[Governance] Request - Survey - Implementation process on higher decisions

Konstantinos Papapanagiotou Konstantinos at owasp.org
Tue Aug 18 20:16:40 UTC 2015


Ah... I certainly didn't want to make this sound personal. I'm really sorry
if it did. I know how much hard work you're putting in for OWASP, Josh. I
sincerely hope I wasn't misunderstood.

At the same time, we have different opinions here. No matter how much
technology has evolved, I think that in person meetings are irreplaceable.
(That's also why I'm in favor of global summits.) I believe that the
majority of people can take 2-3 days off work to attend a conference even
if it has nothing to do with work. Of course family is the number 1 priority,
and I have to admit that I can't participate in OWASP initiatives as much
as I would like to, due to putting family on the highest priority.

If 75% attendance of meetings (or in fact any %) is so important, maybe in
person meetings should be as well. Just a thought.

Kostas


On Tuesday, August 18, 2015, Josh Sokol <josh.sokol at owasp.org> wrote:

> I disagree.  People who work for companies that aren't security companies
> don't necessarily have the same support for attending these types of events
> so the net is that this change discourages them from running for the
> Board.  Personally, I think that these are exactly the types of people who
> we should want on the Board (ie. ones without corporate motivations).  I am
> a bit biased here as I avoided running for the Board for many years because
> of this rule and was the one who petitioned to have it removed.  Just
> because I wasn't present at AppSecUSA or AppSecEU last year, doesn't mean
> that I wasn't "close to the community" or somehow wasn't pulling my weight
> as a Board member.  I attended both of these Board meetings, albeit over
> the phone.  I just have personal issues (both family and work) that prevent
> me from traveling often.  That doesn't make me any less of a Board member.
>
> ~josh
>
> On Tue, Aug 18, 2015 at 2:48 PM, Konstantinos Papapanagiotou <
> Konstantinos at owasp.org> wrote:
>
>> Since we are discussing board attendance, we might want to discuss
>> bringing back mandatory in person attendance. In person meetings are
>> important. Equally important in my opinion is for the board to be close to
>> the community, eg by attending global conferences. Otherwise the board is
>> like god: you believe in it but never actually see it.
>> If you want to be on the board you should be able to travel at least
>> once a year to a global conference near you.
>>
>> Just my 2 cents,
>> Kostas
>>
>>
>> On Tuesday, August 18, 2015, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> I agree 100% Eoin.  The rule is there for a reason.  Voting to change it
>>> is one thing, but that change cannot be applied retroactively to the
>>> present situation.  The Bylaws are very clear in that this should trigger a
>>> Board vote to determine whether they should be removed.  I am absolutely
>>> pushing for that vote to happen, regardless of whether it actually results
>>> in a removal.  If the Board wants to evaluate a change to the Bylaws at a
>>> later date, then so be it, but I will not support it.  The Board is a
>>> commitment.  When you run, you are doing so knowing that meetings will not
>>> always happen when convenient and that you are expected to attend 75% of
>>> them.  There are certainly extenuating circumstances where a case could be
>>> made here, but I don't think I've heard any thus far.
>>>
>>> ~josh
>>>
>>> On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org>
>>> wrote:
>>>
>>>> Sorry I have to write this email....but...
>>>>
>>>> I hope you don't change the rules just because certain members have not
>>>> complied by them....
>>>>
>>>> I was forwarded some emails regarding board attendance today which
>>>> appear that the 75% rule of board meeting attendance is now going to be
>>>> changed because some folks on the board have issue with it.
>>>>
>>>> This is like turkeys voting for Christmas.
>>>>
>>>> I respectfully hope the board abides by its own guidelines; if not, I
>>>> have great issue with the foundation's governance.
>>>>
>>>> Respect, for the good guys in OWASP.
>>>>
>>>>
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>>
>>>> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>> Johanna,
>>>>
>>>> As far as I remember, the idea was proposed to the board by you and the
>>>>> board took the decision to implement Committee 2.0. I believe this was done
>>>>> with all good intentions but is not working.
