Chapter Leader Guidebook - Draft WIP

This is a DRAFT Work-in-Progress policy and will be open for review after initial work is completed.

Organizing Chapter Meetings

Meeting Formula

There are a variety of meeting formulas that have been used by existing local chapters; the most traditional of which is an evening speaker meeting. For this type of meeting, the chapter leader will organize one or more speakers to present on one or more topics in a lecture or question & answer format. Needless to say, chapters have adapted this formula in many ways to suit their members or geographic area. Meetings have been organized over breakfast, lunch, or dinner as well as at a bar having a conversation over drinks. Some chapters serve food during the meeting or after the meeting on site, others will invite meeting attendees to a cafe, bar, or restaurant nearby for food and drinks after the meeting. Meetings have been organized as social or networking events, roundtables, panel discussions, or even as a remote presentation.

Chapter leaders are encouraged to try a variety of formats to determine what will be the most successful for their audience and area. Also, it may work best to have a variety of formats throughout the year depending on the speaker and meeting space availability.

Virtual meetings may not be ideal to encourage networking and community building within your local chapter, but they are certainly a good alternative when the chapter is not able to find a venue or is having trouble bringing in a speaker. OWASP has a GotoMeeting account already available for chapter leaders (paid by the Foundation and provided for free for the chapters). If you would like to set up a meeting or obtain the GotoMeeting login credentials, contact us.

Before - Planning the Meeting

In order of importance, these are the key pieces to holding a chapter meeting:

  1. Great speakers / topics
  2. Venue
  3. Date
  4. Promotion

While the order of importance has been debated by chapter leaders, the general consensus appears above. Additional pieces (discussed more below) that some chapter leaders have said are “key” in their regions: sponsors and attendees. The list above is meant to be a starting place and a list of essential items for planning your meeting; it is assumed that once you have these items in place people will attend the meeting and sponsorship will follow thereafter.

Getting a Speaker

OWASP chapters are encouraged to get local speakers. Your chapter may also use international speakers, but you will quickly need funds to cover travel costs if the speakers cannot pay for the travel themselves.

One technique for bringing in international speakers is to coordinate your meeting with another event that the speaker may be attending or speaking at nearby. The intended speaker may be willing to arrive early or extend their trip by a day or two to speak at your local meeting.

If you have found an international speaker who is not able to pay for the travel themselves, and your chapter does not have the funds to cover the travel costs, you may be able to apply for “OWASP on the Move” funds (outlined below).

Speaker Agreement

Many chapters do not have every speaker sign the OWASP [Speaker Agreement] as part of their agreement or confirmation for the event. However, if you think OWASP values and principles may be an issue or are concerned that the speaker does not understand the terms of the arrangement, you may consider sending them this speaker agreement.

Meeting Venue

There are an infinite number of possibilities for a meeting location - local college, business, library, or even a restaurant or pub. Plan as far in advance as possible - good meeting spaces are often available at little or no cost (local colleges and universities are often willing to give meeting space for free), but they fill up quickly.

Also, it is important to consider accessibility when looking at locations: Where will the attendees park? What is the average travel time for attendees? Is there a security checkpoint? What happens if attendees have not pre-registered, can they still attend? Can you serve food at this location?

While having a permanent or stable meeting location for your chapter meetings may be convenient for planning, it is also important to consider any conflict of interest (or appearance of conflict of interest) your meeting venue may convey. For example: vendor neutrality is one of the core values of OWASP, but this doesn’t necessarily mean that a vendor cannot host a local chapter meeting. As long as the meeting is free and open and doesn’t violate other OWASP principles, a vendor’s office space may be a great location to hold a meeting. That being said, holding every meeting at this vendor’s office to the exclusion of other available and willing venues may give an appearance of impropriety.

Setting a Date and Time

Most OWASP meetings are currently held during the week (Monday through Friday). Additionally, while meetings have traditionally been held in the evening, an increasing number of local chapters have found success in hosting breakfast (early morning) or lunch events.

When setting your meeting date and time, be sure to consider:

  • Will your anticipated venue be available?
  • Will you be able to find a speaker for this date and time (many chapters will book the speaker first and then choose a date and time that works for him or her)?
  • Have you allowed sufficient travel time for attendees that are coming from work?
  • Are there any local or regional events or holidays that will conflict?

