[Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Jim Manico jim.manico at owasp.org
Tue Aug 18 18:42:05 UTC 2015


This is a very good summary of these issues Josh, I'm with you.

Shall we initiate a vote and make this happen or is more discussion needed?

- Jim

On 8/18/15 8:37 AM, Josh Sokol wrote:
> One additional thought here as I was about to write something more 
> formal up.  Officially, the Bylaws state:
>
> Failure by a board member to meet the 75% attendance requirement 
> after any tabulation will cause a mandatory vote of confidence by the 
> remaining board members, whose votes will be publicly recorded.  An 
> overall vote of "no confidence" is recorded if half or more of the 
> board members vote for it, which causes the board member in question 
> to be instantly removed from their seat on the board.
>
> I think that the key here is failure after ANY TABULATION.  
> Personally, I think this is a flaw in the Bylaws.  For one, we do not 
> ever specify what the timeframe for tabulation is.  Is it over the two 
> years that you are elected as a Board member?  Is it per year?  That 
> really needs to be clarified.  Secondly, let's say the timeframe is a 
> calendar year for the sake of argument and we are doing monthly 
> meetings, do we really want a situation where if someone misses any 
> one of the first, second, or third Board meetings of the year a vote 
> of no confidence is automatically triggered because they are at 0%, 
> 50%, or 66%? That seems unreasonable to me and is an unintended 
> side-effect of how this is worded.  In light of that, I don't think 
> there is any way that I could, in good conscience, actually vote to 
> remove Fabio, but I still think that we need to adhere to the Bylaws 
> as written and have a formal vote.  Once we do that, we should 
> probably consider changing the verbiage to reflect what I think we 
> actually want here which is that if someone is on the Board, but not 
> doing their job, they are removed.  My $0.02.
>
> ~josh
>
> On Tue, Aug 18, 2015 at 1:24 PM, Eoin Keary <eoin.keary at owasp.org 
> <mailto:eoin.keary at owasp.org>> wrote:
>
>     Wise words Josh. That's why you're a great board member and OWASP
>     leader!!
>     Thanks for understanding.
>
>     Eoin Keary
>     OWASP Volunteer
>     @eoinkeary
>
>
>
>     On 18 Aug 2015, at 19:22, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>
>>     I agree 100% Eoin.  The rule is there for a reason.  Voting to
>>     change it is one thing, but that change cannot be applied
>>     retroactively to the present situation.  The Bylaws are very
>>     clear in that this should trigger a Board vote to determine
>>     whether they should be removed. I am absolutely pushing for that
>>     vote to happen, regardless of whether it actually results in a
>>     removal.  If the Board wants to evaluate a change to the Bylaws
>>     at a later date, then so be it, but I will not support it.  The
>>     Board is a commitment.  When you run, you are doing so knowing
>>     that meetings will not always happen when convenient and that you
>>     are expected to attend 75% of them.  There are certainly
>>     extenuating circumstances where a case could be made here, but I
>>     don't think I've heard any thus far.
>>
>>     ~josh
>>
>>     On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org
>>     <mailto:eoin.keary at owasp.org>> wrote:
>>
>>         Sorry I have to write this email....but...
>>
>>         I hope you don't change the rules just because certain
>>         members have not complied with them....
>>
>>         I was forwarded some emails regarding board attendance today
>>         which appear that the 75% rule of board meeting attendance is
>>         now going to be changed because some folks on the board have
>>         issue with it.
>>
>>         This is like turkeys voting for Christmas.
>>
>>         I respectfully hope the board abides by its own guidelines,
>>         if not I have great issue with the foundation's governance.
>>
>>         Respect, for the good guys in OWASP.
>>
>>
>>         Eoin Keary
>>         OWASP Volunteer
>>         @eoinkeary
>>
>>
>>
>>         On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org
>>         <mailto:josh.sokol at owasp.org>> wrote:
>>
>>>         Johanna,
>>>
>>>             As far as I remember, the idea was proposed to the board
>>>             by you and the board took the decision to implement
>>>             Committee 2.0. I believe this was done with all good
>>>             intentions but is not working.
>>>
>>>
>>>         Actually, I would argue that even though there's only a
>>>         single committee right now, it is working exactly as
>>>         intended. The truth is that OWASP's leadership sits
>>>         somewhere in-between an Oligarchy (as you describe it) and
>>>         an Anarchy.  We're currently somewhere between Democracy and
>>>         Ochlocracy depending on the topic if you really want to get
>>>         technical. In any case, what you need to realize is that
>>>         somebody needs to have the power to make decisions or
>>>         decisions will never get made and we veer into Anarchy. What
>>>         Committees 2.0 did is specify that decision making power
>>>         starts with the Board as they have the fiduciary
>>>         responsibility for the OWASP Foundation in all legal sense. 