>>>>>
>>>>
>>>> Actually, I would argue that even though there's only a single
>>>> committee right now, it is working exactly as intended.  The truth is that
>>>> OWASP's leadership sits somewhere in-between an Oligarchy (as you describe
>>>> it) and an Anarchy.  We're currently somewhere between Democracy and
>>>> Ochlocracy depending on the topic if you really want to get technical.  In
>>>> any case, what you need to realize is that somebody needs to have the power
>>>> to make decisions or decisions will never get made and we veer into
>>>> Anarchy.  What Committees 2.0 did is specify that decision making power
>>>> starts with the Board as they have the fiduciary responsibility for the
>>>> OWASP Foundation in all legal sense.  What it also did is allow any of our
>>>> leaders to carve out a piece of that power that they are passionate about
>>>> and run with it, just as you did with projects.  I really thought that we
>>>> would see some other committees pop up similar to what we had before in
>>>> other core areas of OWASP like Governance or Chapters, but the fact that
>>>> there isn't just tells me that as of yet, no leader is passionate enough
>>>> about it to carve out that power.  Maybe it's because of time commitments
>>>> or because of some perceived "red tape" or even (I hope) because most
>>>> people think the Board is doing an OK job making decisions, but the fact is
>>>> that the ability is there and you are an example of it being used.  So, as
>>>> I said, the system is working.  Where this is a void in the community
>>>> wanting to take the power to make decisions, the Board fills that void.  In
>>>> other words, if the community really thinks that they can do something
>>>> better than the Board, they can form a Committee (or "Action Team" or
>>>> "Initiative" or whatever they want to call it), and do it.
>>>>
>>>> Projects are global. They promote OWASP at a global level. What is
>>>>> OWASP known for? For its chapters? Its conferences? I strongly believe
>>>>> OWASP is known for its projects: Code Review, Testing Guide, the Cheat
>>>>> Sheets, ASVS, ZAP... Many references in major publications refer to the OWASP
>>>>> Top Ten and respect them because of its projects. PCI and major vendors use
>>>>> them as reference and guidelines.
>>>>>
>>>>
>>>> There is no doubt in my mind that Projects are important for OWASP.
>>>> They spread our mission in places where even our Chapters cannot go.  But,
>>>> if you want to talk about where most people interface with OWASP, it's not
>>>> projects, it's Chapters.  You won't find a reference in a major publication
>>>> to the OWASP Austin Chapter, for example, but we held a CryptoParty in
>>>> January and invited members of our community, the media, etc to participate
>>>> because we wanted to educate others on the importance of privacy.  You're
>>>> passionate about OWASP Projects, I get that, and I love it.  I'm passionate
>>>> about OWASP Chapters.  Neither should be trivialized as they both play a
>>>> very important role within OWASP.
>>>>
>>>> What I would like to see is a better schema for them to get more awareness,
>>>>> especially people doing great things who, because of lack of funds, cannot
>>>>> promote their projects. Chapters are rich, projects are poor. That is in my
>>>>> opinion a huge imbalance.
>>>>>
>>>>
>>>> We have many chapters with small bank accounts, some even negative, and
>>>> a few with quite large accounts.  Total it all up and it's a pretty decent
>>>> sum of money.  But, what you're arguing for here is effectively Socialism.
>>>> You're saying that it doesn't matter that the OWASP chapter in Denver
>>>> busted their ass (it is over a year's worth of effort by a team of people)
>>>> to put on last year's AppSecUSA Conference.  It doesn't matter that it can
>>>> cost a chapter hundreds if not thousands of dollars to rent meeting space,
>>>> bring in food, fly in speakers, etc.  You only see that they have money,
>>>> you do not, and you want it.  Not because you have a plan to spend it
>>>> either, because if you did you could simply ask the Foundation for it, but
>>>> because it is perceived as being disproportionate.  There is no payoff for
>>>> OWASP's mission if we rob from the rich, give to the poor, and at the end
>>>> of the day still just have money sitting in a savings account.  This
>>>> highlights the underlying issue here.  The issue is not that Chapters or
>>>> Projects HAVE money.  The issue is that they have money and are NOT
>>>> SPENDING IT to further the OWASP Mission.  Thus, the approach to fix this
>>>> issue (and I agree that it's an issue) shouldn't be to take away their
>>>> money, it should be to get them to spend it.
>>>>
>>>> The limit of USD 2,000 for supporting a project leader a year is for
>>>>> most leaders not enough. If a leader outside the US or EU is invited to
>>>>> Black Hat, that amount is not enough to cover his traveling expenses. And
>>>>> that's the maximum he can have in a year after filling in forms and going
>>>>> through some back-and-forth emails with the staff...
