[Global_conference_committee] GCC OWASP GCC 2011 Plan

dinis cruz dinis.cruz at owasp.org
Tue Dec 21 01:33:30 EST 2010

Mark, the problem is how you are doing it.

At OWASP you can't force our leaders into doing stuff, they are
very allergic to 'regulations' and with 'you have to get authorization first
before you do XYZ' requirements. Leaders are self-motivated and tend to
focus on areas they are personally or professionally interested in. This
model has worked very well in the past, and all you need to do is to look at
the number of conferences, chapters and projects to see a very healthy

I actually think that this is a good thing that OWASP has this allergy, and
as you can see on this thread, you can't just 'force' people into accepting
your ideas and requirements.

NOW, the big question is, in such an environment how do you enforce some rules,
quality and control?

Well, you do it by creating a system of 'carrots and sticks' that reward the
behaviour you want (while allowing the ecosystem to try new things and be

Here are some examples of *carrots*:

   - In the OWASP projects we work with the leaders to make their projects
   better, give them reviews/feedback on the project and give it more
   visibility (which is what we're trying to do with the Assessment Criteria
   - In Chapters we give them resources to spend, speakers and logistical
   - In Conferences we give them resources, logistics help, speakers,
   visibility, etc...

The main *stick* that we have (which we have to be very sensitive about how to
use) is the fact that we control the 'definition of what is an OWASP
Leader'. So for example there are talks at the moment on: 'How to evaluate
Chapter Leaders performance? What is the process to remove chapter leaders?
What is an Active Committee member?', etc...

This means that we need to be much better at removing leaders that are too
busy to work on their project/chapter/committee/board leadership (or that
are simply not good enough), since that will keep the system in check, and
will reward the leaders that work hard and 'deliver'.

Wouldn't it be 'easier' if you could just create a set of rules that you
could 'mandate' to the rest of the OWASP Community? (just like Marketing
Departments do?). Maybe, but that would implode OWASP and would completely
change the dynamics.

Finally, for a better example of the power of 'going independently', look at
your own DC conference. In a very top down approach the AppSec DC this year
would have never happened the way it did. BUT because you guys took the
responsibility and worked really hard to make it happen, it was the success
it was :)

*The OWASP Brand is a good example of something that we are making
a conscious effort NOT to manage and enforce.* OWASP Brand has a historical
record of NOT being abused by its leaders/community (with
some exceptions of course) and our job is to raise the bar and to work with
the best OWASP teams to show the rest of the community how to do it

In fact, there is a line of thinking (which I agree with) that says that *part
of the problem with the OWASP brand is that it is not abused enough!!! And
this lack of abuse is a direct consequence of it not being used enough*

Dinis Cruz

On 20 December 2010 23:59, Mark Bristow <mark.bristow at owasp.org> wrote:

> Dinis,
> Well the objective here was to create a rule that all OWASP events have to
> coordinate with the GCC.  If we can't even enforce this
> simple prerequisite of coordination, how does the board propose the GCC
> coordinate and oversee OWASP events?  We have tried the "please come tell us
> model" and that has basically completely failed.  At some point we have to
> impose some sort of structure.
> -Mark
> On Mon, Dec 20, 2010 at 6:49 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Mark, the logic is actually that everybody is free to use our Logo/brand
>> and not have to ask permission to do so. As long as they stick with the
>> brand guidelines, it's all good
>> Our past strategy has been to only deal with the abuses, and so far, they
>> have been very few.
>> We want our brand to be used AS MUCH AS possible. Any potential abuses are
>> more than compensated by the empowerment that our community has when they
>> don't have to ask permission and are free to execute their ideas
>> Dinis Cruz
>> On 20 Dec 2010, at 23:02, Mark Bristow <mark.bristow at owasp.org> wrote:
>> Ralph,
>> I'd argue that this is covered under this board policy:
>> http://www.owasp.org/index.php/OWASP_brand_usage_rules
>> What we don't want is events/conferences using the OWASP logo/name without
>> permission.  Using the OWASP logo without permission has been a somewhat
>> significant issue in the past.
>> On Mon, Dec 20, 2010 at 5:58 PM, Ralph Durkee <ralph.durkee at owasp.org> wrote:
>>>  The language only comprehends OWASP branding at chapter meetings and
>>> major OWASP conference events.  I don't think we want to say every other
>>> event can’t use the logo.  For example if they are attending an event,
>>> or presenting at an event or putting on conference and want to include OWASP
>>> as a track etc, then we don't want to say they can’t use the logo.  We
>>> all have different past experiences with different OWASP events, but there’s
>>> a lot of usage of OWASP logos at events that is a good thing for OWASP.
>>> -- Ralph
>>> On 12/20/2010 10:18 AM, Mark Bristow wrote:
>>> ===============================
>>> *Goals*
>>>    1. Have a Global Appsec in NA, SA, EU, Asia in 2011
>>>    2. Promote OWASP Projects/Initiatives at OWASP Conferences
>>>    3. Enhance Services for Conference Planners
>>>    4. Reach out to developers (have 20% of attendees in a dev position)
>>>    5. Reach out to non-members (have 70% of attendees at cons
>>>    non-members)
>>>    6. Bring more into the fold (Generate 300 new/renewed members at
>>>    conferences)
>>>    7. Streamline Sponsorships (Global Conference Sponsors, Targeted
>>>    Conference Sponsors)
>>>    8. Revise GCC Governance
>>>    9. Have a profit of $200k in 2011 across all conferences
>>> *Policy Changes*
>>>    - Change Conference Types to include:
>>>       - OWASP Global AppSec Conferences (Currently
>>>       AppSec Conferences)
>>>       - OWASP Regional/Theme Conference (currently
>>>       Regional, all regional cons will be encouraged have to have a
>>>       unique
>>>       theme, development, Research, PHP, Government, Browsers …..)
>>>    - GCC Member attendance at conferences Global AppSec
>>>    and Regional/Theme level cons (as available by GCC members and
>>>    budget)
>>>       - GCC Representative shall not be intimately involved with the
>>>       conference planning to provide an objective assessment.
>>>       - Members will have the opportunity to request travel to scheduled
>>>       events and travel will be assigned based on proximity to the event, cost and
>>>       member availability.
>>>       - GCC member shall interface with the local planning committee at
>>>       least 1 month before trip (attend planning call)
>>>       - Interact with planners/attendees while at conference
>>>       - Interact with Sponsors
>>>       - At the next GCC meeting the traveling member will be expected to
>>>       provide a post-trip report covering
>>>          - Assessment of facility
>>>          - Event Marketing Strategy
>>>          - Examination of Event Budget
>>>          - Estimation of Speaker Quality
>>>          - Sponsor engagement/cost-effectiveness & feedback
>>>          - Any notable comments from planners/attendees
>>>          - Any unique outstanding elements
>>>          - Any issues
>>>    - GCC Member signature authority for OWASP
>>>    (Leverage By-Laws Article VI Section 1 - Designate as Agent)
>>>       - Alleviate need of OWASP Board to sign contracts (currently a
>>>       significant bottleneck)
>>>       - All conference related contracts will be required to go through
>>>       the GCC
>>>       - In general will be responsibility of Chair, however all
>>>       committee members shall be authorized to sign on conference business (no
>>>       single point of failure)
>>>       - GCC members will not be permitted to sign contracts for
>>>       conferences they organize (except when signature is required immediately)
