handled in a timely fashion. There are usually people that attend the meetings who are willing to want to help the chapter be successful, but are not able to commit to a chapter leadership role - that doesn’t mean they aren’t willing to help out on a meeting-by-meeting basis.

Meeting Content

Job announcements: Some chapters encourage recruiters or other individuals who are hiring in their area to come for their meeting and make the job announcement in person. At the beginning of the meeting they ask anyone who is hiring to stand up and introduce themselves and who they are looking for. Then at a break or after the meeting, attendees can get in touch with them. This encourages recruiters/employers to invest a small amount of time in your chapter (attending the meeting) and also gives both the person hiring and the people looking for jobs the benefit of face-to-face contact.

Present an OWASP Update: Always cover the OWASP mission and goals at each meeting to reinforce it to the attendees of why and what the purpose of the chapter is. Explain the web application security problem in a general way to attract a large crowd and to educate the new members and guests.

OWASP Conferene Recap: Additionally, if you or any of your chapter members have recently attended an OWASP conference or other event, this is a good time for a short (5-10 minutes) presentation about the event.

One or more speakers:if you have a general time frame for the speaker(s), make sure to let them know. Also, if you will be having more than one speaker, consider whether you will have a short break between them for attendees to stretch their legs and get refreshments, or whether you will want the change-over time to be quick (and attendees remain in their seats).

Collecting CPE Forms

Send out CPE credits to attendees that requested them or explain to them that ISC2 (as a example) is a self certify – if organizations such as those want to designate someone to collect and validate they are welcome to do so, but that is not a responsibility of OWASP Chapter Leaders.

Collecting Feedback

Collect feedback on the speaker from attendees:

Networking/Social Events

There are a variety of ways to incorporate networking or social interactions into your meeting format. While some chapters designate specific meetings for networking and socializing (no speaker, just meet at a local restaurant or pub), it is more common to allow time for socializing after the meeting. Some meeting venues will be able to host this, but more than likely you will want to relocate to a restaurant or bar nearby. Consider asking the speaker(s) to join you so that guests can have an opportunity for follow up conversations. This time also fosters building a local OWASP community where the guests get to know each other and what is going on in the local appsec community.

After the Meeting

Review event, lessons learned, what can be improved with the other chapter leaders or board members. Go over any feedback collected at the meeting.

Meeting Minutes (and Photos)

Post meeting minutes to document what was covered at the meeting, including any announcements or decisions that were made. Pictures from the meeting are also encouraged.

Posting Presentations and Recordings

In addition to any meeting minutes and photos, try to collect the presentation from the speaker to post on the chapter’s wiki page.

If you took a video recording of the meeting, you should post that as well. Vimeo is commonly used to host the uploaded video, which can then be linked to your chapter page.

Follow-up Communication

Once you post meeting materials such as minutes, pictures, presentation, or video to your chapter wiki page, send a follow up email to meeting guests thanking them for attending, letting them know about the next meeting (if you have the information), and directing them to the material on your wiki page.

If you collected any new email addresses, this will also be a confirmation that you have added their name to the mailing list.

Certificate of Attendance

It is not standard practice for OWASP to issue Certificates of Attendance for Chapter Meetings. Your chapter nominating someone hold onto a meeting sign-in sheet after each meeting. Meeting attendees are still responsible for submitting their own CPEs, but then the Chapter Leader (or whoever is keeping track of the sign-in sheets) can go back and audit against the chapter’s sign-in sheet if (ISC)2 or another organization audits them.

Organizing Local Events

In addition to holding meetings, you may want to grow and promote your chapter by organizing a larger event such as an OWASP Day, Training Day, or Regional Roadshow. Many of the considerations for these events are similar to that for a meeting, just on a larger scale.

Additionally, you will need to consider whether there will be any cost for attendees? Options include: free for anyone, free for members (so individuals would have to purchase a membership to attend), cost for everyone but discounted for members, or same cost for everyone. The best way to plan for these events is to look at what some chapters have done in the past and try and talk to the chapter leader or event organizer who was involved.

Please register your event through the OWASP Conference Management System (OCMS), which will help OWASP track events not only hosted by OWASP but also sponsored or supported by Foundation funds. The Global Chapters Committee and Global Conferences Committee are also willing to help with your event planning.

Local OWASP Days

Many OWASP Chapters (or a group of chapters in the same region) have planned an OWASP Day which consists of a full day of talks about AppSec and sometimes and additional day of training, provided for little or no cost. The primary goals of OWASP Days are to educate people and raise awareness about application security, not make money.Previous OWASP Days include New Zealand Day, BeNeLux Day, and German OWASP Day.

OWASP Training Days

OWASP Training Days are full day training courses that are free for members (so non-members can attend by paying the $50 fee to becoming members). The course aims to educate people about OWASP Projects by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. Training Materials: https://www.owasp.org/index.php/OWASP_Training, Material downloads: http://code.google.com/p/owasp-training/downloads/list

Regional Roadshows

OWASP Regional Roadshows consist of one or more speakers visiting multiple chapters in a region (touring) either as speakers for chapter meetings or to provide training. These Roadshows help Chapter Leaders bring in great international speakers as well as generate awareness in their areas around Application Security and OWASP. Previous Roadshows include LATAM and EU Tours.

Growing and Promoting your Chapter

Setting Goals

Some of the most successful chapters have clearly defined both their short term (achievable within 1 year) and long term goals (achievable in more than 1 year), and set forth a plan to achieve those goals. Goals may include the number of meetings you want to have in a year, certain topics you hope to cover in your meetings, an OWASP Project your chapter members want to contribute to, or even a dollar amount your chapter hopes to have in their local chapter account.