>>>         What it also did is allow any of our leaders to carve out a
>>>         piece of that power that they are passionate about and run
>>>         with it, just as you did with projects.  I really thought
>>>         that we would see some other committees pop up similar to
>>>         what we had before in other core areas of OWASP like
>>>         Governance or Chapters, but the fact that there isn't just
>>>         tells me that as of yet, no leader is passionate enough
>>>         about it to carve out that power.  Maybe it's because of
>>>         time commitments or because of some perceived "red tape" or
>>>         even (I hope) because most people think the Board is doing
>>>         an OK job making decisions, but the fact is that the ability
>>>         is there and you are an example of it being used.  So, as I
>>>         said, the system is working. Where this is a void in the
>>>         community wanting to take the power to make decisions, the
>>>         Board fills that void.  In other words, if the community
>>>         really thinks that they can do something better than the
>>>         Board, they can form a Committee (or "Action Team" or
>>>         "Initiative" or whatever they want to call it), and do it.
>>>
>>>             Projects are global. They promote OWASP at a global
>>>             level. What is OWASP known for? For its chapters? Its
>>>             conferences? I strongly believe OWASP is known for its
>>>             projects, Code Review, Testing guide, the Cheat Sheets,
>>>             ASVS, ZAP... Many references in major publications refer
>>>             to OWASP top ten and respect them because of its
>>>             projects. PCI and major vendors use them as reference
>>>             and guidelines.
>>>
>>>
>>>         There is no doubt in my mind that Projects are important for
>>>         OWASP.  They spread our mission in places where even our
>>>         Chapters cannot go.  But, if you want to talk about where
>>>         most people interface with OWASP, it's not projects, it's
>>>         Chapters.  You won't find a reference in a major publication
>>>         to the OWASP Austin Chapter, for example, but we held a
>>>         CryptoParty in January and invited members of our community,
>>>         the media, etc to participate because we wanted to educate
>>>         others on the importance of privacy.  You're passionate
>>>         about OWASP Projects, I get that, and I love it.  I'm
>>>         passionate about OWASP Chapters. Neither should be
>>>         trivialized as they both play a very important role within
>>>         OWASP.
>>>
>>>             What I would like to see is a better schema for them to get
>>>             more awareness, especially people doing great things and
>>>             because of lack of funds cannot promote their projects.
>>>             Chapters are rich, projects are poor. That is in my
>>>             opinion a huge imbalance.
>>>
>>>
>>>         We have many chapters with small bank accounts, some even
>>>         negative, and a few with quite large accounts. Total it all
>>>         up and it's a pretty decent sum of money. But, what you're
>>>         arguing for here is effectively Socialism.  You're saying
>>>         that it doesn't matter that the OWASP chapter in Denver
>>>         busted their ass (it is over a year's worth of effort by a
>>>         team of people) to put on last year's AppSecUSA Conference. 
>>>         It doesn't matter that it can cost a chapter hundreds if not
>>>         thousands of dollars to rent meeting space, bring in food,
>>>         fly in speakers, etc. You only see that they have money, you
>>>         do not, and you want it.  Not because you have a plan to
>>>         spend it either, because if you did you could simply ask the
>>>         Foundation for it, but because it is perceived as being
>>>         disproportionate. There is no payoff for OWASP's mission if
>>>         we rob from the rich, give to the poor, and at the end of
>>>         the day still just have money sitting in a savings account. 
>>>         This highlights the underlying issue here. The issue is not
>>>         that Chapters or Projects HAVE money.  The issue is that
>>>         they have money and are NOT SPENDING IT to further the OWASP
>>>         Mission.  Thus, the approach to fix this issue (and I agree
>>>         that it's an issue) shouldn't be to take away their money,
>>>         it should be to get them to spend it.
>>>
>>>             The limit of USD2,000- for supporting a project leader a
>>>             year is for most leaders not enough. If a leader outside
>>>             US or EU is invited to Black Hat, that amount is not
>>>             enough to cover his traveling expenses.  And that's the
>>>             maximum he can have in a year after filling in forms and
>>>             going through some back-and-forth emails with the staff...
>>>
>>>
>>>         Ahhhhh, finally we get to the root of the issue.  The issue
>>>         isn't that money isn't available, because, frankly, we had a
>>>         significant amount of money budgeted last year that wasn't
>>>         used.  The issue is that there is a cap on what any one
>>>         project leader can request/spend.  My personal opinion here
>>>         is that this $2k cap should be treated as a guideline, not a
>>>         rule.  It is likely in place to prevent abuse by having a
>>>         significant amount of money from the pool go to any one
>>>         individual. But, that cap certainly should not prevent the
>>>         OWASP Foundation from investing in the projects, and people
>>>         behind the projects, to make them better.  The Board
>>>         entrusts Paul, as Executive Director, and the OWASP staff to
>>>         handle the day-to-day operations of the OWASP Foundation. 
>>>         Part of their job is to review these types of requests in
>>>         order to determine whether they make sense and there are
>>>         funds available. That said, if you get to a point where you
>>>         feel that they are being unreasonable, the Board can
>>>         certainly step in and try to determine if an exception
>>>         should be made.  So, net-net, maybe that $2k cap is too
>>>         low.  Should we raise it? If so, what should it be? What
>>>         amount would be reasonable for any one individual to consume
>>>         from that shared pool of funds? Guidelines can be changed.
