OWASP Operating Plan 2021 - Survive

• Introduction
• Survive (Part 1) [TOC]
• Thrive (Part 3)

Focus on Mission

Adopted by the Board of Directors 2020-09-22

OWASP cannot survive by thinking small and being a “small OWASP.” Almost all mission-related activities in late 2020 and through 2021 need to devolve to the Community through Core Committees and volunteerism to drive our mission going forward. The Foundation should be assisting as a partner and reducing friction, not controlling or running these mission-related activities.

Focus on Mission is primarily governed and run by the Community through Committees, assisted by the Foundation. Our interaction with these goals is documented here, but if Committees choose another path, our goal is to support them.

Community Committees

Projects

Projects governance, including project reviews and promotions, will be devolved to the forthcoming Projects Committee.

OKR’s

• By October 2020, establish the Project Committee and elect officers
• By December 2020, have met publicly at least once and agreed a calendar of activities
• By July 2021, re-write the Project handbook and set up community maintenance
• By December 2021, reported progress on this calendar of activities to the Board no less than 4 times.

Committee Charter

• Promote project activity, and provide mentorship and guidance to project leads and team members.
• Maintain the project lifecycle within OWASP, including working with staff to improve procedures, and documenting guidelines in an updated or re-written Project Handbook.
• Work with OWASP projects and establish any processes to assist projects to achieve flagship-level status, including deleting, revising, or establishing a project review process.
• Evangelize OWASP projects publicly, including working with outside projects to become OWASP projects.
• Provide first level dispute resolution for projects, which can be escalated to the OWASP Conflict Resolution process, or in severe cases, the Foundation, Compliance Committee, or Global Board.
• Work with the Foundation to build operational automation and provide managed shared infrastructure for projects.
• Advise the Board or Foundation on relevant bylaw or policy changes.

Chapters

Chapter governance, including inactive chapter reviews, will be devolved to the Chapter Committee.

2021 OKRs:

• Work with the Foundation to establish minimum and maximum numbers of chapter leaders.
• Document, reform, and standardize regional chapters to “not be the boss” but establish good governance, regional coordination, regional events, and to promote OWASP within regional or smaller countries, encourage city chapter creation in their region, align activity requirements with chapters, and establish oversight for assistance and dissolution.
• Rewrite a new chapter handbook to assist new and existing chapter leaders in leading their chapter more effectively.
• By December 2020, work with the Foundation to get ALL active chapters onto the standard OWASP platform (owasp.org + Meetup) so that we can automate activity detection so the Committee can identify and help inactive chapters to become active again. On the last business day of December 2020, all inactive chapters as determined by automation will be automatically disbanded.

Planned Activities

• Work with the Foundation to establish COVID and non-COVID chapter activity requirements, reducing activity in COVID affected regions, and all the while promoting chapters to meet virtually, and when safe - physically, as often as possible.
• Renew student chapters and memberships, to make it either free or heavily discounted, and seek donations from partners to provide discounts and free stuff to student chapters around the world.
• Work with the Foundation to establish automatable and minimalist chapter governance metrics, to automate chapter discoverability for members, automate activity detection, and to highlight chapters in need of assistance, renewal, or dissolution.
• Work with the Foundation and Board to establish “fair and reasonable” expenses for chapters.
• Work up BAU plans for monthly slides to be shown at all chapter meetings, plan monthly meeting themes, and promote chapter activity.
• Establish and manage a speaker’s bureau, chapters, events, and outreach.

Events

Regional events are being devolved back to the Community. To support this initiative, a new Events Committee should be established, primarily consisting of current regional event leaders.

OKRs:

• Establish an Events Committee to assist regional events by December 2020.
• By the end of 2021, the Events Committee will have helped or re-establish at least three regional events.
• By the end of 2020, to have written a first draft of a regional events handbook.
• By the end of 2020, to establish a simplified virtual, small, and large regional budget templates.
• By July 2021, to establish virtual, small, and large regional training events.
• Work with the Foundation to define and operationalize the Regional X model of independent OWASP branded events.

