Chapters (Draft WIP)
Members are invited to provide feedback on this draft policy until September 16, 2020. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.
How to Start a Chapter
The following information should be provided in an application (should be Chapter Request Form) to start or restart an OWASP Chapter:
- List of the people that are founding the chapter. Each founding member(s) must submit:
- Statement regarding their professional background or resume, and
- Statement of why he or she wants to be an OWASP Leader.
- Only geographical cities will be covered by new chapters. Chapter names should represent the immediate city or region that is being served. Chapter leader(s) must work or live in the immediate geographical area and no more than 50 miles from the city indicated on their application.
- Acknowledgement that founding member(s) read, understands, and agrees to the terms of the Leader and Chapter Rules of Procedure.
- While it is not mandatory, a good understanding of English will help with communication within the OWASP global community. Requests to start or restart an OWASP Chapter may be initiated through the Chapter Request form. If at any time you wish to leave your position as leader or add a new leader the same form may be used by selecting “Modify Chapter Leadership” from the drop down menu.
New Chapter Approval Process
After receiving the above information via the online form, an OWASP employee will give a cursory check of the above items to ensure new chapter leaders are serious and understand their commitment. Upon review of requester’s credentials and resolution of any potential conflicts, the applicant can move forward as a chapter leader. The SLA from application to determination will be less than 30 days. A chapter web page, Meetup group, and Google Group mailing list will be set up for the new leader(s) and the chapter leader(s) will be given an OWASP email account and password to operate as the administrator of the new chapter mailing list.
The format used for naming a chapter is: OWASP [Insert City, Region, or Country Name of Chapter]. For example: OWASP Austin, OWASP London, OWASP Malaysia.
Chapter geographical area should not reasonably overlap with an existing chapter. Chapters promote face-to-face meetings and the geographical area covered should be no more than a reasonable travel for a meeting while also being large enough to serve a sizable application security community.
The OWASP Foundation no-longer grants country-wide chapters. Historically a chapter could cover a regional or national area but only with an annual plan to serve all major metropolitain areas.
Maintaining the website is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed when looking at our list of meeting locations by geographic region: and one of the main ways for prospective members or sponsors to find your chapter.
Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available and accessible. Therefore it is imperative that the information is posted on your wiki page as soon as the meeting is set. People must not be required to pay or sign up for a service to learn about your meetings.
The local chapter wiki page must include at least:
- Information about the chapter leadership, including best way to contact.
- Link to the chapter’s mailing list. Meetup
- Information about future and historical events.
- The presentations given in past meetings
Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are useful to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page must be the authoritative information source at all times. Some services will have an official alternative. One example of this is MeetUp Pro which will has an api that will allow you to mirror the meeting information you post on your MeetUp Pro account to your wiki page and the OWASP Events Calendar (Coming 2017).
If you have not already created a user account on our wiki site to edit your chapter’s wiki page, please do so.
To ensure uniformity and ease of reading on the wiki, OWASP has a set of guidelines for designing your wiki page. Tips on wiki markup/editing can be found here: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:FormattingYou can copy and paste the wiki code for the chapter template .
Chapter leaders serve as the main point of contact for the local chapter and are responsible for ensuring that the local chapter fulfills its requirements, including planning at least two meetings per year.
- An Active Chapter Leader is responsive to all requests within a reasonable amount of time, generally within 5-7 business days. Chapter leaders must have their name and contact information clearly available on the Chapter wiki page.
- Preferably, a chapter should have as many organizers as possible. Running a successful chapter requires concerted effort all year long, and these duties should be split between whoever is willing to volunteer to take the load. A single chapter leader has proven to be an anti-pattern for successful chapters and high performing chapters often have three or more co-organizers that meet regularly to plan. In order to promote checks and balances, there are some benefits given explicitly to chapters with multiple leaders. The most important of these is that every chapter with at least 2 leaders is given access to a minimum starting annual budget of $500. You can read more about budgets in section four.
- Chapter Leader (or Coordinator): Every chapter must nominate a Chapter Leader, who is the central point of contact for the chapter and responsible to the OWASP Board. We suggest (but do not require) that leaders rotate every 24 months to allow for new ideas and to spread the workload. Leadership can be in the form of a few people who work by consensus, a leader with an advisory board, or, if you must, a single leader. In case of dispute over the leader role, your leadership board may rotate over the 24 month term. If there are multiple candidates and no rotation agreement, elections should be held for a 24 months term (see elections below).