>>>         Guidelines can even be overruled for the right reasons. 
>>>         This is a relatively minor issue that it sounds like should
>>>         be re-evaluated given rising costs, bigger budget pools,
>>>         unused funds, etc.  Can you please come up with a reasonable
>>>         proposal here and I will take that to the Board for approval
>>>         to change this guideline?
>>>
>>>             Should we scrap projects and focus to be a dedicated
>>>             conference organisation?...that's what I see is
>>>             happening whether consciously or not.
>>>
>>>
>>>         Your perception is VERY far from the truth.  I've spent the
>>>         past 8.5 years working with the OWASP Austin chapter and
>>>         I've seen it grow from literally 3 people in a monthly
>>>         meeting to around 70. You, yourself, even said that OWASP is
>>>         being referenced in major publications and our tools are
>>>         being used around the globe.  That said, keep in mind that
>>>         the OWASP mission is one of education, and conferences
>>>         address that mission directly. They are also the main
>>>         fundraiser that helps to make sure that our chapters and
>>>         projects have the money that they need in order to be
>>>         successful.
>>>
>>>             Should we scrap conferences and focus to gather those
>>>             funds to create better platforms for projects and
>>>             become the next Apache foundation?
>>>
>>>
>>>         Where do you think those funds would come from?  By far, the
>>>         majority of OWASP's annual revenue comes from AppSecUSA and
>>>         AppSecEU.  To be frank, OWASP would be VERY different if it
>>>         weren't for our conferences.
>>>
>>>             Should we use crowdsourcing for gathering funds for
>>>             projects through the OWASP foundation?
>>>
>>>
>>>         This is not a mutually exclusive solution.  Yes, absolutely,
>>>         use crowdfunding to gather funds for projects. Please prove
>>>         out this model of bringing another revenue source to OWASP. 
>>>         I would imagine that this is a way that projects would be
>>>         able to get funds that a chapter never could.
>>>
>>>             Project summits = events. That's what I'm proposing.
>>>             That Summits are treated like events to generate money
>>>             for projects so they have also a fair way to generate
>>>             money as chapters do. They will depend less on
>>>             sponsors with commercial intentions.
>>>
>>>
>>>         OK, but every project summit that we have had thus far has
>>>         cost OWASP money, not made it.  Speaking as the former
>>>         Co-Chair of LASCON and AppSecUSA, I can tell you that these
>>>         types of events are a lot of work and that it is difficult
>>>         to attract attendees.  Attendees actually barely end up
>>>         covering their own costs (food, schwag, etc).  Sponsors and
>>>         trainings are usually the ones who generate the profit for
>>>         these events.  So, let's say you do a project summit.  How
>>>         would you intend to attract attendees who are willing to pay
>>>         for the content?  If not, how would you intend to attract
>>>         sponsors whose sole purpose in being there is to sell
>>>         product to the attendees?  Especially if you don't want
>>>         sponsors with commercial intentions.  You would be lucky if
>>>         you get enough sponsors to cover costs.  Or, in the
>>>         situation of every past project summit that we've had, the
>>>         Foundation ends up covering the difference.  I'm not saying
>>>         that you shouldn't try to prove out this model.  I'm saying
>>>         that it hasn't been proven to date.  Also, it's a bit naive
>>>         to say that chapters leveraging their members and holding a
>>>         conference isn't "fair".  We should be encouraging as many
>>>         endeavors as we can at OWASP that spread our mission.  Even
>>>         more so if they generate additional revenue because that
>>>         helps to further our mission even more after the conference
>>>         is over. Nothing is stopping a project from having a
>>>         conference. This isn't a matter of "fair" or "unfair".  It's
>>>         a matter of a team of people putting in the effort and
>>>         making it happen.  Please don't trivialize those efforts.
>>>
>>>             Also more focus on crowdsourcing projects. If people
>>>             find it a great idea they will sponsor it.
>>>
>>>
>>>         As I said above, I think this is a great idea.  Let's do it!
>>>
>>>             I will ask the staff to create a survey and ask the
>>>             community about it. This is my proposal and based on
>>>             those results I hope and expect the board to take actions.
>>>
>>>
>>>         Ask the staff to create a survey?  Why not make the survey
>>>         yourself?  What exactly are we surveying and why?  The only
>>>         thing that I think you've identified as an actual issue
>>>         preventing projects from operating efficiently is a cap on
>>>         the amount of funding available.  That doesn't require a
>>>         survey to get changed, just a plan and an approval.  I can't
>>>         guarantee support or action as it depends on the varying
>>>         opinions of 7 unique individuals, but the Board would
>>>         certainly evaluate any proposal that is put on the table.