>>>>>
>>>>
>>>> Ahhhhh, finally we get to the root of the issue.  The issue isn't that
>>>> money isn't available, because, frankly, we had a significant amount of
>>>> money budgeted last year that wasn't used.  The issue is that there is a
>>>> cap on what any one project leader can request/spend.  My personal opinion
>>>> here is that this $2k cap should be treated as a guideline, not a rule.  It
>>>> is likely in place to prevent abuse by having a significant amount of money
>>>> from the pool go to any one individual.  But, that cap certainly should not
>>>> prevent the OWASP Foundation from investing in the projects, and people
>>>> behind the projects, to make them better.  The Board entrusts Paul, as
>>>> Executive Director, and the OWASP staff to handle the day-to-day operations
>>>> of the OWASP Foundation.  Part of their job is to review these types of
>>>> requests in order to determine whether they make sense and there are funds
>>>> available.  That said, if you get to a point where you feel that they are
>>>> being unreasonable, the Board can certainly step in and try to determine if
>>>> an exception should be made.  So, net-net, maybe that $2k cap is too low.
>>>> Should we raise it?  If so, what should it be?  What amount would be
>>>> reasonable for any one individual to consume from that shared pool of
>>>> funds?  Guidelines can be changed.  Guidelines can even be overruled for
>>>> the right reasons.  This is a relatively minor issue that it sounds like
>>>> should be re-evaluated given rising costs, bigger budget pools, unused
>>>> funds, etc.  Can you please come up with a reasonable proposal here and I
>>>> will take that to the Board for approval to change this guideline?
>>>>
>>>> Should we scrap projects and focus on being a dedicated conference
>>>>> organisation? That's what I see is happening, whether consciously or not.
>>>>>
>>>>
>>>> Your perception is VERY far from the truth.  I've spent the past 8.5
>>>> years working with the OWASP Austin chapter and I've seen it grow from
>>>> literally 3 people in a monthly meeting to around 70.  You, yourself, even
>>>> said that OWASP is being referenced in major publications and our tools are
>>>> being used around the globe.  That said, keep in mind that the OWASP
>>>> mission is one of education, and conferences address that mission
>>>> directly.  They are also the main fundraiser that helps to make sure that
>>>> our chapters and projects have the money that they need in order to be
>>>> successful.
>>>>
>>>> Should we scrap conferences and focus on gathering those funds to create
>>>>> better platforms for projects and become the next Apache Foundation?
>>>>>
>>>>
>>>> Where do you think those funds would come from?  By far, the majority
>>>> of OWASP's annual revenue comes from AppSecUSA and AppSecEU.  To be frank,
>>>> OWASP would be VERY different if it weren't for our conferences.
>>>>
>>>> Should we use crowdsourcing for gathering funds for projects through the
>>>>> OWASP Foundation?
>>>>>
>>>>
>>>> This is not a mutually exclusive solution.  Yes, absolutely, use
>>>> crowdfunding to gather funds for projects.  Please prove out this model of
>>>> bringing another revenue source to OWASP.  I would imagine that this is a
>>>> way that projects would be able to get funds that a chapter never could.
>>>>
>>>> Project summits = events. That's what I'm proposing: that summits are
>>>>> treated like events to generate money for projects, so they also have a fair
>>>>> way to generate money as chapters do. They will depend less on sponsors
>>>>> with commercial intentions.
>>>>>
>>>>
>>>> OK, but every project summit that we have had thus far has cost OWASP
>>>> money, not made it.  Speaking as the former Co-Chair of LASCON and
>>>> AppSecUSA, I can tell you that these types of events are a lot of work and
>>>> that it is difficult to attract attendees.  Attendees actually barely end
>>>> up covering their own costs (food, schwag, etc).  Sponsors and trainings
>>>> are usually the ones who generate the profit for these events.  So, let's
>>>> say you do a project summit.  How would you intend to attract attendees who
>>>> are willing to pay for the content?  If not, how would you intend to
>>>> attract sponsors whose sole purpose in being there is to sell product to
>>>> the attendees?  Especially if you don't want sponsors with commercial
>>>> intentions.  You would be lucky if you get enough sponsors to cover costs.
>>>> Or, in the situation of every past project summit that we've had, the
>>>> Foundation ends up covering the difference.  I'm not saying that you
>>>> shouldn't try to prove out this model.  I'm saying that it hasn't been
>>>> proven to date.  Also, it's a bit naive to say that chapters leveraging
>>>> their members and holding a conference isn't "fair".  We should be
>>>> encouraging as many endeavors as we can at OWASP that spread our mission.
>>>> Even more so if they generate additional revenue because that helps to
>>>> further our mission even more after the conference is over.  Nothing is
>>>> stopping a project from having a conference.  This isn't a matter of "fair"
>>>> or "unfair".  It's a matter of a team of people putting in the effort and
>>>> making it happen.  Please don't trivialize those efforts.
>>>>
>>>> Also more focus on crowdsourcing projects. If people find it a great
>>>>> idea they will sponsor it.
>>>>>
>>>>
>>>> As I said above, I think this is a great idea.  Let's do it!