- Board: Chapters are free to decide on the number of role holders, their titles, how they are selected and for how long. In case there are multiple candidates for a specific role, and no restructuring, rotation or teaming works, elections for the role should be held for a 24 months term.
- We recommend that a chapter would have also a board with at least 3 members, each one having a specific role. Common roles:
- Organization: Secretary, PR/Marketing, Web, Membership, Finance & Meetings/Conferences
- Content: Education, Industry, Projects
- We recommend that a chapter would have also a board with at least 3 members, each one having a specific role. Common roles:
- Any long term change in how governance is handled must be decided either by consensus or votes. All paid or honorary members affiliated with your chapter must have sufficient notice and opportunity to take part in the discussion and decision making process. It is incumbent upon the current leaders or actors urging the change to make sure this happens. Unless otherwise stated, OWASP assumes that the leadership and chapter are governed by consensus. Any changes in this structure must be posted on the wiki whether it is a simple decision like “We work by consensus” and “We vote every 2 years” or a complex governance document like some of our chapters have.
- Your chapter page, must clearly identify who is the current leadership for the chapter or on the board of the chapter, including their phone numbers and/or email addresses. Additionally, post information on how people can get involved with the chapter planning, leadership, or decisions. What are your plans for the upcoming year? Are you looking for help with something particular? When are your elections held?
In the course of time, a leader may want to move on and leave his/her role. While this chapter provides guidelines to the technical process to follow, we found in the past that the actual challenge is finding the new leader, especially in chapters that lack a board. We strongly suggest that a chapter leader who wants to stop would try to find a successor among the active members of the chapter. Such a process has the best chance of ensuring the continuous success of the chapter.
Please let us know of your wish to leave the job and let us help you in finding a successor.
When a new leader is to be added to your team or a current leader is leaving you must fill out the change of leadership form to complete the activity. Chapter leadership is an agreement with the OWASP Foundation to take on responsibilities as well as privileges; records of who is in what role need to be up to date.
It is always advisable to avoid elections. Running a chapter is a hard, volunteer job and sharing the load is always advisable. Since the chapter leader role structure is flexible, choosing the defined chapter structure (such as a board of leaders who work by consensus) may help to avoid elections. However, if there is a lack of agreement between chapter members on structure, roles or any other issues an election for a role or a poll on any other subject may be required:
A poll on a subject will be held if 10% of the chapter members request it.
Elections for a role will be held if there are multiple candidates for a role at the end of the term for the role.
Chapters that either choose to hold regular or one off elections as well as those that are driven to elections due to disagreement have the ability to request to use the Foundation’s Simply Voting or Surveymonkey services as their balloting system.
How should elections be held?
OWASP does not enforce any procedure for elections and polls. However all elections must meet the OWASP core value of “Openness.” To this end, in the absence of a previously agreed upon process that is publicly accessible all elections must be announced on the chapter mailing list and all paid and honorary members must have the opportunity to vote. When structuring an election in the absence of an established process, an agreement on procedure between candidates or suggestion makers is sufficient. If such an agreement is not reached, the following procedure should be followed:
- The subject and options for vote alongside the names of the people requiring the vote would be submitted to the OWASP Foundation.
- The OWASP Foundation will request confirmation by email from the people requiring the vote.
- Once confirmed, the OWASP Foundation will send the ballot to the chapter members setting a deadline.
- One results are in, the OWASP Foundation will notify chapter members of the results.
This procedure for election heavily involves the OWASP Foundation as we feel that if the chapter cannot get to an agreement even as to how to hold elections, central intervention is required.
While local chapters operate, for the most part, independently from the OWASP Foundation, they are not stand alone legal entities. Chapters do not have their own by-laws or any special legal status or seperate governing documents. Chapters and chapter leaders are governed by the OWASP Foundation through the Executive Director and the OWASP Board.
When there is a problem at the local level, at what point does the global organization step in? Chapters are encouraged to handle disputes locally, within their own governance structures. However, what should a chapter leader (or other community member) do if there appears to be a violation of OWASP principles or ethics? Or what if someone feels that the chapter leader him or herself is not following the handbook?