>>>
>>>         ~josh
>>>
>>>         On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel
>>>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>>>         wrote:
>>>
>>>             Josh,
>>>
>>>             As far as I remember, the idea was proposed to the board
>>>             by you and the board took the decision to implement
>>>             Committee 2.0. I believe this was done with all good
>>>             intentions but is not working.
>>>             http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>
>>>             In this same email Sarah mentions:
>>>
>>>             The 2008 committees worked, for the most part, independently of each other.
>>>             This often created duplicate or even conflicting efforts leading to frustration.
>>>
>>>             Results now: I'm the only committee called the Project
>>>             Task Force. Maybe that's why no one wants to create any more
>>>             committees.
>>>
>>>             Projects are global. They promote OWASP at a global
>>>             level. What is OWASP known for? For its chapters? Its
>>>             conferences? I strongly believe OWASP is known for its
>>>             projects, Code Review, Testing guide, the Cheat Sheets,
>>>             ASVS, ZAP... Many references in major publications refer
>>>             to OWASP top ten and respect them because of its
>>>             projects. PCI and major vendors use them as reference
>>>             and guidelines.
>>>
>>>             What I would like to see is a better schema for them to get
>>>             more awareness, especially people doing great things and
>>>             because of lack of funds cannot promote their projects.
>>>             Chapters are rich, projects are poor. That is in my
>>>             opinion a huge imbalance.
>>>
>>>             The limit of USD2,000- for supporting a project leader a
>>>             year is for most leaders not enough. If a leader outside
>>>             US or EU is invited to Black Hat, that amount is not
>>>             enough to cover his traveling expenses. And that's the
>>>             maximum he can have in a year after filling in forms and
>>>             going through some back-and-forth emails with the staff...
>>>
>>>               * Should we scrap projects and focus to be a dedicated
>>>                 conference organisation?...that's what I see is
>>>                 happening whether consciously or not.
>>>               * Should we scrap conferences and focus to gather
>>>                 those funds to create better platforms for
>>>                 projects and become the next Apache foundation?
>>>               * Should we use crowdsourcing for gathering funds for
>>>                 projects through the OWASP foundation?
>>>
>>>
>>>             I would like to see a solution to this or an action.
>>>
>>>             Project summits = events. That's what I'm proposing.
>>>             That Summits are treated like events to generate money
>>>             for projects so they have also a fair way to generate
>>>             money as chapters do. They will depend less on
>>>             sponsors with commercial intentions (easier to avoid
>>>             Logogate issues and projects with the intention to
>>>             promote appsec companies). Also more focus on
>>>             crowdsourcing projects. If people find it a great idea
>>>             they will sponsor it.
>>>
>>>             I will ask the staff to create a survey and ask the
>>>             community about it. This is my proposal and based on
>>>             those results I hope and expect the board to take actions.
>>>
>>>             regards
>>>
>>>             Johanna
>>>
>>>
>>>
>>>             On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>>             <mario.robles at owasp.org <mailto:mario.robles at owasp.org>>
>>>             wrote:
>>>
>>>                 Hey Josh,
>>>
>>>                 I could be wrong but the term Committee is commonly
>>>                 associated with "bureaucracy" even if it's not what
>>>                 you meant, at least it was the first thing on top of
>>>                 my head, I'm sure if you change the word Committee
>>>                 to something like "Action Team" it would be better
>>>                 accepted
>>>
>>>                 Just my point of view,
>>>
>>>                 Mario
>>>
>>>
>>>
>>>                 On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>
>>>>                     I think we need to create Project Summits in
>>>>                     the form of events with the whole purpose to
>>>>                     gather funds for projects
>>>>
>>>>
>>>>                 Please forgive my ignorance. How does a Project
>>>>                 Summit generate funds for projects? Every Project
>>>>                 Summit that we have had to date has cost the
>>>>                 Foundation money, hasn't it?  Can you please elaborate?
>>>>
>>>>                     Look, Denver chapter has around 50K in their
>>>>                     bucket. The richest Project is ZAP with 10k...
>>>>                     but that's the exception. Even worse when you
>>>>                     look at chapters outside US or EU, mine has
>>>>                     only USD40 dollars. Most projects have Zero
>>>>                     Dollars.
>>>>
>>>>
>>>>                 I'm not sure I understand the fixation on what
>>>>                 other chapters have in their bucket.  They have
>>>>                 these funds because they worked hard to obtain
>>>>                 them.  In the case of Denver, they ran last year's
>>>>                 AppSecUSA Conference. Just because they have money
>>>>                 in their account, it doesn't mean that you aren't
>>>>                 able to do things with the $40 you have in your
>>>>                 account.  It just means that they have to use their
>>>>                 account funds first before being able to use money
>>>>                 from the Foundation pool while you would need to
>>>>                 request funds from that pool for anything over
>>>>                 $40.  Any sort of reallocation just moves the "ring
>>>>                 fenced funds" issue to another account.  The model
>>>>                 of chapters and projects having accounts is not
>>>>                 what's broken here. It's the model of chapters and
>>>>                 projects saving their funds instead of spending
>>>>                 them.  This is why I voted "no" on the Summer of
>>>>                 Code initiative. It was giving money to those who
>>>>                 already had it and not forcing them to spend their
>>>>                 funds first. In any case, I'm not sure I understand
>>>>                 why the amount of money Denver has in their account
>>>>                 has any impact on any other chapter or project
>>>>                 other than themselves. We have tens of thousands of
>>>>                 dollars allocated by the Foundation to project and
>>>>                 chapters on an annual basis, much of which goes
>>>>                 completely unused.  There is money available at
>>>>                 OWASP for those who need it and I have yet to hear
>>>>                 of a situation where someone was told otherwise.