Additional Activities and Reform with the Foundation

• Regional event reform, as part of the finance package reform. This proposal has not yet been fully costed and may not be possible, but we must try. A proposal to allow regional event organizers to be a P&L center of their own in OWASP Foundation books (as per today), but get 100% of the splits, to spend as they please on mission-related activities, such as funding grants or similar. The initial float for a proposed regional event will be seeded by the Board after a vote on the regional event application, which includes a fully detailed event budget. After approval, regional events will carry a balance year to year, to spend as they see fit, but they must cover the float for the next year’s conference, and provide a new budget each year prior to spending on the event itself. Branding requirements will apply, as will the confidentiality of attendees and sponsors for GDPR reasons. As per today, regional events will be required to use our event registration system to allow for secure credit card transactions, GDPR reasons, and rapid refunds. Event insurance, which is not optional, will be covered on a fee for service approach by the Foundation. Regional events must account for all money and sponsorships so that a balance can be maintained on their behalf, so they are IRS tax compliant, GDPR compliant, and to permit the organizers to fund grants or expense other activities as they see fit throughout the year. All optional Foundation provided services, including corporate sponsorship, will become a paid service covering the Foundation’s expenses rather than relying upon a split or admin overhead fee.
• Regional Events Shared Services. Event organizing Committees will be eligible for owasp.org email addresses to help manage the event. All regional events will need to submit a proposal with a valid budget, create an owasp.org web site, and maintain transparency through OWASP shared infrastructure.
• Regional X proposal. In some countries, running an event by an extra-national organization is not permitted. We would like to license our brand for a full self-controlled Regional X model in these circumstances with an upfront payment for the license. All contracts and risk would fall to the Regional X organizers, and any services provided by the Foundation will be service fee.
• Regional events will have access to a rate card for optional Foundation services, and have easy access to mandatory Foundation services, such as event insurance.

The Events Committee Charter should be responsible for:

• Provide education, mentorship, and training for new regional event organizers.
• Promote regional events, and provide mentorship and guidance to event organizers and team members.
• Maintain the regional event lifecycle within OWASP, including working with staff to improve regional event procedures
• Document and maintain regional event guidelines in a Regional Event Handbook.
• Evangelize OWASP regional events publicly, including working with partner conferences and outside events to potentially become OWASP regional events
• Provide first level dispute resolution for events, which can be escalated to the OWASP Conflict Resolution process, or in severe cases, the Foundation, Compliance Committee, or Global Board.
• Work with the Foundation to build operational automation and provide managed shared infrastructure for regional events.
• Work with the Director of Corporate Support to obtain event sponsorships and corporate member support of regional events.
• Advise the Board or Foundation on relevant policy changes necessary to make regional events more active or successful.

The staff liaison with the Events Committee will be the Events Director.

Education and Training

OWASP must be committed to educating the next and current generation of application security professionals through high school and tertiary programs, support basic and applied research, and assist industry trainers and so on to become better. Although the Education Committee will be responsible for driving all of the content, the Foundation will be helping the Education Committee to become profitable in its own right through the creation of certification of trainers, trademark licensing, providing virtual training, and other programs to monetize the highly lucrative and essential training market. These are detailed in the Refocus on Mission and Thrive Sections.

2021 OKRs (to be approved by the Education and Training Committee):

• Work to establish OWASP tertiary and industry curriculums
• Write a committee handbook
• Work with the Foundation to establish a learning platform, for OWASP Juice Shop, SKF, and other projects
• Work on establishing a research portal, allowing projects and researchers to establish research priorities and get them funded through grants
• Build a literature portal to allow researchers to add and curate papers that may not be known to the wider community.

Outreach

Outreach, such as partnerships, Community driven social media, and so on, will devolve almost entirely to the Outreach Committee. As contracts can only be signed by the Executive Director, the Outreach Committee will need to work with the ED on any partnerships. A revised and standardized partnership MoU model will come into place to ensure that partnerships that are likely to be in OWASP’s interests can be progressed reasonably quickly without breaching OWASP’s GDPR and other legal requirements.

2021 OKRs (to be approved by the Outreach Committee):

• Community run Social Media Strategy.
• Establish Community moderation of the OWASP Facebook page.
• Outreach Handbook to be written.