If you feel that a chapter leader is not acting in accordance with the chapter handbook, please follow the following hierarchy in escalating your concern:
- Bring your concern to the attention of the chapter leader or chapter board. If possible, make an attempt to handle the issue locally.
- If you are unable to resolve at the local level, please contact the Community Manager through the contact us form.
- If the Community Manager is not able to handle your concern or you would like to challenge the feedback/decision of the Community Manager, the concern can be raised with the Global OWASP Board.
- If you feel an Code of Ethics violation has occurred, you may review the Whistleblower Policy for instructions on how to file a complaint.
Chapter Activity Requirements
Chapters must hold at least 4 meetings per year. Virtual meetings held via GotoMeeting or other online forum, do count towards this activity requirement as long as the event is free and open to attendees.
A chapter will be tagged as inactive if they have not hosted a meeting or event in over a year. Additionally any chapter leaders will be removed from their position.
If a leader has abandoned their chapter (left without finding a replacement leader) and no one has stepped up to take on the role, the chapter may also be tagged as inactive.
Reporting an inactive chapter - If you think a chapter is inactive and are interested in helping out, we recommend reaching out to the chapter leader or board listed on the chapter’s wiki page as a starting point. They may welcome you to take over the reins or let you know the status of the chapter.
Every effort will be made to reach out to the chapter leader before a chapter is marked inactive. Chapter leaders will be given seven days to respond before the chapter is marked inactive.
If a chapter appears to be inactive, or in danger of becoming inactive, and the chapter leader is unresponsive or unwilling to accept support, please report it to us via the contact form so that we can follow up. If you feel the current leadership is not performing up to OWASP standards or have other concerns about chapter leadership, refer to Section 5.6: Disputes for resolution procedures. Confidentiality will be maintained where possible.
Restarting an Inactive Chapter
The process for restarting an inactive chapter is the same as starting a new chapter. Instead of a new wiki page and mailing list being created, however, the new chapter leader will be listed on the existing wiki page and given administrative access to the mailing list.
EDITING FROM HERE
Organizing Chapter Meetings
There are a variety of meeting formulas that have been used by existing local chapters; the most traditional of which is an evening speaker meeting. For this type of meeting, the chapter leader will organize one or more speakers to present on one or more topics in a lecture or question & answer format. Needless to say, chapters have adapted this formula in many ways to suit their members or geographic area. Meetings have been organized over breakfast, lunch, or dinner as well as at a bar having a conversation over drinks. Some chapters serve food during the meeting or after the meeting on site, others will invite meeting attendees to a cafe, bar, or restaurant nearby for food and drinks after the meeting. Meetings have been organized as social or networking events, roundtables, panel discussions, or even as a remote presentation.
Chapter leaders are encouraged to try a variety of formats to determine what will be the most successful for their audience and area. Also, it may work best to have a variety of formats throughout the year depending on the speaker and meeting space availability.
Virtual meetings may not be ideal to encourage networking and community building within your local chapter, but they are certainly a good alternative when the chapter is not able to find a venue or having trouble bringing in a speaker. OWASP has a GotoMeeting account already available for chapter leaders (paid by the Foundation and provided for free for the chapters). If you would like to set up a meeting or obtain the GotoMeeting login credentials, contact us.
Before - Planning the Meeting
In order of importance,* these are the key pieces to holding a chapter meeting:
- Great speakers / topics
While the order of importance has been debated by chapter leaders, the general consensus appears above. Additional pieces (discussed more below) that some chapter leaders have said are “key” in their regions: sponsors and attendees. The list above is meant to be a starting place and a list of essential items for planning your meeting; it is assumed that once you have these items in place people will attend the meeting and sponsorship will follow thereafter.
Getting a Speaker
OWASP chapters are encouraged to get local speakers. Your chapter may also use international speakers, but you will quickly need funds to cover travel costs if the speakers cannot pay for the travel themselves.
One technique for bringing in international speakers is to coordinate your meeting with another event that the speaker may be attending or speaking at nearby. The intended speaker may be willing to arrive early or extend their trip by a day or two to speak at your local meeting.
Also, the OWASP Speakers Project is available to help local chapters or application security conferences to find OWASP related speakers.https://www.owasp.org/index.php/Category:OWASP_Speakers_Project
If you have found an international speaker who is not able to pay for the travel themselves, and your chapter does not have the funds to cover the travel costs, you may be able to apply for “OWASP on the Move” funds (outlined below).