Surveys

Surveying chapter members is a good way to learn how to improve or change your meetings to better meet their needs. While you can collect information about specific speakers and presentations at the end of each meeting (see “Collecting Feedback” above); additionally, give chapter members a chance each year to evaluate the past year and speak about expectations for the upcoming year. You can hand out paper copies at a meeting or even email out the survey to your chapter mailing list.

Outreach

As a chapter leader, outreach is a great way to educate people about OWASP as well as upcoming chapter meetings, lining up speakers, and soliciting sponsors. Here are some ideas for where to start:

There are three primary methods to add members to the list:

  1. Automatically registering attendees to an event to the list While this may seem unorthodox at first, when done correctly this is the most effective way to enlist new members. Since meeting attendees are usually interested to learn about future meetings, this usually works fine. Just:
    • Enlist all meeting attendees.
    • Send an email to the meeting attendees summarizing the meetings
    • In this email, alongside the usual thanks and the location of the presentations, inform that you enlisted attendees to the list, that the list is mostly just for meeting announcements and that anyone is free to contact you to be removed.
    • Promptly remove who ever ask for it.
    • Be sure to remind the attendees of the meeting that you will be adding them to the mailing list for future meeting announcements.
  2. When you meet people in the security community, mention OWASP. Since OWASP is (hopefully) something you are proud of doing, it usually pops up in professional conversations. If they are interested in OWASP, especially getting involved in at the local level, offer to register the person to the list to get notifications on future meetings. Also, if you have OWASP business cards, consider having your chapter mailing list address printed on it. This will be an easy way to direct people to the right place…. just give them your card! OWASP business cards can be requested and charged to your chapter, provided that the chapter has the necessary funds available, through the OWASP Merchandise Request Form.
  3. Meeting invites. Even if initially sent through the list itself, meeting invites are often forwarded. Add to the invite itself, information on subscribing to the mailing list.

Promotional Materials

Consider putting together a flyer about your Chapter with upcoming speakers, topics, and events, or summarizing your local sponsorship opportunities (more on “Raising Funds” below).

Raising Funds

There are a number of different ways in which to raise money for your chapter.

Paid Individual Memberships - encourage the people who participate in your local chapter and attend your meetings to become a paid OWASP member.

In the past, chapters have used (paid) membership drives to promote OWASP and raise money for their chapter. One approach is to enter all new members (or renewing members) in a raffle for prizes to be selected at your next meeting.

Donations

Donations from 3rd parties can be accepted via paypal. These funds are transferred to OWASP Foundation and then chapter leaders can submit receipts for reimbursement from their chapter’s account. For more information on reimbursement and your chapter account, see the section on Handling Money.

Chapter Sponsors – Local and Global

In order to grow your chapter, it is usually necessary to obtain sponsorship to cover chapter operations. This can come from local businesses or larger companies.

Local chapters get their funding primarily from local sponsorships. Any time you hold an event or conference you can ask companies to sponsor your event. Most of this money is spent on organizing the event including venue, food etc. However, whatever money is left can be used later for other expenses. Donations received from sponsors are shared between the local chapters and the OWASP Foundation.

There are three different sponsorship options:

  1. Single Meeting Supporter - Organizations that wish to support OWASP local chapter with donation to enable OWASP Foundation to continue the mission.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having a table at local chapter meeting to promote application security products/services etc.
    • The dollar amount for this is set by each local chapter.
  2. Local Chapter Supporter - Organizations that are not yet interested in becoming full Organizational Supporters but who have a desire to direct their support in a more regional manner may prefer to become a Chapter Supporter.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having (1) supporting member vote in elections and on issues that shape the direction of the community.
    • Suggested dollar amounts are $500 (Silver), $1000 (Gold), and $2000 (Platinum) per year, split 10/90 with the Foundation - 90% of the funds going directly to the local chapter.
  3. Organizational Supporter (Global)- Organizations that wish to support OWASP with a 100% tax deductible donation to enable OWASP Foundation to continue the mission.
    • Benefits include an opportunity to post a rotating banner ad on the OWASP home page for 30 days at no additional cost, being recognized as a supporter by posting the company logo on the OWASP Website, being listed as a sponsor in the OWASP newsletter that goes to over 10,000 individuals around the world on owasp mailing lists.
    • Organizational Supporters have (1) supporting member vote in elections and on issues that shape the direction of the community.
    • $5000 per year, split 60/40 with the Foundation - 40% going to the local chapter designated at the time of payment.

More details on the different levels of sponsorship can be found at: https://www.owasp.org/index.php/Membership

leaders, either by mutual agreement, election, or if all else fails, appointed by the Community Manager.

International Aspects

Translation

While knowledge of English is extremely helpful in communicating with the OWASP community around the world, it is certainly not necessary. To support the spread of the OWASP mission regardless of a person’s language, many chapters have worked as a team on translating OWASP Projects, Documentation, or even this Handbook.

Localization

Understanding local culture and habits, and considering them when planning meetings can make a big difference in meeting attendance and the success of your chapter. For example, in some cultures it is not popular or even rude to discuss business over lunch. Thus, an OWASP meeting over lunch would not work very well. On the other hand, some areas have had great success with planning meetings during the lunch hour because it doesn’t cut into people’s “family” time in the evening. Talk to others in your city or region to find out what would work best for them and don’t be constrained by what chapters in other regions are doing.

Material distribution

Some countries or regions may have trouble accessing OWASP tools such as Google Docs, OWASP Sites, or downloadable tools. If these access issues prevent a chapter from adhering to the mandatory chapter rules, they may ask the Global Chapter Committee for an exemption from the policy. Additionally, the OWASP foundation will work with the chapter to find a suitable alternative or workaround such as setting up local mirrors of tools or wiki.