OWASP 2020 Operating Plan
Vision: Global and open resource for software security
- Promote updated version of OWASP Top 10 set to release in October 2020.
- Continue to optimize business operations to overachieve financial and membership targets.
- Manage two successful global conferences planning three in 2021.
- Launch Project Summits and AppSec Days to over 500 attendees
- Increase relevance and reputation of OWASP measured by 10% increase in web traffic.
- Improve satisfaction with OWASP by survey measured a 10% increase.
- Increase corporate and individual membership by 25%
Single Source of Truth
Review existing systems for managing community, event, sponsor, and prospect data working to resolve gaps in functionality and data integrity. Retire legacy features/options in tools where appropriate to increase usability. Encourage leadership to use Foundation sourced tools, in particular, event and chapter meeting registrations, to increase transparency and achieve organizational efficiencies. Automate where direct time savings can be projected and live with manual processes when ROI is unclear or insignificant.
Retool Business Operations
Continuously audit business practices for inefficiency, fairness, integrity, transparency, and alignment against the Foundation mission. Monitor all points of data and money in/out of the Foundation while seeking to consolidate where possible and identifying new tools if appropriate. Use ticketing systems to ensure inbound requests meet predefined service level agreements (SLAs) while providing meaningful and accurate status information to requesters and assigned parties. Review and suggest changes to improve every aspect of the Foundation’s work product from members, sponsors, chapters, projects, invoicing, accounts payable/receivable, and events. Manage a technology roadmap for Foundation engagement, communication, security, and institutional resiliency. Ensure documented practices are followed for onboarding and offboarding stakeholders of the Foundation, and annually audit those practices. Manage human resource function with an Employee Manual and staff management processes. Monitor and enforce the expense reimbursement and travel policy for the Foundation.
Project Planning and Budgeting
Each year the Executive Director, along with staff and consultation with the Board, will develop an Operating Plan and Annual Budget for the Foundation. The Operating Plan will be presented to the Board for approval no later than 30-Sep, and the budget 30-Nov, of the prior calendar year. The Operating Plan will minimally include measurable goals and the major initiatives of the Foundation. A quarterly check-in on the plan, its goals and KPIs will be provided to the community. Also, any staff-led initiative that costs more than $10,000 or requires more than 40hrs of staff time, will have a publicly documented plan. The Foundation will create and share project and budget templates for event organizing committees.
To protect the financial assets of the Foundation, a set of documented treasury controls will be developed to cover our existing processes. These processes should balance freedom and bureaucracy while designed to simplify business operations and always ensuring good audit control. All initiatives of the Foundation that are expected in incur more than $50,000 of spending will have a budget to be approved by the Executive Director. Policies will assume best intentions of lower cost items, while ensuring scrutiny on higher price items. Semi-annually the Foundation will audit signatory and password access for citicial systems, including but not limited to banking, credentialing, and publicly accessible assets. Critical passwords will be changed on a semi-annual basis.
Provided budget limitations, the Foundation will generally follow a “fair and reasonable” expense policy. Chapters and projects will be provided guidelines at the beginning of every calendar year for their planning. Expenses that are expected to exceed $2,500 must be pre-approved and expenses greater than $5,000 must be direct billed to the Foundation and do not qualify for reimbursement. The Foundation will continue to use JIRA to process reimbursement with a documented SLA of no more than 22 days for fully documented requests.
Travel Assistance Budget
The Foundation will establish a budget and process for reimbursable travel expenses on behalf of the Foundation. A strong preference will be to use this program for our Project Summits and opportunities where members present our work at major third party conferences. All travel, other than staff and Board travel to Board meetings, will use this process for any travel reimbursement requests.
The Foundation will continue trademark registration efforts the following marks in the United States and European Union: OWASP, Open Web Application Security Project, Global AppSec, and AppSec Days. Additionally the Foundation will register our figure mark (logo) in these same three domiciles. Once completed, the Foundation will develop and share a Trademark Guidelines document for events, chapters, and projects along with implementing these changes on our websites and event names. At this time, the Foundation does not expect to fund any enforcement activities.