Posting Meeting Info on the Website

General information about what should be on a chapter’s wiki page can be found under “administration” below. As soon as you know the time, date, and location of your meeting, be sure to post it to your chapter’s wiki page. Additionally, most chapters post information about the upcoming meeting such as the meeting agenda, speaker background, and a summary of the topic(s) to be covered by the speaker/meeting.

How to add Meetup Events to Your Chapter Page

Events on your chapter Meetup page can be added to your OWASP Chapter page by including a meetup-group front matter and the following code:


{% include chapter_events.html group=page.meetup-group %}

For a more detailed example see [https://owasp.org/www-projectchapter-example/]

Catering

Many chapters provide food or refreshments before, during, or after their meeting. This is not a necessity for a chapter meeting, but something extra you might consider if you have the funds in your chapter account or are able to get a sponsor to cover costs (or provide food directly). It is also possible for meeting attendees to split the cost if they want food at the meeting; however, no one can be excluded from a meeting based on their ability or willingness to pay for food. Meetings must remain free and open.

If you need to decide on the amount of food ahead of time, line up the refreshment logistics based on RSVP’d attendees.

Sponsors & Affiliates

In order to organize events, an OWASP chapter often needs to find sponsors. These sponsors may provide meeting facilities, refreshments, etc. While sponsorship is good, it is important to avoid the commercialization pitfalls that may accompany it.

The following is specifically prohibited:

  • Providing sponsors with a list of people registering for or attending any event. This might even be illegal in certain countries due to privacy laws. The sponsor can collect leads on its own, for example by offering a prize for people providing contact details.
  • Providing the sponsor with a commercial or product centric presentation slot.

So what can sponsors get?

  • Many thanks, and hopefully a very good feeling of helping the community.
  • A table top style mini booth where they can put up a “roll up” poster or two and hand out their brochures and freebies. This might not be possible in certain meeting facilities.
  • Logo on the local chapter or event page.
  • All of the OWASP sponsorship options are detailed on the OWASP Corporate Membership page.

At the local level there are options for both Local Chapter Supporters (90/10 split with the Foundation, 90% directly supporting the local chapter) as well as Single Meeting Supporters.

Meeting Promotion

Here are some tips that chapter leaders can use to promote their meeting (and increase meeting attendance):

  • At a minimum, the date, time, location, speaker, and topic should be listed on your chapter’s wiki page and an email announcement sent out to your chapter’s mailing list.
  • When sending out direct meeting invitations, use Google Calendar invites through your @owasp.org email account. General email assumes that people will read it in a timely manner and will remember to place it onto their calendar. By using Google Calendar invitations, this task is done for them.
  • Make sure that your upcoming meeting is broadcast through a variety of channels. In addition to posting the meeting to your chapter’s wiki page and mailing list, consider blogging or tweeting about it, as well as posting it on social networking sites such as LinkedIn, Facebook, Meetup, and myowasp.
  • Post your event to sites such as Yahoo Events and partner with other user groups to cross-market (e.g. ISSA, .Net SIG, Java SIG, SIM, DAMA).
  • Acknowledge the fact that even if people cannot physically attend, they may be able to participate remotely. The OWASP Foundation has an account with Zoom that is free for chapters to use. Accounts or details can be requested through: Contact Us.
  • Many people are tired and hungry, especially after a long day at work. While you cannot cure tiredness, you can at least try to feed your attendees. Pizza is cheap and it is relatively easy to find a sponsor.
  • Make sure the topics you choose are broadly applicable and not just targeted at one group (e.g. penetration testers, software developers). Part of making web application security visible requires you to choose (or solicit) speakers that appeal to IT executives, enterprise architects, business analysis, legal and compliance, etc. If a particular group does happen to be the “target audience” at a meeting, try to change things up for your next meeting.

RSVPs

Posting your meeting on the chapter’s wiki page and emailing an announcement to the chapter’s mailing list are the prime methods of letting people know about OWASP meetings. Some other useful methods are:

  • Ask your speakers to send invites to their circle
  • Ask people on the list to forward to people in their organization.
  • Use your own personal contacts. Since OWASP is not a commercial organization, this is usually acceptable to your business contacts. Again, this might actually help you keep in touch with them.