>>>>
>>>> I will ask the staff to create a survey and ask the community about
>>>>> it.  This is my proposal and based on those results I hope and expect the
>>>>> board to take actions.
>>>>
>>>>
>>>> Ask the staff to create a survey?  Why not make the survey yourself?
>>>> What exactly are we surveying and why?  The only thing that I think you've
>>>> identified as an actual issue preventing projects from operating
>>>> efficiently is a cap on the amount of funding available.  That doesn't
>>>> require a survey to get changed, just a plan and an approval.  I can't
>>>> guarantee support or action as it depends on the varying opinions of 7
>>>> unique individuals, but the Board would certainly evaluate any proposal
>>>> that is put on the table.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Josh,
>>>>>
>>>>> As far as I remember, the idea was proposed to the board by you and the
>>>>> board took the decision to implement Committee 2.0. I believe this was done
>>>>> with all good intentions but is not working.
>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>>>
>>>>> In this same email Sarah mentions:
>>>>>
>>>>> The 2008 committees worked, for the most part, independently of each other.
>>>>> This often created duplicate or even conflicting efforts leading to frustration.
>>>>>
>>>>> Results now: I'm the only committee, called the Project Task
>>>>> Force. Maybe that's why no one wants to create any more committees.
>>>>>
>>>>> Projects are global. They promote OWASP at a global level. What is
>>>>> OWASP known for? For its chapters? Its conferences? I strongly believe
>>>>> OWASP is known for its projects: Code Review, Testing Guide, the Cheat
>>>>> Sheets, ASVS, ZAP... Many references in major publications refer to the OWASP
>>>>> Top Ten and respect them because of its projects. PCI and major vendors use
>>>>> them as reference and guidelines.
>>>>>
>>>>> What I would like to see is a better schema for them to get more awareness,
>>>>> especially people doing great things who, because of lack of funds, cannot
>>>>> promote their projects. Chapters are rich, projects are poor. That is in my
>>>>> opinion a huge imbalance.
>>>>>
>>>>> The limit of USD 2,000 for supporting a project leader a year is for
>>>>> most leaders not enough. If a leader outside the US or EU is invited to
>>>>> Black Hat, that amount is not enough to cover his traveling expenses. And
>>>>> that's the maximum he can have in a year after filling in forms and going
>>>>> through some back-and-forth emails with the staff...
>>>>>
>>>>>
>>>>>    - Should we scrap projects and focus on being a dedicated conference
>>>>>    organisation? That's what I see is happening, whether consciously or not.
>>>>>    - Should we scrap conferences and focus on gathering those funds to
>>>>>    create better platforms for projects and become the next Apache
>>>>>    Foundation?
>>>>>    - Should we use crowdsourcing for gathering funds for projects
>>>>>    through the OWASP Foundation?
>>>>>
>>>>>
>>>>> I would like to see a solution to this or an action.
>>>>>
>>>>> Project summits = events. That's what I'm proposing: that summits are
>>>>> treated like events to generate money for projects, so they also have a fair
>>>>> way to generate money as chapters do. They will depend less on sponsors
>>>>> with commercial intentions (easier to avoid Logogate issues and projects
>>>>> with the intention to promote appsec companies). Also more focus on
>>>>> crowdsourcing projects. If people find it a great idea they will sponsor
>>>>> it.
>>>>>
>>>>> I will ask the staff to create a survey and ask the community about
>>>>> it. This is my proposal and based on those results I hope and expect the
>>>>> board to take actions.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles <mario.robles at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Hey Josh,
>>>>>>
>>>>>> I could be wrong but the term Committee is commonly associated with
>>>>>> "bureaucracy" even if it's not what you meant, at least it was the first
>>>>>> thing on top of my head, I'm sure if you change the word Committee to
>>>>>> something like "Action Team" it would be better accepted
>>>>>>
>>>>>> Just my point view,
>>>>>>
>>>>>> Mario
>>>>>>
>>>>>>
>>>>>> On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>>>
>>>>>> I think we need to create Project Summits in the form of events with
>>>>>>> the whole purpose to gather funds for projects
>>>>>>>
>>>>>>
>>>>>> Please forgive my ignorance.  How does a Project Summit generate
>>>>>> funds for project?  Every Project Summit that we have had to date has cost
>>>>>> the Foundation money, hasn't it?  Can you please elaborate?
>>>>>>
>>>>>> Look, the Denver chapter has around 50K in their bucket. The richest
>>>>>>> project is ZAP with 10k... but that is the exception. Even worse when you
>>>>>>> look at chapters outside the US or EU: mine has only USD 40. Most
>>>>>>> projects have zero dollars.