>>>>
>>>>                     Yes but how do they know where to go, that's
>>>>                     why the survey. The survey is the compass. And
>>>>                     the leaders are elected to listen to the community.
>>>>
>>>>
>>>>                 I agree with this notion. The OWASP Board should
>>>>                 act in accordance with the desires of the community
>>>>                 and should be doing frequent checks to confirm that
>>>>                 initiatives are aligned.
>>>>
>>>>                     So the committee concept in theory seemed like
>>>>                     a great idea but in practice is not working
>>>>                     because in my eyes, creating a committee is
>>>>                     creating a mini board inside OWASP.
>>>>
>>>>
>>>>                 To be honest, I have been surprised by the lack of
>>>>                 desire to participate in OWASP Committees. The
>>>>                 community has said that they want empowerment and
>>>>                 the goal of the committees was to do that. But, now
>>>>                 that it's there, nobody wants it?  Your example
>>>>                 with John Lita follows the Committees 2.0 process
>>>>                 almost verbatim.  The only difference is that it
>>>>                 provides scoping to ensure that we don't have
>>>>                 competing, or even worse, conflicting initiatives
>>>>                 and it specifies that the individuals involved need
>>>>                 to work within that scope. Without it, you have a
>>>>                 loosely knit group of people running around with
>>>>                 their own individual initiatives. At that level,
>>>>                 OWASP is just a funding source for experimentation,
>>>>                 not a Foundation. There is no accountability, but
>>>>                 the liability on the Foundation is still there.
>>>>                 Legally, we can't just have people running around
>>>>                 spending money without any form of guidance.
>>>>
>>>>                     Allow me and let the staff know that they
>>>>                     should support me and any other volunteers
>>>>                     seeking to implement their ideas ;-).
>>>>                     Let's cut the red tape with committees and let
>>>>                     people know that if they want to do something,
>>>>                       * Contact the staff.
>>>>                       * Set a survey and gather support
>>>>                       * Need more money? Set a crowd funding
>>>>                         project @ https://www.kickstarter.com under
>>>>                         OWASP
>>>>                       * Volunteers implement idea or project with
>>>>                         the support of owasp staff and other volunteers
>>>>
>>>>                 I'm not sure how this is that much different from a
>>>>                 Committee. Contact the community via the mailing
>>>>                 list and gather support, scope the activities (i.e.
>>>>                 define the project), Board ensures that there's no
>>>>                 conflict, do your thing.  The "red tape" that you
>>>>                 keep referring to is just a process document that
>>>>                 walks you through how to set up a committee. After
>>>>                 that's done, the idea was to empower you to act
>>>>                 within the defined scope without going to the
>>>>                 Board. If we're talking specifically about
>>>>                 projects, which it sounds like this is geared
>>>>                 towards, then it's even easier. Register as a
>>>>                 project (so that staff knows you exist and can
>>>>                 support you) and do your thing.  If you need money,
>>>>                 ask for it. I'm not sure I see the problem here.
>>>>                 I'm also not sure what you're asking for as it
>>>>                 doesn't seem that different to me than how the
>>>>                 status quo is supposed to operate.  Is it operating
>>>>                 differently in practice than it should in theory? 
>>>>                 I don't have an OWASP project and so perhaps I'm
>>>>                 blind to the realities.  If so, then the specific
>>>>                 issues need to be addressed by bylaw change, policy
>>>>                 change, staff engagement, etc.  So far, all you've
>>>>                 said is "projects need money", which you have
>>>>                 access to, and "cut the red tape", of which I don't
>>>>                 see anything more than a step to say "Hey, I want
>>>>                 to be a project". Please help me to understand.
>>>>
>>>>                 ~josh
>>>>
>>>>                 On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel
>>>>                 curiel <johanna.curiel at owasp.org
>>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                     > I don't think there is anything preventing a
>>>>                     > project from doing the same, but I haven't seen
>>>>                     > it done at this point.
>>>>
>>>>                     I think we need to create Project Summits in
>>>>                     the form of events with the whole purpose to
>>>>                     gather funds for projects. OpenSAMM has done
>>>>                     this and I think we can try that. For that we
>>>>                     need the support of the staff Business liaison,
>>>>                     Event manager, just as they put their work and
>>>>                     efforts in Events and appsecs. Here cut share
>>>>                     between OWASP staff time and projects can also
>>>>                     be done.
>>>>
>>>>                     > OWASP has a project funding bucket.