Meeting invitations/announcements should contain a request to forward it to other interested parties.

You might also want to use event invites instead of e-mail messages. These services provide different advantages such as integration with the attendee calendar and RSVP management, but on the other hand might seem more commercial and obtrusive.

You can send event invites using the following tools:

  • Meetup is the preferred tool for creating and sharing upcoming meeting details
  • Direct calendar invites: one can do that using a dedicated Google calendar account.
  • The tool most used by OWASP chapters is Eventbrite, which is free for non-profits.

OWASP Merchandise

The OWASP Foundation can provide you with OWASP books, shirts, pens, lanyards, flyers, or other materials that you might need to jump-start your next meeting. The cost of these items will be billed to your local chapter. If you would like OWASP Merchandise for your meeting or local event, but do not have the funds to cover it, you may request that the costs be covered by the Global Chapters Committee. Requests can be submitted through the OWASP Merchandise Request Form.

Rocksports has also set up an OWASP Storefront to show items they have available and many OWASP books have been made available through Lulu.

Screening Presentations

In order to ensure that presentations remain vendor neutral and don’t turn into platforms for a sales pitch, it is recommended that you screen the presentations before the meeting. This may also be a good time to remind your speaker about the terms of the Speaker Agreement (or make sure they understand what is expected of them).

Remote Participation

The OWASP Foundation has an account with Zoom that is free for chapters to use. Accounts can be requested through Contact Us. As soon as you have scheduled the meeting date and time, the remote participation can also be scheduled so you can include details on your chapter’s wiki page, Meetup, and/or in your emails.

Speaker Gifts

Although it is not necessary, giving speakers a small token of appreciation such as an OWASP t-shirt, mug, or pen set is encouraged.

During the Meeting

Meeting Set-Up

Arrive early! Ensure that everything for the meeting space is set up before the first attendees arrive. Here are a few things you may need to set up or prepare:

  • Registration & badges (if any)
  • OWASP merchandise and signs including banner
  • Remote participation
  • Sponsor booths/tables
  • Catering - Will food or beverages be served before, during, or after your event? Where will the food be located? Who is providing the food? Will someone need to meet the delivery person at the front door of the building?
  • Equipment - projector, sound system, and any special items that may have been requested by the speaker(s)

Video Recording

If you have the equipment, you may want to consider recording a video of your meeting and posting it for members who were not able to attend the meeting. This is also a nice resource for chapter leaders or event organizers to use in the future to screen a speaker or learn about their style. The OWASP Speaker Agreement includes authorization for the speaker’s presentation to be recorded and posted. If you plan to record the meeting, you should make sure the speaker is aware and has agreed to the reproduction of their presentation.

Time Management

Spread tasks across many individuals in order to ensure that your meeting runs smoothly and all of the tasks before, during, and after the meeting are handled in a timely fashion. There are usually people who attend the meetings and want to help the chapter be successful, but are not able to commit to a chapter leadership role - that doesn’t mean they aren’t willing to help out on a meeting-by-meeting basis.

Meeting Content

Job announcements: Some chapters encourage recruiters or other individuals who are hiring in their area to come for their meeting and make the job announcement in person. At the beginning of the meeting they ask anyone who is hiring to stand up and introduce themselves and who they are looking for. Then at a break or after the meeting, attendees can get in touch with them. This encourages recruiters/employers to invest a small amount of time in your chapter (attending the meeting) and also gives both the person hiring and the people looking for jobs the benefit of face-to-face contact.

Present an OWASP Update: Always cover the OWASP mission and goals at each meeting to reinforce to the attendees what the purpose of the chapter is and why. Explain the web application security problem in a general way to attract a large crowd and to educate the new members and guests.

OWASP Conference Recap: Additionally, if you or any of your chapter members have recently attended an OWASP conference or other event, this is a good time for a short (5-10 minutes) presentation about the event.

