[Global_conference_committee] GCC OWASP GCC 2011 Plan

Mark Bristow mark.bristow at owasp.org
Tue Dec 21 10:42:15 EST 2010


Tom,

I like all the things you mentioned here with some minor caveats.  Overall
this is exactly what I'm trying to do is get things in place to centralize
this activity and really, what the 2011 plan I put forward is all about.

1) Are we going to mandate the use of the new reg system (I think we
should), if we are that's news to me and we need to get the INTL funding
issue squared away ASAP for AppSecBR2011 as the VAT is a killer

2) I think the Authorization authority should rest with the GCC not just the
Board.  I like the quarterly report for AppSec and Regional Cons.

3) Getting a central CFP system up and running is going to take a bit of
doing, but it's on the roadmap as well as I have a few other concerns with
OpenConf (that I've been discussing with Robert)

4) A gimmie

5) HUGE elephant in the room and we need to hammer out EXACTLY what these
policies should be.  Strategic losses are OK if approved and tracked so they
don't get out of hand.

My issue moving forward, is that we already have some of these Carrots in
place, and we are STILL not in good control of our schedule.  This is why I
think an associated stick is needed.  The "deny of funds" sounds great on
paper, but in practice, we don't do it and people know that.

-Mark

On Tue, Dec 21, 2010 at 10:23 AM, Tom Brennan <tomb at owasp.org> wrote:

>  +5 for Mark for taking on this HOT SEAT as a VOLUNTEER to make OWASP
> Better.
>
> Hmm... Carrots
>
> What are the Carrots to make endorsed/authorized/coordinated with the GCC
> event - if compelling the logo item is not a sticking point rather a
> measuring stick of success.
>
> Event Registration and Payment Processing System
> Standardized Event Sponsorship Opportunities (Tiers)
> List of Press Globally to cover event
> List of Potential sponsors globally
> Standardized  CFP system
> Event Webpage using OWASP Wiki
>
> 1. NEW FOR 2011 is an OWASP Centralized membership management system (now
> OWASP Foundation can track, report and market to persons who attend our
> chapter, regional and global events.)  All chapters, events should be
> empowered to utilize this system in 2011 as a centralized system OR the
> event is NOT authorized. (For local chapter we add this in the chapter
> handbook)   When we need to charge for events, for concerns about regional
> funds being processed in countries other than the USA - I continue to hear
> this concern but I have yet to see anyone deal with it.  So until that time,
> payments can be collected via US Dollars using this online system or PayPal,
> another internationally accepted standard for payment processing.
>
> If regions want to create a legal entity in the country for processing,
> they should contact OWASP Foundation and we will create effort on this
> purpose. (Item for Summit BTW)
>
> 2. In running an event as an endorsed event, if the organizers want OWASP to
> take on FINANCIAL or LEGAL LIABILITY (defined by requires a funds transfer,
> signature of an officer/board member or employee of the OWASP Foundation)
> that needs to be approved and plugged into the annual program and is a
> responsibility of the conference committee to review quarterly.  If we are
> just a recognized organization that is nice.. but logo use guidelines do
> apply:  http://www.owasp.org/index.php?title=OWASP_brand_usage_rules we
> would expect the same if we wanted to paste on a logo from ISACA, ISSA,
> Blackhat, BSides, Coca-Cola etc.. It goes both ways and it's brand usage.
>
> 3. Endorsed events WILL be listed on the OWASP Website as endorsed upcoming
> events (we need to move that to a prominent location on the website BTW)
> front page (I will do this next month)  hence if not listed it is not
> endorsed and is a ROGUE event.  Without the OWASP Conference system
> including the OWASP CFP and REGISTRATION SYSTEM being used.. I am sure that
> people would be concerned about it being an endorsed event as they will not
> be using their OWASP account that is set up for events, chapters and CFP
> submissions globally.
>
> BTW CFP Standards such as :  http://people.csail.mit.edu/shaih/websubrev/ or
> http://www.openconf.com and will also bring that centralized process into
> place and perfect for GCC efforts.
>
> 4. Endorsed events will get a banner in rotation (on blogs and other
> associated owasp systems and promotions at events prior to it as part of the
> kick off presentation)
>
> 5. Elephant in the room concerning OWASP and conferences is MONEY - so if
> the event is endorsed by OWASP that means the goal is to generate revenue
> from the event so let's call that out. Some conferences may result in break
> even or negative balances with incredible value, while others may be
> incredibly profitable to drive the mission - there is a balance but we
> cannot limit this with being proactive.
>
> Make it so simple that the easy path is using what is established -- this
> then builds empowerment and you get the desired result without the stick.
>  #1 takes care of many things globally, it just needs to be rolled to
> production globally ASAP and included in the how to host a conference
> process.
>
>
>
>
>
> On Dec 21, 2010, at 8:00 AM, Mark Bristow wrote:
>
> > Well if you have a better suggestion I'm all for it.  We still have the
> > problem of not having visibility into OWASP events.  This in turn makes the
> > rest of the agenda much more difficult to achieve.  If we keep having
> > "pop-up" events all the time, how are we supposed to present "global"
> > sponsorships to event managers?  How will we be able to manage the schedule
> > so we are not so Q3 and Q4 heavy?  If we can't tell people "no" how can we
> > enforce good oversight and fiscal responsibility?  Are you telling me Dinis
> > that if an event didn't coordinate with the GCC but used the OWASP brand,
> > put on an event with a $15k tab at the end that OWASP would not end up
> > paying?  OFC we would, it's been shown this way in the past.  What we're
> > trying to do here is proactive not reactive.
> >
> > As stated, this is the best solution we could come up with to solve the
> > issue of the schedule, which is fundamental to the rest of the plan.  This
> > is no different than anyone wishing to start an OWASP Project to have to
> > loop in Paulo and the GPC.  That's a very similar requirement and I hear no
> > objections to that policy.
> >
> > We're trying to improve the "carrots" as well, but if it's all carrot and
> > no stick that will not work.  This is a simple, basic requirement to at
> > least inform the committee of your intent to host an event.  It will enable
> > the committee to execute all other aspects of the plan for 2011.  I don't
> > understand why this is so controversial.
> >
> > On Tue, Dec 21, 2010 at 1:47 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > Ralph's points are real important and I agree with his view.
> >
> > Btw, can I ask everybody not use the word Chaos and Bureaucracy?
> > Every time I see it used in OWASP it tends to be used on the wrong items, and
> > since most of us seem to have a different definition for those (and they
> > are very 'loaded' concepts), it is probably better to stay away from them :)
> >
> > The lack of oversight on some conferences (like China) is something that
> > needs to be addressed, BUT we have to be careful in changing a system that