A set of Key Performance Indicators (KPIs) will be monthly published in a publicly accessible format, that measure the Foundation’s performance against goals. Minimally these metrics will include financials, SLA on workflows, membership, event, project, and chapter metrics.
Support formation and participate in chartered Committees.
The Foundation should revisit a modernization and vision-casting on how we can build community around our cause. We need to define funnels to capitalize on inbound interest in our content and engage new visitors in OWASP. Our approach should avoid tools that are designed for closed and less visible interactions and where possible, leverage existing vibrant communities. We will explore designing pathways to engagement for every visitor journey in our work - from website visits, to content, to chapter meetings and event attendance. Lastly the Foundation will explore authentication solutions if third party tools are selected.
Following a refresh of Chapter and Chapter Leader Guidelines, the Foundation will require Leaders to accept an online agreement annually. The Foundation will provide online services like Meetup for Chapters to schedule and manage their Chapter meetings. Semi-annually staff will audit chapter activity to ensure chapter leaders are compliant to Foundation policies for meeting activity. Local chapters will be encouraged to directly solicit sponsors for supporting their chapter meetings.
OWASP is a member-led organization and our work products of projects, events, and local connections is only possible with the enthusiastic engagement of our members. Semi-annually before June 1, the Foundation will review membership benefits and suggest changes for Board consideration designed to strengthen the value of our low cost membership dues. Members of the Foundation will minimally enjoy an owasp.org email address along with event and training discounts. The Foundation will review and deploy updated processes for onboarding/offboarding members, while also defining user journey funnels to recruit members. At the end of 2020, the Foundation will complete the implementation of the new policies regarding leadership and membership.
Corporate support is critical for the growth of the Foundation. Annually the Foundation will survey this membership for feedback while reviewing member benefits and pricing. Minimally, corporate membership benefits will include prominent recognition on the Foundation website.
The Foundation will establish processes that enable local chapters to manage local partnerships. Any local partnership, especially those that involve financial support, shall have a memo of understanding between a local OWASP Champion who shall manage the partnership and the Foundation. These agreements are designed to protect all parties, streamline operations, and ensure partnerships conform to the mission and ethics of the Foundation.
Staff and leadership shall always be responsive and respectful of our member and nonmember communities. Our interactions should always encourage deeper commitment and engagement in our mission. Annually the Foundation will conduct, and then publish the results, of a Membership Survey focused on their perspectives and use of Foundation tools and projects. The Foundation will explore ways to more closely engage the Board and staff with the Top 20 chapters and projects. When possible, the Foundation will host member-only lounges and feedback sessions at Global AppSec and AppSec Days events.
No less than quarterly, OWASP will organize a call-in commuity Town Hall. The agenda for these meetings will include community-submitted, Board, and staff topics. While a good deal of the content will be “presentation” style, there will opportuities for community feedback and volunteering.
OWASP Top 10 - 2020 Edition
Properly launch this year’s Top 10 with a sustained and deliberate marketing effort to re-energize interest and support of the Foundation. Develop an updated graphical design framework that can be used by other projects. Explore ancillary work projects similar to the Top 10 which could target new decision makers in the infosec market.
Following a refresh of Project Leader Guidelines, the Foundation will require Leaders to accept an online agreement annually. The Foundation will provide online services like Github hosting for project repositories. Semi-annually staff will audit project activity to ensure project leaders are successfully moving their work along as expected. Projects can be promoted or demoted based on their work product and activity. Project funding will migrate from a project balance design toward a single fund.
It is important to the livelihood of the organization, that Projects get the resources and attention they need to be successful. No less than once per quarter, the Foundation shall proactively solicit feedback and requests for resources from each Project. That information shall be provided to the Board for action where appropriate. The Foundation will seek new ways to “highlight” Project work in our marketing, on social, and highly featured projects on our website.
Minimally twice each year, with one each in different geographies, the Foundation will host a three-day working sessions for selected projects. A merit-based selection process will be developed to invite projects to each summit. The program will solely include heads-down work time for OWASP projects. Travel assistance will be provided to selected projects and their key leaders/contributors.