One or more speakers: If you have a general time frame for the speaker(s), make sure to let them know. Also, if you will be having more than one speaker, consider whether you will have a short break between them for attendees to stretch their legs and get refreshments, or whether you will want the change-over time to be quick (and attendees remain in their seats).

Collecting CPE Forms

Send out CPE credits to attendees that requested them or explain to them that ISC2 (as an example) is self-certifying. If organizations such as those want to designate someone to collect and validate, they are welcome to do so, but that is not a responsibility of OWASP Chapter Leaders.

Collecting Feedback

Collect feedback on the speaker from attendees:

  • There are a number of sites available that have feedback templates or allow you to build your own survey: formsite.com, surveymonkey.com, zoomerang.com, Google form, etc.
  • A speaker feedback form developed by the NYC/NJ Metro Chapter is also available for you to use. The NYC/NJ Metro Chapter distributes copies to meeting attendees and asks them to complete them and hand them back in at the end of the meeting. Then the chapter leader (or another person willing to keep track of feedback) quickly adds the totals up to get an idea of which speakers they would like to ask back again to present.
  • This is also a good time to capture potential topics or speakers for upcoming chapter meetings. What would meeting attendees like to learn about? Is anyone at the meeting willing to give a presentation in the future?

Networking/Social Events

There are a variety of ways to incorporate networking or social interactions into your meeting format. While some chapters designate specific meetings for networking and socializing (no speaker, just meet at a local restaurant or pub), it is more common to allow time for socializing after the meeting. Some meeting venues will be able to host this, but more than likely you will want to relocate to a restaurant or bar nearby. Consider asking the speaker(s) to join you so that guests can have an opportunity for follow up conversations. This time also fosters building a local OWASP community where the guests get to know each other and what is going on in the local appsec community.

After the Meeting

Review the event, lessons learned, and what can be improved with the other chapter leaders or board members. Go over any feedback collected at the meeting.

Meeting Minutes (and Photos)

Post meeting minutes to document what was covered at the meeting, including any announcements or decisions that were made. Pictures from the meeting are also encouraged.

Posting Presentations and Recordings

In addition to any meeting minutes and photos, try to collect the presentation from the speaker to post on the chapter’s wiki page.

If you took a video recording of the meeting, you should post that as well. Vimeo is commonly used to host the uploaded video, which can then be linked to your chapter page.

Follow-up Communication

Once you post meeting materials such as minutes, pictures, presentation, or video to your chapter wiki page, send a follow up email to meeting guests thanking them for attending, letting them know about the next meeting (if you have the information), and directing them to the material on your wiki page.

If you collected any new email addresses, this will also be a confirmation that you have added their name to the mailing list.

Certificate of Attendance

It is not standard practice for OWASP to issue Certificates of Attendance for Chapter Meetings. Your chapter can nominate someone to hold onto a meeting sign-in sheet after each meeting. Meeting attendees are still responsible for submitting their own CPEs, but then the Chapter Leader (or whoever is keeping track of the sign-in sheets) can go back and audit against the chapter’s sign-in sheet if (ISC)2 or another organization audits them.

Organizing Local Events

In addition to holding meetings, you may want to grow and promote your chapter by organizing a larger event such as an OWASP Day, Training Day, or Regional Roadshow. Many of the considerations for these events are similar to those for a meeting, just on a larger scale.

Additionally, you will need to consider whether there will be any cost for attendees. Options include: free for anyone, free for members (so individuals would have to purchase a membership to attend), cost for everyone but discounted for members, or same cost for everyone. The best way to plan for these events is to look at what some chapters have done in the past and try to talk to the chapter leader or event organizer who was involved.

Please register your event through the OWASP Conference Management System (OCMS), which will help OWASP track events not only hosted by OWASP but also sponsored or supported by Foundation funds. The Global Chapters Committee and Global Conferences Committee are also willing to help with your event planning.

Local OWASP Days

Many OWASP Chapters (or a group of chapters in the same region) have planned an OWASP Day which consists of a full day of talks about AppSec and sometimes an additional day of training, provided for little or no cost. The primary goals of OWASP Days are to educate people and raise awareness about application security, not make money. Previous OWASP Days include New Zealand Day, BeNeLux Day, and German OWASP Day.