>>>>>>>
>>>>>>
>>>>>> I'm not sure I understand the fixation on what other chapters have in
>>>>>> their bucket.  They have these funds because they worked hard to obtain
>>>>>> them.  In the case of Denver, they ran last year's AppSecUSA Conference.
>>>>>> Just because they have money in their account, it doesn't mean that you
>>>>>> aren't able to do things with the $40 you have in your account.  It just
>>>>>> means that they have to use their account funds first before being able to
>>>>>> use money from the Foundation pool while you would need to request funds
>>>>>> from that pool for anything over $40.  Any sort of reallocation just moves
>>>>>> the "ring fenced funds" issue to another account.  The model of chapters
>>>>>> and projects having accounts is not what's broken here.  It's the model of
>>>>>> chapters and projects saving their funds instead of spending them.  This is
>>>>>> why I voted "no" on the Summer of Code initiative.  It was giving money to
>>>>>> those who already had it and not forcing them to spend their funds first.
>>>>>> In any case, I'm not sure I understand why the amount of money Denver has
>>>>>> in their account has any impact on any other chapter or project other than
>>>>>> themselves.  We have tens of thousands of dollars allocated by the
>>>>>> Foundation to project and chapters on an annual basis, much of which goes
>>>>>> completely unused.  There is money available at OWASP for those who need it
>>>>>> and I have yet to hear of a situation where someone was told otherwise.
>>>>>>
>>>>>> Yes, but how do they know where to go? That's why the survey. The
>>>>>>> survey is the compass. And the leaders are elected to listen to the
>>>>>>> community.
>>>>>>>
>>>>>>
>>>>>> I agree with this notion.  The OWASP Board should act in accordance
>>>>>> with the desires of the community and should be doing frequent checks to
>>>>>> confirm that initiatives are aligned.
>>>>>>
>>>>>> So the committee concept in theory seemed like a great idea but in
>>>>>>> practice is not working because in my eyes, creating a committee is
>>>>>>> creating a mini board inside OWASP.
>>>>>>>
>>>>>>
>>>>>> To be honest, I have been surprised by the lack of desire to
>>>>>> participate in OWASP Committees.  The community has said that they want
>>>>>> empowerment and the goal of the committees was to do that.  But, now that
>>>>>> it's there, nobody wants it?  Your example with John Lita follows the
>>>>>> Committees 2.0 process almost verbatim.  The only difference is that it
>>>>>> provides scoping to ensure that we don't have competing, or even worse,
>>>>>> conflicting initiatives and it specifies that the individuals involved need
>>>>>> to work within that scope.  Without it, you have a loosely knit group of
>>>>>> people running around with their own individual initiatives.  At that
>>>>>> level, OWASP is just a funding source for experimentation, not a
>>>>>> Foundation.  There is no accountability, but the liability on the
>>>>>> Foundation is still there.  Legally, we can't just have people running
>>>>>> around spending money without any form of guidance.
>>>>>>
>>>>>> Allow me, and let the staff know that they should support me and any
>>>>>>> other volunteers seeking to implement their ideas ;-).
>>>>>>> Let's cut the red tape with committees and let people know that if
>>>>>>> they want to do something,
>>>>>>>
>>>>>>>    - Contact the staff.
>>>>>>>    - Set up a survey and gather support.
>>>>>>>    - Need more money? Set up a crowdfunding project at
>>>>>>>    https://www.kickstarter.com under OWASP.
>>>>>>>    - Volunteers implement the idea or project with the support of OWASP
>>>>>>>    staff and other volunteers.
>>>>>>>
>>>>>>> I'm not sure how this is that much different from a Committee.
>>>>>> Contact the community via the mailing list and gather support, scope the
>>>>>> activities (ie. define the project), Board ensures that there's no
>>>>>> conflict, do your thing.  The "red tape" that you keep referring to is just
>>>>>> a process document that walks you through how to set up a committee.  After
>>>>>> that's done, the idea was to empower you to act within the defined scope
>>>>>> without going to the Board.  If we're talking specifically about projects,
>>>>>> which it sounds like this is geared towards, then it's even easier.
>>>>>> Register as a project (so that staff knows you exist and can support you)
>>>>>> and do your thing.  If you need money, ask for it.  I'm not sure I see the
>>>>>> problem here.  I'm also not sure what you're asking for as it doesn't seem
>>>>>> that different to me than how the status quo is supposed to operate.  Is it
>>>>>> operating differently in practice than it should in theory?  I don't have
>>>>>> an OWASP project and so perhaps I'm blind to the realities.  If so, then
>>>>>> the specific issues need to be addressed by bylaw change, policy change,
>>>>>> staff engagement, etc.  So far, all you've said is "projects need money",
>>>>>> which you have access to, and "cut the red tape", of which I don't see
>>>>>> anything more than a step to say "Hey, I want to be a project".  Please
>>>>>> help me to understand.