>>>       - Will be offered up before the board
>>>    - All OWASP Branded events MUST use the new conference management
>>>    system
>>>       - For OWASP Events only, not applicable to regular chapter
>>>       meetings
>>>       - It’s important to manage the schedule and enforce brand
>>>       management
>>>       - Any conference not registered & approved will not receive OWASP
>>>       funds or support
>>>       - Will take effect once system is in place
>>>    - All Global AppSec conferences must accommodate
>>>    an OWASP Track
>>>       - Will not represent more than 1/3 of content (can be half day,
>>>       full day, full conference as applies to the individual conference)
>>>       - Joint venture with Projects Committee
>>>       - Regional/theme events will have this available to them
>>>  *Initiatives*
>>>    - OWASP Conference management system (Goal 1, 3)
>>>       - We need a system to take in applications for events, vet them,
>>>       approve them, and schedule them.  The current process of people emailing
>>>       Kate, Me or the board is not acceptable with the number of events we have
>>>       - I see this as critical to establishing control over the OWASP
>>>       schedule and is a top priority
>>>    - OWASP AppSec Track (Goal 2)
>>>       - Partnership with projects committee
>>>       - Have a cadre of speakers, ready to go with presentations about
>>>       OWASP projects/activities
>>>       - Require all OWASP Regional and AppSec events to have an “OWASP
>>>       Track” of at least 6 presentations from this pool, managed, selected, and
>>>       funded by the GCC and the GPC
>>>    - OWASP Global Conference Sponsors (Goal 3, 7)
>>>       - Provide unified sponsorships for the Global AppSec Conferences
>>>       - Split revenues among individual conferences budget
>>>       - Streamlines our sponsorships
>>>       - Conference planners are welcome to elicit additional
>>>       sponsorships
>>>    - Central conference support services (Goal 3)
>>>       - Investigate for-hire international conference support companies
>>>          - Event logistics companies
>>>       - Investigate costs for hiring conference organizer
>>>          - Foundation Employee
>>>    - Conference Marketing (Goal 3)
>>>       - OWASP Conference Twitter accounts
>>>       - OWASP Conference Domain Names
>>>          - Register Names only
>>>          - http://www.AppSecNA.org
>>>          - http://www.AppSecUS.org
>>>          - http://www.AppSecEU.org
>>>          - http://www.AppSecAsia.org
>>>          - http://www.AppSecSA.org
>>>          - If already owned by a conference, buy them out/transfer to
>>>          GCC Control
>>>          - GCC will re-direct to any hosting service once the conference
>>>          has been assigned
>>>          - Conference can still register AppSecXX2011.org and we can
>>>          just redirect as appropriate
>>>          - Helps maintain consistency in URLs between years
>>>       - Conference Twitter Accounts
>>>          - Like domains, turned over to planners for their use as
>>>          appropriate
>>>          - @OWASPConfrences – held by the GCC for announcements
>>>          - @OWASPAppSec – held by the GCC for announcements
>>>          - @AppSecNA
>>>          - @AppSecUS
>>>          - @AppSecEU
>>>          - @AppSecAsia
>>>          - @AppSecSA
>>>       - Use of Short URLS on the owasp.org website
>>>          - ex https://owasp.org/AppSecBR points to the wiki page for this year’s conference
>>>       - Regional Targeted Mailing Lists
>>>          - To reduce OWASP All traffic
>>>    - OWASP Merchandise Model (Goal 3, Goal 9)
>>>       - A shippable “OWASP Store” with OWASP branded items for sale at
>>>       conferences
>>>       - Already exists, just need to formalize
>>>    - OWASP Conference Marketing (global, regional, electronic, print)
>>>    (Goal 4,5,6)
>>>       - Procure Booth space at developer focused conferences
>>>       - Provide budget for OWASP Schwag for use at OWASP Booths in other
>>>       conferences
>>>       - Evaluate other advertising mechanisms for conferences
>>>  *Budget*
>>>    - $7500 for conference support (schwag/tables) targeting developer
>>>    conferences
>>>    - $500 OWASP GCC Technology Needs
>>>       - Domain Names
>>>       - Other tech solutions + planning tools
>>>    - $15,000, OWASP Track Travel expenses (cap, will try and get
>>>    indv company sponsorships)
>>>    - $10,000 GCC Member at all conferences (approx $1500/AppSec, $800
>>>    Regional)
>>>    - Budget requires board approval
>> --
>> Mark Bristow
>> (703) 596-5175
>> mark.bristow at owasp.org
>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> AppSec DC Organizer - https://www.appsecdc.org
>>  _______________________________________________
>> Global_conference_committee mailing list
>> Global_conference_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org