>>>>
>>>>                     Look, Denver chapter has around 50K in their
>>>>                     bucket. The richest Project is ZAP with 10k...
>>>>                     but that's the exception. Even worse when you
>>>>                     look at chapters outside US or EU, mine has
>>>>                     only USD40 dollars. Most projects have Zero
>>>>                     Dollars.
>>>>                     And the limits right now are a support but do
>>>>                     not help to get important things moving like
>>>>                     OWASP Academy portal, Leaders like Azzedine
>>>>                     assist and showcase his chapter or project or
>>>>                     other more complex initiatives. Or major
>>>>                     improvements or promotions to their projects.
>>>>
>>>>                     > Remember that the Board is just a handful of
>>>>                     > leaders who were elected to set the compass.
>>>>
>>>>                     Yes but how do they know where to go, that's
>>>>                     why the survey. The survey is the compass. And
>>>>                     the leaders are elected to listen to the community.
>>>>
>>>>                     And About committees...
>>>>                     The only existing active committee right now is
>>>>                     the Project Review (which I still call myself a
>>>>                     taskforce). I haven't seen many initiatives or
>>>>                     participation from other committees. So the
>>>>                     committee concept in theory seemed like a great
>>>>                     idea, but in practice it is not working because in
>>>>                     my eyes, creating a committee is creating a
>>>>                     mini board inside OWASP. We do not want to
>>>>                     create oligarchies in the end.
>>>>
>>>>                       I think we should cut off that committee idea
>>>>                     and be more practical. More like this:
>>>>
>>>>                     Example:
>>>>
>>>>                       * John Lita wants to create an academy portal
>>>>                         but developing it costs money and resources
>>>>                         that volunteers alone cannot easily pull
>>>>                         off (owaspa project was the same and died,
>>>>                         just like many educational initiatives)
>>>>                       * John must create a proposal with defined
>>>>                         goals and how to reach them. He joins other
>>>>                         volunteers in this effort. No need to be a
>>>>                         committee.
>>>>                       * John & Claudia create a survey and seek
>>>>                         support of the community
>>>>                       * If the idea has major feedback and
>>>>                         volunteers, then John has the support from
>>>>                         the staff to execute, including looking for
>>>>                         sponsors using crowdsource funding portals
>>>>                       * Staff monitors development and results of
>>>>                         the actions taken
>>>>                       * Staff reports results to the community back
>>>>
>>>>                     This is in my eyes how I have been working in
>>>>                     the end, because, as volunteers, available
>>>>                     time mostly depends on one or 2 passionate
>>>>                     individuals like John-Lita, who are more
>>>>                     dedicated, and the rest follows...
>>>>
>>>>                     Now if we want to change things, don't tell me
>>>>                     to set a committee, because, Josh, this has not
>>>>                     worked so far.
>>>>
>>>>                      Allow me, and let the staff know that they
>>>>                     should support me and any other volunteers
>>>>                     seeking to implement their ideas ;-).
>>>>                     Let's cut the red tape with committees and let
>>>>                     people know that if they want to do something,
>>>>
>>>>                       * Contact the staff.
>>>>                       * Set a survey and gather support
>>>>                       * Need more money? Set a crowdfunding
>>>>                         project @ https://www.kickstarter.com under
>>>>                         OWASP
>>>>                       * Volunteers implement idea or project with
>>>>                         the support of OWASP staff and other volunteers
>>>>
>>>>                     How do we get this idea to action?
>>>>                     Shall we create a survey?
>>>>                     Do you need to discuss this on a board meeting?
>>>>                     How do I get empowered and let the staff know
>>>>                     that as a volunteer I have your support for
>>>>                     this? (If I do?)
>>>>
>>>>                     You see... how dependent I am on the board to
>>>>                     be able to execute?
>>>>
>>>>                     Of course I can always do this on my own, but
>>>>                     then I'd better do it without OWASP...
>>>>
>>>>                     Regards
>>>>
>>>>                     Johanna
>>>>
>>>>                     On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>>                     <josh.sokol at owasp.org
>>>>                     <mailto:josh.sokol at owasp.org>> wrote:
>>>>
>>>>                         Johanna,
>>>>
>>>>                         Thank you for putting your thoughts out
>>>>                         there for everyone. Silence is not good for
>>>>                         anyone and OWASP will be far more
>>>>                         successful if we know what our leaders are
>>>>                         struggling with and make a conscious effort
>>>>                         to improve it.  I think that many of your
>>>>                         points are very valid and strongly support
>>>>                         the idea of polls to gauge community
>>>>                         support for actions being taken.  I also
>>>>                         support the idea that the Board should be
>>>>                         making as few of these decisions as
>>>>                         possible and putting the power back in the
>>>>                         hands of the community with support from
>>>>                         the staff.  The Board should be the
>>>>                         "compass" making sure that we are moving in
>>>>                         the right direction with the community and
>>>>                         staff being the ones actually pushing us
>>>>                         forward. That's not to say that members of
>>>>                         the Board won't have their own projects or
>>>>                         initiatives, but they do so as part of the
>>>>                         community, not because of their roles on
>>>>                         the Board. The Committees 2.0 framework was
>>>>                         a first step in driving this level of
>>>>                         empowerment back to the community while
>>>>                         maintaining accountability and providing
>>>>                         appropriately scoped actions.  My
>>>>                         impression was that the Projects Committee
>>>>                         was rolling forward quite well under this
>>>>                         guidance, but it sounds like maybe I was
>>>>                         wrong. Are there specific actions that you
>>>>                         have tried to take on the committee that
>>>>                         got blocked by the Board or hung up in "red
>>>>                         tape"? Are there needs for funding that
>>>>                         haven't been met?