> > is working and has delivered 16 conferences in 2010 and 17 in 2009 (some of
> > those were 'OWASP Days')
> >
> > I just re-read the proposed model and it is one of those items that apart
> > from a couple MUSTs it is a great action plan.
> >
> > The problem I see there is how you are going to enforce it, and Mark,
> > maybe part of the problem is that you are putting too much focus on the MUST
> > requirements.
> >
> > As I can see it, the current action plan allows for both dynamics:
> >  a) strong rules with strong enforcement (which will have an allergic
> > reaction from the Community)
> >  b) strong rules with soft enforcement and 'focus on the good behaviour'
> >
> > I like b) because it gives us the best of both worlds.
> >
> > BUT if GIC is going to do b), then maybe there should be some caveats in
> > there that make it explicit that we allow and expect some conferences to go
> > creative (as long as they don't send us the bill after :)  )
> >
> > Dinis Cruz
> >
> > On 21 December 2010 03:41, Ralph Durkee <ralph.durkee at owasp.org> wrote:
> > It looks pretty clear there has been too much chaos and not enough
> > oversight on some of the major conferences,  but I think you're going way
> > overboard in the other direction having the GCC trying to regulate branding
> > at non-owasp conferences, and try to regulate too heavy the smaller
> > community events is a mistake on several levels:
> >
> > * We don't have the time and resources - let's start slow with the fewer
> > and more major conferences where the largest stakes are held.
> > * It's contrary to OWASP openness and spirit of encouraging grass roots
> > participation
> > * Branding and logo usage is not just the GCC,  Let's put some general
> > guidelines and encouragement, but don't get in the way of people spreading
> > the good word of OWASP.
> > * If a conference needs funding then that gives the GCC a hook, for
> > regulation, but the level of regulation should be proportionate to the funding
> > and level of GCC resources that they needed.
> > * Bad governance can in fact make this worse, especially in an extremely
> > open community like OWASP which is not accustomed to it, you will create a
> > backlash if we come down heavy.
> >
> > As for the schedule I think you're making the same mistake with going too
> > far.  You need to control the schedule of the global conferences, and we
> > obviously don't want to control the schedule at the chapter level.  As for
> > the stuff in between I think the best we want to do is influence schedules,
> > help with communication  and let the smaller conferences avoid conflicts
> > themselves.  Any organizer worthwhile knows that a real conflict isn't good
> > for the conference; that is if it really is a serious conflict at all.
> >
> > -- Ralph
> >
> >
> > On 12/20/2010 5:58 PM, Ralph Durkee wrote:
> >> The language only comprehends OWASP branding at chapter meetings and
> >> major OWASP conference events.  I don't think we want to say every other
> >> event can’t use the logo.  For example if they are attending an event, or
> >> presenting at an event or putting on conference and want to include OWASP as
> >> a track etc, then we don't want to say they can’t use the logo.  We all have
> >> different past experiences with different OWASP events, but there’s a lot of
> >> usage of OWASP logos at events that is a good thing for OWASP.
> >>
> >> -- Ralph
> >>
> >> On 12/20/2010 10:18 AM, Mark Bristow wrote:
> >>>
> >>>
> >>> ===============================
> >>> Goals
> >>>
> >>>     • Have a Global Appsec in NA, SA, EU, Asia in 2011
> >>>     • Promote OWASP Projects/Initiatives at OWASP Conferences
> >>>     • Enhance Services for Conference Planners
> >>>     • Reach out to developers (have 20% of attendees in a dev position)
> >>>     • Reach out to non-members (have 70% of attendees at cons non-members)
> >>>     • Bring more into the fold (Generate 300 new/renewed members at conferences)
> >>>     • Streamline Sponsorships (Global Conference Sponsors, Targeted Conference Sponsors)
> >>>     • Revise GCC Governance
> >>>     • Have a profit of $200k in 2011 across all conferences
> >>>
> >>> Policy Changes
> >>>
> >>>     • Change Conference Types to include:
> >>>             • OWASP Global AppSec Conferences (Currently AppSec Conferences)
> >>>             • OWASP Regional/Theme Conference (currently Regional, all regional cons will be encouraged have to have a unique theme, development, Research, PHP, Government, Browsers …..)
> >>>     • GCC Member attendance at conferences Global AppSec and Regional/Theme level cons (as available by GCC members and budget)
> >>>             • GCC Representative shall not be intimately involved with the conference planning to provide an objective assessment.
> >>>             • Members will have the opportunity to request travel to scheduled events and travel will be assigned based on proximity to the event, cost and member availability.
> >>>             • GCC member shall interface with the local planning committee at least 1 month before trip (attend planning call)
> >>>             • Interact with planners/attendees while at conference
> >>>             • Interact with Sponsors
> >>>             • At the next GCC meeting the traveling member will be expected to provide a post trip report covering
> >>>                     • Assessment of facility
> >>>                     • Event Marketing Strategy
> >>>                     • Examination of Event Budget
> >>>                     • Estimation of Speaker Quality
> >>>                     • Sponsor engagement/cost-effectiveness & feedback
> >>>                     • Any notable comments from planners/attendees
> >>>                     • Any unique outstanding elements
> >>>                     • Any issues
> >>>     • GCC Member signature authority for OWASP (Leverage By-Laws Article VI Section 1 - Designate as Agent)