OWASP Training Days

OWASP Training Days are full day training courses that are free for members (so non-members can attend by paying the $50 fee to become members). The course aims to educate people about OWASP Projects by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

Regional Roadshows

OWASP Regional Roadshows consist of one or more speakers visiting multiple chapters in a region (touring) either as speakers for chapter meetings or to provide training. These Roadshows help Chapter Leaders bring in great international speakers as well as generate awareness in their areas around Application Security and OWASP. Previous Roadshows include LATAM and EU Tours.

Growing and Promoting your Chapter

Setting Goals

Some of the most successful chapters have clearly defined both their short term (achievable within 1 year) and long term goals (achievable in more than 1 year), and set forth a plan to achieve those goals. Goals may include the number of meetings you want to have in a year, certain topics you hope to cover in your meetings, an OWASP Project your chapter members want to contribute to, or even a dollar amount your chapter hopes to have in their local chapter account.

Surveys

Surveying chapter members is a good way to learn how to improve or change your meetings to better meet their needs. While you can collect information about specific speakers and presentations at the end of each meeting (see “Collecting Feedback” above), also give chapter members a chance each year to evaluate the past year and speak about expectations for the upcoming year. You can hand out paper copies at a meeting or even email out the survey to your chapter mailing list.

Outreach

As a chapter leader, outreach is a great way to educate people about OWASP as well as upcoming chapter meetings, lining up speakers, and soliciting sponsors. Here are some ideas for where to start:

  • Use OWASP chapter mailing lists to alert members of meetings and monthly events.
  • Coordinate with other OWASP Chapters in your area - maybe you can piggyback off one of their speakers or combine for a social event.
  • Talk to other security groups, developer groups (Linux, Python, PHP, Ruby, etc.), professional organizations, local CERTs, and hackerspaces in your area (ISSA, ISACA, FBI/Infragard, HTCIA, etc.). Cross-promote and/or join meetings, be a guest speaker and host guest speakers.
  • Host a booth or ask for a speaker slot at local developer/security events. Do a local talk about OWASP Projects that you have been involved in or are familiar with.
  • Talk to local higher education institutions. Involve the university and its computer science students - you may be able to host a meeting or speak to a group of students.
  • Hook up with government, industry, and academic contacts in your area to relay the invitation and generate some interest.
  • Find out what companies are active in this domain in your area in order to raise their interest and support.
  • Consider possible press contacts in your area - invite them to a local meeting, event, or send a press release about an upcoming speaker.
  • Ask for help. A successful chapter has several leaders (there are no limits) so share the fun and the pain!

Recruiting List Members

It is extremely important to grow the size of the list. This is the primary source from which people learn about meetings and the larger the list, the more successful the meetings. Needless to say, list members need not be OWASP paying members.

There are three primary methods to add members to the list:

  1. Automatically registering event attendees to the list. While this may seem unorthodox at first, when done correctly this is the most effective way to enlist new members. Since meeting attendees are usually interested to learn about future meetings, this usually works fine. Just:
    • Enlist all meeting attendees.
    • Send an email to the meeting attendees summarizing the meeting.
    • In this email, alongside the usual thanks and the location of the presentations, inform attendees that you enlisted them to the list, that the list is mostly just for meeting announcements and that anyone is free to contact you to be removed.
    • Promptly remove whoever asks for it.
    • Be sure to remind the attendees of the meeting that you will be adding them to the mailing list for future meeting announcements.
  2. When you meet people in the security community, mention OWASP. Since OWASP is (hopefully) something you are proud of doing, it usually pops up in professional conversations. If they are interested in OWASP, especially getting involved at the local level, offer to register the person to the list to get notifications on future meetings. Also, if you have OWASP business cards, consider having your chapter mailing list address printed on them. This will be an easy way to direct people to the right place: just give them your card! OWASP business cards can be requested and charged to your chapter, provided that the chapter has the necessary funds available, through the OWASP Merchandise Request Form.
  3. Meeting invites. Even if initially sent through the list itself, meeting invites are often forwarded. Add information on subscribing to the mailing list to the invite itself.