Many chapters do not have every speaker sign the OWASP [Speaker Agreement] as part of their agreement or confirmation for the event. However, if you think OWASP values and principles may be an issue or are concerned that the speaker does not understand the terms of the arrangement, you may consider sending them this speaker agreement: https://www.owasp.org/index.php/Speaker_Agreement
There are an infinite number of possibilities for a meeting location - local college, business, library, or even a restaurant or pub. Plan as far in advance as possible - good meeting spaces are often available at little or no cost (local colleges and universities are often willing to give meeting space for free), but they fill up quickly.
Also, it is important to consider accessibility when looking at locations: Where will the attendees park? What is the average travel time for attendees? Is there a security checkpoint? What happens if attendees have not pre-registered, can they still attend? Can you serve food at this location?
While having a permanent or stable meeting location for your chapter meetings may be convenient for planning, it is also important to consider any conflict of interest (or appearance of conflict of interest) your meeting venue may convey. For example: vendor neutrality is one of the core values of OWASP, but this doesn’t necessarily mean that a vendor cannot host a local chapter meeting. As long as the meeting is free and open and doesn’t violate other OWASP principles, a vendor’s office space may be a great location to hold a meeting. That being said, holding every meeting at this vendor’s office to the exclusion of other available and willing venues, may give an appearance of impropriety.
Setting a Date and Time
Most OWASP meetings are currently held during the week (Monday through Friday). Additionally, while meetings have traditionally been held in the evening, an increasing number of local chapters have found success in hosting breakfast (early morning) or lunch events.
When setting your meeting date and time, be sure to consider:
- Will your anticipated venue will be available?
- Will you be able to find a speaker for this date and time (many chapters will book the speaker first and then choose a date and time that works for him or her)?
- Have you allowed sufficient travel time for attendees that are coming from work?
- Are there any local or regional events or holidays that will conflict?
Posting Meeting Info on the Website
General information about what should be on a chapter’s wiki page can be found under “administration” below. As soon as you know the time, date, and location of your meeting, be sure to post it to your chapter’s wiki page. Additionally, most chapters post information about the upcoming meeting such as: meeting agenda, speaker background, summary of the topic(s) to be covered by the speaker/meeting.
Many chapters provide food or refreshments before, during, or after their meeting. This is not a necessity for a chapter meeting, but something extra you might consider if you have the funds in your chapter account or are able to get a sponsor to cover costs (or provide food directly). It is also possible for meeting attendees to split the cost if they want food at the meeting; however, no one can be excluded from a meeting based on their ability or willingness to pay for food. Meetings must remain free and open.
If you need to decide on the amount of food ahead of time, line up the refreshment logistics based on RSVP’d attendees.
Sponsors & Affiliates
In order to organize events, an OWASP chapter often needs to find sponsors. These sponsors may provide meeting facilities, refreshments, etc. While sponsorship is good, it is important to avoid the commercialization pitfalls that may accompany it.
The following is specifically prohibited:
- Providing sponsors with a list of people registering for or attending any event. This might even be illegal in certain countries due to privacy laws. The sponsor can collect leads in itself, for example by offering a prize for people providing contact details.
- Providing the sponsor with a commercial or product centric presentation slot.
So what can sponsors get?
- Many thanks, and hopefully a very good feeling of helping the community.
- A table top style mini booth where they can put up a “roll up” poster or two and hand out your brochures and freebies. This might not be possible in certain meeting facilities.
- Logo on the local chapter or event page.
- All of the OWASP sponsorship options are detailed on the OWASP Membership page: https://www.owasp.org/index.php/Membership
At the local level there are options for both Local Chapter Supporters (90/10 split with the Foundation, 90% directly supporting the local chapter) as well as Single Meeting Supporters.
Here are some tips that chapter leaders can use to promote their meeting (and increase meeting attendance):
- At a minimum, the date, time, location, speaker, and topic should be listed on your chapter’s wiki page and an email announcement sent out to your chapter’s mailing list.
- When sending out direct meeting invitations, use google calendar invites through your @owasp.org email account. General email assumes that people will read it in a timely manner and will remember to place it onto their calendar. By using the google calendar invitations, this task is done for them.
- Make sure that your upcoming meeting is broadcast through a variety of channels. In addition to posting the meeting to your chapter’s wiki page and mailing list, consider blogging or tweeting about it, as well as posting it on social networking sites such as LinkedIn, Facebook, Meetup, and myowasp.