>>>>>> ~josh
>>>>>>
>>>>>> On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> >I don't think there is anything preventing a project from doing
>>>>>>> the same, but I haven't seen it done at this point.
>>>>>>>
>>>>>>> I think we need to create Project Summits in the form of events with
>>>>>>> the whole purpose to gather funds for projects. OpenSAMM has done this and
>>>>>>> I think we can try that. For that we need the support of the staff (Business
>>>>>>> Liaison, Event Manager), just as they put their work and efforts into events
>>>>>>> and AppSecs. Here a cut shared between OWASP staff time and projects can also
>>>>>>> be done.
>>>>>>>
>>>>>>> >OWASP has a project funding bucket.
>>>>>>> Look, the Denver chapter has around 50K in their bucket. The richest
>>>>>>> project is ZAP with 10k... but that is the exception. Even worse when you
>>>>>>> look at chapters outside the US or EU: mine has only USD 40. Most
>>>>>>> projects have zero dollars.
>>>>>>> And the limits right now are a support but do not help to get
>>>>>>> important things moving, like the OWASP Academy portal, leaders like Azzedine
>>>>>>> assisting and showcasing his chapter or project, or other more complex
>>>>>>> initiatives. Or major improvements or promotions to their projects.
>>>>>>>
>>>>>>> >Remember that the Board is just a handful of leaders who were
>>>>>>> elected to set the compass.
>>>>>>> Yes, but how do they know where to go? That's why the survey. The
>>>>>>> survey is the compass. And the leaders are elected to listen to the
>>>>>>> community.
>>>>>>>
>>>>>>> And about committees...
>>>>>>> The only existing active committee right now is the Project Review
>>>>>>> (which I still call a task force myself). I haven't seen many initiatives or
>>>>>>> participation from other committees. So the committee concept in theory
>>>>>>> seemed like a great idea but in practice is not working because, in my eyes,
>>>>>>> creating a committee is creating a mini board inside OWASP. We do not want
>>>>>>> to create oligarchies in the end.
>>>>>>>
>>>>>>> I think we should cut off that committee idea and be more practical.
>>>>>>> More like this
>>>>>>>
>>>>>>>   Example:
>>>>>>>
>>>>>>>
>>>>>>>    - John Lita wants to create an academy portal, but developing it
>>>>>>>    costs money and resources that volunteers alone cannot easily pull
>>>>>>>    off (the owaspa project was the same and died, just like many educational
>>>>>>>    initiatives).
>>>>>>>    - John must create a proposal with defined goals and how to
>>>>>>>    reach them. He joins other volunteers in this effort. No need to be a
>>>>>>>    committee.
>>>>>>>    - John & Claudia create a survey and seek the support of the
>>>>>>>    community.
>>>>>>>    - If the idea has major feedback and volunteers, then John has
>>>>>>>    the support of the staff to execute, including looking for sponsors using
>>>>>>>    crowdsource funding portals.
>>>>>>>    - Staff monitors development and results of the actions taken.
>>>>>>>    - Staff reports results back to the community.
>>>>>>>
>>>>>>> This is in my eyes how I have been working in the end, because, as
>>>>>>> volunteers, available time mostly depends on one or two passionate
>>>>>>> individuals like John-Lita, who are more dedicated, and the rest follow...
>>>>>>>
>>>>>>> Now if we want to change things, don't tell me to set up a committee,
>>>>>>> because Josh, this has not worked so far.
>>>>>>>
>>>>>>> Allow me, and let the staff know that they should support me and
>>>>>>> any other volunteers seeking to implement their ideas ;-).
>>>>>>> Let's cut the red tape with committees and let people know that if
>>>>>>> they want to do something,
>>>>>>>
>>>>>>>    - Contact the staff.
>>>>>>>    - Set up a survey and gather support.
>>>>>>>    - Need more money? Set up a crowdfunding project at
>>>>>>>    https://www.kickstarter.com under OWASP.
>>>>>>>    - Volunteers implement the idea or project with the support of OWASP
>>>>>>>    staff and other volunteers.
>>>>>>>
>>>>>>> How do we get this idea to action?
>>>>>>> Shall we create a survey?
>>>>>>> Do you need to discuss this at a board meeting?
>>>>>>> How do I get empowered and let the staff know that as a volunteer I
>>>>>>> have your support for this? (If I do?)
>>>>>>>
>>>>>>> You see... how dependent I am on the board to be able to execute?