> >>>             • Alleviate need of OWASP Board to sign contracts (currently a significant bottleneck)
> >>>             • All conference related contracts will be required to go through the GCC
> >>>             • In general will be responsibility of Chair, however all committee members shall be authorized to sign on conference business (no single point of failure)
> >>>             • GCC members will not be permitted to sign contracts for conferences they organize (except when signature is required immediately)
> >>>             • Will be offered up before the board
> >>>     • All OWASP Branded events MUST use the new conference management system
> >>>             • For OWASP Events only, not applicable to regular chapter meetings
> >>>             • It’s important to manage the schedule and enforce brand management
> >>>             • Any conference not registered & approved will not receive OWASP funds or support
> >>>             • Will take effect once system is in place
> >>>     • All Global AppSec conferences must accommodate an OWASP Track
> >>>             • Will not represent more than 1/3 of content (can be half day, full day, full conference as applies to the individual conference)
> >>>             • Joint venture with Projects Committee
> >>>             • Regional/theme events will have this available to them
> >>>
> >>> Initiatives
> >>>
> >>>     • OWASP Conference management system (Goal 1, 3)
> >>>             • We need a system to take in applications for events, vet them, approve them, and schedule them.  The current process of people emailing Kate, Me or the board is not acceptable with the number of events we have
> >>>             • I see this as critical to establishing control over the OWASP schedule and is a top priority
> >>>     • OWASP AppSec Track (Goal 2)
> >>>             • Partnership with projects committee
> >>>             • Have a cadre of speakers, ready to go with presentations about OWASP projects/activities
> >>>             • Require all OWASP Regional and AppSec events to have an “OWASP Track” of at least 6 presentations from this pool, managed, selected, and funded by the GCC and the GPC
> >>>     • OWASP Global Conference Sponsors (Goal 3, 7)
> >>>             • Provide unified sponsorships for the Global AppSec Conferences
> >>>             • Split revenues among individual conferences budget
> >>>             • Streamlines our sponsorships
> >>>             • Conference planners are welcome to elicit additional sponsorships
> >>>     • Central conference support services (Goal 3)
> >>>             • Investigate for-hire international conference support companies
> >>>                     • Event logistics companies
> >>>             • Investigate costs for hiring conference organizer
> >>>                     • Foundation Employee
> >>>     • Conference Marketing (Goal 3)
> >>>             • OWASP Conference Twitter accounts
> >>>             • OWASP Conference Domain Names
> >>>                     • Register Names only
> >>>                     • http://www.AppSecNA.org
> >>>                     • http://www.AppSecUS.org
> >>>                     • http://www.AppSecEU.org
> >>>                     • http://www.AppSecAsia.org
> >>>                     • http://www.AppSecSA.org
> >>>                     • If already owned by a conference, buy them out/transfer to GCC Control
> >>>                     • GCC will re-direct to any hosting service once the conference has been assigned
> >>>                     • Conference can still register AppSecXX2011.org and we can just redirect as appropriate
> >>>                     • Helps maintain consistency in URLs between years
> >>>             • Conference Twitter Accounts
> >>>                     • Like domains, turned over to planners for their use as appropriate
> >>>                     • @OWASPConfrences – held by the GCC for announcements
> >>>                     • @OWASPAppSec – held by the GCC for announcements
> >>>                     • @AppSecNA
> >>>                     • @AppSecUS
> >>>                     • @AppSecEU
> >>>                     • @AppSecAsia
> >>>                     • @AppSecSA
> >>>             • Use of Short URLs on the owasp.org website
> >>>                     • ex https://owasp.org/AppSecBR points to the wiki page for this year’s conference
> >>>             • Regional Targeted Mailing Lists
> >>>                     • To reduce OWASP All traffic
> >>>     • OWASP Merchandise Model (Goal 3, Goal 9)
> >>>             • A shippable “OWASP Store” with OWASP branded items for sale at conferences
> >>>             • Already exists, just need to formalize
> >>>     • OWASP Conference Marketing (global, regional, electronic, print) (Goal 4,5,6)
> >>>             • Procure Booth space at developer focused conferences
> >>>             • Provide budget for OWASP Schwag for use at OWASP Booths in other conferences
> >>>             • Evaluate other advertising mechanisms for conferences
> >>>
> >>> Budget
> >>>
> >>>     • $7500 for conference support (schwag/tables) targeting developer conferences
> >>>     • $500 OWASP GCC Technology Needs
> >>>             • Domain Names
> >>>             • Other tech solutions + planning tools
> >>>     • $15,000, OWASP Track Travel expenses (cap, will try and get indv company sponsorships)
> >>>     • $10,000 GCC Member at all conferences (approx $1500/AppSec, $800 Regional)
> >>>     • Budget requires board approval
> >>>
> >
> > _______________________________________________
> > Global_conference_committee mailing list
> > Global_conference_committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global_conference_committee
> >
> > --
> > Mark Bristow
> > (703) 596-5175
> > mark.bristow at owasp.org
> >
> > OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> > OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> > AppSec DC Organizer - https://www.appsecdc.org
>
>


-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org