- Post your event to sites such as Yahoo Events and partner with other user groups to cross-market (i.e. ISSA, .Net SIG, Java SIG, SIM, DAMA).
- Acknowledge the fact that even if people cannot physically attend, they may be able to participate remotely. The OWASP Foundation has an account with Zoom that is free for chapters to use. Account requests or details can be requested can be requested through Contact Us.
- Many people are tired and hungry, especially after a long day at work. While you cannot cure tiredness, you can at least try to feed your attendees. Pizza is cheap and it is relatively easy to find a sponsor.
- Make sure the topics you choose are broadly applicable and not just targeted at one group (i.e. penetration testers, software developers). Part of making web application security visible requires you to choose (or solicit) speakers that appeal to IT executives, enterprise architects, business analysis, legal and compliance, etc. If a particular group does happen to be the “target audience” at a meeting, try to change things up for your next meeting.
Posting your meeting on the chapter’s wiki page and emailing an announcement to the chapter’s mailing list are the prime methods of letting people know about OWASP meetings. Some other useful methods are:
- Ask your speakers to send invites to their circle
- Ask people on the list to forward to people in their organization.
- Use your own personal contacts. Since OWASP is not a commercial organization, this would be usually acceptable by your business contacts. Again, this might actually help you keep in touch with them.
Meeting invitations/announcements should contain a request to forward it to other interested parties.
You might also want to use event invites instead of e-mail messages. These services provide different advantages such as integration with the attendee calendar and RSVP management, but on the other hand might seem more commercial and obtrusive.
You can send event invites using the following tools:
- Meetup is the preferred tool for creating and sharing upcoming meeting details
- Direct calendar invites: one can do that using a dedicated Google calendar account.
- The tool most used by OWASP chapters is: Eventbrite, which is free for non-profits.
The OWASP Foundation can provide you with OWASP books, shirts, pens, lanyards, flyers, or other materials that you might need to jump-start your next meeting. The cost of these items will be billed to your local chapter. If you would like OWASP Merchandise for your meeting or local event, but do not have the funds to cover it, you request that the costs be covered by the Global Chapters Committee. Requests can be submitted through the OWASP Merchandise Request Form.
Rocksports has also set up an OWASP Storefront to show items they have available and many OWASP books have been made available through Lulu.
You may want to send your speakers a PowerPoint template to use for their presentations. Here are some options:
- OWASP Impress Template (Open/Libre Office)
In order to ensure that presentations remain vendor neutral and don’t turn into platforms for a sales pitch, it is recommended that you screen the presentations before the meeting. This may also be a good time to remind your speaker about the terms of the Speaker Agreement (or make sure they understand what is expected of them).
The OWASP Foundation has an account with Zoom that is free for chapters to use. Account requests can be requested through Contact Us. As soon as you have scheduled the meeting date and time, the remote participation can also be scheduled so you can include details on your chapter’s web page, meetup, and/or in your emails.
Although it is not necessary, giving speakers a small token of appreciation such as an OWASP t-shirt, mug, or pen set is encouraged.
During the Meeting
Arrive early! Ensure that everything for the meeting space is set up before the first attendees will be arriving. Here are a few things you may need to set up or prepare:
- Registration & badges (if any)
- OWASP merchandise and signs including banner
- Remote participation
- Sponsor booths/tables
- Catering - Will food or beverages be served before, during, or after your event? Where will the food be located? Who is providing the food? Will someone need to meet the delivery person at the front door of the building?
- Equipment - projector, sound system, and any special items that may have been requested by the speaker(s)
If you have the equipment, you may want to consider recording a video of your meeting and posting for members who were not able to attend the meeting. This is also a nice resource for chapter leaders or event organizers to use in the future to screen a speaker or learn about his/her style. The OWASP Speaker Agreement includes authorization for the speaker’s presentation to be recorded and posted. If you plan to record the meeting, you should make sure the speaker is aware and has agreed to the reproduction of his/her presentation.
Spread tasks across many individuals in order to ensure that your meeting runs smoothly and all of the tasks before, during, and after the meeting are handled in a timely fashion. There are usually people that attend the meetings who are willing to want to help the chapter be successful, but are not able to commit to a chapter leadership role - that doesn’t mean they aren’t willing to help out on a meeting-by-meeting basis.