Global AppSec Events
Each year the Foundation will develop and host Global AppSec events. This year the Foundation will host two; one in June in Dublin and the other in October in San Francisco. Before April 1, the Foundation will have locations, dates, and signed venue agreements for three 2021 events one each of U.S., Europe, and Asia. Each event will continue using previous formats that include keynotes, session tracks, and in-person training. Event budgets shall project at least 30% profit margin for the Foundation and will include deep registration discounts for chapter and project leaders.
Global AppSec Program Team
The content of Global events will be managed by a team of OWASP members that will be sourced from the continent of the event. These teams will replace the local organizing committee function for Global AppSec events. The Foundation will carry the bulk of the workload for these conferences having local chapters primarily providing local volunteer and grassroots marketing efforts.
In 2020 the Foundation will develop and pilot up to four local AppSec Days events. Spread throughout the year, these events will be one day regional conferences of 100 to 250 attendees. Each event will include a keynote, session tracks, and if possible, in-person training. These events will be priced to cover the costs of the event.
Continuing a long tradition of volunteer engagement, the Foundation will continue to support local teams in hosting regional AppSec events. Local event teams must annually apply with the Foundation where they include a high-level budget and agree to certain terms including, but limited to, payment, registration, legal and other policies. The primary goal of these events is to support the educational mission of the Foundation Existing Regional events like AppSec California, LASCON, SnowFROC, Seasides, AppSec Day Australia are included in this event category.
Growth & Partnering
Once selected, a branding system will be defined for a variety of executions including events and chapters. Following launch, the Foundation will abandon previous marks. Unique Chapter Marks will not be protected and the Foundation shall discourage their use by chapters.
Following the December 2019 launch of our new website, the Foundation will monitor and enhance the user experience with feedback membership, visitors, and experts. There will be a deliberate effort to harmonize the design of successful Projects and the main website. An annual content calendar will be developed for spotlights, features, and weekly blog posts. An event registration system will be developed to migrate from third parties for those services. Finally, a static archive of the Foundation wiki will be hosted through 2020 for historical purposes.
Following the success of this new product in 2019, the Development team will continue to source new and larger corporate sponsorship packages to fund the operations of the Foundation. A list of 50 target companies will be defined and our goal will be to close no less than ten of these accounts to multi-year agreements. The Foundation will also explore retooling event sponsorships looking to define multi-event or annual agreements to grow the size of our exhibitions and reward our larger corporate sponsors.
Working together with partners in the technology and infosec community is a shortcut to increased visibility and reputation of the Foundation. Our 2020 Global Partnerships will minimally include Blackhat and DEFCON. Generally, the Foundation will not directly promote third party events or activities to our membership. Additionally the Foundation will explore comarketing opportunities with organizations like Github, Mozilla, Google, Microsoft, Apple, and other global InfoSec companies, seeking no fewer than two engagements prior in 2021.
Prior to May 1, the Foundation will develop a Marketing Plan for the remainder of 2020. This plan should be designed to leverage the launch of the Foundation’s new web presence, branding, and co-marketing agreements. The plan will minimally include a messaging framework, content plan, press and analyst relations, social media, and event promotion activities.
No later than 2H2020, the Foundation will launch a Corporate Grant Funding effort seeking to identify, solicit, and secure six-figure and higher charitable grants that forward the mission of the Foundation. Included in this effort will be training and expected process changes for managing and delivering results documented in secured grants.
20th Year Anniversary Celebration
September 2020 will mark the beginning of the OWASP Foundation’s 20th year. Before June 1, a plan will be developed with details for a 24 month celebration that recognizes the historical contributions of long-time members, whlie also recruiting new members and supporters into our ecosystem.
Online Training and Certificate Program
A potential new revenue source for the Foundation could be online training. In the 2nd half of 2020, the Foundation will explore the development, launch, and promotion of a new Online Training and Certificate Program. The plan should include a discussion on costs, potential product offerings, partner recommendations, pricing, and member discounts for this service.
In all of the Foundation’s work, we shall strive to be inclusive of underserved communities like students, women in technology, and those living in developing economies. Our membership and event registration pricing should always include accommodations for these communities. Additionally a plan shall be developed to increase participation by 25% in each of these communities in the work of the Foundation.
Adopted by the Board of Directors 2020-02-18