OWASP Operating Plan 2021 - Survive
Adopted by the Board of Directors 2020-09-22
Thrive is the way OWASP dreams big dreams, and executes big goals. As these are truly stretch goals, the only way to consider any of these ideas as a failure is to not try them at all.
We should be thinking about how we turn these lofty goals into outcomes. The previous sections keep us in business and focused on mission, but to be truly big, we need to innovate, develop a fail-fast culture, and be ready for the future, not just address the concerns of the past.
By the end of 2021:
- Work on reforming the Foundation’s culture from “we can’t do that” to “Let’s do it”
- $5m per year in revenue
- 10,000 active members
- 500 active chapters
- 300 active projects
<Your Idea Here>
The Thrive category is a dream big, grow big grab bag of ideas. If you have big ideas to fund OWASP or advance our mission (or preferably both!) that you want to pursue, please email the team at [email protected]
Security Platform and Bug Bounties
We would like to work with the Projects Committee to implement a security vulnerability program, along the lines of a triage or similar process, either run on an OWASP platform or outsourced to a Bug Bounty provider. We have initiated talks with one of the outsourced providers. This could be a way to make our infrastructure, applications, and data safer, whilst also providing a mechanism to advance our mission for our members.
In conjunction with the various Committees, we will work on a program to gamify, increase, and reward strategic OWASP mission-related activity, such as event attendance, project work, leadership, and so on. Depending on the outcome of membership reform, this might include granting complimentary membership or lead to a lifetime achievement award.
OWASP Learning Platform
Establish a learning platform on a fair and reasonable basis for commercial supporters, and as a free platform for OWASP projects, such as OWASP SKF, JuiceShop, and all others.
For example, in partnership with Secure Flag PLC, we have established a pilot for Secure Flag as a membership benefit. The pilot has been a tremendous success, and we will be working with the Board to obtain permanent funding for this platform, but with a vendor neutral tone.
We have been approached by one other organization so far to provide a similar service, and we wish to encourage member benefits along these lines. Our Projects Director will take applications for such donations of platforms, and try them for a period, and if successful, the Foundation will ask the Board for permission to add them permanently.
<Your Project Here>
The OWASP Foundation should be helping our projects to have a free virtual infrastructure to allow them to demonstrate their platforms and projects, such as OWASP SKF, OWASP Juice Shop, and so on. If you have an idea for adding a member service to such a platform, please contact the Projects Committee.
The Education and Training Committee will be tasked with developing an industry certification program, with a view to enabling some of our core projects to have an official and industry recognized certification, first for developers and then for our industry.
This is a difficult task, and we shouldn’t be seen as a certificate mill, but should offer a truly difficult certification to hold. We will need to respect our vendor neutral roots, but realize that this is a frequent ask by industry, and if we don’t fill the gap, someone else will (or already has). We need to earn income from this activity, so a grant should be created and donations sought to allow full-time work to build it out, as building a certification program with volunteers alone is likely to be extraordinarily difficult.
This could easily become a major income stream for the Foundation, but also a major cost. We need to balance the costs of developing and maintaining such a certification, along with the requirements from industry and governments to have a strong certification in place.
Certification of Trainers
One request the Foundation constantly receives is to supply a certification that a training course and its trainer are certified to train in that subject matter. This is a highly contentious topic, and we will be reaching out to the training Community to ensure that we can have a reasonable method of certification that recognizes that no such thing currently exists, but would benefit them immensely.
The Foundation will run this program, work to build a grant program and sponsorship around it, and find appropriate resources to work on it full time after a suitable donation.
OWASP recently received official certification of various trademarks after many years of claiming them on our website.
Our brand has been abused for years by commercial entities, who are making millions of dollars a year off the community’s efforts, usually without contributing a single cent to help our mission or sponsor activities that could help them build an even larger business. We want a virtuous cycle, where a trademark program will help protect our brand, raise funds for building out our mission, and ensure that commercial vendors also benefit from improved materials and input to the projects they rely on for their business. We will be reaching out to large training platforms, such as PluralSight, edX, Lynda, and Udemy, to provide a blanket license to allow the community and low-profit trainings to be covered by our marks.
The purpose is to ensure fair use, and encourage our brand to get out there, but under standard industry terms that protect OWASP’s and the community’s interests.
We need to protect our brand from unauthorized use, whilst clarifying that chapters, events, and so on can continue to use these trademarks for free under updated branding guidelines. This could be a source of funds, particularly for commercial use of our marks. If we don’t enforce our trademarks, they will be lost, so some form of program will need to be built and tested.
Trademark co-branding program
A common request to the Foundation is to run an event under our banner. We need to understand how best to allow chapters, not-for-profits, and non-affiliated commercial vendors to license our name for either no cost or a small fee, whilst protecting our brand from misuse.
Trademark licensing program for trainers and events
A licensing program will be built to include options for non-profits, RegionalX, and commercial providers, with per event fees, subscription, or an upfront annual fee.
Merchandise can be a way to earn passive income. Currently, we use Konik to manage our merchandise inventory. This hasn’t really been working, and we don’t have a merchandise store front. The following merchandise operational activities will occur:
- Work with leaders, projects, chapters, and Committees to promote existing merchandise to their relevant audiences with a view to eliminating all current inventory.
- Look into virtual merchandise options (such as Shopify or TeeSpring), where OWASP and the Community provide the designs and the virtual merchandise drop shipper produces and ships the merchandise on our behalf, so that we don’t have to carry any stock or send the merchandise ourselves.
- Empower the OWASP Security Pins project and other projects to come up with Community designed logos and swag.
One idea is for OWASP to establish a crowdfunding mechanism to fund grants or specific activities within our Community, such as funding a bug bounty, or funding project work for an organization.
Donate a Car
Implement a “donate a car” pilot in the USA in partnership with a national virtual car buying program, so that the proceeds from unwanted or second-hand cars can be a tax-deductible donation for the donor, and OWASP doesn’t have to deal with an actual car. We will investigate adding this as a funding option and how it might work by the end of 2021.
One method that we have not sought to look into before is asking our Community to remember OWASP in their wills, and provide a bequest to the Foundation. We will investigate adding this as a funding option and how it might work by the end of 2021.
Revitalise Site Content
Increase the visibility of the OWASP website by inviting chapter speakers to write technical articles for the OWASP website based on their talks. Given the visibility of the main page, this would provide the speakers with visibility and would invite more readers to the website if there is a steady stream of content being built (and shared on sites such as Reddit and Hacker News).
OWASP Mobile App
Increase site traffic by developing a simple webview Android/iOS mobile app that simply points to the site. The app can increase site traffic, and over time it can be used to deliver notifications for regional events and local chapter events, as well as calls for donations.
OWASP Books and Online store
Deliver a project which publishes OWASP books on a regular basis for flagship documentation projects. This would generate extra income, and the original content would still be free online; it would simply also be available on stores such as Amazon.