Promotional Materials

Consider putting together a flyer about your Chapter with upcoming speakers, topics, and events, or summarizing your local sponsorship opportunities (more on “Raising Funds” below).

Raising Funds

There are a number of different ways in which to raise money for your chapter.

Paid Individual Memberships - encourage the people who participate in your local chapter and attend your meetings to become a paid OWASP member.

  • Individual supporters pay $50 per year for their membership and the fee is split 60/40 with the Foundation (40% goes to the local chapter or project account designated by the member at the time of joining).
  • All paid memberships are processed through the OWASP Membership page.
  • Some regions (developing countries) of the world may qualify for a discounted membership of $20.

In the past, chapters have used (paid) membership drives to promote OWASP and raise money for their chapter. One approach is to enter all new members (or renewing members) in a raffle for prizes to be selected at your next meeting.

Donations

Donations from 3rd parties can be accepted via PayPal. These funds are transferred to the OWASP Foundation and then chapter leaders can submit receipts for reimbursement from their chapter’s account. For more information on reimbursement and your chapter account, see the section on Handling Money.

Chapter Sponsors – Local and Global

In order to grow your chapter, it is usually necessary to obtain sponsorship to cover chapter operations. This can come from local businesses or larger companies.

Local chapters get their funding primarily from local sponsorships. Any time you hold an event or conference you can ask companies to sponsor your event. Most of this money is spent on organizing the event including venue, food etc. However, whatever money is left can be used later for other expenses. Donations received from sponsors are shared between the local chapters and the OWASP Foundation.

There are three different sponsorship options:

  1. Single Meeting Supporter - Organizations that wish to support an OWASP local chapter with a donation to enable the OWASP Foundation to continue the mission.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having a table at local chapter meeting to promote application security products/services etc.
    • The dollar amount for this is set by each local chapter.
  2. Local Chapter Supporter - Organizations that are not yet interested in becoming full Organizational Supporters but who have a desire to direct their support in a more regional manner may prefer to become a Chapter Supporter.
    • Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having (1) supporting member vote in elections and on issues that shape the direction of the community.
    • Suggested dollar amounts are $500 (Silver), $1000 (Gold), and $2000 (Platinum) per year, split 10/90 with the Foundation - 90% of the funds going directly to the local chapter.
  3. Organizational Supporter (Global) - Organizations that wish to support OWASP with a 100% tax deductible donation to enable the OWASP Foundation to continue the mission.
    • Benefits include an opportunity to post a rotating banner ad on the OWASP home page for 30 days at no additional cost, being recognized as a supporter by posting the company logo on the OWASP Website, and being listed as a sponsor in the OWASP newsletter that goes to over 10,000 individuals around the world on OWASP mailing lists.
    • Organizational Supporters have (1) supporting member vote in elections and on issues that shape the direction of the community.
    • $5000 per year, split 60/40 with the Foundation - 40% going to the local chapter designated at the time of payment.

More details on the different levels of sponsorship can be found at: OWASP Corporate Membership page.

leaders, either by mutual agreement, election, or if all else fails, appointed by the Community Manager.

International Aspects

Translation

While knowledge of English is extremely helpful in communicating with the OWASP community around the world, it is certainly not necessary. To support the spread of the OWASP mission regardless of a person’s language, many chapters have worked as a team on translating OWASP Projects, Documentation, or even this Handbook.

Localization

Understanding local culture and habits, and considering them when planning meetings can make a big difference in meeting attendance and the success of your chapter. For example, in some cultures it is not popular or even rude to discuss business over lunch. Thus, an OWASP meeting over lunch would not work very well. On the other hand, some areas have had great success with planning meetings during the lunch hour because it doesn’t cut into people’s “family” time in the evening. Talk to others in your city or region to find out what would work best for them and don’t be constrained by what chapters in other regions are doing.

Material distribution

Some countries or regions may have trouble accessing OWASP tools such as Google Docs, OWASP Sites, or downloadable tools. If these access issues prevent a chapter from adhering to the mandatory chapter rules, they may ask the Global Chapter Committee for an exemption from the policy. Additionally, the OWASP Foundation will work with the chapter to find a suitable alternative or workaround such as setting up local mirrors of tools or the wiki.