>>>>
>>>>                         Regarding the project vs chapter funding
>>>>                         schemas, I'm not sure that there is a good
>>>>                         answer. Projects are typically made up of a
>>>>                         pocket of individuals. Typically one leader
>>>>                         with sometimes one or two others assisting.
>>>>                         Chapters are typically anywhere from 20
>>>>                         people to hundreds.  We provide members
>>>>                         with the ability to allocate their funds to
>>>>                         either, but most associate themselves with
>>>>                         a chapter rather than a project because
>>>>                         that's where they participate. We also have
>>>>                         chapters putting on conferences with the
>>>>                         goal of raising funds.  I don't think there
>>>>                         is anything preventing a project from doing
>>>>                         the same, but I haven't seen it done at
>>>>                         this point. Those are the two main ways
>>>>                         that I see chapters raising money.  Yes,
>>>>                         there is certainly a difference in schemas
>>>>                         and projects will have a more difficult
>>>>                         time, but that's also why OWASP has a
>>>>                         project funding bucket.  Money from these
>>>>                         local events as well as funds raised by our
>>>>                         AppSec conferences gets budgeted
>>>>                         specifically for this purpose.  To my
>>>>                         knowledge, no reasonable request for funds
>>>>                         by projects has been denied. Just because
>>>>                         there isn't money sitting "ring fenced" in
>>>>                         an account for the projects, doesn't mean
>>>>                         that there isn't money that can be spent. 
>>>>                         It just means that it needs to be requested
>>>>                         from the pool. Yes, it's a different model
>>>>                         of funding, but the end result is the same.
>>>>                         There are funds available at OWASP for
>>>>                         everyone who needs them.
>>>>
>>>>                         There are obviously many things that need
>>>>                         to be improved at OWASP and, unfortunately,
>>>>                         the Board has been tied up in rules,
>>>>                         events, bylaws, etc. for a while now.  It's
>>>>                         definitely not the "fun" part of the job
>>>>                         and it is very time consuming. That said, I
>>>>                         would argue that these are the things that
>>>>                         need to be changed in order for everyone
>>>>                         else (staff, community, etc) to be able to
>>>>                         be better served.  We've made several
>>>>                         changes to the Bylaws and are working on
>>>>                         more.  We've hired an Executive Director
>>>>                         (Paul), an Event Manager (Laura), a
>>>>                         Community Manager (Noreen), and a Project
>>>>                         Coordinator (Claudia) just in the almost
>>>>                         two years that I've been on the Board. The
>>>>                         needle on the compass is set and, while it
>>>>                         takes some time to right the ship, we are
>>>>                         getting there by giving our community the
>>>>                         support it requires to be successful. So,
>>>>                         here's my general thought:
>>>>
>>>>                         1) If it's within the scope of a defined
>>>>                         Committee, JUST DO IT!
>>>>
>>>>                         2) If there's no Committee defined for it,
>>>>                         CREATE ONE, then JUST DO IT!
>>>>
>>>>                         3) If a Committee doesn't make sense, ASK
>>>>                         THE STAFF FOR IT!
>>>>
>>>>                         4) If asking the staff isn't working or we
>>>>                         need to change a policy to make it happen,
>>>>                         LET THE BOARD KNOW!
>>>>
>>>>                         The Board should be the last resort, in my
>>>>                         opinion, not the first.  We should be the
>>>>                         enabler, not the bottleneck.  I think that
>>>>                         our leaders make too many assumptions
>>>>                         (probably based on past Board actions)
>>>>                         about what needs to go to the Board and we
>>>>                         need to get away from that. Remember that
>>>>                         the Board is just a handful of leaders who
>>>>                         were elected to set the compass.  We have a
>>>>                         finite number of things that we can handle
>>>>                         and our Board meetings are typically
>>>>                         overflowing with topics. So, if something
>>>>                         is bothering you, I would encourage you to
>>>>                         change it. That's why, with the David Rook
>>>>                         situation, I encouraged creation of a new
>>>>                         Committee to determine a reasonable
>>>>                         solution.  If it requires a policy change
>>>>                         by the Board, then we can vote on that, but
>>>>                         asking the Board to take action just
>>>>                         perpetuates the oligarchy that you mention
>>>>                         in your e-mail. Instead of pushing these
>>>>                         issues up to the Board for action, let's
>>>>                         have the community DECIDE what they want
>>>>                         and have the Board change the compass
>>>>                         needle via bylaws, policies, and staff
>>>>                         discussions, accordingly. At least, that's
>>>>                         my vision for OWASP.  Is that something
>>>>                         that you can get on board with?