Job announcements: Some chapters encourage recruiters or other individuals who are hiring in their area to come for their meeting and make the job announcement in person. At the beginning of the meeting they ask anyone who is hiring to stand up and introduce themselves and who they are looking for. Then at a break or after the meeting, attendees can get in touch with them. This encourages recruiters/employers to invest a small amount of time in your chapter (attending the meeting) and also gives both the person hiring and the people looking for jobs the benefit of face-to-face contact.
** Present an OWASP Update**: Always cover the OWASP mission and goals at each meeting to reinforce it to the attendees of why and what the purpose of the chapter is. Explain the web application security problem in a general way to attract a large crowd and to educate the new members and guests.
OWASP Conferene Recap: Additionally, if you or any of your chapter members have recently attended an OWASP conference or other event, this is a good time for a short (5-10 minutes) presentation about the event.
One or more speakers:if you have a general time frame for the speaker(s), make sure to let them know. Also, if you will be having more than one speaker, consider whether you will have a short break between them for attendees to stretch their legs and get refreshments, or whether you will want the change-over time to be quick (and attendees remain in their seats).
Collecting CPE Forms
Send out CPE credits to attendees that requested them or explain to them that ISC2 (as a example) is a self certify – if organizations such as those want to designate someone to collect and validate they are welcome to do so, but that is not a responsibility of OWASP Chapter Leaders.
Collect feedback on the speaker from attendees:
- There are a number of sites available that have feedback templates or allow you to build your own survey: formsite.com, surveymonkey.com, zoomerang.com, Google form, etc.
- A speaker feedback form developed by the NYC/NJ Metro Chapter is also available for you to use. The NYC/NJ Metro Chapter distributes copies to meeting attendees and asks them to complete them and hand them back in at the end of the meeting. Then the chapter leader (or another person willing to keep track of feedback) quickly adds the totals up to get an idea of which speakers they would like to ask back again to present.
- This is also a good time to capture potential topics or speakers for upcoming chapter meetings. What would meeting attendees like to learn about? Is anyone at the meeting willing to give a presentation in the future?
There are a variety of ways to incorporate networking or social interactions into your meeting format. While some chapters designate specific meetings for networking and socializing (no speaker, just meet at a local restaurant or pub), it is more common to allow time for socializing after the meeting. Some meeting venues will be able to host this, but more than likely you will want to relocate to a restaurant or bar nearby. Consider asking the speaker(s) to join you so that guests can have an opportunity for follow up conversations. This time also fosters building a local OWASP community where the guests get to know each other and what is going on in the local appsec community.
After the Meeting
Review event, lessons learned, what can be improved with the other chapter leaders or board members. Go over any feedback collected at the meeting.
Meeting Minutes (and Photos)
Post meeting minutes to document what was covered at the meeting, including any announcements or decisions that were made. Pictures from the meeting are also encouraged.
Posting Presentations and Recordings
In addition to any meeting minutes and photos, try to collect the presentation from the speaker to post on the chapter’s wiki page.
If you took a video recording of the meeting, you should post that as well. Vimeo is commonly used to host the uploaded video, which can then be linked to your chapter page.
Once you post meeting materials such as minutes, pictures, presentation, or video to your chapter wiki page, send a follow up email to meeting guests thanking them for attending, letting them know about the next meeting (if you have the information), and directing them to the material on your wiki page.
If you collected any new email addresses, this will also be a confirmation that you have added their name to the mailing list.
Certificate of Attendance
It is not standard practice for OWASP to issue Certificates of Attendance for Chapter Meetings. Your chapter nominating someone hold onto a meeting sign-in sheet after each meeting. Meeting attendees are still responsible for submitting their own CPEs, but then the Chapter Leader (or whoever is keeping track of the sign-in sheets) can go back and audit against the chapter’s sign-in sheet if (ISC)2 or another organization audits them.
Organizing Local Events
In addition to holding meetings, you may want to grow and promote your chapter by organizing a larger event such as an OWASP Day, Training Day, or Regional Roadshow. Many of the considerations for these events are similar to that for a meeting, just on a larger scale.
Additionally, you will need to consider whether there will be any cost for attendees? Options include: free for anyone, free for members (so individuals would have to purchase a membership to attend), cost for everyone but discounted for members, or same cost for everyone. The best way to plan for these events is to look at what some chapters have done in the past and try and talk to the chapter leader or event organizer who was involved.