>>>>>>>
>>>>>>> Of course I can always do this on my own, but then I'd better do it
>>>>>>> without OWASP...
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Johanna,
>>>>>>>>
>>>>>>>> Thank you for putting your thoughts out there for everyone.
>>>>>>>> Silence is not good for anyone and OWASP will be far more successful if we
>>>>>>>> know what our leaders are struggling with and make a conscious effort to
>>>>>>>> improve it.  I think that many of your points are very valid and strongly
>>>>>>>> support the idea of polls to gauge community support for actions being
>>>>>>>> taken.  I also support the idea that the Board should be making as few of
>>>>>>>> these decisions as possible and putting the power back in the hands of the
>>>>>>>> community with support from the staff.  The Board should be the "compass"
>>>>>>>> making sure that we are moving in the right direction with the community
>>>>>>>> and staff being the ones actually pushing us forward.  That's not to say
>>>>>>>> that members of the Board won't have their own projects or initiatives, but
>>>>>>>> they do so as part of the community, not because of their roles on the
>>>>>>>> Board.  The Committees 2.0 framework was a first step in driving this level
>>>>>>>> of empowerment back to the community while maintaining accountability and
>>>>>>>> providing appropriately scoped actions.  My impression was that the
>>>>>>>> Projects Committee was rolling forward quite well under this guidance, but
>>>>>>>> it sounds like maybe I was wrong.  Are there specific actions that you have
>>>>>>>> tried to take on the committee that got blocked by the Board or hung up in
>>>>>>>> "red tape"?  Are there needs for funding that haven't been met?
>>>>>>>>
>>>>>>>> Regarding the project vs chapter funding schemas, I'm not sure that
>>>>>>>> there is a good answer.  Projects are typically made up of a pocket of
>>>>>>>> individuals.  Typically one leader with sometimes one or two others
>>>>>>>> assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
>>>>>>>> provide members with the ability to allocate their funds to either, but
>>>>>>>> most associate themselves with a chapter rather than a project because
>>>>>>>> that's where they participate.  We also have chapters putting on
>>>>>>>> conferences with the goal of raising funds.  I don't think there is
>>>>>>>> anything preventing a project from doing the same, but I haven't seen it
>>>>>>>> done at this point.  Those are the two main ways that I see chapters
>>>>>>>> raising money.  Yes, there is certainly a difference in schemas and
>>>>>>>> projects will have a more difficult time, but that's also why OWASP has a
>>>>>>>> project funding bucket.  Money from these local events as well as funds
>>>>>>>> raised by our AppSec conferences gets budgeted specifically for this
>>>>>>>> purpose.  To my knowledge, no reasonable request for funds by projects has
>>>>>>>> been denied.  Just because there isn't money sitting "ring fenced" in an
>>>>>>>> account for the projects, doesn't mean that there isn't money that can be
>>>>>>>> spent.  It just means that it needs to be requested from the pool.  Yes,
>>>>>>>> it's a different model of funding, but the end result is the same.  There
>>>>>>>> are funds available at OWASP for everyone who needs them.
>>>>>>>>
>>>>>>>> There are obviously many things that need to be improved at OWASP
>>>>>>>> and, unfortunately, the Board has been tied up in rules, events, bylaws,
>>>>>>>> etc. for a while now.  It's definitely not the "fun" part of the job and it
>>>>>>>> is very time consuming.  That said, I would argue that these are the things
>>>>>>>> that need to be changed in order for everyone else (staff, community, etc)
>>>>>>>> to be able to be better served.  We've made several changes to the Bylaws
>>>>>>>> and are working on more.  We've hired an Executive Director (Paul), an
>>>>>>>> Event Manager (Laura), a Community Manager (Noreen), and a Project
>>>>>>>> Coordinator (Claudia) just in the almost two years that I've been on the
>>>>>>>> Board.  The needle on the compass is set and, while it takes some time to
>>>>>>>> right the ship, we are getting there by giving our community the support it
>>>>>>>> requires to be successful.  So, here's my general thought:
>>>>>>>>
>>>>>>>> 1) If it's within the scope of a defined Committee, JUST DO IT!
>>>>>>>>
>>>>>>>> 2) If there's no Committee defined for it, CREATE ONE, then JUST DO
>>>>>>>> IT!
>>>>>>>>
>>>>>>>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>>>>>>>
>>>>>>>> 4) If asking the staff isn't working or we need to change a policy
>>>>>>>> to make it happen, LET THE BOARD KNOW!
>>>>>>>>
>>>>>>>> The Board should be the last resort, in my opinion, not the first.