WIA, Diversity, and Inclusion

The WIA Committee – at the foundation’s request – recently decided to become the WIA, Diversity and Inclusion Committee. This Committee is essentially in developing our industry to be inclusive of all genders, career stages, geographic locations, and more. The role of this Committee is vital in ensuring that our industry has sufficient skilled professionals to address the global need for application security professionals, and to weed out illegal and toxic behavior that makes it hard or impossible for many to participate or have rewarding careers. Our industry is better when we are inclusive, and the Foundation is behind ensuring that WIA, Diversity and Inclusion is properly supported. As such, two staff members will be allocated to WIA, Diversity, and Inclusion: the Executive Director and the Operations Manager.

Corporate Advisory Committee

We will establish a Core Corporate Committee, made of at least 2 and up to 5 Corporate Sponsors under the reformed Committee policy to advise the Board and Foundation on ways to improve the value of Corporate Membership, increase corporate membership numbers, and work closer with industry.

OKRs:

• Consider establishment of the Corporate Member Committee by the end of 2020, starting by canvassing our existing Corporate Members to determine interest and participation in the Committee, and to define its purpose.
• If formed, the Committee to write a Corporate Member Handbook.
• The Foundation will restore Corporate Members enfranchisement with a single (1) vote in the Board election per our current bylaws. They are members and the bylaws make no distinction between members of any type.
• The Foundation will run quarterly Corporate Member town halls to listen to concerns and improve the experience for our Corporate Members.

Foundation Committees

• Policy Review
• Compliance
• Corporate Members

These core activities have (or will have) an associated Foundation Committee to assist the Board or Foundation run arms length independent mission critical activities.

Policy Review Committee

Currently, the Policy Review team is a team defined by the Policy Review policy. The current team is not in favor of being a Committee, but we will work with them during the Policy Reform process to determine if they become a standard Committee. This Committee may not end up existing, and shouldn’t be an OKR in itself.

Key objectives (to be agreed with the Committee):

• Define a Committee purpose per the Committees policy.
• Write a Community Review Process Committee handbook, including induction, processes, and a catalog of prior decisions.
• Amend the process to publish privacy respecting feedback in a way that also provides transparency to our members.
• Define Policy Review Committee activity requirements, as the Committee may have no business for some time, and this shouldn’t count towards inactivity requirements.
• Fully populate the committee to its maximum size to encourage diversity of policy positions and community input.

Compliance Committee

The current Compliance Committee is not formed as a formal Committee. It has special challenges in recruiting new members, and rewarding members for all their hard work. This plan proposes to reform the Compliance Committee by working with them to develop a formal set of activities, encourage and reward Committee membership, and to work on a way to build in transparency in a highly charged and emotional process that respects privacy for Code of Conduct related matters, whilst giving the Community the ability to review the outcomes of previous requests for rulings.

Key objectives (to be agreed with the Committee):

• Define a Committee purpose per the Committees policy.
• Write a Compliance Committee handbook, including induction.
• No secret court. Establish a process to publish privacy respecting decisions in a way that also provides transparency to our members, as they will often be bound by these decisions.
• Define Compliance Committee activity requirements, as the Committee may have no business for some time, and this shouldn’t count towards inactivity requirements.
• Recruit up to 3 new members by the end of 2021.

Grants or Finance Committee

A grants Committee should be established as part of the Finance Reform package to disburse grants.

OKRs:

• Establish the Grants or Finance Committee under the reformed Committee model, consisting of the OWASP Treasurer as Chair, Executive Director as the person responsible for contracting, and 3 to 5 leaders, selected from Chapters, Projects, and various other Committee leadership.
• Add a “grants” budget item in 2021 to be spent in 12 equal monthly installments on a range of grants, decided on by the Grants Committee.
• The Committee will write a grants handbook to detail how to create a successful grant, and how to spend funds in an appropriate way.
• The Foundation to build a grant application form that will obtain sufficient information for the Grants or Finance Committee to evaluate grants.
• The Foundation to build oversight and safeguards to ensure that OWASP’s mission and the Board’s strategic direction is inbuilt as a core part of the transparent evaluation criteria. All successful grants will be published publicly along with successful outcomes and amounts spent.