Please register your event through the OWASP Conference Management System (OCMS), which will help OWASP track events not only hosted by OWASP but also sponsored or supported by Foundation funds. The Global Chapters Committee and Global Conferences Committee are also willing to help with your event planning.
Local OWASP Days
Many OWASP Chapters (or a group of chapters in the same region) have planned an OWASP Day which consists of a full day of talks about AppSec and sometimes and additional day of training, provided for little or no cost. The primary goals of OWASP Days are to educate people and raise awareness about application security, not make money.Previous OWASP Days include New Zealand Day, BeNeLux Day, and German OWASP Day.
OWASP Training Days
OWASP Training Days are full day training courses that are free for members (so non-members can attend by paying the $50 fee to becoming members). The course aims to educate people about OWASP Projects by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. Training Materials: https://www.owasp.org/index.php/OWASP_Training, Material downloads: http://code.google.com/p/owasp-training/downloads/list
OWASP Regional Roadshows consist of one or more speakers visiting multiple chapters in a region (touring) either as speakers for chapter meetings or to provide training. These Roadshows help Chapter Leaders bring in great international speakers as well as generate awareness in their areas around Application Security and OWASP. Previous Roadshows include LATAM and EU Tours.
Growing and Promoting your Chapter
Some of the most successful chapters have clearly defined both their short term (achievable within 1 year) and long term goals (achievable in more than 1 year), and set forth a plan to achieve those goals. Goals may include the number of meetings you want to have in a year, certain topics you hope to cover in your meetings, an OWASP Project your chapter members want to contribute to, or even a dollar amount your chapter hopes to have in their local chapter account.
Surveying chapter members is a good way to learn how to improve or change your meetings to better meet their needs. While you can collect information about specific speakers and presentations at the end of each meeting (see “Collecting Feedback” above); additionally, give chapter members a chance each year to evaluate the past year and speak about expectations for the upcoming year. You can hand out paper copies at a meeting or even email out the survey to your chapter mailing list.
As a chapter leader, outreach is a great way to educate people about OWASP as well as upcoming chapter meetings, lining up speakers, and soliciting sponsors. Here are some ideas for where to start:
- Use OWASP chapter mailing lists to alert members of meetings and monthly events.
- Coordinate with other OWASP Chapters in your area - maybe you can piggyback off one of their speakers or combine for a social event.
- Talk to other security groups, developer groups (Linux, Python, PHO, Ruby, etc.), professional organizations, local CERTS, and hackerspaces in your area (ISSA, ISACA, FBI/Infragard, HTCIA, etc.). Cross-promote and/or join meetings, be a guest speaker and host guest speakers.
- Host a booth or ask for a speaker slot at local developer/security events. Do a local talk about OWASP Projects that you have been involved or are familiar with.
- Talk to local higher education institutions. Involve the university and its computer science students - you may be able to host a meeting or speak to a group of students.
- Hook up with government, industry, and academic contacts in your area to relay the invitation and generate some interest.
- Find out what companies are active in this domain in your area in order to raise their interest and support.
- Consider possible press contacts in your area - invite them to a local meeting, event, or send a press release about an upcoming speaker.
- Ask for help. A successful chapter has several leaders (there are no limits) so share the fun and the pain!
Recruiting List Members
It is extremely important to grow the size of the list. This is the primary source from which people learn about meetings and the larger the list, the more successful the meetings. Needless to say, list members need not be OWASP paying members.
There are three primary methods to add members to the list:
- Automatically registering attendees to an event to the list While this may seem unorthodox at first, when done correctly this is the most effective way to enlist new members. Since meeting attendees are usually interested to learn about future meetings, this usually works fine. Just:
- Enlist all meeting attendees.
- Send an email to the meeting attendees summarizing the meetings
- In this email, alongside the usual thanks and the location of the presentations, inform that you enlisted attendees to the list, that the list is mostly just for meeting announcements and that anyone is free to contact you to be removed.
- Promptly remove who ever ask for it.
- Be sure to remind the attendees of the meeting that you will be adding them to the mailing list for future meeting announcements.