>>>>>>>> We should be the enabler, not the bottleneck.  I think that our leaders
>>>>>>>> make too many assumptions (probably based on past Board actions) about what
>>>>>>>> needs to go to the Board and we need to get away from that.  Remember that
>>>>>>>> the Board is just a handful of leaders who were elected to set the
>>>>>>>> compass.  We have a finite number of things that we can handle and our
>>>>>>>> Board meetings are typically overflowing with topics.  So, if something is
>>>>>>>> bothering you, I would encourage you to change it.  That's why, with the
>>>>>>>> David Rook situation, I encouraged creation of a new Committee to determine
>>>>>>>> a reasonable solution.  If it requires a policy change by the Board, then
>>>>>>>> we can vote on that, but asking the Board to take action just perpetuates
>>>>>>>> the oligarchy that you mention in your e-mail.  Instead of pushing these
>>>>>>>> issues up to the Board for action, let's have the community DECIDE what
>>>>>>>> they want and have the Board change the compass needle via bylaws,
>>>>>>>> policies, and staff discussions, accordingly.  At least, that's my vision
>>>>>>>> for OWASP.  Is that something that you can get on board with?
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Members of the board,
>>>>>>>>>
>>>>>>>>> With the recent issue regarding David Rook, and my latest
>>>>>>>>> experience with red-tape, I'm proposing the following.
>>>>>>>>>
>>>>>>>>> My goal is to call your attention to these issues, which I have
>>>>>>>>> been observing for years, and not as a critique of your work, but I think
>>>>>>>>> if you do not pay attention to these issues and DO something about them,
>>>>>>>>> OWASP will lose valuable community participation.
>>>>>>>>>
>>>>>>>>>    - When an initiative is proposed or launched by a member of
>>>>>>>>>    the board, this should be followed up by a survey where the community can
>>>>>>>>>    vote. Whether it is a rule or money, these decisions should be taken based on
>>>>>>>>>    collected data and proper substantiation to avoid oligarchy
>>>>>>>>>    - When an initiative is launched by a member of the community,
>>>>>>>>>    especially when this initiative costs more than 10k, it should be
>>>>>>>>>    substantiated with data on how this initiative will benefit the community.
>>>>>>>>>    It should also be followed by a survey
>>>>>>>>>    - Staff should help create the survey and analyse the votes
>>>>>>>>>    - *In other words: do more surveys to find out what the
>>>>>>>>>    community needs and wants.*
>>>>>>>>>
>>>>>>>>> My observations and where I think you need to give more attention:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - Board/Executive director should work closer with the staff
>>>>>>>>>    for guidance and empowering their role. I have the feeling that the staff
>>>>>>>>>    is paralysed waiting for instructions or following strict rules. The staff
>>>>>>>>>    should be motivated to take initiative and implement projects on their own
>>>>>>>>>    that can help the community. They should not be too dependent on an
>>>>>>>>>    Executive director or member of the board for this part
>>>>>>>>>
>>>>>>>>> As I see it, OWASP is known for its Project & Chapter leaders,
>>>>>>>>> who as volunteers have contributed the most to put OWASP in the
>>>>>>>>> spotlight. Therefore:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - You should determine and implement better ways to provide
>>>>>>>>>    better funding schemas for projects. This is something a volunteer cannot
>>>>>>>>>    do. And *nothing* has been done to help solve this issue
>>>>>>>>>    - There is an unfair inequality in the way chapters can
>>>>>>>>>    generate funds vs Projects.
>>>>>>>>>    - Money is locked down in the chapters' budget
>>>>>>>>>    - Chapters outside US & EU have more struggles to find
>>>>>>>>>    support. You should consider a way to support these better, since their
>>>>>>>>>    countries are not as developed in the area of security as countries in EU and
>>>>>>>>>    US.
>>>>>>>>>    - Follow up: when issues like David Rook or a volunteer
>>>>>>>>>    rants (like me or others) out of frustration, take action. Put it on the
>>>>>>>>>    agenda and try to solve and discuss the issues to improve the actual
>>>>>>>>>    problems. So far I have seen very little follow up on major issues and
>>>>>>>>>    discussions raised in the mailing lists
>>>>>>>>>    - Way too much attention to rules, *events* and bylaws etc.
>>>>>>>>>    Time to take action and take decisions and propose plans for improvements
>>>>>>>>>    of the actual situation mentioned above
>>>>>>>>>
>>>>>>>>> That being said, and with all due respect to you, I hope that you
>>>>>>>>> can take action and *execute* improvements that have been an
>>>>>>>>> issue since I joined OWASP 3 years ago.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Johanna
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Governance mailing list
>>>>>>>>> Governance at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>>
>>>>>