>>>>
>>>>                         ~josh
>>>>
>>>>                         On Mon, Aug 17, 2015 at 8:11 AM, johanna
>>>>                         curiel curiel <johanna.curiel at owasp.org
>>>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                             Members of the board,
>>>>
>>>>                             With the recent issue regarding David
>>>>                             Rook, and my latest experience with
>>>>                             red-tape, I'm proposing the following.
>>>>
>>>>                             My goal is to call your attention to
>>>>                             these issues which I have been
>>>>                             observing for years, and not as a
>>>>                             critique of your work, but I think if
>>>>                             you do not pay attention to these
>>>>                             issues and DO something about them,
>>>>                             OWASP will lose valuable community
>>>>                             participation.
>>>>
>>>>                               * When an initiative is proposed or
>>>>                                 launched by a member of the board,
>>>>                                 this should be followed up by a
>>>>                                 survey where the community can
>>>>                                 vote. Whether it is a rule or money,
>>>>                                 these decisions should be taken
>>>>                                 based on collected data and proper
>>>>                                 substantiation to avoid oligarchy
>>>>                               * When an initiative is launched by a
>>>>                                 member of the community, especially
>>>>                                 when this initiative costs more than
>>>>                                 10k, it should be substantiated
>>>>                                 with data on how this initiative will
>>>>                                 benefit the community. It should also
>>>>                                 be followed by a survey
>>>>                               * Staff should help create the
>>>>                                 survey and analyse the votes
>>>>                               * *In other words: do more surveys to
>>>>                                 find out what the community needs
>>>>                                 and wants.*
>>>>
>>>>                             My observations and where I think you
>>>>                             need to give more attention:
>>>>
>>>>                               * Board/Executive director should
>>>>                                 work closer with the staff for
>>>>                                 guidance and empowering their role.
>>>>                                 I have the feeling that the staff
>>>>                                 is paralysed waiting for
>>>>                                 instructions or following strict
>>>>                                 rules. The staff should be
>>>>                                 motivated to take initiative and
>>>>                                 implement projects on their own
>>>>                                 that can help the community. They
>>>>                                 should not be too dependent on an
>>>>                                 Executive director or member of the
>>>>                                 board for this part.
>>>>
>>>>                             As I see it, OWASP is known for its
>>>>                             Project & Chapter leaders who, as
>>>>                             volunteers, have contributed the most to
>>>>                             put OWASP in the spotlight. Therefore:
>>>>
>>>>                               * You should determine and implement
>>>>                                 better ways to provide better
>>>>                                 funding schemas for projects. This
>>>>                                 is something a volunteer cannot do.
>>>>                                 And /nothing/ has been done to help
>>>>                                 solve this issue
>>>>                               * There is an unfair inequality in
>>>>                                 the way chapters can generate funds
>>>>                                 vs Projects.
>>>>                               * Money is locked down in the
>>>>                                 chapters' budget
>>>>                               * Chapters outside US & EU have more
>>>>                                 struggles to find support. You
>>>>                                 should consider a way to better
>>>>                                 support these, since their
>>>>                                 countries are not as developed in the
>>>>                                 area of security as countries in the EU
>>>>                                 and US.
>>>>                               * Follow up: when issues like David
>>>>                                 Rook or a volunteer rants (like me
>>>>                                 or others) out of frustration, take
>>>>                                 action. Put it in the agenda and
>>>>                                 try to solve and discuss the issues
>>>>                                 to improve the actual problems. So
>>>>                                 far I have seen very little follow
>>>>                                 up on major issues and discussions
>>>>                                 raised in the mailing lists
>>>>                               * Way too much attention to rules,
>>>>                                 /events/ and bylaws etc. Time to
>>>>                                 take action and take decisions and
>>>>                                 propose plans for improvements of
>>>>                                 the actual situation mentioned above
>>>>
>>>>                             That being said, and with all due
>>>>                             respect to you, I hope that you can
>>>>                             take action and /execute/ improvements
>>>>                             on issues that have existed since I joined
>>>>                             OWASP 3 years ago.
>>>>
>>>>
>>>>                             Regards
>>>>
>>>>
>>>>                             Johanna
>>>>
>>>>                             _______________________________________________
>>>>                             Governance mailing list
>>>>                             Governance at lists.owasp.org
>>>>                             <mailto:Governance at lists.owasp.org>
>>>>                             https://lists.owasp.org/mailman/listinfo/governance
>>>>                 _______________________________________________
>>>>                 OWASP-Leaders mailing list
>>>>                 OWASP-Leaders at lists.owasp.org
>>>>                 <mailto:OWASP-Leaders at lists.owasp.org>
>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