- When you meet people in the security community, mention OWASP. Since OWASP is (hopefully) something you are proud of doing, it usually pops up in professional conversations. If they are interested in OWASP, especially getting involved in at the local level, offer to register the person to the list to get notifications on future meetings. Also, if you have OWASP business cards, consider having your chapter mailing list address printed on it. This will be an easy way to direct people to the right place…. just give them your card! OWASP business cards can be requested and charged to your chapter, provided that the chapter has the necessary funds available, through the OWASP Merchandise Request Form.
- Meeting invites. Even if initially sent through the list itself, meeting invites are often forwarded. Add to the invite itself, information on subscribing to the mailing list.
Consider putting together a flyer about your Chapter with upcoming speakers, topics, and events, or summarizing your local sponsorship opportunities (more on “Raising Funds” below).
There are a number of different ways in which to raise money for your chapter.
Paid Individual Memberships - encourage the people who participate in your local chapter and attend your meetings to become a paid OWASP member.
- All paid memberships are processed through Become a Member
In the past, chapters have used (paid) membership drives to promote OWASP and raise money for their chapter. One approach is to enter all new members (or renewing members) in a raffle for prizes to be selected at your next meeting.
Donations from 3rd parties can be accepted via Donate. To receive a donation allocated to your chapter the donation button in the website header must be clicked while on your Chapter web page.
Chapter Sponsors – Local and Global
In order to grow your chapter, it is usually necessary to obtain sponsorship to cover chapter operations. This can come from local businesses or larger companies.
Local chapters get their funding primarily from local sponsorships. Any time you hold an event or conference you can ask companies to sponsor your event. Most of this money is spent on organizing the event including venue, food etc. However, whatever money is left can be used later for other expenses. Donations received from sponsors are shared between the local chapters and the OWASP Foundation.
There are three different sponsorship options:
- Single Meeting Supporter - Organizations that wish to support OWASP local chapter with donation to enable OWASP Foundation to continue the mission.
- Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having a table at local chapter meeting to promote application security products/services etc.
- The dollar amount for this is set by each local chapter.
- Local Chapter Supporter - Organizations that are not yet interested in becoming full Organizational Supporters but who have a desire to direct their support in a more regional manner may prefer to become a Chapter Supporter.
- Benefits include being recognized as a local supporter by posting the company logo on the OWASP Chapter website, and having (1) supporting member vote in elections and on issues that shape the direction of the community.
- Suggested dollar amounts are $500 (Silver), $1000 (Gold), and $2000 (Platinum) per year, split 10/90 with the Foundation - 90% of the funds going directly to the local chapter.
- Organizational Supporter (Global)- Organizations that wish to support OWASP with a 100% tax deductible donation to enable OWASP Foundation to continue the mission.
- Benefits include an opportunity to post a rotating banner ad on the OWASP home page for 30 days at no additional cost, being recognized as a supporter by posting the company logo on the OWASP Website, being listed as a sponsor in the OWASP newsletter that goes to over 10,000 individuals around the world on owasp mailing lists.
- Organizational Supporters have (1) supporting member vote in elections and on issues that shape the direction of the community.
- $5000 per year, split 60/40 with the Foundation - 40% going to the local chapter designated at the time of payment.
More details on the different levels of sponsorship can be found at Corporate Supporters
leaders, either by mutual agreement, election, or if all else fails, appointed by the Community Manager.
While knowledge of English is extremely helpful in communicating with the OWASP community around the world, it is certainly not necessary. To support the spread of the OWASP mission regardless of a person’s language, many chapters have worked as a team on translating OWASP Projects, Documentation, or even this Handbook.
Understanding local culture and habits, and considering them when planning meetings can make a big difference in meeting attendance and the success of your chapter. For example, in some cultures it is not popular or even rude to discuss business over lunch. Thus, an OWASP meeting over lunch would not work very well. On the other hand, some areas have had great success with planning meetings during the lunch hour because it doesn’t cut into people’s “family” time in the evening. Talk to others in your city or region to find out what would work best for them and don’t be constrained by what chapters in other regions are doing.
Some countries or regions may have trouble accessing OWASP tools such as google docs, the OWASP wiki site, or downloadable tools. If these access issues prevent a chapter from adhering to the mandatory chapter rules, they may ask the Global Chapter Committee for an exemption from the policy. Additionally, the OWASP foundation will work with the chapter to find a suitable alternative or workaround such as setting up local mirrors of tools or wiki.